1
0
Fork 0
nix-configuration/modules/base/bootloader.nix

60 lines
1.3 KiB
Nix
Raw Normal View History

2024-04-27 20:19:59 -04:00
{ config, lib, pkgs, ... }:
2024-02-29 09:53:34 -05:00
# Bootloader
let
cfg = config.host.boot;
in
with lib;
{
options = {
host.boot = {
enable = mkOption {
description = "Automatically configures the bootloader. Set to false to configure manually.";
type = types.bool;
default = true;
};
secureboot.enable = mkOption {
description = "Enables Secureboot";
type = types.bool;
default = true;
};
};
};
config = mkIf cfg.enable (mkMerge[
2024-03-02 12:58:30 -05:00
(mkIf cfg.secureboot.enable {
2024-02-29 09:53:34 -05:00
boot = {
# Enable Secure Boot
bootspec.enable = true;
# Disable systemd-boot. We lanzaboote now.
loader.systemd-boot.enable = false;
loader.efi.canTouchEfiVariables = true;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
# Set up TPM. See https://nixos.wiki/wiki/TPM
# After installing and rebooting, set it up via https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
2024-04-27 20:19:59 -04:00
environment.systemPackages = with pkgs; [ tpm2-tss ];
2024-02-29 09:53:34 -05:00
security.tpm2 = {
enable = true;
pkcs11.enable = true;
tctiEnvironment.enable = true;
};
})
# Plain boot
2024-03-02 12:58:30 -05:00
(mkIf (!cfg.secureboot.enable) {
2024-02-29 09:53:34 -05:00
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
})
]);
}