2024-05-07 22:02:59 +00:00
|
|
|
{
|
|
|
|
config,
|
|
|
|
lib,
|
|
|
|
pkgs,
|
|
|
|
...
|
|
|
|
}:
|
2024-02-29 14:53:34 +00:00
|
|
|
|
|
|
|
# Bootloader
|
|
|
|
let
|
2024-05-07 22:02:59 +00:00
|
|
|
cfg = config.host.boot;
|
2024-02-29 14:53:34 +00:00
|
|
|
in
|
|
|
|
with lib;
|
|
|
|
{
|
|
|
|
|
2024-05-07 22:02:59 +00:00
|
|
|
options = {
|
|
|
|
host.boot = {
|
|
|
|
enable = mkOption {
|
|
|
|
description = "Automatically configures the bootloader. Set to false to configure manually.";
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
secureboot.enable = mkOption {
|
|
|
|
description = "Enables Secureboot";
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable (mkMerge [
|
|
|
|
(mkIf cfg.secureboot.enable {
|
|
|
|
boot = {
|
|
|
|
# Enable Secure Boot
|
|
|
|
bootspec.enable = true;
|
|
|
|
|
|
|
|
# Disable systemd-boot. We lanzaboote now.
|
|
|
|
loader.systemd-boot.enable = false;
|
|
|
|
loader.efi.canTouchEfiVariables = true;
|
|
|
|
lanzaboote = {
|
|
|
|
enable = true;
|
|
|
|
pkiBundle = "/etc/secureboot";
|
|
|
|
};
|
|
|
|
|
|
|
|
# Increase bootloader font size
|
|
|
|
lanzaboote.settings.console-mode = "auto";
|
|
|
|
};
|
|
|
|
|
|
|
|
# Set up TPM. See https://nixos.wiki/wiki/TPM
|
|
|
|
# After installing and rebooting, set it up via https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
|
|
|
|
environment.systemPackages = with pkgs; [ tpm2-tss ];
|
|
|
|
security.tpm2 = {
|
|
|
|
enable = true;
|
|
|
|
pkcs11.enable = true;
|
|
|
|
tctiEnvironment.enable = true;
|
|
|
|
};
|
|
|
|
})
|
|
|
|
|
|
|
|
# Plain boot
|
|
|
|
(mkIf (!cfg.secureboot.enable) {
|
|
|
|
boot = {
|
|
|
|
loader.systemd-boot.enable = true;
|
|
|
|
loader.efi.canTouchEfiVariables = true;
|
|
|
|
};
|
|
|
|
})
|
|
|
|
]);
|
2024-02-29 14:53:34 +00:00
|
|
|
}
|