59 lines
1.2 KiB
Nix
59 lines
1.2 KiB
Nix
|
{ config, lib, ... }:
|
||
|
|
|
||
|
|
# Bootloader
|
||
|
|
let
|
||
|
|
cfg = config.host.boot;
|
||
|
|
in
|
||
|
|
with lib;
|
||
|
|
{
|
||
|
|
|
||
|
|
options = {
|
||
|
|
host.boot = {
|
||
|
|
enable = mkOption {
|
||
|
|
description = "Automatically configures the bootloader. Set to false to configure manually.";
|
||
|
|
type = types.bool;
|
||
|
|
default = true;
|
||
|
|
};
|
||
|
|
|
||
|
|
secureboot.enable = mkOption {
|
||
|
|
description = "Enables Secureboot";
|
||
|
|
type = types.bool;
|
||
|
|
default = true;
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
config = mkIf cfg.enable (mkMerge[
|
||
|
|
(mkIf (cfg.secureboot.enable == true) {
|
||
|
|
boot = {
|
||
|
|
# Enable Secure Boot
|
||
|
|
bootspec.enable = true;
|
||
|
|
|
||
|
|
# Disable systemd-boot. We lanzaboote now.
|
||
|
|
loader.systemd-boot.enable = false;
|
||
|
|
loader.efi.canTouchEfiVariables = true;
|
||
|
|
lanzaboote = {
|
||
|
|
enable = true;
|
||
|
|
pkiBundle = "/etc/secureboot";
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
# Set up TPM. See https://nixos.wiki/wiki/TPM
|
||
|
|
# After installing and rebooting, set it up via https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
|
||
|
|
security.tpm2 = {
|
||
|
|
enable = true;
|
||
|
|
pkcs11.enable = true;
|
||
|
|
tctiEnvironment.enable = true;
|
||
|
|
};
|
||
|
|
})
|
||
|
|
|
||
|
|
# Plain boot
|
||
|
|
(mkIf (cfg.secureboot.enable == false) {
|
||
|
|
boot = {
|
||
|
|
loader.systemd-boot.enable = true;
|
||
|
|
loader.efi.canTouchEfiVariables = true;
|
||
|
|
};
|
||
|
|
})
|
||
|
|
]);
|
||
|
|
}
|