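# Configuration options specific to bootloader management.
# SecureBoot is handled via Lanzaboote. See https://github.com/nix-community/lanzaboote
#
# Three switches live under `${namespace}.bootloader`:
#   enable            - let this module manage the bootloader at all.
#   secureboot.enable - replace systemd-boot with Lanzaboote.
#   tpm2.enable       - enable TPM2 userspace and initrd support for
#                       systemd-cryptenroll style auto-unlocking.
{
  config,
  lib,
  pkgs,
  namespace,
  ...
}:
# Bootloader
let
  cfg = config.${namespace}.bootloader;
in
{
  options = {
    ${namespace}.bootloader = {
      enable = lib.mkOption {
        description = "Automatically configures the bootloader. Set to false to configure manually.";
        type = lib.types.bool;
        default = true;
      };
      # mkEnableOption renders its argument as "Whether to enable <arg>.",
      # so the argument must be a noun phrase with no leading verb and no
      # trailing period; "Enables ..." would render as
      # "Whether to enable Enables ..." in the generated option docs.
      secureboot.enable = lib.mkEnableOption "Secureboot support (please read the README before enabling!)";
      tpm2.enable = lib.mkEnableOption "TPM2 support";
    };
  };

  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      # Secure Boot path: Lanzaboote takes over the ESP from systemd-boot,
      # so the two loaders are never enabled together (see the last branch).
      (lib.mkIf cfg.secureboot.enable {
        boot = {
          # Lanzaboote builds its boot entries from the bootspec document.
          bootspec.enable = true;
          # Use Lanzaboote in place of systemd-boot.
          loader = {
            systemd-boot.enable = false;
            efi.canTouchEfiVariables = true;
          };
          lanzaboote = {
            enable = true;
            # Signing material is read from this directory at rebuild
            # time; keep it root-only and outside the Nix store.
            pkiBundle = "/etc/secureboot";
          };
        };
      })

      # Set up TPM if enabled. See https://wiki.nixos.org/wiki/TPM
      (lib.mkIf cfg.tpm2.enable {
        boot.initrd = {
          # Enable modules and support for TPM auto-unlocking
          systemd.enable = true;
          # tpm_crb serves firmware (fTPM) devices; a discrete TPM may
          # additionally need tpm_tis — confirm against the hardware
          # before relying on unattended unlock.
          kernelModules = [ "tpm_crb" ];
        };
        # After installing and rebooting, set it up via https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
        # NOTE(review): systemd-cryptenroll's default PCR 7 policy measures
        # Secure Boot state, so TPM unlocking is most meaningful when
        # secureboot.enable is also set.
        # Reference the package explicitly rather than via `with pkgs;` so
        # no local name is silently shadowed by a pkgs attribute.
        environment.systemPackages = [ pkgs.tpm2-tss ];
        security.tpm2 = {
          enable = true;
          pkcs11.enable = true;
          tctiEnvironment.enable = true;
        };
      })

      # Use the default systemd-boot bootloader.
      (lib.mkIf (!cfg.secureboot.enable) {
        boot.loader = {
          systemd-boot.enable = true;
          efi.canTouchEfiVariables = true;
        };
      })
    ]
  );
}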