1
0
Fork 0
nix-configuration/modules/base/bootloader.nix
2024-04-27 20:19:59 -04:00

60 lines
1.3 KiB
Nix

{ config, lib, pkgs, ... }:
# Bootloader
let
cfg = config.host.boot;
in
with lib;
{
options = {
host.boot = {
enable = mkOption {
description = "Automatically configures the bootloader. Set to false to configure manually.";
type = types.bool;
default = true;
};
secureboot.enable = mkOption {
description = "Enables Secureboot";
type = types.bool;
default = true;
};
};
};
config = mkIf cfg.enable (mkMerge[
(mkIf cfg.secureboot.enable {
boot = {
# Enable Secure Boot
bootspec.enable = true;
# Disable systemd-boot. We lanzaboote now.
loader.systemd-boot.enable = false;
loader.efi.canTouchEfiVariables = true;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
# Set up TPM. See https://nixos.wiki/wiki/TPM
# After installing and rebooting, set it up via https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
environment.systemPackages = with pkgs; [ tpm2-tss ];
security.tpm2 = {
enable = true;
pkcs11.enable = true;
tctiEnvironment.enable = true;
};
})
# Plain boot
(mkIf (!cfg.secureboot.enable) {
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
})
]);
}