modularizing kernel and loader settings

2024-09-22 14:30:06 +02:00
parent 6f53da8393
commit 50d554b6f6
22 changed files with 294 additions and 84 deletions
--- a/system/modules/boot/loader/default.nix
+++ b/system/modules/boot/loader/default.nix
@@ -0,0 +1,60 @@
+{
+  pkgs,
+  lib,
+  config,
+  inputs,
+  ...
+}: let
+  inherit (lib) mkIf mkEnableOption mkMerge mkForce;
+  cfg = config.modules.boot.loader;
+in {
+  options = {
+    modules.boot.loader = {
+      default = {
+        enable = mkEnableOption "Enable default boot loader configuration.";
+      };
+      lanzaboote = {
+        enable = mkEnableOption "Enable Lanzaboote boot loader configuration.";
+      };
+    };
+  };
+
+  imports = [
+    inputs.lanzaboote.nixosModules.lanzaboote
+  ];
+
+  config = mkMerge [
+    {
+      assertions = [
+        {
+          assertion = !(cfg.default.enable && cfg.lanzaboote.enable);
+          message = "Only one of modules.boot.loader.default.enable and modules.boot.loader.lanzaboote.enable can be set to true.";
+        }
+      ];
+    }
+
+    (mkIf cfg.default.enable {
+      # Default boot loader configuration
+      boot.loader = {
+        systemd-boot.enable = true;
+        systemd-boot.graceful = true;
+        efi.canTouchEfiVariables = false;
+      };
+    })
+
+    (mkIf cfg.lanzaboote.enable {
+      # Lanzaboote boot loader configuration
+      boot = {
+        lanzaboote = {
+          enable = true;
+          pkiBundle = "/etc/secureboot";
+        };
+
+        # We let Lanzaboote install systemd-boot
+        loader.systemd-boot.enable = mkForce false;
+      };
+
+      environment.systemPackages = [pkgs.sbctl];
+    })
+  ];
+}