61 lines
1.3 KiB
Nix
61 lines
1.3 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
config,
|
|
inputs,
|
|
...
|
|
}: let
|
|
inherit (lib) mkIf mkEnableOption mkMerge mkForce;
|
|
cfg = config.system.boot.loader;
|
|
in {
|
|
options = {
|
|
system.boot.loader = {
|
|
default = {
|
|
enable = mkEnableOption "Enable default boot loader configuration.";
|
|
};
|
|
lanzaboote = {
|
|
enable = mkEnableOption "Enable Lanzaboote boot loader configuration.";
|
|
};
|
|
};
|
|
};
|
|
|
|
imports = [
|
|
inputs.lanzaboote.nixosModules.lanzaboote
|
|
];
|
|
|
|
config = mkMerge [
|
|
{
|
|
assertions = [
|
|
{
|
|
assertion = !(cfg.default.enable && cfg.lanzaboote.enable);
|
|
message = "Only one of system.boot.loader.default.enable and system.boot.loader.lanzaboote.enable can be set to true.";
|
|
}
|
|
];
|
|
}
|
|
|
|
(mkIf cfg.default.enable {
|
|
# Default boot loader configuration
|
|
boot.loader = {
|
|
systemd-boot.enable = true;
|
|
systemd-boot.graceful = true;
|
|
efi.canTouchEfiVariables = false;
|
|
};
|
|
})
|
|
|
|
(mkIf cfg.lanzaboote.enable {
|
|
# Lanzaboote boot loader configuration
|
|
boot = {
|
|
lanzaboote = {
|
|
enable = true;
|
|
pkiBundle = "/etc/secureboot";
|
|
};
|
|
|
|
# We let Lanzaboote install systemd-boot
|
|
loader.systemd-boot.enable = mkForce false;
|
|
};
|
|
|
|
environment.systemPackages = [pkgs.sbctl];
|
|
})
|
|
];
|
|
}
|