Update boot options
This commit is contained in:
parent
cb968bdc07
commit
0b6b98c6de
|
@ -134,14 +134,21 @@ The resulting file should then look something like this:
|
|||
# };
|
||||
#};
|
||||
|
||||
# Enable secure boot (requires running some commands afterwards, see the
|
||||
# option's docs)
|
||||
#secure-boot.enabled = true;
|
||||
boot = {
|
||||
# Enable secure boot (requires running some commands afterwards, see the
|
||||
# option's docs before enabling)
|
||||
#secure-boot.enable = true;
|
||||
|
||||
# I have enough RAM to afford using tmpfs for /tmp
|
||||
tmpOnTmpfs = true;
|
||||
};
|
||||
};
|
||||
|
||||
device = {
|
||||
virtual-machine = false;
|
||||
cpu.type = "intel";
|
||||
};
|
||||
|
||||
home-manager = {
|
||||
enabled = true;
|
||||
stateVersion = "23.11";
|
||||
|
|
|
@ -6,6 +6,12 @@
|
|||
|
||||
boot.supportedFilesystems = [ "btrfs" ];
|
||||
|
||||
# My flake disables this by default for security reasons. However,
|
||||
# with an encrypted setup, which requires entering password before
|
||||
# booting anyways, this is not a security concern, and changing the
|
||||
# kernel params can be useful for debugging.
|
||||
boot.loader.systemd-boot.editor = true;
|
||||
|
||||
nix.settings = {
|
||||
max-jobs = 6;
|
||||
cores = 6;
|
||||
|
@ -38,7 +44,10 @@
|
|||
};
|
||||
};
|
||||
|
||||
secure-boot.enabled = true;
|
||||
boot = {
|
||||
secure-boot.enable = true;
|
||||
tmpOnTmpfs = true;
|
||||
};
|
||||
};
|
||||
|
||||
device = {
|
||||
|
|
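Review bot: The justification written above `boot.loader.systemd-boot.editor = true;` in the first hunk of this host file covers only the interactive-passphrase case; if this host is ever switched to TPM-based auto-unlock, the editor lets anyone at the console alter the command line and obtain a root shell once the TPM has released the key, unless the PCR policy also binds the command line. The module comment this commit adds in system/boot/loaders/systemd-boot.nix already states that condition, so the host comment should carry it too, e.g. `# This holds only while unlock needs an interactive passphrase (or a TPM policy that measures the kernel command line); revisit if that changes.` The second hunk of the same file also turns on `boot.secure-boot.enable`; whether an edited command line is still honoured for signed UKIs under Secure Boot depends on the stub, so it is worth verifying the editor actually has an effect on this host before relying on it for debugging.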
26
options/system/boot/default.nix
Normal file
26
options/system/boot/default.nix
Normal file
|
@ -0,0 +1,26 @@
|
|||
{ config, lib, pkgs, ...}: let
|
||||
inherit (lib) mkOption mkEnableOption literalExpression;
|
||||
|
||||
cfg = config.myOptions.system.boot;
|
||||
in {
|
||||
imports = [
|
||||
./secure-boot.nix
|
||||
];
|
||||
|
||||
options.myOptions.system.boot = {
|
||||
kernel = mkOption {
|
||||
type = with lib.types; nullOr raw;
|
||||
default = pkgs.linuxPackages_latest;
|
||||
example = literalExpression "pkgs.linuxPackages_latest";
|
||||
description = "The kernel to use for the system.";
|
||||
};
|
||||
|
||||
tmpOnTmpfs =
|
||||
mkEnableOption ''
|
||||
`/tmp` living on tmpfs. false means it will be cleared manually on each reboot
|
||||
|
||||
This option defaults to `true` if the host provides patches to the kernel package in
|
||||
`boot.kernelPatches`
|
||||
'';
|
||||
};
|
||||
}
|
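Review bot: `kernel` is declared with type `nullOr raw`, but nothing in this commit handles a null value: system/boot/generic.nix assigns `kernelPackages = cfg.kernel;` unconditionally, so a host setting `kernel = null` would fail evaluation instead of falling back to the NixOS default. Either drop `nullOr` so the type matches the consumer, or guard the consumer with `kernelPackages = lib.mkIf (cfg.kernel != null) cfg.kernel;`. The `tmpOnTmpfs` description also claims the option "defaults to `true` if the host provides patches to the kernel package in `boot.kernelPatches`", yet `mkEnableOption` defaults to false and no such conditional default appears anywhere in the commit; that sentence looks carried over from another configuration and should be removed or implemented. The `cfg` binding in this file is unused and can go.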
|
@ -2,8 +2,8 @@
|
|||
inherit (lib) mkEnableOption;
|
||||
in
|
||||
{
|
||||
options.myOptions.system.secure-boot = {
|
||||
enabled = mkEnableOption ''
|
||||
options.myOptions.system.boot.secure-boot = {
|
||||
enable = mkEnableOption ''
|
||||
secure-boot using lanzaboote.
|
||||
|
||||
Note that you will need to have UEFI firmware, and the rebuild
|
|
@ -3,8 +3,8 @@
|
|||
in
|
||||
{
|
||||
imports = [
|
||||
./boot
|
||||
./impermanence.nix
|
||||
./secure-boot.nix
|
||||
];
|
||||
|
||||
options.myOptions.system = {
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
_: {
|
||||
imports = [
|
||||
./systemd-boot.nix
|
||||
./loaders
|
||||
./generic.nix
|
||||
./secure-boot.nix
|
||||
./initrd.nix
|
||||
];
|
||||
}
|
||||
|
|
42
system/boot/generic.nix
Normal file
42
system/boot/generic.nix
Normal file
|
@ -0,0 +1,42 @@
|
|||
{ config, lib, ... }: let
|
||||
inherit (lib) mkDefault;
|
||||
|
||||
cfg = config.myOptions.system.boot;
|
||||
in {
|
||||
config.boot = {
|
||||
# kernel console loglevel
|
||||
consoleLogLevel = 3;
|
||||
|
||||
# The NixOS default is to use an lts kernel, which can be quite old.
|
||||
# My configuration defaults to the latest kernel instead
|
||||
kernelPackages = cfg.kernel;
|
||||
|
||||
loader = {
|
||||
# if set to 0, space needs to be held to get the boot menu to appear
|
||||
timeout = 2;
|
||||
|
||||
# whether to copy the necessary boot files into /boot
|
||||
# so that /nix/store is not needed by the boot loader.
|
||||
generationsDir.copyKernels = true;
|
||||
|
||||
# allow installation to modify EFI variables
|
||||
efi.canTouchEfiVariables = true;
|
||||
};
|
||||
|
||||
tmp = {
|
||||
# /tmp on tmpfs, lets it live on your ram
|
||||
# it defaults to false, which means you will use disk space instead of ram
|
||||
# enable tmpfs tmp on anything where you have ram to spare
|
||||
useTmpfs = cfg.tmpOnTmpfs;
|
||||
|
||||
# if not using tmpfs, which is naturally purged on reboot, we must clean
|
||||
# /tmp ourselves. /tmp should be volatile storage!
|
||||
cleanOnBoot = mkDefault (!cfg.tmpOnTmpfs);
|
||||
|
||||
# The size of the tmpfs, in percentage form
|
||||
# this defaults to 50% of your ram, which is a good default
|
||||
# but should be tweaked based on your systems capabilities
|
||||
tmpfsSize = mkDefault "50%";
|
||||
};
|
||||
};
|
||||
}
|
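Review bot: Only `tmp.cleanOnBoot` and `tmp.tmpfsSize` are wrapped in `mkDefault`; `consoleLogLevel`, `kernelPackages`, `loader.timeout`, `generationsDir.copyKernels` and `efi.canTouchEfiVariables` are plain assignments, so a host that sets any of them gets a definition conflict and has to resort to `mkForce`. Since this module is meant as a shared baseline, wrapping those in `mkDefault` as well, e.g. `timeout = mkDefault 2;`, would be consistent with the `tmp` block. The comment on `useTmpfs` says "it defaults to false", which reads as this module's default; it is the upstream NixOS default, while the value here comes from `myOptions.system.boot.tmpOnTmpfs`, so rewording it to say so would avoid confusion.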
24
system/boot/initrd.nix
Normal file
24
system/boot/initrd.nix
Normal file
|
@ -0,0 +1,24 @@
|
|||
{pkgs, ...}: {
|
||||
boot.initrd = {
|
||||
systemd = {
|
||||
# Enable systemd in initrd
|
||||
# I prefe to use systemd in initrd, because it is more powerful than busybox
|
||||
# however, it can result in slightly slower boot times.
|
||||
enable = true;
|
||||
|
||||
# Strip copied binaries and libraries from initrd
|
||||
# saves 30~ MB of space, according to the nix derivation
|
||||
strip = true;
|
||||
|
||||
# Packages to include in the initrd
|
||||
# This is useful for debugging, if the host provides
|
||||
# emergency mode
|
||||
storePaths = with pkgs; [util-linux pciutils];
|
||||
extraBin = {
|
||||
fdisk = "${pkgs.util-linux}/bin/fdisk";
|
||||
lsblk = "${pkgs.util-linux}/bin/lsblk";
|
||||
lspci = "${pkgs.pciutils}/bin/lspci";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
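Review bot: The comment on `storePaths` says the tools are for "if the host provides emergency mode", but nothing in this module controls that; access to the initrd emergency shell is governed by `boot.initrd.systemd.emergencyAccess`, which this commit does not touch, and it would help to say that the extra binaries are only reachable through that shell, e.g. `# Only reachable from the initrd emergency shell (see boot.initrd.systemd.emergencyAccess).` Also fix the typo `# I prefe to use systemd in initrd` to `# I prefer to use systemd in initrd`. Presumably `extraBin` already pulls in the referenced binaries and their closure, in which case listing the full `util-linux` and `pciutils` packages in `storePaths` adds more to the initrd than the three tools need; worth checking the resulting initrd size.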
5
system/boot/loaders/default.nix
Normal file
5
system/boot/loaders/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
imports = [
|
||||
./systemd-boot.nix
|
||||
];
|
||||
}
|
18
system/boot/loaders/systemd-boot.nix
Normal file
18
system/boot/loaders/systemd-boot.nix
Normal file
|
@ -0,0 +1,18 @@
|
|||
{ config, lib, ... }: let
|
||||
cfg = config.myOptions.system.boot;
|
||||
in {
|
||||
boot.loader.systemd-boot = {
|
||||
enable = true;
|
||||
memtest86.enable = true;
|
||||
|
||||
# Enabling the editor will allow anyone to change the kernel params.
|
||||
# This can be useful for debugging, however it is a potential security hole
|
||||
# as this allows setting init=/bin/bash, which will boot directly into bash
|
||||
# as root, bypassing any need for authentication.
|
||||
#
|
||||
# If you're using an encrypted setup, and you can't get into the system without
|
||||
# entering a decryption password (or have TPM release it conditionally, only if
|
||||
# the kernel parameters remain the same), this can safely be enabled.
|
||||
editor = lib.mkDefault false;
|
||||
};
|
||||
}
|
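Review bot: `cfg = config.myOptions.system.boot;` is bound but never used in this file, so the `config` argument is dead as well; either drop the `let` and take `{ lib, ... }`, or, if the intent is for `editor` to follow an option, wire it up. The comment block on `editor` is the right place for the risk description, and since `mkDefault false` is only a soft default that a host hunk in this commit already overrides, it is worth stating that the override carries the obligation, e.g. `# Hosts overriding this must themselves satisfy the passphrase/TPM condition above.`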
|
@ -1,9 +1,9 @@
|
|||
{ config, pkgs, lib, ... }: let
|
||||
inherit (lib) mkIf;
|
||||
|
||||
cfg = config.myOptions.system.secure-boot;
|
||||
cfg = config.myOptions.system.boot.secure-boot;
|
||||
in {
|
||||
config = mkIf cfg.enabled {
|
||||
config = mkIf cfg.enable {
|
||||
# Secure Boot Key Manager
|
||||
environment.systemPackages = [ pkgs.sbctl ];
|
||||
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
_: {
|
||||
boot.loader = {
|
||||
systemd-boot = {
|
||||
enable = true;
|
||||
memtest86.enable = true;
|
||||
editor = true;
|
||||
};
|
||||
efi.canTouchEfiVariables = true;
|
||||
timeout = 3;
|
||||
};
|
||||
}
|