From 0b6b98c6dedd66dd3645e5e3f64fd705183d45d8 Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Fri, 12 Apr 2024 20:57:52 +0200
Subject: [PATCH] Update boot options
---
 docs/99_MY_FLAKE.md | 13 +++++--
 hosts/herugrim/default.nix | 11 +++++-
 options/system/boot/default.nix | 26 ++++++++++++++
 options/system/{ => boot}/secure-boot.nix | 4 +--
 options/system/default.nix | 2 +-
 system/boot/default.nix | 4 ++-
 system/boot/generic.nix | 42 +++++++++++++++++++++++
 system/boot/initrd.nix | 24 +++++++++++++
 system/boot/loaders/default.nix | 5 +++
 system/boot/loaders/systemd-boot.nix | 18 ++++++++++
 system/boot/secure-boot.nix | 4 +--
 system/boot/systemd-boot.nix | 11 ------
 12 files changed, 143 insertions(+), 21 deletions(-)
 create mode 100644 options/system/boot/default.nix
 rename options/system/{ => boot}/secure-boot.nix (87%)
 create mode 100644 system/boot/generic.nix
 create mode 100644 system/boot/initrd.nix
 create mode 100644 system/boot/loaders/default.nix
 create mode 100644 system/boot/loaders/systemd-boot.nix
 delete mode 100644 system/boot/systemd-boot.nix
diff --git a/docs/99_MY_FLAKE.md b/docs/99_MY_FLAKE.md
index 0ccd179..8185030 100644
--- a/docs/99_MY_FLAKE.md
+++ b/docs/99_MY_FLAKE.md
@@ -134,14 +134,21 @@ The resulting file should then look something like this:
 # };
 #};
- # Enable secure boot (requires running some commands afterwards, see the
- # option's docs)
- #secure-boot.enabled = true;
+ boot = {
+ # Enable secure boot (requires running some commands afterwards, see the
+ # option's docs before enabling)
+ #secure-boot.enable = true;
+
+ # I have enough RAM to afford using tmpfs for /tmp
+ tmpOnTmpfs = true;
+ };
 };
+
 device = {
 virtual-machine = false;
 cpu.type = "intel";
 };
+
 home-manager = {
 enabled = true;
 stateVersion = "23.11";
diff --git a/hosts/herugrim/default.nix b/hosts/herugrim/default.nix
index 770da1c..f64e553 100644
--- a/hosts/herugrim/default.nix
+++ b/hosts/herugrim/default.nix
@@ -6,6 +6,12 @@
 boot.supportedFilesystems = [ "btrfs" ];
+ # My flake disables this by default for security reasons. However,
+ # with an encrypted setup, which requires entering password before
+ # booting anyways, this is not a security concern, and changing the
+ # kernel params can be useful for debugging.
+ boot.loader.systemd-boot.editor = true;
+
 nix.settings = {
 max-jobs = 6;
 cores = 6;
@@ -38,7 +44,10 @@
 };
 };
- secure-boot.enabled = true;
+ boot = {
+ secure-boot.enable = true;
+ tmpOnTmpfs = true;
+ };
 };
 device = {
diff --git a/options/system/boot/default.nix b/options/system/boot/default.nix
new file mode 100644
index 0000000..3b06b2e
--- /dev/null
+++ b/options/system/boot/default.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ...}: let
+ inherit (lib) mkOption mkEnableOption literalExpression;
+
+ cfg = config.myOptions.system.boot;
+in {
+ imports = [
+ ./secure-boot.nix
+ ];
+
+ options.myOptions.system.boot = {
+ kernel = mkOption {
+ type = with lib.types; nullOr raw;
+ default = pkgs.linuxPackages_latest;
+ example = literalExpression "pkgs.linuxPackages_latest";
+ description = "The kernel to use for the system.";
+ };
+
+ tmpOnTmpfs =
+ mkEnableOption ''
+ `/tmp` living on tmpfs. false means it will be cleared manually on each reboot
+
+ This option defaults to `true` if the host provides patches to the kernel package in
+ `boot.kernelPatches`
+ '';
+ };
+}
diff --git a/options/system/secure-boot.nix b/options/system/boot/secure-boot.nix
similarity index 87%
rename from options/system/secure-boot.nix
rename to options/system/boot/secure-boot.nix
index 1cd77c7..489a632 100644
--- a/options/system/secure-boot.nix
+++ b/options/system/boot/secure-boot.nix
@@ -2,8 +2,8 @@
 inherit (lib) mkEnableOption;
 in {
- options.myOptions.system.secure-boot = {
- enabled = mkEnableOption ''
+ options.myOptions.system.boot.secure-boot = {
+ enable = mkEnableOption '' + secure-boot using lanzaboote. + + Note that you will need to have UEFI firmware, and the rebuild
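Review bot: The comment justifying `boot.loader.systemd-boot.editor = true` in hosts/herugrim/default.nix says an encrypted setup makes the editor "not a security concern", but that holds only while the volume key is entered by hand at boot; the hunk shows nothing about how this host unlocks its disk, and the editor's own rationale in `system/boot/loaders/systemd-boot.nix` (same commit) already narrows the TPM case to a release bound to unchanged kernel parameters. Suggest stating the precondition in the comment so it gets revisited if unlocking ever becomes automatic, e.g. `# Safe only because the disk key is typed manually at boot; revisit if TPM auto-unlock is ever added.`. The second hunk also turns on secure-boot via lanzaboote for this host, which as far as I know signs a unified image carrying the kernel command line, so whether loader-side edits even take effect under Secure Boot is worth confirming before relying on the editor for debugging. The enclosing attribute set starts outside the hunk.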
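Review bot: The `tmpOnTmpfs` description in options/system/boot/default.nix is wrong on two counts: the option is declared with `mkEnableOption`, so it defaults to `false` regardless of `boot.kernelPatches` (the second paragraph reads like a leftover from a different option's text), and with the option off `/tmp` is cleared automatically at boot rather than "manually", which is what this commit's `system/boot/generic.nix` does through `cleanOnBoot`. Suggest replacing the description with `Whether /tmp lives on tmpfs. When disabled, /tmp stays on disk and is cleared automatically on every boot instead.`. Separately, `kernel` is typed `nullOr raw` while nothing in this commit handles a null value before `system/boot/generic.nix` hands it to `boot.kernelPackages`, so a host setting it to null would fail only deep inside NixOS's kernel evaluation; dropping `nullOr` makes the type match both the default and the single consumer.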
diff --git a/options/system/default.nix b/options/system/default.nix
index f6b7f95..70204e3 100644
--- a/options/system/default.nix
+++ b/options/system/default.nix
@@ -3,8 +3,8 @@
 in {
 imports = [
+ ./boot
 ./impermanence.nix
- ./secure-boot.nix
 ];
 options.myOptions.system = {
diff --git a/system/boot/default.nix b/system/boot/default.nix
index 57a3683..971ffd6 100644
--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -1,6 +1,8 @@
 _: {
 imports = [
- ./systemd-boot.nix
+ ./loaders
+ ./generic.nix
 ./secure-boot.nix
+ ./initrd.nix
 ];
 }
diff --git a/system/boot/generic.nix b/system/boot/generic.nix
new file mode 100644
index 0000000..4c82521
--- /dev/null
+++ b/system/boot/generic.nix
@@ -0,0 +1,42 @@
+{ config, lib, ... }: let
+ inherit (lib) mkDefault;
+
+ cfg = config.myOptions.system.boot;
+in {
+ config.boot = {
+ # kernel console loglevel
+ consoleLogLevel = 3;
+
+ # The NixOS default is to use an lts kernel, which can be quite old.
+ # My configuration defaults to the latest kernel instead
+ kernelPackages = cfg.kernel;
+
+ loader = {
+ # if set to 0, space needs to be held to get the boot menu to appear
+ timeout = 2;
+
+ # whether to copy the necessary boot files into /boot
+ # so that /nix/store is not needed by the boot loader.
+ generationsDir.copyKernels = true;
+
+ # allow installation to modify EFI variables
+ efi.canTouchEfiVariables = true;
+ };
+
+ tmp = {
+ # /tmp on tmpfs, lets it live on your ram
+ # it defaults to false, which means you will use disk space instead of ram
+ # enable tmpfs tmp on anything where you have ram to spare
+ useTmpfs = cfg.tmpOnTmpfs;
+
+ # if not using tmpfs, which is naturally purged on reboot, we must clean
+ # /tmp ourselves. /tmp should be volatile storage!
+ cleanOnBoot = mkDefault (!cfg.tmpOnTmpfs);
+
+ # The size of the tmpfs, in percentage form
+ # this defaults to 50% of your ram, which is a good default
+ # but should be tweaked based on your systems capabilities
+ tmpfsSize = mkDefault "50%";
+ };
+ };
+}
diff --git a/system/boot/initrd.nix b/system/boot/initrd.nix
new file mode 100644
index 0000000..e686fdd
--- /dev/null
+++ b/system/boot/initrd.nix
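Review bot: `kernelPackages = cfg.kernel;` in system/boot/generic.nix is an unconditional definition while the comment above it describes a default; a host that sets `boot.kernelPackages` directly, the usual NixOS idiom, would get a conflicting-definition error instead of an override unless it goes through `myOptions.system.boot.kernel`. `kernelPackages = mkDefault cfg.kernel;` (mkDefault is already inherited at the top of the file) would match the wording and the treatment of `cleanOnBoot` and `tmpfsSize` further down. The same consideration applies to `efi.canTouchEfiVariables = true`, which a host installed without EFI-variable access would otherwise have to `mkForce` off.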
@@ -0,0 +1,24 @@
+{pkgs, ...}: {
+ boot.initrd = {
+ systemd = {
+ # Enable systemd in initrd
+ # I prefe to use systemd in initrd, because it is more powerful than busybox
+ # however, it can result in slightly slower boot times.
+ enable = true;
+
+ # Strip copied binaries and libraries from initrd
+ # saves 30~ MB of space, according to the nix derivation
+ strip = true;
+
+ # Packages to include in the initrd
+ # This is useful for debugging, if the host provides
+ # emergency mode
+ storePaths = with pkgs; [util-linux pciutils];
+ extraBin = {
+ fdisk = "${pkgs.util-linux}/bin/fdisk";
+ lsblk = "${pkgs.util-linux}/bin/lsblk";
+ lspci = "${pkgs.pciutils}/bin/lspci";
+ };
+ };
+ };
+}
diff --git a/system/boot/loaders/default.nix b/system/boot/loaders/default.nix
new file mode 100644
index 0000000..82c3c2a
--- /dev/null
+++ b/system/boot/loaders/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./systemd-boot.nix
+ ];
+}
diff --git a/system/boot/loaders/systemd-boot.nix b/system/boot/loaders/systemd-boot.nix
new file mode 100644
index 0000000..68c406b
--- /dev/null
+++ b/system/boot/loaders/systemd-boot.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }: let
+ cfg = config.myOptions.system.boot;
+in {
+ boot.loader.systemd-boot = {
+ enable = true;
+ memtest86.enable = true;
+
+ # Enabling the editor will allow anyone to change the kernel params.
+ # This can be useful for debugging, however it is a potential security hole
+ # as this allows setting init=/bin/bash, which will boot directly into bash
+ # as root, bypassing any need for authentication.
+ #
+ # If you're using an encrypted setup, and you can't get into the system without
+ # entering a decryption password (or have TPM release it conditionally, only if
+ # the kernel parameters remain the same), this can safely be enabled.
+ editor = lib.mkDefault false;
+ };
+}
diff --git a/system/boot/secure-boot.nix b/system/boot/secure-boot.nix
index baee854..5dc1e34 100644
--- a/system/boot/secure-boot.nix
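Review bot: The comment on `storePaths`/`extraBin` in system/boot/initrd.nix says the tools are for debugging "if the host provides emergency mode", but nothing in this commit configures the initrd emergency shell, and with `boot.initrd.systemd.enable = true` that shell stays behind `boot.initrd.systemd.emergencyAccess`, which defaults to false, so the added binaries are unreachable unless a host deliberately opts in. That is the right default to keep, and the comment should say so rather than leave the reader guessing: `# Only reachable from the initrd emergency shell, which stays gated by emergencyAccess (default off) unless a host opts in.`. Also `prefe` in the enable comment should read `prefer`.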
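Review bot: `cfg` in system/boot/loaders/systemd-boot.nix is bound from `config.myOptions.system.boot` but never used, and `config` is only taken for that binding; either drop both (`{ lib, ... }: {`) or use them. While here, `enable = true` and `memtest86.enable = true` are unconditional even though the file now lives under a `loaders/` directory, so a host wanting a different loader would need `mkForce`; `enable = lib.mkDefault true;` keeps the default while leaving it overridable, matching how `editor` is handled a few lines below.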
+++ b/system/boot/secure-boot.nix
@@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }: let
 inherit (lib) mkIf;
- cfg = config.myOptions.system.secure-boot;
+ cfg = config.myOptions.system.boot.secure-boot;
 in {
- config = mkIf cfg.enabled {
+ config = mkIf cfg.enable {
 # Secure Boot Key Manager
 environment.systemPackages = [ pkgs.sbctl ];
diff --git a/system/boot/systemd-boot.nix b/system/boot/systemd-boot.nix
deleted file mode 100644
index 9b8864c..0000000
--- a/system/boot/systemd-boot.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-_: {
- boot.loader = {
- systemd-boot = {
- enable = true;
- memtest86.enable = true;
- editor = true;
- };
- efi.canTouchEfiVariables = true;
- timeout = 3;
- };
-}