Update boot options

system/boot/default.nix

@@ -1,6 +1,8 @@
 _: {
   imports = [
-    ./systemd-boot.nix
+    ./loaders
+    ./generic.nix
     ./secure-boot.nix
+    ./initrd.nix
   ];
 }

system/boot/generic.nix

@@ -0,0 +1,42 @@
+{ config, lib, ... }: let
+  inherit (lib) mkDefault;
+
+  cfg = config.myOptions.system.boot;
+in {
+  config.boot = {
+    # kernel console loglevel
+    consoleLogLevel = 3;
+
+    # The NixOS default is to use an lts kernel, which can be quite old.
+    # My configuration defaults to the latest kernel instead
+    kernelPackages = cfg.kernel;
+
+    loader = {
+      # if set to 0, space needs to be held to get the boot menu to appear
+      timeout = 2;
+
+      # whether to copy the necessary boot files into /boot
+      # so that /nix/store is not needed by the boot loader.
+      generationsDir.copyKernels = true;
+
+      # allow installation to modify EFI variables
+      efi.canTouchEfiVariables = true;
+    };
+
+    tmp = {
+      # /tmp on tmpfs, lets it live on your ram
+      # it defaults to false, which means you will use disk space instead of ram 
+      # enable tmpfs tmp on anything where you have ram to spare
+      useTmpfs = cfg.tmpOnTmpfs;
+
+      # if not using tmpfs, which is naturally purged on reboot, we must clean
+      # /tmp ourselves. /tmp should be volatile storage!
+      cleanOnBoot = mkDefault (!cfg.tmpOnTmpfs);
+
+      # The size of the tmpfs, in percentage form
+      # this defaults to 50% of your ram, which is a good default
+      # but should be tweaked based on your systems capabilities
+      tmpfsSize = mkDefault "50%";
+    };
+  };
+}

system/boot/initrd.nix

@@ -0,0 +1,24 @@
+{pkgs, ...}: {
+  boot.initrd = {
+    systemd = {
+      # Enable systemd in initrd
+      # I prefe to use systemd in initrd, because it is more powerful than busybox
+      # however, it can result in slightly slower boot times.
+      enable = true;
+
+      # Strip copied binaries and libraries from initrd
+      # saves 30~ MB of space, according to the nix derivation
+      strip = true;
+
+      # Packages to include in the initrd
+      # This is useful for debugging, if the host provides
+      # emergency mode
+      storePaths = with pkgs; [util-linux pciutils];
+      extraBin = {
+        fdisk = "${pkgs.util-linux}/bin/fdisk";
+        lsblk = "${pkgs.util-linux}/bin/lsblk";
+        lspci = "${pkgs.pciutils}/bin/lspci";
+      };
+    };
+  };
+}

system/boot/loaders/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./systemd-boot.nix
+  ];
+}

system/boot/loaders/systemd-boot.nix

@@ -0,0 +1,18 @@
+{ config, lib, ... }: let 
+  cfg = config.myOptions.system.boot;
+in {
+  boot.loader.systemd-boot = {
+    enable = true;
+    memtest86.enable = true;
+
+    # Enabling the editor will allow anyone to change the kernel params.
+    # This can be useful for debugging, however it is a potential security hole
+    # as this allows setting init=/bin/bash, which will boot directly into bash
+    # as root, bypassing any need for authentication.
+    #
+    # If you're using an encrypted setup, and you can't get into the system without
+    # entering a decryption password (or have TPM release it conditionally, only if
+    # the kernel parameters remain the same), this can safely be enabled.
+    editor = lib.mkDefault false;
+  };
+}

system/boot/secure-boot.nix

@@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }: let
   inherit (lib) mkIf;
 
-  cfg = config.myOptions.system.secure-boot;
+  cfg = config.myOptions.system.boot.secure-boot;
 in {
-  config = mkIf cfg.enabled {
+  config = mkIf cfg.enable {
     # Secure Boot Key Manager
     environment.systemPackages = [ pkgs.sbctl ];
 

system/boot/systemd-boot.nix

@@ -1,11 +0,0 @@
-_: {
-  boot.loader = {
-    systemd-boot = {
-      enable = true;
-      memtest86.enable = true;
-      editor = true;
-    };
-    efi.canTouchEfiVariables = true;
-    timeout = 3;
-  };
-}