Update boot options

docs/99_MY_FLAKE.md

@@ -134,14 +134,21 @@ The resulting file should then look something like this:
       #  };
       #};
 
+      boot = {
         # Enable secure boot (requires running some commands afterwards, see the
-      # option's docs)
-      #secure-boot.enabled = true;
+        # option's docs before enabling)
+        #secure-boot.enable = true;
+
+        # I have enough RAM to afford using tmpfs for /tmp
+        tmpOnTmpfs = true;
       };
+    };
+
     device = {
       virtual-machine = false;
       cpu.type = "intel";
     };
+
     home-manager = {
       enabled = true;
       stateVersion = "23.11";

hosts/herugrim/default.nix

@@ -6,6 +6,12 @@
 
   boot.supportedFilesystems = [ "btrfs" ];
 
+  # My flake disables this by default for security reasons. However,
+  # with an encrypted setup, which requires entering password before
+  # booting anyways, this is not a security concern, and changing the
+  # kernel params can be useful for debugging.
+  boot.loader.systemd-boot.editor = true;
+
   nix.settings = {
     max-jobs = 6;
     cores = 6;
@@ -38,7 +44,10 @@
         };
       };
 
-      secure-boot.enabled = true;
+      boot = {
+        secure-boot.enable = true;
+        tmpOnTmpfs = true;
+      };
     };
 
     device = {

options/system/boot/default.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ...}: let
+  inherit (lib) mkOption mkEnableOption literalExpression;
+
+  cfg = config.myOptions.system.boot;
+in {
+  imports = [
+    ./secure-boot.nix
+  ];
+
+  options.myOptions.system.boot = {
+    kernel = mkOption {
+      type = with lib.types; nullOr raw;
+      default = pkgs.linuxPackages_latest;
+      example = literalExpression "pkgs.linuxPackages_latest";
+      description = "The kernel to use for the system.";
+    };
+
+    tmpOnTmpfs =
+      mkEnableOption ''
+        `/tmp` living on tmpfs. false means it will be cleared manually on each reboot
+
+        This option defaults to `true` if the host provides patches to the kernel package in
+        `boot.kernelPatches`
+      '';
+  };
+}

options/system/boot/secure-boot.nix

@@ -2,8 +2,8 @@
   inherit (lib) mkEnableOption;
 in
 {
-  options.myOptions.system.secure-boot = {
-     enabled = mkEnableOption ''
+  options.myOptions.system.boot.secure-boot = {
+     enable = mkEnableOption ''
       secure-boot using lanzaboote.
 
       Note that you will need to have UEFI firmware, and the rebuild

options/system/default.nix

@@ -3,8 +3,8 @@
 in
 {
   imports = [
+    ./boot
     ./impermanence.nix
-    ./secure-boot.nix
   ];
 
   options.myOptions.system = {

system/boot/default.nix

@@ -1,6 +1,8 @@
 _: {
   imports = [
-    ./systemd-boot.nix
+    ./loaders
+    ./generic.nix
     ./secure-boot.nix
+    ./initrd.nix
   ];
 }

system/boot/generic.nix

@@ -0,0 +1,42 @@
+{ config, lib, ... }: let
+  inherit (lib) mkDefault;
+
+  cfg = config.myOptions.system.boot;
+in {
+  config.boot = {
+    # kernel console loglevel
+    consoleLogLevel = 3;
+
+    # The NixOS default is to use an lts kernel, which can be quite old.
+    # My configuration defaults to the latest kernel instead
+    kernelPackages = cfg.kernel;
+
+    loader = {
+      # if set to 0, space needs to be held to get the boot menu to appear
+      timeout = 2;
+
+      # whether to copy the necessary boot files into /boot
+      # so that /nix/store is not needed by the boot loader.
+      generationsDir.copyKernels = true;
+
+      # allow installation to modify EFI variables
+      efi.canTouchEfiVariables = true;
+    };
+
+    tmp = {
+      # /tmp on tmpfs, lets it live on your ram
+      # it defaults to false, which means you will use disk space instead of ram 
+      # enable tmpfs tmp on anything where you have ram to spare
+      useTmpfs = cfg.tmpOnTmpfs;
+
+      # if not using tmpfs, which is naturally purged on reboot, we must clean
+      # /tmp ourselves. /tmp should be volatile storage!
+      cleanOnBoot = mkDefault (!cfg.tmpOnTmpfs);
+
+      # The size of the tmpfs, in percentage form
+      # this defaults to 50% of your ram, which is a good default
+      # but should be tweaked based on your systems capabilities
+      tmpfsSize = mkDefault "50%";
+    };
+  };
+}

system/boot/initrd.nix

@@ -0,0 +1,24 @@
+{pkgs, ...}: {
+  boot.initrd = {
+    systemd = {
+      # Enable systemd in initrd
+      # I prefe to use systemd in initrd, because it is more powerful than busybox
+      # however, it can result in slightly slower boot times.
+      enable = true;
+
+      # Strip copied binaries and libraries from initrd
+      # saves 30~ MB of space, according to the nix derivation
+      strip = true;
+
+      # Packages to include in the initrd
+      # This is useful for debugging, if the host provides
+      # emergency mode
+      storePaths = with pkgs; [util-linux pciutils];
+      extraBin = {
+        fdisk = "${pkgs.util-linux}/bin/fdisk";
+        lsblk = "${pkgs.util-linux}/bin/lsblk";
+        lspci = "${pkgs.pciutils}/bin/lspci";
+      };
+    };
+  };
+}

system/boot/loaders/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./systemd-boot.nix
+  ];
+}

system/boot/loaders/systemd-boot.nix

@@ -0,0 +1,18 @@
+{ config, lib, ... }: let 
+  cfg = config.myOptions.system.boot;
+in {
+  boot.loader.systemd-boot = {
+    enable = true;
+    memtest86.enable = true;
+
+    # Enabling the editor will allow anyone to change the kernel params.
+    # This can be useful for debugging, however it is a potential security hole
+    # as this allows setting init=/bin/bash, which will boot directly into bash
+    # as root, bypassing any need for authentication.
+    #
+    # If you're using an encrypted setup, and you can't get into the system without
+    # entering a decryption password (or have TPM release it conditionally, only if
+    # the kernel parameters remain the same), this can safely be enabled.
+    editor = lib.mkDefault false;
+  };
+}

system/boot/secure-boot.nix

@@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }: let
   inherit (lib) mkIf;
 
-  cfg = config.myOptions.system.secure-boot;
+  cfg = config.myOptions.system.boot.secure-boot;
 in {
-  config = mkIf cfg.enabled {
+  config = mkIf cfg.enable {
     # Secure Boot Key Manager
     environment.systemPackages = [ pkgs.sbctl ];
 

system/boot/systemd-boot.nix

@@ -1,11 +0,0 @@
-_: {
-  boot.loader = {
-    systemd-boot = {
-      enable = true;
-      memtest86.enable = true;
-      editor = true;
-    };
-    efi.canTouchEfiVariables = true;
-    timeout = 3;
-  };
-}