Update boot options

ItsDrike 2024-04-12 20:57:52 +02:00
parent cb968bdc07
commit 0b6b98c6de
Signed by: ItsDrike
GPG key ID: FA2745890B7048C0
12 changed files with 143 additions and 21 deletions


@ -134,14 +134,21 @@ The resulting file should then look something like this:
# };
#};
boot = {
# Enable secure boot (requires running some commands afterwards, see the
# option's docs)
#secure-boot.enabled = true;
# option's docs before enabling)
#secure-boot.enable = true;
# I have enough RAM to afford using tmpfs for /tmp
tmpOnTmpfs = true;
};
};
device = {
virtual-machine = false;
cpu.type = "intel";
};
home-manager = {
enabled = true;
stateVersion = "23.11";


@ -6,6 +6,12 @@
boot.supportedFilesystems = [ "btrfs" ];
# My flake disables this by default for security reasons. However,
# with an encrypted setup, which requires entering password before
# booting anyways, this is not a security concern, and changing the
# kernel params can be useful for debugging.
boot.loader.systemd-boot.editor = true;
nix.settings = {
max-jobs = 6;
cores = 6;
@ -38,7 +44,10 @@
};
};
secure-boot.enabled = true;
boot = {
secure-boot.enable = true;
tmpOnTmpfs = true;
};
};
device = {
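Review bot: The comment above `boot.loader.systemd-boot.editor = true;` justifies the override only by the passphrase prompt, so the condition it relies on is easy to lose when the host changes later. The reasoning holds while the root volume is unlocked by a passphrase typed at every boot; if unlocking ever moves to a TPM policy that is not bound to the kernel command line, an edited command line would again bypass authentication. I would add a line such as `# Only valid while the disk is unlocked by a typed passphrase; revert if unlocking moves to the TPM.` The same host sets `secure-boot.enable = true` in the second hunk, so it is also worth confirming whether the signed boot path honours an edited command line at all, which this page does not show.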


@ -0,0 +1,26 @@
{ config, lib, pkgs, ...}: let
inherit (lib) mkOption mkEnableOption literalExpression;
cfg = config.myOptions.system.boot;
in {
imports = [
./secure-boot.nix
];
options.myOptions.system.boot = {
kernel = mkOption {
type = with lib.types; nullOr raw;
default = pkgs.linuxPackages_latest;
example = literalExpression "pkgs.linuxPackages_latest";
description = "The kernel to use for the system.";
};
tmpOnTmpfs =
mkEnableOption ''
`/tmp` living on tmpfs. false means it will be cleared manually on each reboot
This option defaults to `true` if the host provides patches to the kernel package in
`boot.kernelPatches`
'';
};
}
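Review bot: The description passed to `mkEnableOption` for `tmpOnTmpfs` does not match the code in this commit. `mkEnableOption` yields an option that defaults to `false`, nothing visible ties it to `boot.kernelPatches`, and the generic boot module sets `cleanOnBoot = mkDefault (!cfg.tmpOnTmpfs)`, so `/tmp` is cleaned automatically rather than manually. I would shorten it to `/tmp living on tmpfs. When disabled, /tmp stays on disk and is cleaned on each boot`. The `cfg` binding in the `let` is unused in this file, and the same unused `cfg` appears in the new systemd-boot loader module; both can be dropped.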


@ -2,8 +2,8 @@
inherit (lib) mkEnableOption;
in
{
options.myOptions.system.secure-boot = {
enabled = mkEnableOption ''
options.myOptions.system.boot.secure-boot = {
enable = mkEnableOption ''
secure-boot using lanzaboote.
Note that you will need to have UEFI firmware, and the rebuild


@ -3,8 +3,8 @@
in
{
imports = [
./boot
./impermanence.nix
./secure-boot.nix
];
options.myOptions.system = {


@ -1,6 +1,8 @@
_: {
imports = [
./systemd-boot.nix
./loaders
./generic.nix
./secure-boot.nix
./initrd.nix
];
}

42
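--- /dev/null
+++ b/system/boot/generic.nix
@@ -0,0 +1,42 @@
+{ config, lib, ... }: let
+inherit (lib) mkDefault;
+cfg = config.myOptions.system.boot;
+in {
+config.boot = {
+# kernel console loglevel
+consoleLogLevel = 3;
+# The NixOS default is to use an lts kernel, which can be quite old.
+# My configuration defaults to the latest kernel instead
+kernelPackages = cfg.kernel;
+loader = {
+# if set to 0, space needs to be held to get the boot menu to appear
+timeout = 2;
+# whether to copy the necessary boot files into /boot
+# so that /nix/store is not needed by the boot loader.
+generationsDir.copyKernels = true;
+# allow installation to modify EFI variables
+efi.canTouchEfiVariables = true;
+};
+tmp = {
+# /tmp on tmpfs, lets it live on your ram
+# it defaults to false, which means you will use disk space instead of ram
+# enable tmpfs tmp on anything where you have ram to spare
+useTmpfs = cfg.tmpOnTmpfs;
+# if not using tmpfs, which is naturally purged on reboot, we must clean
+# /tmp ourselves. /tmp should be volatile storage!
+cleanOnBoot = mkDefault (!cfg.tmpOnTmpfs);
+# The size of the tmpfs, in percentage form
+# this defaults to 50% of your ram, which is a good default
+# but should be tweaked based on your systems capabilities
+tmpfsSize = mkDefault "50%";
+};
+};
+}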
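Review bot: `kernelPackages = cfg.kernel;` passes the option value through unconditionally, while the option is declared as `nullOr raw`. A host that sets `kernel = null` would hand `null` to `boot.kernelPackages`, which presumably expects a package set and would fail with an error that does not point back to this option. Either drop `nullOr` from the option type or guard the assignment, e.g. `kernelPackages = lib.mkIf (cfg.kernel != null) cfg.kernel;`. The comment above the line could also say that the default comes from the `kernel` option, since `linuxPackages_latest` is not named in this file.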

24
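--- /dev/null
+++ b/system/boot/initrd.nix
@@ -0,0 +1,24 @@
+{pkgs, ...}: {
+boot.initrd = {
+systemd = {
+# Enable systemd in initrd
+# I prefe to use systemd in initrd, because it is more powerful than busybox
+# however, it can result in slightly slower boot times.
+enable = true;
+# Strip copied binaries and libraries from initrd
+# saves 30~ MB of space, according to the nix derivation
+strip = true;
+# Packages to include in the initrd
+# This is useful for debugging, if the host provides
+# emergency mode
+storePaths = with pkgs; [util-linux pciutils];
+extraBin = {
+fdisk = "${pkgs.util-linux}/bin/fdisk";
+lsblk = "${pkgs.util-linux}/bin/lsblk";
+lspci = "${pkgs.pciutils}/bin/lspci";
+};
+};
+};
+}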
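Review bot: `storePaths = with pkgs; [util-linux pciutils];` adds both packages to the initrd, while `extraBin` only exposes `fdisk`, `lsblk` and `lspci`. If those three tools are all that is wanted, the `storePaths` line may be redundant and works against the space saved by `strip = true`; this is worth confirming against the built initrd. The comment "if the host provides emergency mode" should also say where that access is configured, because nothing in this file enables it. Two small comment fixes: `prefe` should read `prefer`, and `30~ MB` should read `~30 MB`.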


@ -0,0 +1,5 @@
{
imports = [
./systemd-boot.nix
];
}


@ -0,0 +1,18 @@
{ config, lib, ... }: let
cfg = config.myOptions.system.boot;
in {
boot.loader.systemd-boot = {
enable = true;
memtest86.enable = true;
# Enabling the editor will allow anyone to change the kernel params.
# This can be useful for debugging, however it is a potential security hole
# as this allows setting init=/bin/bash, which will boot directly into bash
# as root, bypassing any need for authentication.
#
# If you're using an encrypted setup, and you can't get into the system without
# entering a decryption password (or have TPM release it conditionally, only if
# the kernel parameters remain the same), this can safely be enabled.
editor = lib.mkDefault false;
};
}


@ -1,9 +1,9 @@
{ config, pkgs, lib, ... }: let
inherit (lib) mkIf;
cfg = config.myOptions.system.secure-boot;
cfg = config.myOptions.system.boot.secure-boot;
in {
config = mkIf cfg.enabled {
config = mkIf cfg.enable {
# Secure Boot Key Manager
environment.systemPackages = [ pkgs.sbctl ];


@ -1,11 +0,0 @@
_: {
boot.loader = {
systemd-boot = {
enable = true;
memtest86.enable = true;
editor = true;
};
efi.canTouchEfiVariables = true;
timeout = 3;
};
}