Update boot options
This commit is contained in:
parent
cb968bdc07
commit
e89b387e72
|
@ -134,14 +134,21 @@ The resulting file should then look something like this:
|
||||||
# };
|
# };
|
||||||
#};
|
#};
|
||||||
|
|
||||||
# Enable secure boot (requires running some commands afterwards, see the
|
boot = {
|
||||||
# option's docs)
|
# Enable secure boot (requires running some commands afterwards, see the
|
||||||
#secure-boot.enabled = true;
|
# option's docs before enabling)
|
||||||
|
#secure-boot.enable = true;
|
||||||
|
|
||||||
|
# I have enough RAM to afford using tmpfs for /tmp
|
||||||
|
tmpOnTmpfs = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
device = {
|
device = {
|
||||||
virtual-machine = false;
|
virtual-machine = false;
|
||||||
cpu.type = "intel";
|
cpu.type = "intel";
|
||||||
};
|
};
|
||||||
|
|
||||||
home-manager = {
|
home-manager = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
stateVersion = "23.11";
|
stateVersion = "23.11";
|
||||||
|
|
|
@ -6,6 +6,12 @@
|
||||||
|
|
||||||
boot.supportedFilesystems = [ "btrfs" ];
|
boot.supportedFilesystems = [ "btrfs" ];
|
||||||
|
|
||||||
|
# My flake disables this by default for security reasons. However,
|
||||||
|
# with an encrypted setup, which requires entering password before
|
||||||
|
# booting anyways, this is not a security concern, and changing the
|
||||||
|
# kernel params can be useful for debugging.
|
||||||
|
boot.loader.systemd-boot.editor = true;
|
||||||
|
|
||||||
nix.settings = {
|
nix.settings = {
|
||||||
max-jobs = 6;
|
max-jobs = 6;
|
||||||
cores = 6;
|
cores = 6;
|
||||||
|
@ -38,7 +44,10 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
secure-boot.enabled = true;
|
boot = {
|
||||||
|
secure-boot.enable = true;
|
||||||
|
tmpOnTmpfs = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
device = {
|
device = {
|
||||||
|
|
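Review bot: The host-level `boot.loader.systemd-boot.editor = true;` in the first hunk is justified only by the interactive LUKS passphrase mentioned in the comment above it, but nothing ties the override to that condition, so a later switch to TPM-released keys (the exact case the comment in system/boot/loaders/systemd-boot.nix calls out) would silently leave the editor open. I would make the dependency explicit in the comment rather than leave it implied: `# Only acceptable while the root fs needs an interactive passphrase at boot; revisit if TPM auto-unlock is ever configured.` The `boot = { secure-boot.enable = true; tmpOnTmpfs = true; }` block in the second hunk matches the renamed options and needs no change. Both hunks sit inside an attribute set whose start and end are outside the hunk.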
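--- /dev/null
+++ b/options/system/boot/default.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ...}: let
+inherit (lib) mkOption mkEnableOption literalExpression;
+
+cfg = config.myOptions.system.boot;
+in {
+imports = [
+./secure-boot.nix
+];
+
+options.myOptions.system.boot = {
+kernel = mkOption {
+type = with lib.types; nullOr raw;
+default = pkgs.linuxPackages_latest;
+example = literalExpression "pkgs.linuxPackages_latest";
+description = "The kernel to use for the system.";
+};
+
+tmpOnTmpfs =
+mkEnableOption ''
+`/tmp` living on tmpfs. false means it will be cleared manually on each reboot
+
+This option defaults to `true` if the host provides patches to the kernel package in
+`boot.kernelPatches`
+'';
+};
+}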
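Review bot: The `tmpOnTmpfs` description claims the option defaults to `true` when the host sets `boot.kernelPatches`, but `mkEnableOption` defaults to `false` and nothing in this file or in system/boot/generic.nix implements such a conditional default, so the documentation promises behaviour the code does not have. Either implement the default or drop that sentence; a description that matches the code is `mkEnableOption "/tmp living on tmpfs; when false, /tmp is cleaned on every boot instead"`. Separately, `cfg = config.myOptions.system.boot;` is bound but never read in this file, so the binding and the `config` argument can go.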
@ -2,8 +2,8 @@
|
||||||
inherit (lib) mkEnableOption;
|
inherit (lib) mkEnableOption;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.myOptions.system.secure-boot = {
|
options.myOptions.system.boot.secure-boot = {
|
||||||
enabled = mkEnableOption ''
|
enable = mkEnableOption ''
|
||||||
secure-boot using lanzaboote.
|
secure-boot using lanzaboote.
|
||||||
|
|
||||||
Note that you will need to have UEFI firmware, and the rebuild
|
Note that you will need to have UEFI firmware, and the rebuild
|
|
@ -3,8 +3,8 @@
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
./boot
|
||||||
./impermanence.nix
|
./impermanence.nix
|
||||||
./secure-boot.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
options.myOptions.system = {
|
options.myOptions.system = {
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
_: {
|
_: {
|
||||||
imports = [
|
imports = [
|
||||||
./systemd-boot.nix
|
./loaders
|
||||||
|
./generic.nix
|
||||||
./secure-boot.nix
|
./secure-boot.nix
|
||||||
|
./initrd.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
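--- /dev/null
+++ b/system/boot/generic.nix
@@ -0,0 +1,42 @@
+{ config, lib, ... }: let
+inherit (lib) mkDefault;
+
+cfg = config.myOptions.system.boot;
+in {
+config.boot = {
+# kernel console loglevel
+consoleLogLevel = 3;
+
+# The NixOS default is to use an lts kernel, which can be quite old.
+# My configuration defaults to the latest kernel instead
+kernelPackages = cfg.kernel;
+
+loader = {
+# if set to 0, space needs to be held to get the boot menu to appear
+timeout = 2;
+
+# whether to copy the necessary boot files into /boot
+# so that /nix/store is not needed by the boot loader.
+generationsDir.copyKernels = true;
+
+# allow installation to modify EFI variables
+efi.canTouchEfiVariables = true;
+};
+
+tmp = {
+# /tmp on tmpfs, lets it live on your ram
+# it defaults to false, which means you will use disk space instead of ram
+# enable tmpfs tmp on anything where you have ram to spare
+useTmpfs = cfg.tmpOnTmpfs;
+
+# if not using tmpfs, which is naturally purged on reboot, we must clean
+# /tmp ourselves. /tmp should be volatile storage!
+cleanOnBoot = mkDefault (!cfg.tmpOnTmpfs);
+
+# The size of the tmpfs, in percentage form
+# this defaults to 50% of your ram, which is a good default
+# but should be tweaked based on your systems capabilities
+tmpfsSize = mkDefault "50%";
+};
+};
+}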
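Review bot: `kernelPackages = cfg.kernel;` passes the option value straight to `boot.kernelPackages`, but the option is declared as `nullOr raw` in options/system/boot/default.nix, so a host that sets `kernel = null` gets an evaluation error instead of the NixOS default kernel. Either narrow the option type to `raw` or guard the assignment with `inherit (lib) mkDefault mkIf;` and `kernelPackages = mkIf (cfg.kernel != null) cfg.kernel;`. The `# kernel console loglevel` comment would also be more useful if it said what `3` selects: only kernel messages with a priority below 3 (emerg, alert, crit) are printed to the console, so errors and warnings are suppressed there.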
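--- /dev/null
+++ b/system/boot/initrd.nix
@@ -0,0 +1,24 @@
+{pkgs, ...}: {
+boot.initrd = {
+systemd = {
+# Enable systemd in initrd
+# I prefe to use systemd in initrd, because it is more powerful than busybox
+# however, it can result in slightly slower boot times.
+enable = true;
+
+# Strip copied binaries and libraries from initrd
+# saves 30~ MB of space, according to the nix derivation
+strip = true;
+
+# Packages to include in the initrd
+# This is useful for debugging, if the host provides
+# emergency mode
+storePaths = with pkgs; [util-linux pciutils];
+extraBin = {
+fdisk = "${pkgs.util-linux}/bin/fdisk";
+lsblk = "${pkgs.util-linux}/bin/lsblk";
+lspci = "${pkgs.pciutils}/bin/lspci";
+};
+};
+};
+}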
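Review bot: The comment `# I prefe to use systemd in initrd, ...` has a typo (`prefe` → `prefer`), and `30~ MB` should read `~30 MB`. The `# Packages to include in the initrd` comment should also state when these tools are reachable, since that is what makes them safe to ship: `# Debug tools only reachable from the initrd emergency shell; access to that shell is governed separately by boot.initrd.systemd.emergencyAccess`, an option this commit does not touch. Whether `storePaths` is still needed once `extraBin` references the same packages cannot be confirmed from this page; if `extraBin` already pulls those store paths in, the `storePaths` line is redundant.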
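--- /dev/null
+++ b/system/boot/loaders/default.nix
@@ -0,0 +1,5 @@
+{
+imports = [
+./systemd-boot.nix
+];
+}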
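--- /dev/null
+++ b/system/boot/loaders/systemd-boot.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }: let
+cfg = config.myOptions.system.boot;
+in {
+boot.loader.systemd-boot = {
+enable = true;
+memtest86.enable = true;
+
+# Enabling the editor will allow anyone to change the kernel params.
+# This can be useful for debugging, however it is a potential security hole
+# as this allows setting init=/bin/bash, which will boot directly into bash
+# as root, bypassing any need for authentication.
+#
+# If you're using an encrypted setup, and you can't get into the system without
+# entering a decryption password (or have TPM release it conditionally, only if
+# the kernel parameters remain the same), this can safely be enabled.
+editor = lib.mkDefault false;
+};
+}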
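Review bot: `cfg = config.myOptions.system.boot;` is bound but never read in this file, and `config` is taken as an argument only to produce it, so the `let … in` wrapper is dead code; the module can simply begin with `{ lib, ... }: {`. The comment block above `editor = lib.mkDefault false;` is the right place for the reasoning, and `mkDefault` correctly leaves the decision to each host, which is how the host configuration in this commit opts in.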
@ -1,9 +1,9 @@
|
||||||
{ config, pkgs, lib, ... }: let
|
{ config, pkgs, lib, ... }: let
|
||||||
inherit (lib) mkIf;
|
inherit (lib) mkIf;
|
||||||
|
|
||||||
cfg = config.myOptions.system.secure-boot;
|
cfg = config.myOptions.system.boot.secure-boot;
|
||||||
in {
|
in {
|
||||||
config = mkIf cfg.enabled {
|
config = mkIf cfg.enable {
|
||||||
# Secure Boot Key Manager
|
# Secure Boot Key Manager
|
||||||
environment.systemPackages = [ pkgs.sbctl ];
|
environment.systemPackages = [ pkgs.sbctl ];
|
||||||
|
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
_: {
|
|
||||||
boot.loader = {
|
|
||||||
systemd-boot = {
|
|
||||||
enable = true;
|
|
||||||
memtest86.enable = true;
|
|
||||||
editor = true;
|
|
||||||
};
|
|
||||||
efi.canTouchEfiVariables = true;
|
|
||||||
timeout = 3;
|
|
||||||
};
|
|
||||||
}
|
|