Group shared system settings

system/shared/boot/default.nix

@@ -0,0 +1,9 @@
+_: {
+  imports = [
+    ./loaders
+    ./generic.nix
+    ./secure-boot.nix
+    ./initrd.nix
+    ./plymouth.nix
+  ];
+}

system/shared/boot/generic.nix

@@ -0,0 +1,58 @@
+{ config, lib, ... }: let
+  inherit (lib) mkDefault optionals;
+
+  cfg = config.myOptions.system.boot;
+in {
+  boot = {
+    # kernel console loglevel
+    consoleLogLevel = 3;
+
+    # The NixOS default is to use an lts kernel, which can be quite old.
+    # My configuration defaults to the latest kernel instead
+    kernelPackages = cfg.kernel;
+
+    loader = {
+      # if set to 0, space needs to be held to get the boot menu to appear
+      timeout = 2;
+
+      # whether to copy the necessary boot files into /boot
+      # so that /nix/store is not needed by the boot loader.
+      generationsDir.copyKernels = true;
+
+      # allow installation to modify EFI variables
+      efi.canTouchEfiVariables = true;
+    };
+
+    tmp = {
+      # /tmp on tmpfs, lets it live on your ram
+      # it defaults to false, which means you will use disk space instead of ram 
+      # enable tmpfs tmp on anything where you have ram to spare
+      useTmpfs = cfg.tmpOnTmpfs;
+
+      # if not using tmpfs, which is naturally purged on reboot, we must clean
+      # /tmp ourselves. /tmp should be volatile storage!
+      cleanOnBoot = mkDefault (!cfg.tmpOnTmpfs);
+
+      # The size of the tmpfs, in percentage form
+      # this defaults to 50% of your ram, which is a good default
+      # but should be tweaked based on your systems capabilities
+      tmpfsSize = mkDefault "50%";
+    };
+
+    kernelParams = (optionals cfg.silentBoot [
+      # tell the kernel to not be verbose
+      "quiet"
+
+      "loglevel=3" # 1: system is unusable | 3: error condition | 7: very verbose
+
+      # udev log message level
+      # rd prefix means systemd-udev will be used instead of initrd
+      "udev.log_level=3"
+      "rd.udev.log_level=3"
+
+      # disable systemd status messages
+      "systemd.show_status=auto"
+      "rd.systemd.show_status=auto"
+    ]);
+  };
+}

system/shared/boot/initrd.nix

@@ -0,0 +1,28 @@
+{pkgs, ...}: {
+  boot.initrd = {
+    # Verbosity of initrd.
+    # Disabling verbosity removes only the mandantory messages generated by NixOS
+    verbose = false;
+
+    systemd = {
+      # Enable systemd in initrd
+      # I prefe to use systemd in initrd, because it is more powerful than busybox
+      # however, it can result in slightly slower boot times.
+      enable = true;
+
+      # Strip copied binaries and libraries from initrd
+      # saves 30~ MB of space, according to the nix derivation
+      strip = true;
+
+      # Packages to include in the initrd
+      # This is useful for debugging, if the host provides
+      # emergency mode
+      storePaths = with pkgs; [util-linux pciutils];
+      extraBin = {
+        fdisk = "${pkgs.util-linux}/bin/fdisk";
+        lsblk = "${pkgs.util-linux}/bin/lsblk";
+        lspci = "${pkgs.pciutils}/bin/lspci";
+      };
+    };
+  };
+}

system/shared/boot/loaders/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./systemd-boot.nix
+  ];
+}

system/shared/boot/loaders/systemd-boot.nix

@@ -0,0 +1,18 @@
+{ config, lib, ... }: let 
+  cfg = config.myOptions.system.boot;
+in {
+  boot.loader.systemd-boot = {
+    enable = true;
+    memtest86.enable = true;
+
+    # Enabling the editor will allow anyone to change the kernel params.
+    # This can be useful for debugging, however it is a potential security hole
+    # as this allows setting init=/bin/bash, which will boot directly into bash
+    # as root, bypassing any need for authentication.
+    #
+    # If you're using an encrypted setup, and you can't get into the system without
+    # entering a decryption password (or have TPM release it conditionally, only if
+    # the kernel parameters remain the same), this can safely be enabled.
+    editor = lib.mkDefault false;
+  };
+}

system/shared/boot/plymouth.nix

@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ...}: let
+  inherit (lib) mkIf;
+  cfg = config.myOptions.system.boot.plymouth;
+in {
+  config = mkIf cfg.enable {
+    boot = {
+      plymouth = {
+        enable = true;
+        theme = cfg.selectedTheme;
+      }
+      // lib.optionalAttrs cfg.withThemes {
+        themePackages = [
+          (pkgs.adi1090x-plymouth-themes.override {
+            selected_themes = [ cfg.selectedTheme ];
+          })
+        ];
+      };
+
+      kernelParams = ["splash"];
+    };
+
+    # Make polymouth work with sleep
+    powerManagement = {
+      powerDownCommands = ''
+        ${pkgs.plymouth} --show-splash
+      '';
+      resumeCommands = ''
+        ${pkgs.plymouth} --quit
+      '';
+    };
+  };
+}

system/shared/boot/secure-boot.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }: let
+  inherit (lib) mkIf;
+
+  cfg = config.myOptions.system.boot.secure-boot;
+in {
+  config = mkIf cfg.enable {
+    # Secure Boot Key Manager
+    environment.systemPackages = [ pkgs.sbctl ];
+
+    # Persist the secure boot keys (for impermanence)
+    myOptions.system.impermanence.root.extraDirectories = [
+      "/etc/secureboot"
+    ];
+
+    # Lanzaboote replaces systemd-boot
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+
+    boot.lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+  };
+}