about summary refs log tree commit diff stats
diff options
context:
space:
mode:
authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-05-11 18:18:09 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-05-11 18:18:09 +0200
commitb649d1d34a4ad0058848b5778deb5cfd451213e2 (patch)
treed19741ae8344733a423795841d1eac13c7a0cec0
parentfeat(sys/boot): Provide the latest arch-iso as boot target (diff)
downloadnixos-config-b649d1d34a4ad0058848b5778deb5cfd451213e2.zip
fix(sys/boot): Also apply the `systemd-boot` settings, when lanzaboote is active
Diffstat (limited to '')
-rw-r--r--sys/boot/default.nix57
1 files changed, 53 insertions, 4 deletions
diff --git a/sys/boot/default.nix b/sys/boot/default.nix
index 625394e8..0a45fd08 100644
--- a/sys/boot/default.nix
+++ b/sys/boot/default.nix
@@ -1,4 +1,54 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.boot.loader.systemd-boot;
+  inherit (config.boot.loader) efi;
+
+  esa = n: lib.strings.escapeShellArg n;
+
+  bootMountPoint =
+    if cfg.xbootldrMountPoint != null
+    then cfg.xbootldrMountPoint
+    else efi.efiSysMountPoint;
+
+  nixosDir = "/EFI/nixos";
+
+  copyExtraFiles = ''
+      echo "[Systemd-boot] copying files to ${bootMountPoint}"
+      empty_file=$(mktemp)
+
+      ${lib.concatStrings (lib.mapAttrsToList (n: v:
+      /*
+      bash
+      */
+      ''
+        if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then
+          install -Dp "${v}" ${esa "${bootMountPoint}/${n}"}
+          install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"}
+        fi
+      '')
+    cfg.extraFiles)}
+
+      ${lib.concatStrings (lib.mapAttrsToList (n: v:
+      /*
+      bash
+      */
+      ''
+        if ! [ -e ${esa "${bootMountPoint}/loader/entries/${n}"} ]; then
+          install -Dp "${pkgs.writeText n v}" ${esa "${bootMountPoint}/loader/entries/${n}"}
+          install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"}
+        fi
+      '')
+    cfg.extraEntries)}
+  '';
+in {
+  system.activationScripts = {
+    copyExtraFilesForBoot = copyExtraFiles;
+  };
+
   boot = {
     initrd = {
       #compressor = "lz4";
@@ -13,6 +63,8 @@
       pkiBundle = "/etc/secureboot";
 
       settings = {
+        # Disable editing the kernel command line (which could allow someone to become root)
+        editor = false;
       };
     };
 
@@ -24,9 +76,6 @@
         # for now.
         enable = false;
 
-        # Disable editing the kernel command line (which could allow someone to become root)
-        editor = false;
-
         extraEntries = {
           "live.conf" = ''
             title Archlinux Live ISO