diff options
author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-05-11 18:18:09 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-05-11 18:18:09 +0200 |
commit | b649d1d34a4ad0058848b5778deb5cfd451213e2 (patch) | |
tree | d19741ae8344733a423795841d1eac13c7a0cec0 | |
parent | feat(sys/boot): Provide the latest arch-iso as boot target (diff) | |
download | nixos-config-b649d1d34a4ad0058848b5778deb5cfd451213e2.zip |
fix(sys/boot): Also apply the `systemd-boot` settings, when lanzaboote is active
-rw-r--r-- | sys/boot/default.nix | 57 |
1 files changed, 53 insertions, 4 deletions
diff --git a/sys/boot/default.nix b/sys/boot/default.nix index 625394e8..0a45fd08 100644 --- a/sys/boot/default.nix +++ b/sys/boot/default.nix @@ -1,4 +1,54 @@ -{pkgs, ...}: { +{ + pkgs, + lib, + config, + ... +}: let + cfg = config.boot.loader.systemd-boot; + inherit (config.boot.loader) efi; + + esa = n: lib.strings.escapeShellArg n; + + bootMountPoint = + if cfg.xbootldrMountPoint != null + then cfg.xbootldrMountPoint + else efi.efiSysMountPoint; + + nixosDir = "/EFI/nixos"; + + copyExtraFiles = '' + echo "[Systemd-boot] copying files to ${bootMountPoint}" + empty_file=$(mktemp) + + ${lib.concatStrings (lib.mapAttrsToList (n: v: + /* + bash + */ + '' + if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then + install -Dp "${v}" ${esa "${bootMountPoint}/${n}"} + install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"} + fi + '') + cfg.extraFiles)} + + ${lib.concatStrings (lib.mapAttrsToList (n: v: + /* + bash + */ + '' + if ! [ -e ${esa "${bootMountPoint}/loader/entries/${n}"} ]; then + install -Dp "${pkgs.writeText n v}" ${esa "${bootMountPoint}/loader/entries/${n}"} + install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"} + fi + '') + cfg.extraEntries)} + ''; +in { + system.activationScripts = { + copyExtraFilesForBoot = copyExtraFiles; + }; + boot = { initrd = { #compressor = "lz4"; @@ -13,6 +63,8 @@ pkiBundle = "/etc/secureboot"; settings = { + # Disable editing the kernel command line (which could allow someone to become root) + editor = false; }; }; @@ -24,9 +76,6 @@ # for now. enable = false; - # Disable editing the kernel command line (which could allow someone to become root) - editor = false; - extraEntries = { "live.conf" = '' title Archlinux Live ISO |