Diffstat (limited to 'modules/by-name/bo/boot/module.nix')
| -rw-r--r-- | modules/by-name/bo/boot/module.nix | 244 |
1 files changed, 136 insertions, 108 deletions
diff --git a/modules/by-name/bo/boot/module.nix b/modules/by-name/bo/boot/module.nix
index 4b95aedf..01c98d6e 100644
--- a/modules/by-name/bo/boot/module.nix
+++ b/modules/by-name/bo/boot/module.nix
@@ -12,139 +12,167 @@ lib, pkgs, modules, + modulesPath, + system, + specialArgs, ... }: let cfg = config.soispha.boot; + + tailsPrefix = "EFI/tails"; in { options.soispha.boot = { enable = lib.mkEnableOption "Bootloader configuration"; - # TODO: Add this option <2024-05-16> - # enableIsoEntry = lib.mkEnableOption "an tails iso boot entry"; + enableIsoEntry = lib.mkEnableOption "an tails iso boot entry"; }; imports = [ modules.lanzaboote.nixosModules.lanzaboote ]; - config = lib.mkIf cfg.enable ( - # let - # cfg = config.boot.loader.systemd-boot; - # inherit (config.boot.loader) efi; - # - # esa = n: lib.strings.escapeShellArg n; - # - # bootMountPoint = - # if cfg.xbootldrMountPoint != null - # then cfg.xbootldrMountPoint - # else efi.efiSysMountPoint; - # - # nixosDir = "/EFI/nixos"; - # - # # FIXME: This system has two big problems: - # # 1. It does not updated files, which still have the same name - # # 2. It forgets about files, which were 'deleted' in this configuration (these just - # # stay on disk forever) <2024-05-11> - # copyExtraFiles = '' - # echo "[systemd-boot] copying files to ${bootMountPoint}" - # empty_file=$(mktemp boot_empty_file_XXX) - # - # ${lib.concatStrings (lib.mapAttrsToList (n: v: - # /* - # bash - # */ - # '' - # if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then - # install -Dp "${v}" ${esa "${bootMountPoint}/${n}"} - # install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"} - # fi - # '') - # cfg.extraFiles)} - # - # ${lib.concatStrings (lib.mapAttrsToList (n: v: - # /* - # bash - # */ - # '' - # # if ! [ -e ${esa "${bootMountPoint}/loader/entries/${n}"} ]; then - # install -Dp "${pkgs.writeText n v}" ${esa "${bootMountPoint}/loader/entries/${n}"} - # install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"} - # # fi - # '') - # cfg.extraEntries)} - # ''; - # in - { - # FIXME: Reactviate this whole iso thing when a disko redeploy is done. 
- # (and switch to tails instead of arch) <2024-05-12> - # - # system.activationScripts = { - # copyExtraFilesForBoot = copyExtraFiles; - # }; + config = lib.mkIf cfg.enable { + # This should only be necessary for `lanzaboote`, but that is the current default in + # this module. + soispha.impermanence.directories = [ + "/var/lib/sbctl" + "/boot" + ]; + + fileSystems = { + # Emulate XBOOTLDR for lanzaboote (see: https://github.com/nix-community/lanzaboote/issues/173#issuecomment-1532386210) + "/efi/EFI/Linux" = { + device = "/boot/EFI/Linux"; + options = ["bind"]; + fsType = "btrfs"; + }; + "/efi/EFI/nixos" = { + device = "/boot/EFI/nixos"; + options = ["bind"]; + fsType = "btrfs"; + }; - # This should only be necessary for `lanzaboote`, but that is the current default in - # this module. - soispha.impermanence.directories = [ - "/var/lib/sbctl" - ]; + "/efi/${tailsPrefix}" = lib.mkIf cfg.enableIsoEntry { + device = "/boot/${tailsPrefix}"; + options = ["bind"]; + fsType = "btrfs"; + }; + }; - boot = { - initrd = { - kernelModules = ["nvme" "btrfs"]; + boot = { + initrd = { + kernelModules = ["nvme" "btrfs"]; + }; + + kernelPackages = pkgs.linuxPackages_latest; + + lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + + settings = { + # Disable editing the kernel command line (which could allow someone to become root) + editor = false; + default = "@saved"; }; + }; - kernelPackages = pkgs.linuxPackages_latest; + loader = { + external = lib.mkIf cfg.enableIsoEntry { + installHook = lib.mkForce (let + lanzabooteCfg = config.boot.lanzaboote; - lanzaboote = { - enable = true; - pkiBundle = "/var/lib/sbctl"; + lanzabooteInstallHook = import "${modulesPath}/../lib/eval-config.nix" { + inherit system specialArgs; + modules = [ + modules.lanzaboote.nixosModules.lanzaboote - settings = { - # Disable editing the kernel command line (which could allow someone to become root) - editor = false; - default = "@saved"; - }; + { + # Copy the relevant config into the 
eval-module context. + boot = { + inherit (config.boot) kernelPackages; + + lanzaboote = { + inherit (lanzabooteCfg) enable pkiBundle; + settings = { + inherit (lanzabooteCfg.settings) editor default; + }; + }; + + loader = { + inherit (config.boot.loader) timeout efi systemd-boot; + }; + }; + systemd.package = config.systemd.package; + } + ]; + }; + + install = pkgs.writeShellScript "wrapped-install-tails-iso-marker" '' + echo "[Wrapped bootloader install] Copying tails iso..." + ${copyExtraFiles} + + echo "[Wrapped bootloader install] Running original lanzaboote install..." + ${lanzabooteInstallHook.config.boot.loader.external.installHook} + ''; + + copyExtraFiles = let + systemdCfg = config.boot.loader.systemd-boot; + nixosDir = "EFI/nixos"; + + bootMountPoint = config.boot.loader.efi.efiSysMountPoint; + install = lib.getExe' pkgs.coreutils "install"; + + inherit (lib) mapAttrsToList; + inherit (lib.strings) escapeShellArg concatStrings; + in + pkgs.writeShellScript "copy-extra-files" '' + ${concatStrings ( + mapAttrsToList (n: v: '' + ${install} -Dp "${v}" "${bootMountPoint}/"${escapeShellArg n} + ${install} -D /dev/null "${bootMountPoint}/${nixosDir}/.extra-files/"${escapeShellArg n} + '') + systemdCfg.extraFiles + )} + + ${concatStrings ( + mapAttrsToList (n: v: '' + ${install} -Dp "${pkgs.writeText n v}" "${bootMountPoint}/loader/entries/"${escapeShellArg n} + ${install} -D /dev/null "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/"${escapeShellArg n} + '') + systemdCfg.extraEntries + )} + ''; + in + install); }; - loader = { - systemd-boot = { - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - enable = false; + systemd-boot = lib.mkIf cfg.enableIsoEntry { + # Lanzaboote currently replaces the systemd-boot module. 
+ enable = false; - # extraEntries = { - # "live.conf" = '' - # title Archlinux Live ISO - # linux /live/vmlinuz-linux - # initrd /live/initramfs-linux.img - # options img_dev=${config.soispha.disks.disk} img_loop=/archlinux.iso copytoram - # ''; - # }; - # - # extraFiles = let - # iso = import ./archlive_iso.nix {inherit pkgs;}; - # in { - # "archlinux.iso" = "${iso}/archlinux.iso"; - # "live/initramfs-linux.img" = "${iso}/live/initramfs-linux.img"; - # "live/vmlinuz-linux" = "${iso}/live/vmlinuz-linux"; - # }; + extraEntries = { + "live.conf" = '' + title Tails Live ISO + linux /${tailsPrefix}/vmlinuz-linux + initrd /${tailsPrefix}/initramfs-linux.img + options img_dev=${config.soispha.disks.disk} img_loop=/${tailsPrefix}/tails.iso copytoram + ''; }; - grub = { - enable = false; - # theme = pkgs.nixos-grub2-theme; - splashImage = ./boot_pictures/gnu.png; - efiSupport = true; - device = "nodev"; # only for efi + extraFiles = let + iso = import ./tails_iso.nix {inherit pkgs;}; + in { + "/${tailsPrefix}/tails.iso" = "${iso}/tails.iso"; + "/${tailsPrefix}/vmlinuz-linux" = "${iso}/live/vmlinuz-linux"; + "/${tailsPrefix}/initramfs-linux.img" = "${iso}/live/initramfs-linux.img"; }; + }; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/efi"; }; }; - } - ); + }; + }; } |
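Review bot: The `live.conf` entry added under `enableIsoEntry` boots `/EFI/tails/vmlinuz-linux` and its initramfs as a plain systemd-boot entry while Lanzaboote (i.e. Secure Boot) is enabled, yet nothing in the hunk signs that kernel with the `/var/lib/sbctl` keys, and the ISO/initramfs sit unsigned on the ESP — so under enforcing Secure Boot the entry is presumably refused, and if the kernel were signed with the platform key the initramfs and `tails.iso` would still be unverified and swappable by anyone with disk access, which the `editor = false` hardening does not cover. Either document the entry as outside the Secure Boot trust chain or build kernel+initrd into a signed UKI; at minimum add above `extraEntries`: `# NOTE: this entry is not covered by Lanzaboote signing; the kernel, initramfs and ISO on the ESP are unverified`. The `options` line also carries over archiso-style `img_dev`/`img_loop`/`copytoram` parameters from the old Arch entry; Tails (Debian live-boot) uses `findiso=`/`fromiso=`, so confirm `./tails_iso.nix` really produces a system that honours these, otherwise the entry cannot find the ISO. Note also that `systemd-boot.enable = false` is now only set when `enableIsoEntry` is on, whereas it was unconditional before — verify the Lanzaboote module forces it off itself, or restore the unconditional setting. The enclosing module function begins before this hunk.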
