From b649d1d34a4ad0058848b5778deb5cfd451213e2 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz
Date: Sat, 11 May 2024 18:18:09 +0200
Subject: fix(sys/boot): Also apply the `systemd-boot` settings, when lanzaboote is active
---
 sys/boot/default.nix | 57 ++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 53 insertions(+), 4 deletions(-)
diff --git a/sys/boot/default.nix b/sys/boot/default.nix
index 625394e8..0a45fd08 100644
--- a/sys/boot/default.nix
+++ b/sys/boot/default.nix
@@ -1,4 +1,54 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.boot.loader.systemd-boot;
+ inherit (config.boot.loader) efi;
+
+ esa = n: lib.strings.escapeShellArg n;
+
+ bootMountPoint =
+ if cfg.xbootldrMountPoint != null
+ then cfg.xbootldrMountPoint
+ else efi.efiSysMountPoint;
+
+ nixosDir = "/EFI/nixos";
+
+ copyExtraFiles = ''
+ echo "[Systemd-boot] copying files to ${bootMountPoint}"
+ empty_file=$(mktemp)
+
+ ${lib.concatStrings (lib.mapAttrsToList (n: v:
+ /*
+ bash
+ */
+ ''
+ if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then
+ install -Dp "${v}" ${esa "${bootMountPoint}/${n}"}
+ install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"}
+ fi
+ '')
+ cfg.extraFiles)}
+
+ ${lib.concatStrings (lib.mapAttrsToList (n: v:
+ /*
+ bash
+ */
+ ''
+ if ! [ -e ${esa "${bootMountPoint}/loader/entries/${n}"} ]; then
+ install -Dp "${pkgs.writeText n v}" ${esa "${bootMountPoint}/loader/entries/${n}"}
+ install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"}
+ fi
+ '')
+ cfg.extraEntries)}
+ '';
+in {
+ system.activationScripts = {
+ copyExtraFilesForBoot = copyExtraFiles;
+ };
+
 boot = {
 initrd = {
 #compressor = "lz4";
@@ -13,6 +63,8 @@
 pkiBundle = "/etc/secureboot";
 settings = {
+ # Disable editing the kernel command line (which could allow someone to become root)
+ editor = false;
 };
 };
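Review bot: `copyExtraFiles` only ever adds to the ESP — every `if ! [ -e … ]` guard skips a path that already exists, and nothing reads the `.extra-files` markers it writes — so an entry dropped from `extraEntries` (or an edited `live.conf`) stays on the ESP and in the boot menu indefinitely, which is precisely the situation that marker directory exists to clean up. The file from `mktemp` is never removed, `nixosDir` starts with `/` so `${bootMountPoint}/${nixosDir}` carries a double slash, and `esa = n: lib.strings.escapeShellArg n;` is just `esa = lib.strings.escapeShellArg;`. Since this writes straight to the ESP instead of going through a bootloader installer, these files are presumably not signed by lanzaboote (named in the commit title, not visible in this hunk), so I'd add `# NOTE: files placed here are copied verbatim and are not signed; under Secure Boot they must already carry a valid signature` above the script. A sketch of the cleanup pass and the trap:
```nix
  copyExtraFiles = ''
    echo "[Systemd-boot] copying files to ${bootMountPoint}"
    empty_file=$(mktemp)
    trap 'rm -f "$empty_file"' EXIT

    # … unchanged: extraFiles / extraEntries install loops …

    # Remove files an earlier generation recorded in .extra-files that are no longer declared
    wanted=" ${lib.concatStringsSep " " (lib.attrNames cfg.extraFiles ++ map (n: "loader/entries/${n}") (lib.attrNames cfg.extraEntries))} "
    markers=${esa "${bootMountPoint}${nixosDir}/.extra-files"}
    if [ -d "$markers" ]; then
      find "$markers" -type f | while read -r marker; do
        rel=''${marker#"$markers/"}
        case "$wanted" in
          *" $rel "*) ;;
          *) rm -f ${esa bootMountPoint}/"$rel" "$marker" ;;
        esac
      done
    fi
  '';
```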
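Review bot: The comment on the moved `editor = false` still reads as if it were a plain systemd-boot setting, but it now sits under a `settings` block next to `pkiBundle` (presumably `boot.lanzaboote`) while `boot.loader.systemd-boot.enable = false` remains in the hunk below, so a reader needs to be told why it lives here. I'd extend it to `# systemd-boot's own module is disabled below, so loader.conf settings must be given to lanzaboote here; this one blocks kernel-cmdline edits (e.g. init=/bin/sh) from the boot menu`. Whether lanzaboote forwards `settings` verbatim into loader.conf is not visible in this hunk and is worth confirming against its module. The enclosing attribute set starts and ends outside the hunk.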
@@ -24,9 +76,6 @@
 # for now.
 enable = false;
- # Disable editing the kernel command line (which could allow someone to become root)
- editor = false;
-
 extraEntries = {
 "live.conf" = ''
 title Archlinux Live ISO
-- cgit 1.4.1