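# nixos-config - My current NixOS configuration
#
# Copyright (C) 2025 Benedikt Peetz
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This file is part of my nixos-config.
#
# You should have received a copy of the License along with this program.
# If not, see .
#
# Bootloader module: lanzaboote (Secure Boot, UKI-based) as the default, with an
# optional additional systemd-boot entry that boots a Tails live ISO copied onto
# the ESP.  The ISO entry is wired in by wrapping lanzaboote's install hook so
# the extra files are placed (and the Tails kernel signed) before the regular
# lanzaboote installation runs.
{
  config,
  lib,
  pkgs,
  modules,
  modulesPath,
  system,
  specialArgs,
  ...
}: let
  cfg = config.soispha.boot;

  # Directory below the ESP mount point that holds the Tails files.
  tailsPrefix = "EFI/tails";
in {
  options.soispha.boot = {
    enable = lib.mkEnableOption "Bootloader configuration";
    enableIsoEntry = lib.mkEnableOption "a tails iso boot entry";
  };

  imports = [
    modules.lanzaboote.nixosModules.lanzaboote
  ];

  config = lib.mkIf cfg.enable {
    # This should only be necessary for `lanzaboote`, but that is the current default in
    # this module.  The Secure Boot signing keys live here, so the directory has to
    # survive reboots on an impermanent root.
    soispha.impermanence.directories = [
      "/var/lib/sbctl"
    ];

    boot = {
      initrd = {
        kernelModules = ["nvme" "btrfs"];
      };
      kernelPackages = pkgs.linuxPackages_latest;

      lanzaboote = {
        enable = true;
        pkiBundle = "/var/lib/sbctl";
        settings = {
          # Disable editing the kernel command line (which could allow someone to become root)
          editor = false;
          default = "@saved";
        };
      };

      loader = {
        external = lib.mkIf cfg.enableIsoEntry {
          installHook = lib.mkForce (let
            lanzabooteCfg = config.boot.lanzaboote;

            # Evaluate a minimal NixOS configuration that contains only the
            # lanzaboote module plus a copy of the settings relevant to it.  This
            # gives access to lanzaboote's *unwrapped* install hook: reading
            # `config.boot.loader.external.installHook` from this module's own
            # `config` would refer back to the `mkForce` below.
            lanzabooteInstallHook = import "${modulesPath}/../lib/eval-config.nix" {
              inherit system specialArgs;
              modules = [
                modules.lanzaboote.nixosModules.lanzaboote
                {
                  # Copy the relevant config into the eval-module context.
                  boot = {
                    inherit (config.boot) kernelPackages;
                    lanzaboote = {
                      inherit (lanzabooteCfg) enable pkiBundle;
                      settings = {
                        inherit (lanzabooteCfg.settings) editor default;
                      };
                    };
                    loader = {
                      inherit (config.boot.loader) timeout efi systemd-boot;
                    };
                  };
                  systemd.package = config.systemd.package;
                }
              ];
            };

            # The hook that replaces lanzaboote's own: first place the Tails
            # files, then run the original installation.  `set -e` makes a failed
            # copy or signing step abort the installation instead of silently
            # continuing with an incomplete or unsigned Tails entry on the ESP.
            install = pkgs.writeShellScript "wrapped-install-tails-iso-marker" ''
              set -euo pipefail
              echo "[Wrapped bootloader install] Copying tails iso..."
              ${copyExtraFiles}
              echo "[Wrapped bootloader install] Running original lanzaboote install..."
              ${lanzabooteInstallHook.config.boot.loader.external.installHook}
            '';

            # Copies `boot.loader.systemd-boot.extraFiles` and `.extraEntries`
            # onto the ESP (the systemd-boot module itself is disabled below, so
            # it would not do this), then signs the Tails kernel with the local
            # sbctl keys so Secure Boot accepts it.
            copyExtraFiles = let
              systemdCfg = config.boot.loader.systemd-boot;
              nixosDir = "EFI/nixos";
              bootMountPoint = config.boot.loader.efi.efiSysMountPoint;
              installBin = lib.getExe' pkgs.coreutils "install";
              inherit (lib) mapAttrsToList;
              inherit (lib.strings) escapeShellArg concatStrings;
            in
              pkgs.writeShellScript "copy-extra-files" ''
                set -euo pipefail
                # Every copied file also gets an empty marker under
                # `.extra-files/`.  NOTE(review): presumably this mirrors the
                # bookkeeping of the systemd-boot module so stale files can be
                # cleaned up later — confirm against that module.
                ${concatStrings (
                  mapAttrsToList (n: v: ''
                    ${installBin} -Dp "${v}" "${bootMountPoint}/"${escapeShellArg n}
                    ${installBin} -D /dev/null "${bootMountPoint}/${nixosDir}/.extra-files/"${escapeShellArg n}
                  '')
                  systemdCfg.extraFiles
                )}
                # Only the kernel image is signed here.  The initramfs and the ISO
                # it loads are not signed and are therefore not covered by Secure
                # Boot verification, unlike the UKIs lanzaboote builds for NixOS.
                ${lib.getExe pkgs.sbctl} sign "${bootMountPoint}/${tailsPrefix}/vmlinuz-linux"
                ${concatStrings (
                  mapAttrsToList (n: v: ''
                    ${installBin} -Dp "${pkgs.writeText n v}" "${bootMountPoint}/loader/entries/"${escapeShellArg n}
                    ${installBin} -D /dev/null "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/"${escapeShellArg n}
                  '')
                  systemdCfg.extraEntries
                )}
              '';
          in
            install);
        };

        systemd-boot = lib.mkIf cfg.enableIsoEntry {
          # Lanzaboote currently replaces the systemd-boot module.
          enable = false;

          # Type #1 boot entry for the Tails live system.  The files referenced
          # here are placed on the ESP by `copyExtraFiles` above.
          extraEntries = {
            "live.conf" = ''
              title Tails Live ISO
              linux /${tailsPrefix}/vmlinuz-linux
              initrd /${tailsPrefix}/initramfs-linux.img
              options root=root=/dev/ram0 rw img_loop=/${tailsPrefix}/tails.iso copytoram
            '';
          };
          # NOTE(review): the `root=root=/dev/ram0` above looks like a duplicated
          # `root=` — verify it against the boot configuration shipped in the ISO.

          # Paths are relative to the ESP mount point; the ISO derivation is
          # provided by ./tails_iso.nix.
          extraFiles = let
            iso = import ./tails_iso.nix {inherit pkgs;};
          in {
            "/${tailsPrefix}/tails.iso" = "${iso}/tails.iso";
            "/${tailsPrefix}/vmlinuz-linux" = "${iso}/live/vmlinuz-linux";
            "/${tailsPrefix}/initramfs-linux.img" = "${iso}/live/initramfs-linux.img";
          };
        };

        efi = {
          canTouchEfiVariables = true;
          efiSysMountPoint = "/boot";
        };
      };
    };
  };
}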