forked from pub-solar/os
x-os: prepare booting from unencrypted /boot partition
This commit is contained in:
parent
cd4dce51c1
commit
c956297041
|
@ -3,46 +3,19 @@
|
|||
let
|
||||
cfg = config.pub-solar.x-os;
|
||||
in
|
||||
with lib; {
|
||||
options = {
|
||||
pub-solar.x-os.keyfile = mkOption {
|
||||
type = types.str;
|
||||
description = "Keyfile location";
|
||||
};
|
||||
|
||||
pub-solar.x-os.enableBootLoader = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether to include the grub bootloader. Turn this off for ISO images.";
|
||||
};
|
||||
};
|
||||
|
||||
{
|
||||
config = {
|
||||
# Enable plymouth for better experience of booting
|
||||
boot.plymouth.enable = true;
|
||||
|
||||
# Use Keyfile to unlock the root partition to avoid keying in twice.
|
||||
# Mount / luks device in initrd
|
||||
# Allow fstrim to work on it.
|
||||
boot.initrd = mkIf cfg.enableBootLoader {
|
||||
secrets = { "/keyfile.bin" = cfg.keyfile; };
|
||||
boot.initrd = {
|
||||
luks.devices."cryptroot" = {
|
||||
keyFile = "/keyfile.bin";
|
||||
allowDiscards = true;
|
||||
fallbackToPassword = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Use GRUB with encrypted /boot under EFI env.
|
||||
boot.loader = {
|
||||
efi.efiSysMountPoint = "/boot/efi";
|
||||
|
||||
grub = {
|
||||
enable = cfg.enableBootLoader;
|
||||
version = 2;
|
||||
device = "nodev";
|
||||
efiSupport = true;
|
||||
enableCryptodisk = true;
|
||||
};
|
||||
};
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue