From c95629704115eca1dd6d0423230a9f2373485149 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sun, 24 Oct 2021 01:18:33 +0200
Subject: [PATCH] x-os: prepare booting from unencrypted /boot partition
---
 modules/x-os/boot.nix | 35 ++++-------------------------------
 1 file changed, 4 insertions(+), 31 deletions(-)
diff --git a/modules/x-os/boot.nix b/modules/x-os/boot.nix
index dff8d526..51cd5b4b 100644
--- a/modules/x-os/boot.nix
+++ b/modules/x-os/boot.nix
@@ -3,46 +3,19 @@ let
 cfg = config.pub-solar.x-os;
 in
-with lib; {
- options = {
- pub-solar.x-os.keyfile = mkOption {
- type = types.str;
- description = "Keyfile location";
- };
-
- pub-solar.x-os.enableBootLoader = mkOption {
- type = types.bool;
- default = false;
- description = "Whether to include the grub bootloader. Turn this off for ISO images.";
- };
- };
-
+{
 config = {
 # Enable plymouth for better experience of booting
 boot.plymouth.enable = true;
- # Use Keyfile to unlock the root partition to avoid keying in twice.
+ # Mount / luks device in initrd
 # Allow fstrim to work on it.
- boot.initrd = mkIf cfg.enableBootLoader {
- secrets = { "/keyfile.bin" = cfg.keyfile; };
+ boot.initrd = {
 luks.devices."cryptroot" = {
- keyFile = "/keyfile.bin";
 allowDiscards = true;
- fallbackToPassword = true;
 };
 };
- # Use GRUB with encrypted /boot under EFI env.
- boot.loader = {
- efi.efiSysMountPoint = "/boot/efi";
-
- grub = {
- enable = cfg.enableBootLoader;
- version = 2;
- device = "nodev";
- efiSupport = true;
- enableCryptodisk = true;
- };
- };
+ boot.loader.systemd-boot.enable = true;
 };
 }
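Review bot: `boot.loader.systemd-boot.enable = true;` is now unconditional, whereas the removed `enableBootLoader` option defaulted to `false` and its description said to turn the bootloader off for ISO images, so ISO builds importing this module would presumably now get a bootloader enabled. If that opt-out is still needed, keep the option and write `boot.loader.systemd-boot.enable = cfg.enableBootLoader;`. Hosts that still set `pub-solar.x-os.keyfile` or `pub-solar.x-os.enableBootLoader` will fail evaluation once the options are gone, and the `cfg` binding in the `let` above the hunk looks unused afterwards; neither can be confirmed from the lines shown. Dropping `boot.initrd.secrets` is right for an unencrypted /boot, but the new trust model is undocumented: the kernel and initrd that prompt for the LUKS passphrase are now stored unauthenticated. I would add above the loader line `# /boot is unencrypted: keep secrets out of the initrd; kernel/initrd are not integrity-protected unless Secure Boot is set up.`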