x-os: prepare booting from unencrypted /boot partition

This commit is contained in:
teutat3s 2021-10-24 01:18:33 +02:00
parent cd4dce51c1
commit c956297041
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1

View file

@ -3,46 +3,19 @@
let let
cfg = config.pub-solar.x-os; cfg = config.pub-solar.x-os;
in in
with lib; { {
options = {
pub-solar.x-os.keyfile = mkOption {
type = types.str;
description = "Keyfile location";
};
pub-solar.x-os.enableBootLoader = mkOption {
type = types.bool;
default = false;
description = "Whether to include the grub bootloader. Turn this off for ISO images.";
};
};
config = { config = {
# Enable plymouth for better experience of booting # Enable plymouth for better experience of booting
boot.plymouth.enable = true; boot.plymouth.enable = true;
# Use Keyfile to unlock the root partition to avoid keying in twice. # Mount / luks device in initrd
# Allow fstrim to work on it. # Allow fstrim to work on it.
boot.initrd = mkIf cfg.enableBootLoader { boot.initrd = {
secrets = { "/keyfile.bin" = cfg.keyfile; };
luks.devices."cryptroot" = { luks.devices."cryptroot" = {
keyFile = "/keyfile.bin";
allowDiscards = true; allowDiscards = true;
fallbackToPassword = true;
}; };
}; };
# Use GRUB with encrypted /boot under EFI env. boot.loader.systemd-boot.enable = true;
boot.loader = {
efi.efiSysMountPoint = "/boot/efi";
grub = {
enable = cfg.enableBootLoader;
version = 2;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
};
};
}; };
} }