x-os: prepare booting from unencrypted /boot partition
This commit is contained in:
parent
cd4dce51c1
commit
c956297041
@ -3,46 +3,19 @@
let
let
cfg = config.pub-solar.x-os;
cfg = config.pub-solar.x-os;
in
in
with lib; {
{
options = {
pub-solar.x-os.keyfile = mkOption {
type = types.str;
description = "Keyfile location";
};
pub-solar.x-os.enableBootLoader = mkOption {
type = types.bool;
default = false;
description = "Whether to include the grub bootloader. Turn this off for ISO images.";
};
};
config = {
config = {
# Enable plymouth for better experience of booting
# Enable plymouth for better experience of booting
boot.plymouth.enable = true;
boot.plymouth.enable = true;
# Use Keyfile to unlock the root partition to avoid keying in twice.
# Mount / luks device in initrd
# Allow fstrim to work on it.
# Allow fstrim to work on it.
boot.initrd = mkIf cfg.enableBootLoader {
boot.initrd = {
secrets = { "/keyfile.bin" = cfg.keyfile; };
luks.devices."cryptroot" = {
luks.devices."cryptroot" = {
keyFile = "/keyfile.bin";
allowDiscards = true;
allowDiscards = true;
fallbackToPassword = true;
};
};
};
};
# Use GRUB with encrypted /boot under EFI env.
boot.loader.systemd-boot.enable = true;
boot.loader = {
efi.efiSysMountPoint = "/boot/efi";
grub = {
enable = cfg.enableBootLoader;
version = 2;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
};
};
};
};
}
}
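Review bot: The new `boot.loader.systemd-boot.enable = true;` together with the retained `luks.devices."cryptroot"` block places the kernel and initrd on an unencrypted ESP, and nothing in the hunk records the resulting trust assumption — the removed `# Use GRUB with encrypted /boot under EFI env.` comment documented the previous boundary, while the new `# Mount / luks device in initrd` says nothing about it. Suggest a comment above `boot.initrd = {` such as `# /boot (ESP) is unencrypted: kernel and initrd sit outside the LUKS boundary, so their integrity depends on firmware/Secure Boot measures configured elsewhere`. Separately, `cfg = config.pub-solar.x-os;` in the `let` is now dead once the `pub-solar.x-os.*` options and their `mkIf`/`mkOption` uses are gone, and any host still setting `pub-solar.x-os.keyfile` or `pub-solar.x-os.enableBootLoader` should now fail evaluation because the options are deleted rather than retired via something like `lib.mkRemovedOptionModule` — the callers are not visible here, so worth checking. The module's argument list precedes the hunk, which starts at line 3 of the file.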