# Boot configuration for pub-solar x-os: Plymouth splash, a LUKS root that is
# unlocked from a keyfile embedded in the initrd, and GRUB on EFI with
# cryptodisk support.
{ config, pkgs, lib, ... }:

let
  inherit (lib) mkIf mkOption types;

  xos = config.pub-solar.x-os;
in
{
  options.pub-solar.x-os = {
    # Location of the LUKS keyfile on the machine that builds the initrd.
    # The option is a string rather than a Nix path, so only the location is
    # recorded in the configuration; the key material itself should live
    # outside the world-readable Nix store.
    keyfile = mkOption {
      type = types.str;
      description = "Keyfile location";
    };

    # Gates both the GRUB installation and the initrd keyfile setup below.
    enableBootLoader = mkOption {
      type = types.bool;
      default = false;
      description = "Whether to include the grub bootloader. Turn this off for ISO images.";
    };
  };

  config.boot = {
    # Graphical splash screen during boot.
    plymouth.enable = true;

    # The keyfile is copied into the initrd so that the root partition unlocks
    # without a second passphrase prompt after GRUB has already unlocked /boot.
    # NOTE(review): anyone who can read the initrd can read the key, so this
    # is only sound while the initrd sits on the encrypted /boot described in
    # the GRUB section below -- confirm the partition layout.
    initrd = mkIf xos.enableBootLoader {
      secrets."/keyfile.bin" = xos.keyfile;

      luks.devices.cryptroot = {
        keyFile = "/keyfile.bin";
        # Passes TRIM requests through dm-crypt so fstrim works. This reveals
        # which blocks are unused to anyone inspecting the raw device.
        allowDiscards = true;
        # Prompt for the passphrase when the keyfile cannot be used.
        fallbackToPassword = true;
      };
    };

    # GRUB with an encrypted /boot in an EFI environment.
    loader = {
      efi.efiSysMountPoint = "/boot/efi";

      grub = {
        enable = xos.enableBootLoader;
        version = 2;
        device = "nodev";
        efiSupport = true;
        enableCryptodisk = true;
      };
    };
  };
}