x-os: prepare booting from unencrypted /boot partition

This commit is contained in:
teutat3s 2021-10-24 01:18:33 +02:00
parent d35fc6d8ae
commit 56ab7a1d28
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1

View file

@ -3,40 +3,19 @@
let
cfg = config.pub-solar.x-os;
in
with lib; {
options = {
pub-solar.x-os.keyfile = mkOption {
type = types.str;
description = "Keyfile location";
};
};
{
config = {
# Enable plymouth for better experience of booting
boot.plymouth.enable = true;
# Use Keyfile to unlock the root partition to avoid keying in twice.
# Mount / luks device in initrd
# Allow fstrim to work on it.
boot.initrd = {
secrets = { "/keyfile.bin" = cfg.keyfile; };
luks.devices."cryptroot" = {
keyFile = "/keyfile.bin";
allowDiscards = true;
fallbackToPassword = true;
};
};
# Use GRUB with encrypted /boot under EFI env.
boot.loader = {
efi.efiSysMountPoint = "/boot/efi";
grub = {
enable = true;
version = 2;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
};
};
boot.loader.systemd-boot.enable = true;
};
}