Diffstat (limited to 'modules/system/boot')
-rwxr-xr-xmodules/system/boot/boot_pictures/gnu.pngbin0 -> 327518 bytes
-rwxr-xr-xmodules/system/boot/boot_pictures/gnulin_emb_1.pngbin0 -> 207444 bytes
-rwxr-xr-xmodules/system/boot/boot_pictures/gnulin_emb_2.pngbin0 -> 208347 bytes
-rw-r--r--modules/system/boot/default.nix129
-rw-r--r--modules/system/boot/iso_entry/archlive_iso.nix77
-rw-r--r--modules/system/boot/iso_entry/signing_key.nix18
6 files changed, 224 insertions, 0 deletions
diff --git a/modules/system/boot/boot_pictures/gnu.png b/modules/system/boot/boot_pictures/gnu.png
new file mode 100755
index 00000000..d07dee3e
--- /dev/null
+++ b/modules/system/boot/boot_pictures/gnu.png
Binary files differ
diff --git a/modules/system/boot/boot_pictures/gnulin_emb_1.png b/modules/system/boot/boot_pictures/gnulin_emb_1.png
new file mode 100755
index 00000000..483f2681
--- /dev/null
+++ b/modules/system/boot/boot_pictures/gnulin_emb_1.png
Binary files differ
diff --git a/modules/system/boot/boot_pictures/gnulin_emb_2.png b/modules/system/boot/boot_pictures/gnulin_emb_2.png
new file mode 100755
index 00000000..48cd6ad7
--- /dev/null
+++ b/modules/system/boot/boot_pictures/gnulin_emb_2.png
Binary files differ
diff --git a/modules/system/boot/default.nix b/modules/system/boot/default.nix
new file mode 100644
index 00000000..1e6fa99b
--- /dev/null
+++ b/modules/system/boot/default.nix
@@ -0,0 +1,129 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.soispha.boot;
+in {
+  options.soispha.boot = {
+    enable = lib.mkEnableOption "Bootloader configuration";
+    # TODO: Add this option <2024-05-16>
+    # enableIsoEntry = lib.mkEnableOption "an tails iso boot entry";
+  };
+
+  config = lib.mkIf cfg.enable (
+    # let
+    # cfg = config.boot.loader.systemd-boot;
+    # inherit (config.boot.loader) efi;
+    #
+    # esa = n: lib.strings.escapeShellArg n;
+    #
+    # bootMountPoint =
+    #   if cfg.xbootldrMountPoint != null
+    #   then cfg.xbootldrMountPoint
+    #   else efi.efiSysMountPoint;
+    #
+    # nixosDir = "/EFI/nixos";
+    #
+    # # FIXME: This system has two big problems:
+    # # 1. It does not updated files, which still have the same name
+    # # 2. It forgets about files, which were 'deleted' in this configuration (these just
+    # #    stay on disk forever) <2024-05-11>
+    # copyExtraFiles = ''
+    #   echo "[systemd-boot] copying files to ${bootMountPoint}"
+    #   empty_file=$(mktemp)
+    #
+    #   ${lib.concatStrings (lib.mapAttrsToList (n: v:
+    #     /*
+    #     bash
+    #     */
+    #     ''
+    #       if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then
+    #         install -Dp "${v}" ${esa "${bootMountPoint}/${n}"}
+    #         install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"}
+    #       fi
+    #     '')
+    #   cfg.extraFiles)}
+    #
+    #   ${lib.concatStrings (lib.mapAttrsToList (n: v:
+    #     /*
+    #     bash
+    #     */
+    #     ''
+    #       # if ! [ -e ${esa "${bootMountPoint}/loader/entries/${n}"} ]; then
+    #         install -Dp "${pkgs.writeText n v}" ${esa "${bootMountPoint}/loader/entries/${n}"}
+    #         install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"}
+    #       # fi
+    #     '')
+    #   cfg.extraEntries)}
+    # '';
+    # in
+    {
+      # FIXME: Reactviate this whole iso thing when a disko redeploy is done.
+      # (and switch to tails instead of arch) <2024-05-12>
+      #
+      # system.activationScripts = {
+      #   copyExtraFilesForBoot = copyExtraFiles;
+      # };
+
+      boot = {
+        initrd = {
+          kernelModules = ["nvme" "btrfs"];
+        };
+
+        kernelPackages = pkgs.linuxPackages_latest;
+
+        lanzaboote = {
+          enable = true;
+          pkiBundle = "/etc/secureboot";
+
+          settings = {
+            # Disable editing the kernel command line (which could allow someone to become root)
+            editor = false;
+          };
+        };
+
+        loader = {
+          systemd-boot = {
+            # Lanzaboote currently replaces the systemd-boot module.
+            # This setting is usually set to true in configuration.nix
+            # generated at installation time. So we force it to false
+            # for now.
+            enable = false;
+
+            # extraEntries = {
+            #   "live.conf" = ''
+            #     title Archlinux Live ISO
+            #     linux /live/vmlinuz-linux
+            #     initrd /live/initramfs-linux.img
+            #     options img_dev=${config.soispha.disks.disk} img_loop=/archlinux.iso copytoram
+            #   '';
+            # };
+            #
+            # extraFiles = let
+            #   iso = import ./archlive_iso.nix {inherit pkgs;};
+            # in {
+            #   "archlinux.iso" = "${iso}/archlinux.iso";
+            #   "live/initramfs-linux.img" = "${iso}/live/initramfs-linux.img";
+            #   "live/vmlinuz-linux" = "${iso}/live/vmlinuz-linux";
+            # };
+          };
+
+          grub = {
+            enable = false;
+            # theme = pkgs.nixos-grub2-theme;
+            splashImage = ./boot_pictures/gnu.png;
+            efiSupport = true;
+            device = "nodev"; # only for efi
+          };
+
+          efi = {
+            canTouchEfiVariables = true;
+            efiSysMountPoint = "/boot";
+          };
+        };
+      };
+    }
+  );
+}
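Review bot: The `grub` attrset near the end of the hunk is inert configuration: with `enable = false`, `splashImage`, `efiSupport` and `device` have no effect, and `./boot_pictures/gnu.png` — the only reference to the three PNGs this commit adds — is never consumed. Either drop the block together with the images, or state in a comment why they are kept (e.g. `# grub kept disabled; retained for a non-secure-boot fallback — see FIXME above`). The ~45-line commented-out `let` block at the top of `config` and the `extraEntries`/`extraFiles` comments under `systemd-boot` duplicate logic that the parked `iso_entry/` files already hold, and the FIXME inside that block says the copy script is broken anyway; a one-line pointer such as `# Parked ISO boot entry: see ./iso_entry and the FIXME below` reads better than the full dead code. Independently, `mkEnableOption "Bootloader configuration"` could name what it turns on (lanzaboote with `pkiBundle = "/etc/secureboot"`, `linuxPackages_latest`, the nvme/btrfs initrd modules) so the option's blast radius is visible from `nixos-option`.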
diff --git a/modules/system/boot/iso_entry/archlive_iso.nix b/modules/system/boot/iso_entry/archlive_iso.nix
new file mode 100644
index 00000000..d19a4a87
--- /dev/null
+++ b/modules/system/boot/iso_entry/archlive_iso.nix
@@ -0,0 +1,77 @@
+{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let
+  signing_key = import ./signing_key.nix {inherit pkgs;};
+
+  checked_iso = pkgs.stdenv.mkDerivation {
+    pname = "archlinux-iso";
+    version = "2024.05.01";
+
+    srcs = [
+      (pkgs.fetchurl {
+        url = "https://archlinux.org/iso/2024.05.01/archlinux-2024.05.01-x86_64.iso.sig";
+        hash = "sha256-QOGYng6a7zA5EJKGotDccJ7fD2MmPPXQEdVr1kjJvi4=";
+      })
+      (pkgs.fetchurl {
+        url = "https://mirror.informatik.tu-freiberg.de/arch/iso/latest/archlinux-2024.05.01-x86_64.iso";
+        hash = "sha256-G0oE74pzUIUqEwcO5JhEKwh6YHoYhAtN19mYZ+tfakw=";
+      })
+      (pkgs.fetchurl {
+        url = "https://archlinux.org/iso/2024.05.01/b2sums.txt";
+        hash = "sha256-HSMS13hHXFKKQsCA8spa7XtirHCBTmePwhOsStVPbHw=";
+      })
+    ];
+
+    dontUnpack = true;
+
+    nativeBuildInputs = with pkgs; [
+      sequoia-sq
+    ];
+
+    buildPhase =
+      /*
+      bash
+      */
+      ''
+        cp -r "${signing_key}" ./release-key.pgp
+        for src in $srcs; do
+          cp -r  "$src" "$(stripHash "$src")"
+        done
+
+        sed '2d;3d;4d' b2sums.txt > b2sums_clean.txt
+
+        # As per the directions from: https://archlinux.org/download/
+
+        # blake hash check
+        b2sum -c ./b2sums_clean.txt
+
+        # pgp signature check
+        sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso
+      '';
+
+    installPhase = ''
+      cp archlinux-2024.05.01-x86_64.iso "$out";
+    '';
+  };
+in
+  pkgs.stdenv.mkDerivation {
+    name = "live_iso_boot_entry";
+
+    src = checked_iso;
+
+    dontUnpack = true;
+
+    nativeBuildInputs = with pkgs; [
+      libarchive # for bsdtar
+    ];
+
+    buildPhase = ''
+      mkdir iso
+      bsdtar -xf "$src" -C iso
+    '';
+
+    installPhase = ''
+      install -D ./iso/arch/boot/x86_64/initramfs-linux.img "$out/live/initramfs-linux.img"
+      install -D ./iso/arch/boot/x86_64/vmlinuz-linux "$out/live/vmlinuz-linux"
+
+      install -D "$src" "$out/archlinux.iso"
+    '';
+  }
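Review bot: The `sed '2d;3d;4d' b2sums.txt` line in `buildPhase` selects which checksums get verified by line position, so the check depends on the ordering of an upstream file this build does not control; if that order changes, `b2sum -c` either aborts on files that are not present or verifies a different set than intended. Selecting by name removes the guess: `grep 'archlinux-2024.05.01-x86_64.iso$' b2sums.txt > b2sums_clean.txt` (or skip the filtering and run `b2sum -c --ignore-missing b2sums.txt`, which still fails if the ISO line mismatches). The verification design itself is sound — ISO, detached signature and sum file are each pinned by a fixed-output hash and then cross-checked with `b2sum -c` and `sq verify` against the WKD-fetched key — but a short comment above `srcs` saying that the hashes pin content and the signature check establishes provenance at update time would help the next maintainer decide what to re-verify when bumping the version. Separately, `2024.05.01` is spelled out in `version` and four further places (two URLs, the `sq verify` operands and `installPhase`); binding it once in the surrounding `let` and interpolating it keeps a version bump from silently leaving one of them stale.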
diff --git a/modules/system/boot/iso_entry/signing_key.nix b/modules/system/boot/iso_entry/signing_key.nix
new file mode 100644
index 00000000..788447be
--- /dev/null
+++ b/modules/system/boot/iso_entry/signing_key.nix
@@ -0,0 +1,18 @@
+{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}:
+pkgs.stdenv.mkDerivation {
+  name = "archlinux_signing_keys";
+
+  outputHash = "sha256-evGWzkxMaZw3rlixKsyWCS/ZvNuZ+OfXQb6sgiHz9XY=";
+  outputHashAlgo = "sha256";
+  NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+
+  nativeBuildInputs = with pkgs; [
+    sequoia-sq
+  ];
+
+  dontUnpack = true;
+
+  buildPhase = ''
+    sq --verbose --no-cert-store --no-key-store network wkd fetch pierre@archlinux.org --output "$out"
+  '';
+}
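Review bot: `outputHash` is the trust anchor for the whole ISO verification chain in `archlive_iso.nix`, yet nothing records which key it pins or how the value was obtained; add a comment above it such as `# Fixed-output hash of the WKD lookup for pierre@archlinux.org; fingerprint cross-checked against https://archlinux.org/download/ on <DATE>` so a reader can re-verify instead of trusting the hash blindly. Worth stating in the same comment: because the derivation is fixed-output, the store copy is reused once built, so an upstream key rotation or revocation will not propagate until this hash is changed by hand. `sq ... network wkd fetch` with no fingerprint pin is acceptable only because the hash pins the result, which is another reason the comment should exist; the `--verbose` flag adds nothing inside a derivation and could be dropped.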