diff options
Diffstat (limited to 'modules/system/boot')
-rwxr-xr-x | modules/system/boot/boot_pictures/gnu.png | bin | 0 -> 327518 bytes | |||
-rwxr-xr-x | modules/system/boot/boot_pictures/gnulin_emb_1.png | bin | 0 -> 207444 bytes | |||
-rwxr-xr-x | modules/system/boot/boot_pictures/gnulin_emb_2.png | bin | 0 -> 208347 bytes | |||
-rw-r--r-- | modules/system/boot/default.nix | 129 | ||||
-rw-r--r-- | modules/system/boot/iso_entry/archlive_iso.nix | 77 | ||||
-rw-r--r-- | modules/system/boot/iso_entry/signing_key.nix | 18 |
6 files changed, 224 insertions, 0 deletions
diff --git a/modules/system/boot/boot_pictures/gnu.png b/modules/system/boot/boot_pictures/gnu.png new file mode 100755 index 00000000..d07dee3e --- /dev/null +++ b/modules/system/boot/boot_pictures/gnu.png Binary files differdiff --git a/modules/system/boot/boot_pictures/gnulin_emb_1.png b/modules/system/boot/boot_pictures/gnulin_emb_1.png new file mode 100755 index 00000000..483f2681 --- /dev/null +++ b/modules/system/boot/boot_pictures/gnulin_emb_1.png Binary files differdiff --git a/modules/system/boot/boot_pictures/gnulin_emb_2.png b/modules/system/boot/boot_pictures/gnulin_emb_2.png new file mode 100755 index 00000000..48cd6ad7 --- /dev/null +++ b/modules/system/boot/boot_pictures/gnulin_emb_2.png Binary files differdiff --git a/modules/system/boot/default.nix b/modules/system/boot/default.nix new file mode 100644 index 00000000..1e6fa99b --- /dev/null +++ b/modules/system/boot/default.nix @@ -0,0 +1,129 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.soispha.boot; +in { + options.soispha.boot = { + enable = lib.mkEnableOption "Bootloader configuration"; + # TODO: Add this option <2024-05-16> + # enableIsoEntry = lib.mkEnableOption "an tails iso boot entry"; + }; + + config = lib.mkIf cfg.enable ( + # let + # cfg = config.boot.loader.systemd-boot; + # inherit (config.boot.loader) efi; + # + # esa = n: lib.strings.escapeShellArg n; + # + # bootMountPoint = + # if cfg.xbootldrMountPoint != null + # then cfg.xbootldrMountPoint + # else efi.efiSysMountPoint; + # + # nixosDir = "/EFI/nixos"; + # + # # FIXME: This system has two big problems: + # # 1. It does not updated files, which still have the same name + # # 2. It forgets about files, which were 'deleted' in this configuration (these just + # # stay on disk forever) <2024-05-11> + # copyExtraFiles = '' + # echo "[systemd-boot] copying files to ${bootMountPoint}" + # empty_file=$(mktemp) + # + # ${lib.concatStrings (lib.mapAttrsToList (n: v: + # /* + # bash + # */ + # '' + # if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then + # install -Dp "${v}" ${esa "${bootMountPoint}/${n}"} + # install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"} + # fi + # '') + # cfg.extraFiles)} + # + # ${lib.concatStrings (lib.mapAttrsToList (n: v: + # /* + # bash + # */ + # '' + # # if ! [ -e ${esa "${bootMountPoint}/loader/entries/${n}"} ]; then + # install -Dp "${pkgs.writeText n v}" ${esa "${bootMountPoint}/loader/entries/${n}"} + # install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"} + # # fi + # '') + # cfg.extraEntries)} + # ''; + # in + { + # FIXME: Reactviate this whole iso thing when a disko redeploy is done. + # (and switch to tails instead of arch) <2024-05-12> + # + # system.activationScripts = { + # copyExtraFilesForBoot = copyExtraFiles; + # }; + + boot = { + initrd = { + kernelModules = ["nvme" "btrfs"]; + }; + + kernelPackages = pkgs.linuxPackages_latest; + + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + + settings = { + # Disable editing the kernel command line (which could allow someone to become root) + editor = false; + }; + }; + + loader = { + systemd-boot = { + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + enable = false; + + # extraEntries = { + # "live.conf" = '' + # title Archlinux Live ISO + # linux /live/vmlinuz-linux + # initrd /live/initramfs-linux.img + # options img_dev=${config.soispha.disks.disk} img_loop=/archlinux.iso copytoram + # ''; + # }; + # + # extraFiles = let + # iso = import ./archlive_iso.nix {inherit pkgs;}; + # in { + # "archlinux.iso" = "${iso}/archlinux.iso"; + # "live/initramfs-linux.img" = "${iso}/live/initramfs-linux.img"; + # "live/vmlinuz-linux" = "${iso}/live/vmlinuz-linux"; + # }; + }; + + grub = { + enable = false; + # theme = pkgs.nixos-grub2-theme; + splashImage = ./boot_pictures/gnu.png; + efiSupport = true; + device = "nodev"; # only for efi + }; + + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + }; + }; + } + ); +} diff --git a/modules/system/boot/iso_entry/archlive_iso.nix b/modules/system/boot/iso_entry/archlive_iso.nix new file mode 100644 index 00000000..d19a4a87 --- /dev/null +++ b/modules/system/boot/iso_entry/archlive_iso.nix @@ -0,0 +1,77 @@ +{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let + signing_key = import ./signing_key.nix {inherit pkgs;}; + + checked_iso = pkgs.stdenv.mkDerivation { + pname = "archlinux-iso"; + version = "2024.05.01"; + + srcs = [ + (pkgs.fetchurl { + url = "https://archlinux.org/iso/2024.05.01/archlinux-2024.05.01-x86_64.iso.sig"; + hash = "sha256-QOGYng6a7zA5EJKGotDccJ7fD2MmPPXQEdVr1kjJvi4="; + }) + (pkgs.fetchurl { + url = "https://mirror.informatik.tu-freiberg.de/arch/iso/latest/archlinux-2024.05.01-x86_64.iso"; + hash = "sha256-G0oE74pzUIUqEwcO5JhEKwh6YHoYhAtN19mYZ+tfakw="; + }) + (pkgs.fetchurl { + url = "https://archlinux.org/iso/2024.05.01/b2sums.txt"; + hash = "sha256-HSMS13hHXFKKQsCA8spa7XtirHCBTmePwhOsStVPbHw="; + }) + ]; + + dontUnpack = true; + + nativeBuildInputs = with pkgs; [ + sequoia-sq + ]; + + buildPhase = + /* + bash + */ + '' + cp -r "${signing_key}" ./release-key.pgp + for src in $srcs; do + cp -r "$src" "$(stripHash "$src")" + done + + sed '2d;3d;4d' b2sums.txt > b2sums_clean.txt + + # As per the directions from: https://archlinux.org/download/ + + # blake hash check + b2sum -c ./b2sums_clean.txt + + # pgp signature check + sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso + ''; + + installPhase = '' + cp archlinux-2024.05.01-x86_64.iso "$out"; + ''; + }; +in + pkgs.stdenv.mkDerivation { + name = "live_iso_boot_entry"; + + src = checked_iso; + + dontUnpack = true; + + nativeBuildInputs = with pkgs; [ + libarchive # for bsdtar + ]; + + buildPhase = '' + mkdir iso + bsdtar -xf "$src" -C iso + ''; + + installPhase = '' + install -D ./iso/arch/boot/x86_64/initramfs-linux.img "$out/live/initramfs-linux.img" + install -D ./iso/arch/boot/x86_64/vmlinuz-linux "$out/live/vmlinuz-linux" + + install -D "$src" "$out/archlinux.iso" + ''; + } diff --git a/modules/system/boot/iso_entry/signing_key.nix b/modules/system/boot/iso_entry/signing_key.nix new file mode 100644 index 00000000..788447be --- /dev/null +++ b/modules/system/boot/iso_entry/signing_key.nix @@ -0,0 +1,18 @@ +{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: +pkgs.stdenv.mkDerivation { + name = "archlinux_signing_keys"; + + outputHash = "sha256-evGWzkxMaZw3rlixKsyWCS/ZvNuZ+OfXQb6sgiHz9XY="; + outputHashAlgo = "sha256"; + NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + + nativeBuildInputs = with pkgs; [ + sequoia-sq + ]; + + dontUnpack = true; + + buildPhase = '' + sq --verbose --no-cert-store --no-key-store network wkd fetch pierre@archlinux.org --output "$out" + ''; +} |