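# Boot configuration. Lanzaboote (Secure Boot) replaces the systemd-boot
# module here, so the systemd-boot `extraFiles`/`extraEntries` options are not
# acted on by their usual builder; `copyExtraFiles` below re-implements that
# copy step as an activation script.
{ pkgs, lib, config, ... }:
let
  cfg = config.boot.loader.systemd-boot;
  inherit (config.boot.loader) efi;

  # Shell-quote a path fragment so attribute names containing spaces or shell
  # metacharacters cannot break the generated script.
  esa = n: lib.strings.escapeShellArg n;

  # Extra files go to the XBOOTLDR partition when one is configured,
  # otherwise to the ESP.
  bootMountPoint =
    if cfg.xbootldrMountPoint != null
    then cfg.xbootldrMountPoint
    else efi.efiSysMountPoint;

  nixosDir = "/EFI/nixos";

  # FIXME: Two known gaps in this copy step <2024-05-11>:
  # 1. A file that already exists under the same name is never updated
  #    (the `-e` test below skips it even when the source store path changed).
  # 2. Files removed from `extraFiles`/`extraEntries` are never deleted from
  #    disk; the `.extra-files` markers only record that they were ours.
  copyExtraFiles = ''
    echo "[systemd-boot] copying files to ${bootMountPoint}"
    # Zero-byte template for the marker written next to each copied file
    # under ${nixosDir}/.extra-files.
    empty_file=$(mktemp)
    ${lib.concatStrings (lib.mapAttrsToList (n: v: /* bash */ ''
      if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then
        install -Dp "${v}" ${esa "${bootMountPoint}/${n}"}
        install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"}
      fi
    '') cfg.extraFiles)}
    ${lib.concatStrings (lib.mapAttrsToList (n: v: /* bash */ ''
      # Loader entries are small text files; they are always rewritten so that
      # edits to the entry text take effect (no `-e` guard as for extraFiles).
      install -Dp "${pkgs.writeText n v}" ${esa "${bootMountPoint}/loader/entries/${n}"}
      install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"}
    '') cfg.extraEntries)}
    # The marker template is only needed while this script runs; do not leave
    # one temp file behind per activation.
    rm -f "$empty_file"
  '';
in {
  system.activationScripts = {
    copyExtraFilesForBoot = copyExtraFiles;
  };

  # Help lanzaboote with the filesystems
  # source: https://github.com/nix-community/lanzaboote/issues/173#issuecomment-1532386210
  # TODO: Remove this workaround <2024-05-11>
  fileSystems = {
    "/efi/EFI/Linux" = {
      device = "/boot/EFI/Linux";
      options = ["bind"];
    };
    "/efi/EFI/nixos" = {
      device = "/boot/EFI/nixos";
      options = ["bind"];
    };
  };

  boot = {
    initrd = {
      #compressor = "lz4";
      #compressorArgs = ["-9"];
      kernelModules = ["nvme" "btrfs"];
    };
    kernelPackages = pkgs.linuxPackages_latest;

    lanzaboote = {
      enable = true;
      # Directory holding the Secure Boot signing material lanzaboote uses to
      # sign the boot images; anyone able to read it can sign a bootable
      # image, so it should stay root-only.
      pkiBundle = "/etc/secureboot";
      settings = {
        # Disable editing the kernel command line (which could allow someone to become root)
        editor = false;
      };
    };

    loader = {
      systemd-boot = {
        # Lanzaboote currently replaces the systemd-boot module.
        # This setting is usually set to true in configuration.nix
        # generated at installation time. So we force it to false
        # for now.
        enable = false;
        xbootldrMountPoint = "/boot";
        # NOTE(review): this entry boots a kernel taken straight from the Arch
        # ISO, which is not signed with the lanzaboote keys. With Secure Boot
        # enforced it is expected to be refused by the firmware unless that
        # kernel is signed with an enrolled key — confirm this is intended.
        extraEntries = {
          "live.conf" = ''
            title Archlinux Live ISO
            linux /live/vmlinuz-linux
            initrd /live/initramfs-linux.img
            options img_dev=${config.soispha.disks.disk} img_loop=/archlinux.iso copytoram
          '';
        };
        extraFiles = let
          iso = import ./archlive_iso.nix {inherit pkgs;};
        in {
          "archlinux.iso" = "${iso}/archlinux.iso";
          "live/initramfs-linux.img" = "${iso}/live/initramfs-linux.img";
          "live/vmlinuz-linux" = "${iso}/live/vmlinuz-linux";
        };
      };
      grub = {
        enable = false;
        # theme = pkgs.nixos-grub2-theme;
        splashImage = ./boot_pictures/gnu.png;
        efiSupport = true;
        device = "nodev"; # only for efi
      };
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot";
      };
    };
  };
}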