dots/hosts/orion/os/boot.nix

{
  modulesPath,
  pkgs,
  lib,
  ...
}:
let
  pkiBundlePath = "/etc/secureboot";
in
{

  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

  security.tpm2.enable = true;
  environment.systemPackages = with pkgs; [
    tpm2-tss
    sbctl
  ];

  services.btrfs-rollback = {
    enable = true;
    diskLabel = "NixOS-Primary";
    subvolume = "root";
    snapshot = "root-base";
  };

  environment.persistence.ephemeral.directories = [
    pkiBundlePath
  ];

  boot = {
    lanzaboote = {
      enable = true;
      pkiBundle = pkiBundlePath;
    };
    loader = {
      systemd-boot.enable = lib.mkForce false;
      efi.canTouchEfiVariables = true;
    };
    kernelPackages = pkgs.linuxPackages_latest;
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
    initrd = {
      availableKernelModules = [
        "xhci_pci"
        "thunderbolt"
        "vmd"
        "nvme"
        "usbhid"
        "rtsx_pci_sdmmc"
      ];
      systemd = {
        tpm2.enable = true;
        enable = true;
      };
    };
  };
}
feat(hosts/orion): enable secureboot 2024-09-27 00:36:41 -05:00			`{`
			`modulesPath,`
			`pkgs,`
			`lib,`
			`...`
			`}:`
			`let`
			`pkiBundlePath = "/etc/secureboot";`
			`in`
refactor!: the big nix refactor 2024-05-03 14:35:00 -05:00			`{`

refactor(nix/hosts/orion): use real system os options 2024-05-24 17:18:15 -05:00			`imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];`
refactor!: the big nix refactor 2024-05-03 14:35:00 -05:00
feat(host/orion): improve tpm2 support 2024-07-24 22:16:17 -05:00			`security.tpm2.enable = true;`
feat(hosts/orion): enable secureboot 2024-09-27 00:36:41 -05:00			`environment.systemPackages = with pkgs; [`
			`tpm2-tss`
			`sbctl`
			`];`
feat(host/orion): improve tpm2 support 2024-07-24 22:16:17 -05:00
refactor(nix): extract orion's btrfs rollback to NixOS module 2024-08-24 23:38:27 -05:00			`services.btrfs-rollback = {`
			`enable = true;`
			`diskLabel = "NixOS-Primary";`
			`subvolume = "root";`
			`snapshot = "root-base";`
			`};`

feat(hosts/orion): enable secureboot 2024-09-27 00:36:41 -05:00			`environment.persistence.ephemeral.directories = [`
			`pkiBundlePath`
			`];`

refactor!: the big nix refactor 2024-05-03 14:35:00 -05:00			`boot = {`
feat(hosts/orion): enable secureboot 2024-09-27 00:36:41 -05:00			`lanzaboote = {`
			`enable = true;`
			`pkiBundle = pkiBundlePath;`
			`};`
refactor!: the big nix refactor 2024-05-03 14:35:00 -05:00			`loader = {`
feat(hosts/orion): enable secureboot 2024-09-27 00:36:41 -05:00			`systemd-boot.enable = lib.mkForce false;`
refactor!: the big nix refactor 2024-05-03 14:35:00 -05:00			`efi.canTouchEfiVariables = true;`
			`};`
feat(host/orion): use latest linux kernel 2024-07-01 22:41:24 -05:00			`kernelPackages = pkgs.linuxPackages_latest;`
refactor!: the big nix refactor 2024-05-03 14:35:00 -05:00			`kernelModules = [ "kvm-intel" ];`
			`extraModulePackages = [ ];`
			`initrd = {`
			`availableKernelModules = [`
			`"xhci_pci"`
refactor(nix/hosts/orion): use real system os options 2024-05-24 17:18:15 -05:00			`"thunderbolt"`
			`"vmd"`
			`"nvme"`
			`"usbhid"`
			`"rtsx_pci_sdmmc"`
refactor!: the big nix refactor 2024-05-03 14:35:00 -05:00			`];`
			`systemd = {`
refactor(hosts/orion): update systemd tpm2 to new name 2024-10-03 03:40:23 -05:00			`tpm2.enable = true;`
refactor!: the big nix refactor 2024-05-03 14:35:00 -05:00			`enable = true;`
			`};`
			`};`
			`};`
feat(hosts/orion): improve security options 2024-09-27 02:36:09 -05:00			`}`