authorFranck Cuny <franck@fcuny.net>2022-02-18 09:29:26 -0800
committerFranck Cuny <franck@fcuny.net>2022-02-18 09:30:39 -0800
commit5d3db43c0dec2971976c707415552715d9d16388 (patch)
tree4ae66abb9856356c5a6f45977f9ef2d48f7c4a7e /hosts
parentfonts: add more fonts for the system (diff)
downloadinfra-5d3db43c0dec2971976c707415552715d9d16388.tar.gz
boot: reorganize and add comments
Most of the options for booting are common to all hosts.
Diffstat (limited to 'hosts')
-rw-r--r--hosts/carmel/default.nix19
-rw-r--r--hosts/common/system/boot.nix8
2 files changed, 16 insertions, 11 deletions
diff --git a/hosts/carmel/default.nix b/hosts/carmel/default.nix
index 0856337..0234e90 100644
--- a/hosts/carmel/default.nix
+++ b/hosts/carmel/default.nix
@@ -9,19 +9,16 @@
../common/system/boot-ssh.nix
];
- # Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
-
- boot.initrd = {
- luks.devices."system".allowDiscards = true;
- kernelModules = [ "igb" ];
+ boot = {
+ # get an IP address on boot, so we can unlock the root disk remotely
+ kernelParams = [ "ip=dhcp" ];
+ initrd = {
+ luks.devices."system".allowDiscards = true;
+ # driver for the NIC, required in order to get an IP address
+ kernelModules = [ "igb" ];
+ };
};
- boot.kernelParams = [ "ip=dhcp" ];
-
- time.timeZone = "America/Los_Angeles";
-
hardware.opengl.driSupport = true;
# Use systemd-networkd for networking
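Review bot: `luks.devices."system".allowDiscards = true;` is the only setting in the new `boot` block left without a comment, and it is the one that carries a security trade-off. Passing discards through dm-crypt lets anyone who can read the raw device see which blocks are unused, so the choice should be recorded next to the option, for example `# pass TRIM through LUKS; trade-off: free-block layout of the encrypted volume becomes visible on the raw device`. The hunk also removes `time.timeZone` from this host, and the page, which is limited to `hosts`, shows no replacement, so it is worth confirming the value is now set in a common module.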
diff --git a/hosts/common/system/boot.nix b/hosts/common/system/boot.nix
index 974b072..053b81d 100644
--- a/hosts/common/system/boot.nix
+++ b/hosts/common/system/boot.nix
@@ -2,6 +2,14 @@
{
boot = {
+ loader = {
+ # Use the systemd-boot EFI boot loader.
+ systemd-boot.enable = true;
+ # Prohibits gaining root access by passing init=/bin/sh as a kernel parameter
+ boot.loader.systemd-boot.editor = false;
+ efi.canTouchEfiVariables = true;
+ };
+
kernelPackages = pkgs.linuxPackages_latest;
tmpOnTmpfs = true;
};
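Review bot: The added line `boot.loader.systemd-boot.editor = false;` sits inside `boot = { loader = { … } }`, so it resolves to `boot.loader.boot.loader.systemd-boot.editor` rather than the intended option. I would expect evaluation to reject that path as an undefined option; either way the boot-entry editor is not disabled by this line as written, so the `init=/bin/sh` protection described in the comment is not in effect. Inside this block it should read `systemd-boot.editor = false;`, or be grouped with the enable flag as `systemd-boot = { enable = true; editor = false; };`. The enclosing attribute set continues past the end of the hunk.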