about summary refs log tree commit diff
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/system/boot/default.nix44
-rw-r--r--modules/system/default.nix6
2 files changed, 49 insertions, 1 deletions
diff --git a/modules/system/boot/default.nix b/modules/system/boot/default.nix
new file mode 100644
index 0000000..b037f63
--- /dev/null
+++ b/modules/system/boot/default.nix
@@ -0,0 +1,44 @@
+{ pkgs, config, lib, ... }:
+let cfg = config.my.system.boot;
+in {
+  options.my.system.boot = with lib; {
+    tmp = { clean = mkEnableOption "clean `/tmp` on boot."; };
+    initrd = {
+      network = { enable = mkEnableOption "enable SSH with initrd"; };
+    };
+  };
+
+  config = {
+    boot = {
+      loader = {
+        # Use the systemd-boot EFI boot loader.
+        systemd-boot.enable = true;
+        # Prohibits gaining root access by passing init=/bin/sh as a kernel parameter
+        systemd-boot.editor = false;
+        efi.canTouchEfiVariables = true;
+      };
+
+      kernelPackages = pkgs.linuxPackages_latest;
+      cleanTmpDir = cfg.tmp.clean;
+      tmpOnTmpfs = true;
+
+      initrd = {
+        luks.devices."system".allowDiscards = true;
+        network = lib.mkIf cfg.initrd.network.enable {
+          enable = true;
+          postCommands = ''
+            echo "cryptsetup-askpass; exit" > /root/.profile
+          '';
+          ssh = {
+            enable = true;
+            port = 2222;
+            hostKeys =
+              [ /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key ];
+            authorizedKeys =
+              config.users.users.fcuny.openssh.authorizedKeys.keys;
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/modules/system/default.nix b/modules/system/default.nix
index 620ad2e..c39d1d2 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -1 +1,5 @@
-{ ... }: { imports = [ ./console ./locale ./nix ./users ./security ./btrfs ]; }
+{ ... }:
+
+{
+  imports = [ ./boot ./console ./locale ./nix ./users ./security ./btrfs ];
+}