From 679497cf607e59cb4c62d80174228e776369751f Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Wed, 6 Apr 2022 07:04:03 -0700
Subject: refactor boot configuration to a module

We don't need the previous `hosts/common/system` configs anymore, as everything has been moved out.

We keep some boot configuration for carmel in the host configuration for now, but I need to check why I don't have similar settings for tahoe (since I also need to unlock the host remotely).
---
 hosts/aptos/default.nix | 2 --
 hosts/carmel/boot.nix | 14 +++++++++++++
 hosts/carmel/default.nix | 11 +---------
 hosts/common/default.nix | 7 -------
 hosts/common/system/boot-ssh.nix | 21 -------------------
 hosts/common/system/boot.nix | 16 ---------------
 hosts/common/system/default.nix | 5 -----
 hosts/tahoe/default.nix | 5 ++++-
 lib/default.nix | 1 -
 modules/system/boot/default.nix | 44 ++++++++++++++++++++++++++++++++++++++++
 modules/system/default.nix | 6 +++++-
 11 files changed, 68 insertions(+), 64 deletions(-)
 create mode 100644 hosts/carmel/boot.nix
 delete mode 100644 hosts/common/default.nix
 delete mode 100644 hosts/common/system/boot-ssh.nix
 delete mode 100644 hosts/common/system/boot.nix
 delete mode 100644 hosts/common/system/default.nix
 create mode 100644 modules/system/boot/default.nix

diff --git a/hosts/aptos/default.nix b/hosts/aptos/default.nix
index aa012c9..8efb050 100644
--- a/hosts/aptos/default.nix
+++ b/hosts/aptos/default.nix
@@ -8,8 +8,6 @@
 ../common/desktop
 ];
- boot = { initrd = { luks.devices."system".allowDiscards = true; }; };
-
 virtualisation.docker = { enable = true; };
 virtualisation.containerd = {
diff --git a/hosts/carmel/boot.nix b/hosts/carmel/boot.nix
new file mode 100644
index 0000000..606215e
--- /dev/null
+++ b/hosts/carmel/boot.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ boot = {
+ # get an IP address on boot, so we can unlock the root disk remotely
+ kernelParams = [ "ip=dhcp" ];
+ initrd = {
+ # driver for the NIC, required in order to get an IP address
+ kernelModules = [ "igb" ];
+ };
+ };
+
+ my.system.boot = { initrd = { network.enable = true; }; };
+}
diff --git a/hosts/carmel/default.nix b/hosts/carmel/default.nix
index 7e48b5d..61599d6 100644
--- a/hosts/carmel/default.nix
+++ b/hosts/carmel/default.nix
@@ -3,6 +3,7 @@ {
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ./boot.nix
 ./sound.nix
 ./networking.nix
 ../common/desktop
@@ -10,16 +11,6 @@
 ../common/system/boot-ssh.nix
 ];
- boot = {
- # get an IP address on boot, so we can unlock the root disk remotely
- kernelParams = [ "ip=dhcp" ];
- initrd = {
- luks.devices."system".allowDiscards = true;
- # driver for the NIC, required in order to get an IP address
- kernelModules = [ "igb" ];
- };
- };
-
 hardware.opengl.driSupport = true;
 # This value determines the NixOS release from which the default
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
deleted file mode 100644
index 0361d27..0000000
--- a/hosts/common/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, pkgs, system, inputs, ... }:
-
-{
- imports = [
- ./system
- ];
-}
diff --git a/hosts/common/system/boot-ssh.nix b/hosts/common/system/boot-ssh.nix
deleted file mode 100644
index 2b865d5..0000000
--- a/hosts/common/system/boot-ssh.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- boot.initrd = {
- network = {
- enable = true;
- postCommands = ''
- echo "cryptsetup-askpass; exit" > /root/.profile
- '';
- ssh = {
- enable = true;
- port = 2222;
- hostKeys = [
- /etc/ssh/ssh_host_ed25519_key
- /etc/ssh/ssh_host_rsa_key
- ];
- authorizedKeys = config.users.users.fcuny.openssh.authorizedKeys.keys;
- };
- };
- };
-}
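Review bot: The second `hosts/carmel/default.nix` hunk still lists `../common/system/boot-ssh.nix` in `imports` (it is context on the new side, directly above `];`), yet this same commit deletes `hosts/common/system/boot-ssh.nix`, so carmel's configuration will presumably fail to evaluate with a missing path. The new `hosts/carmel/boot.nix` already replaces that file through `my.system.boot = { initrd = { network.enable = true; }; };`, so the fix is simply to remove the line `../common/system/boot-ssh.nix` from the import list. The enclosing `imports` list starts outside this hunk.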
diff --git a/hosts/common/system/boot.nix b/hosts/common/system/boot.nix
deleted file mode 100644
index 75433eb..0000000
--- a/hosts/common/system/boot.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-{
- boot = {
- loader = {
- # Use the systemd-boot EFI boot loader.
- systemd-boot.enable = true;
- # Prohibits gaining root access by passing init=/bin/sh as a kernel parameter
- systemd-boot.editor = false;
- efi.canTouchEfiVariables = true;
- };
-
- kernelPackages = pkgs.linuxPackages_latest;
- tmpOnTmpfs = true;
- };
-}
diff --git a/hosts/common/system/default.nix b/hosts/common/system/default.nix
deleted file mode 100644
index a4ef6cd..0000000
--- a/hosts/common/system/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ pkgs, ... }:
-
-{
- imports = [ ./boot.nix ];
-}
diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
index 9d11720..c72baa0 100644
--- a/hosts/tahoe/default.nix
+++ b/hosts/tahoe/default.nix
@@ -7,7 +7,10 @@
 ../profiles/nas.nix
 ];
- boot = { initrd = { luks.devices."system".allowDiscards = true; }; };
+ my.system.boot = {
+ tmp = { clean = true; };
+ initrd = { network.enable = true; };
+ };
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
diff --git a/lib/default.nix b/lib/default.nix
index 1a16e1c..e442357 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -14,7 +14,6 @@
 inputs.agenix.nixosModules.age
 ../modules
 ../profiles
- ../hosts/common
 ../hosts/${hostname}
 ./private-wireguard.nix
 {
diff --git a/modules/system/boot/default.nix b/modules/system/boot/default.nix
new file mode 100644
index 0000000..b037f63
--- /dev/null
+++ b/modules/system/boot/default.nix
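Review bot: `initrd = { network.enable = true; };` on tahoe turns on the initrd SSH unlock without the `kernelParams = [ "ip=dhcp" ]` and `initrd.kernelModules` that carmel's new `boot.nix` documents as required to obtain an address, so unless tahoe's hardware configuration already provides them the unlock prompt will presumably never be reachable over the network; the commit message itself flags this as unchecked. The address part is host-independent and could live in the module next to the `network` block as `kernelParams = lib.mkIf cfg.initrd.network.enable [ "ip=dhcp" ];`, leaving only the NIC driver to each host. Until that is verified, a comment on this hunk such as `# remote unlock also needs the NIC driver in boot.initrd.kernelModules` would record the prerequisite.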
@@ -0,0 +1,44 @@
+{ pkgs, config, lib, ... }:
+let cfg = config.my.system.boot;
+in {
+ options.my.system.boot = with lib; {
+ tmp = { clean = mkEnableOption "clean `/tmp` on boot."; };
+ initrd = {
+ network = { enable = mkEnableOption "enable SSH with initrd"; };
+ };
+ };
+
+ config = {
+ boot = {
+ loader = {
+ # Use the systemd-boot EFI boot loader.
+ systemd-boot.enable = true;
+ # Prohibits gaining root access by passing init=/bin/sh as a kernel parameter
+ systemd-boot.editor = false;
+ efi.canTouchEfiVariables = true;
+ };
+
+ kernelPackages = pkgs.linuxPackages_latest;
+ cleanTmpDir = cfg.tmp.clean;
+ tmpOnTmpfs = true;
+
+ initrd = {
+ luks.devices."system".allowDiscards = true;
+ network = lib.mkIf cfg.initrd.network.enable {
+ enable = true;
+ postCommands = ''
+ echo "cryptsetup-askpass; exit" > /root/.profile
+ '';
+ ssh = {
+ enable = true;
+ port = 2222;
+ hostKeys =
+ [ /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key ];
+ authorizedKeys =
+ config.users.users.fcuny.openssh.authorizedKeys.keys;
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/system/default.nix b/modules/system/default.nix
index 620ad2e..c39d1d2 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -1 +1,5 @@
-{ ... }: { imports = [ ./console ./locale ./nix ./users ./security ./btrfs ]; }
+{ ... }:
+
+ {
+ imports = [ ./boot ./console ./locale ./nix ./users ./security ./btrfs ];
+ }
--
cgit 1.4.1
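Review bot: `luks.devices."system".allowDiscards = true;` is now applied to every host that imports this module, where before each host opted in; discards are a deliberate trade-off (TRIM exposes which blocks of the encrypted volume are unused) and, on a host whose hardware scan does not define a LUKS device named `system`, this line alone presumably leaves a device entry with no `device` attribute, so it is better kept as an opt-in, e.g. `luks.allowDiscards = mkEnableOption "TRIM passthrough for the system LUKS device";` beside the `network` option and `luks.devices."system".allowDiscards = cfg.initrd.luks.allowDiscards;` here. Both `mkEnableOption` descriptions read badly once the helper prefixes "Whether to enable ", so use noun phrases: `clean = mkEnableOption "cleaning of /tmp on boot";` and `enable = mkEnableOption "SSH in the initrd for remote LUKS unlocking";`. `hostKeys` also copies the host's real `/etc/ssh` keys into the initrd, which sits on the unencrypted boot partition alongside the systemd-boot entries configured above, so anyone able to read that partition obtains the host's SSH identity; a dedicated initrd-only key pair limits what such access yields (this is carried over from the deleted boot-ssh.nix rather than introduced here).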