From 5e8f5bf7f3d3de187e310daca932293314b93386 Mon Sep 17 00:00:00 2001
From: unexplrd
Date: Wed, 30 Apr 2025 00:33:56 +0300
Subject: [PATCH] hosts/dunamis: break up boot

Signed-off-by: unexplrd
---
hosts/dunamis/boot.nix | 56 ----------------------------------
hosts/dunamis/boot/default.nix | 38 +++++++++++++++++++++++
hosts/dunamis/boot/loader.nix | 15 +++++++++
3 files changed, 53 insertions(+), 56 deletions(-)
delete mode 100644 hosts/dunamis/boot.nix
create mode 100644 hosts/dunamis/boot/default.nix
create mode 100644 hosts/dunamis/boot/loader.nix

diff --git a/hosts/dunamis/boot.nix b/hosts/dunamis/boot.nix
deleted file mode 100644
index 65ea95d..0000000
--- a/hosts/dunamis/boot.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- pkgs,
- config,
- inputs,
- ...
-}: {
- imports = with inputs; [
- chaotic.nixosModules.default
- lanzaboote.nixosModules.lanzaboote
- ];
- boot = {
- # kernelPackages = pkgs.linuxPackages_latest;
- consoleLogLevel = 0;
- kernelPackages = pkgs.linuxPackages_cachyos;
- kernelModules = ["kvm-amd"];
- kernelParams = [
- # "mitigations=auto"
- # "spectre_v2=on"
- # "spectre_v2_user=on"
- # "spectre_bhi=on"
- # "spec_store_bypass_disable=on"
- # "tsx=off"
- # "kvm.nx_huge_pages=force"
- # "l1d_flush=on"
- "amd_iommu=force_isolation"
- "debugfs=off"
- "efi=disable_early_pci_dma"
- "gather_data_sampling=force"
- # "ia32_emulation=0"
- "intel_iommu=on"
- "iommu.passthrough=0"
- "iommu.strict=1"
- "iommu=force"
- # "lockdown=confidentiality"
- # "module.sig_enforce=1"
- "page_alloc.shuffle=1"
- # "reg_file_data_sampling=on"
- # "spec_rstack_overflow=safe-ret"
- "vsyscall=none"
- ];
- initrd = {
- availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
- systemd.enable = true; # needed for auto-unlocking with TPM
- };
- loader.efi.canTouchEfiVariables = true;
- loader.systemd-boot = {
- enable = !config.boot.lanzaboote.enable;
- consoleMode = "auto";
- };
- lanzaboote = {
- enable = true;
- pkiBundle = "/var/lib/sbctl";
- };
- plymouth.enable = true;
- };
-}
diff --git a/hosts/dunamis/boot/default.nix b/hosts/dunamis/boot/default.nix
new file mode 100644
index 0000000..5e541e4
--- /dev/null
+++ b/hosts/dunamis/boot/default.nix
@@ -0,0 +1,38 @@
+{
+ pkgs,
+ inputs,
+ ...
+}: {
+ imports = with inputs;
+ [
+ chaotic.nixosModules.default
+ lanzaboote.nixosModules.lanzaboote
+ ]
+ ++ [
+ ./loader.nix
+ ];
+ boot = {
+ # kernelPackages = pkgs.linuxPackages_latest;
+ plymouth.enable = true;
+ consoleLogLevel = 0;
+ kernelPackages = pkgs.linuxPackages_cachyos;
+ kernelParams = [
+ "amd_iommu=force_isolation"
+ "debugfs=off"
+ "efi=disable_early_pci_dma"
+ "gather_data_sampling=force"
+ "intel_iommu=on"
+ "iommu.passthrough=0"
+ "iommu.strict=1"
+ "iommu=force"
+ "page_alloc.shuffle=1"
+ "vsyscall=none"
+ # "ia32_emulation=0"
+ # "lockdown=confidentiality"
+ # "module.sig_enforce=1"
+ ];
+ initrd = {
+ systemd.enable = true; # needed for auto-unlocking with TPM
+ };
+ };
+}
diff --git a/hosts/dunamis/boot/loader.nix b/hosts/dunamis/boot/loader.nix
new file mode 100644
index 0000000..7c6c12c
--- /dev/null
+++ b/hosts/dunamis/boot/loader.nix
@@ -0,0 +1,15 @@
+{config, ...}: {
+ boot = {
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot = {
+ enable = !config.boot.lanzaboote.enable;
+ consoleMode = "auto";
+ };
+ };
+ };
+}
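Review bot: The new `boot/default.nix` silently drops two settings that the deleted `boot.nix` carried and that `loader.nix` does not pick up: `kernelModules = ["kvm-amd"];` and `initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];` (the diffstat's 56 deletions versus 53 insertions reflects this). Unless a hardware-configuration module outside this patch declares the same values, the initrd may lack the storage/USB drivers needed to reach the root device and TPM-unlock stage, so either re-add those lines under `boot` and `boot.initrd` here or mention in the commit message where they now come from. The commented-out mitigation candidates (`mitigations=auto`, the `spectre_*` entries, `tsx=off`, `l1d_flush=on`, `reg_file_data_sampling=on`, `spec_rstack_overflow=safe-ret`) were also dropped while three others were kept; if the list is meant as a record of hardening options still under evaluation, keeping it intact or noting the decision would avoid the question resurfacing later.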
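Review bot: In `loader.nix` the guard `enable = !config.boot.lanzaboote.enable;` now sits beside the hard-coded `lanzaboote.enable = true;`, so it always evaluates to false and reads as a tautology; a one-line comment such as `# lanzaboote supplies the signed systemd-boot stub, so the stock systemd-boot installer must stay off` would record the intent. Because the definition is at default priority, any other module that sets `boot.loader.systemd-boot.enable = true` (an installer-generated configuration typically does) yields a conflicting-definition error rather than being overridden; the lanzaboote documentation recommends `lib.mkForce false` for this reason, which here would be `{config, lib, ...}: {` and `enable = lib.mkForce (!config.boot.lanzaboote.enable);`. Whether such a conflicting definition exists in this flake cannot be seen from the patch.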