hosts/dunamis: break up boot

Signed-off-by: unexplrd <unexplrd@linerds.us>
2025-04-30 00:33:56 +03:00
parent 6279b93b1e
commit 5e8f5bf7f3
3 changed files with 53 additions and 56 deletions
--- a/hosts/dunamis/boot.nix
+++ b/hosts/dunamis/boot.nix
@ -1,56 +0,0 @@
-{
-  pkgs,
-  config,
-  inputs,
-  ...
-}: {
-  imports = with inputs; [
-    chaotic.nixosModules.default
-    lanzaboote.nixosModules.lanzaboote
-  ];
-  boot = {
-    # kernelPackages = pkgs.linuxPackages_latest;
-    consoleLogLevel = 0;
-    kernelPackages = pkgs.linuxPackages_cachyos;
-    kernelModules = ["kvm-amd"];
-    kernelParams = [
-      # "mitigations=auto"
-      # "spectre_v2=on"
-      # "spectre_v2_user=on"
-      # "spectre_bhi=on"
-      # "spec_store_bypass_disable=on"
-      # "tsx=off"
-      # "kvm.nx_huge_pages=force"
-      # "l1d_flush=on"
-      "amd_iommu=force_isolation"
-      "debugfs=off"
-      "efi=disable_early_pci_dma"
-      "gather_data_sampling=force"
-      # "ia32_emulation=0"
-      "intel_iommu=on"
-      "iommu.passthrough=0"
-      "iommu.strict=1"
-      "iommu=force"
-      # "lockdown=confidentiality"
-      # "module.sig_enforce=1"
-      "page_alloc.shuffle=1"
-      # "reg_file_data_sampling=on"
-      # "spec_rstack_overflow=safe-ret"
-      "vsyscall=none"
-    ];
-    initrd = {
-      availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-      systemd.enable = true; # needed for auto-unlocking with TPM
-    };
-    loader.efi.canTouchEfiVariables = true;
-    loader.systemd-boot = {
-      enable = !config.boot.lanzaboote.enable;
-      consoleMode = "auto";
-    };
-    lanzaboote = {
-      enable = true;
-      pkiBundle = "/var/lib/sbctl";
-    };
-    plymouth.enable = true;
-  };
-}
--- a/hosts/dunamis/boot/default.nix
+++ b/hosts/dunamis/boot/default.nix
@ -0,0 +1,38 @@
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = with inputs;
+    [
+      chaotic.nixosModules.default
+      lanzaboote.nixosModules.lanzaboote
+    ]
+    ++ [
+      ./loader.nix
+    ];
+  boot = {
+    # kernelPackages = pkgs.linuxPackages_latest;
+    plymouth.enable = true;
+    consoleLogLevel = 0;
+    kernelPackages = pkgs.linuxPackages_cachyos;
+    kernelParams = [
+      "amd_iommu=force_isolation"
+      "debugfs=off"
+      "efi=disable_early_pci_dma"
+      "gather_data_sampling=force"
+      "intel_iommu=on"
+      "iommu.passthrough=0"
+      "iommu.strict=1"
+      "iommu=force"
+      "page_alloc.shuffle=1"
+      "vsyscall=none"
+      # "ia32_emulation=0"
+      # "lockdown=confidentiality"
+      # "module.sig_enforce=1"
+    ];
+    initrd = {
+      systemd.enable = true; # needed for auto-unlocking with TPM
+    };
+  };
+}
--- a/hosts/dunamis/boot/loader.nix
+++ b/hosts/dunamis/boot/loader.nix
@ -0,0 +1,15 @@
+{config, ...}: {
+  boot = {
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot = {
+        enable = !config.boot.lanzaboote.enable;
+        consoleMode = "auto";
+      };
+    };
+  };
+}