modules/config: init new module

Signed-off-by: unexplrd <unexplrd@linerds.us>

modules/nixos/config/boot/default.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}: {
+  imports = with inputs; [
+    chaotic.nixosModules.default
+    ./loader.nix
+    ./lanzaboote.nix
+  ];
+  boot = {
+    plymouth.enable = true;
+    consoleLogLevel = 0;
+    kernelPackages = pkgs.linuxPackages_cachyos;
+    kernelParams = [
+      "amd_iommu=force_isolation"
+      "debugfs=off"
+      "efi=disable_early_pci_dma"
+      "gather_data_sampling=force"
+      "intel_iommu=on"
+      "iommu.passthrough=0"
+      "iommu.strict=1"
+      "iommu=force"
+      "page_alloc.shuffle=1"
+      "vsyscall=none"
+      # "ia32_emulation=0"
+      # "lockdown=confidentiality"
+      # "module.sig_enforce=1"
+    ];
+    initrd = {
+      systemd.enable = true; # needed for auto-unlocking with TPM
+      systemd.tpm2.enable = config.module.config.tpmDiskUnlock;
+    };
+  };
+}

modules/nixos/config/boot/lanzaboote.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}: {
+  imports = with inputs; [
+    lanzaboote.nixosModules.lanzaboote
+  ];
+  boot = {
+    lanzaboote = {
+      enable = config.module.config.secureBoot;
+      pkiBundle = "/var/lib/sbctl";
+    };
+    loader.systemd-boot.enable = lib.mkDefault (!config.boot.lanzaboote.enable);
+  };
+}

modules/nixos/config/boot/loader.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  boot.loader = {
+    timeout = 3;
+    efi.canTouchEfiVariables = true;
+    systemd-boot = {
+      enable = true;
+      consoleMode = "auto";
+      configurationLimit = lib.mkOverride 1337 10;
+    };
+  };
+}