{ config, lib, ... }:
let
  cfg = config.snowflake.hardware;

  # The mount-point options default to "", which this module treats as
  # "not set"; fall back to the given value in that case.
  orDefault = fallback: value: if value != "" then value else fallback;

  # Loader configuration for EFI machines: systemd-boot plus the ESP settings.
  efiLoader = {
    systemd-boot = {
      enable = true;
      xbootldrMountPoint = orDefault null cfg.xbootldrMountPoint;
    };
    efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = orDefault "/boot" cfg.efiSysMountPoint;
    };
  };

  # Loader configuration for the non-EFI path: GRUB installed to the
  # configured disk device, with the EFI install done as "removable" so no
  # NVRAM entry is written.
  legacyLoader = {
    grub = {
      enable = true;
      device = cfg.diskDevice;
      useOSProber = true;
      efiSupport = true;
      efiInstallAsRemovable = true;
    };
  };
in
{
  options.snowflake.hardware = {
    isEfi = lib.mkEnableOption "pick systemd-boot if an EFI system or grub otherwise";
    diskDevice = lib.mkOption {
      type = lib.types.str;
      description = "path to disk device eg. /dev/sda";
    };
    isInitrdLuksUnlockingEnabled = lib.mkEnableOption "enable SSH in initrd to remotely unlock LUKS device";
    xbootldrMountPoint = lib.mkOption {
      type = lib.types.str;
      default = "";
      description = "mount point for boot";
    };
    efiSysMountPoint = lib.mkOption {
      type = lib.types.str;
      default = "";
      description = "mount point for efi";
    };
  };

  config = {
    boot = {
      loader = if cfg.isEfi then efiLoader else legacyLoader;

      # Remote LUKS unlock: a minimal sshd runs inside the initrd so the
      # encrypted root can be unlocked over the network. Connect with
      # `ssh root@<HOST>` (HOST is a placeholder for the machine's address)
      # and run `cryptsetup-askpass` to get the passphrase prompt.
      initrd = lib.mkIf cfg.isInitrdLuksUnlockingEnabled {
        network = {
          enable = true;
          # Tear down the initrd's network setup before stage 2 takes over so
          # the real system configures its interfaces from a clean state.
          flushBeforeStage2 = true;
          ssh = {
            enable = true;
            port = 22;
            # NOTE(review): the initrd image itself is not encrypted, so the key
            # file listed here is readable from the boot medium; a host key
            # generated only for the initrd, rather than the system's regular
            # sshd key, limits what that exposes — confirm which key this is.
            hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
            # Only this key may log in to the initrd shell.
            authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell" ];
          };
        };
      };

      # Have the kernel obtain an address via DHCP during early boot so the
      # initrd sshd is reachable.
      kernelParams = lib.mkIf cfg.isInitrdLuksUnlockingEnabled [ "ip=dhcp" ];
    };
  };
}