nix-config/modules/nixos/boot/common/default.nix
mjallen18 70002a19e2 hmm
2026-04-07 18:39:42 -05:00


# NixOS module with the boot defaults shared between hosts: a quiet boot,
# bcachefs/btrfs support, x86_64 binary emulation on aarch64 through box64,
# zram swap, and an optional YubiKey-unlocked LUKS root.
{
  config,
  pkgs,
  system,
  lib,
  namespace,
  ...
}:
let
  inherit (lib)
    getExe
    mkDefault
    mkIf
    mkOverride
    types
    ;
  inherit (lib.${namespace}) mkBoolOpt mkOpt;

  # This module's own options and the disko options it depends on.
  commonBoot = config.${namespace}.boot.common;
  diskoOpts = config.${namespace}.hardware.disko;

  # Name of the disko root partition; used below both as the LUKS device name
  # and as the /dev/disk/by-label entry. Only evaluated when the LUKS branch is.
  rootName = config.disko.devices.disk.main.content.partitions.root.name;

  # True on either aarch64 platform string.
  onAarch64 = builtins.elem system [
    "aarch64-linux"
    "aarch64-darwin"
  ];

  # Priority 90 sits between a plain definition and mkForce, so hosts can still
  # override these with mkForce.
  preferred = mkOverride 90;
in
{
  options.${namespace}.boot.common = {
    enable = mkBoolOpt true "Enable common boot stuff";
    yubikeyEncryption = mkBoolOpt false "Enable Yubikey root encryption";
    yubikeyGracePeriod = mkOpt types.int 180 "Time to wait for yubikey in seconds";
  };

  config = mkIf commonBoot.enable {
    # Fail evaluation early if YubiKey unlock is requested without the
    # disko-managed LUKS layout it relies on.
    assertions = [
      {
        assertion = commonBoot.yubikeyEncryption -> diskoOpts.enableLuks;
        message = "mjallen.boot.common.yubikeyEncryption requires mjallen.hardware.disko.enableLuks = true.";
      }
      {
        assertion = commonBoot.yubikeyEncryption -> diskoOpts.enable;
        message = "mjallen.boot.common.yubikeyEncryption requires mjallen.hardware.disko.enable = true (disko-managed disk layout).";
      }
    ];

    boot = {
      kernelModules = [ "kvm" ];

      # Quiet boot: these defaults, together with consoleLogLevel = 0 and
      # initrd.verbose = false, hide most boot-time messages from the console.
      # All are mkDefault, so a host can turn logging back up when debugging.
      kernelParams = mkDefault [
        "quiet"
        "splash"
        "udev.log_level=3"
      ];
      consoleLogLevel = mkDefault 0;

      bootspec.enable = !onAarch64;

      supportedFilesystems.bcachefs = preferred true;
      supportedFilesystems.btrfs = preferred true;
      bcachefs.package = preferred pkgs.${namespace}.bcachefs;

      # On aarch64, hand x86_64 ELF executables (matched by magic/mask) to box64.
      binfmt = mkIf onAarch64 {
        registrations."x86_64-linux" = {
          magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
          mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
          interpreter = getExe pkgs.box64;
          openBinary = true;
          preserveArgvZero = true;
          # NOTE(review): per the kernel binfmt_misc documentation, the
          # credentials flag computes the new process's credentials from the
          # matched binary rather than the interpreter, so a setuid-root x86_64
          # binary would run box64 with root privileges. Confirm this is needed;
          # if not, leaving it off keeps the emulator out of the privileged path.
          matchCredentials = true;
          fixBinary = false;
        };
      };

      initrd = {
        verbose = mkDefault false;

        # Disabled experiments, kept for reference:
        # availableKernelModules = {
        #   bcachefs = lib.mkOverride 90 true;
        #   btrfs = lib.mkOverride 90 true;
        # };
        # kernelModules = {
        #   bcachefs = lib.mkOverride 90 true;
        #   btrfs = lib.mkOverride 90 true;
        # };
        # systemd.storePaths = with pkgs; [
        #   bcachefs-tools
        # ];

        # YubiKey unlock of the root LUKS device, only when opted in.
        luks = mkIf commonBoot.yubikeyEncryption {
          devices.${rootName}.yubikey = {
            # NOTE(review): the NixOS option docs describe `storage` as the
            # unencrypted device holding the salt and `path` as the salt file
            # on it. Here the device is the by-label entry named after the root
            # partition and the path is "/", a directory. Verify this resolves
            # to a readable salt file at boot.
            storage = {
              device = "/dev/disk/by-label/${rootName}";
              fsType = diskoOpts.filesystem;
              path = "/";
            };
            slot = 2;
            # NOTE(review): with twoFactor off, the NixOS docs describe unlock
            # as YubiKey-only (no passphrase), so possession of the token alone
            # opens the volume. Confirm this matches the threat model for
            # lost/stolen hardware.
            twoFactor = false;
            gracePeriod = commonBoot.yubikeyGracePeriod;
          };
        };
      };
    };

    zramSwap.enable = mkDefault true;
  };
}