feat(boot): configure systemd-boot and GRUB based on options

2026-06-17 02:06:32 +05:30 · 2026-05-10 04:54:52 +05:30
parent bd6055cae5
commit cb3389bce6
2 changed files with 34 additions and 8 deletions
--- a/modules/nixos/boot/loader.nix
+++ b/modules/nixos/boot/loader.nix
@@ -1,8 +1,29 @@
 {
-  flake.modules.nixos.boot = {
+  flake.modules.nixos.boot =
+    { config, lib, ... }:
+    let
+      cfg = config.tnix.boot;
+    in
+    {
+      options.tnix.boot.legacy = {
+        enable = lib.mkEnableOption "legacy boot (GRUB) instead of systemd-boot";
+      };
+
+      config = lib.mkMerge [
+        {
          boot.loader = {
            timeout = 1;
            efi.canTouchEfiVariables = true;
          };
+        }
+
+        (lib.mkIf (!cfg.legacy.enable && !cfg.secure-boot.enable) {
+          boot.loader.systemd-boot.enable = true;
+        })
+
+        (lib.mkIf cfg.legacy.enable {
+          boot.loader.grub.enable = true;
+        })
+      ];
    };
 }
--- a/modules/nixos/boot/secure-boot.nix
+++ b/modules/nixos/boot/secure-boot.nix
@@ -18,11 +18,16 @@
      };

      config = lib.mkIf cfg.secure-boot.enable {
-        environment.systemPackages = [
-          pkgs.sbctl
+        assertions = [
+          {
+            assertion = !cfg.legacy.enable;
+            message = "secure-boot and legacy boot (GRUB) cannot be enabled at the same time";
+          }
        ];

-        # Lanzaboote currently replaces the systemd-boot module.
+        environment.systemPackages = [ pkgs.sbctl ];
+
+        # Lanzaboote replaces systemd-boot, so force it off
        boot.loader.systemd-boot.enable = lib.mkForce false;

        boot.lanzaboote = {