From eca0ea67fe34658246228510dd318b9c5a276b5e Mon Sep 17 00:00:00 2001
From: nikstur
Date: Sun, 25 Dec 2022 20:50:30 +0100
Subject: [PATCH] lanzabooteModule: implement configuration limit

---
 nix/modules/lanzaboote.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index 3942e5b..07ff7ab 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@@ -5,11 +5,24 @@ let
 sbctlWithPki = pkgs.sbctl.override {
 databasePath = "/tmp/pki";
 };
+
+ configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;
 in
 {
 options.boot.lanzaboote = {
 enable = mkEnableOption "Enable the LANZABOOTE";
 enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
+ configurationLimit = mkOption {
+ default = null;
+ example = 120;
+ type = types.nullOr types.int;
+ description = lib.mdDoc ''
+ Maximum number of latest generations in the boot menu.
+ Useful to prevent boot partition running out of disk space.
+ `null` means no limit i.e. all generations
+ that were not garbage collected yet.
+ '';
+ };
 pkiBundle = mkOption {
 type = types.nullOr types.path;
 description = "PKI bundle containg db, PK, KEK";
@@ -49,6 +62,7 @@ in
 ${cfg.package}/bin/lanzatool install \
 --public-key ${cfg.publicKeyFile} \
 --private-key ${cfg.privateKeyFile} \
+ --configuration-limit ${toString configurationLimit} \
 ${config.boot.loader.efi.efiSysMountPoint} \
 /nix/var/nix/profiles/system-*-link
 '';
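Review bot: The `null -> 0` sentinel in the new `configurationLimit` let-binding (first hunk) collides with a user who explicitly sets `0`, and `types.int` also admits negative values, which `--configuration-limit ${toString configurationLimit}` in the second hunk would hand to lanzatool as text such as `-1` that an argument parser may read as a flag rather than a value. Whether lanzatool treats 0 as "unlimited" is not visible in this patch, so the contract is better pinned on the module side: `type = types.nullOr types.ints.positive;` keeps the null sentinel unambiguous and rejects negatives at evaluation time, and the description could state `Must be a positive integer when set.` A short comment on the let-binding would also help the next reader, e.g. `# lanzatool is passed 0 for "no limit"; null is mapped here so the flag is always present`. Both the `let` block of the first hunk and the install script string of the second start outside their hunks.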