lanzabooteModule: implement configuration limit

This commit is contained in:
nikstur 2022-12-25 20:50:30 +01:00
parent 9daf9ae0a8
commit eca0ea67fe
1 changed files with 14 additions and 0 deletions


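--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -5,11 +5,24 @@ let
   sbctlWithPki = pkgs.sbctl.override {
     databasePath = "/tmp/pki";
   };
+  configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;
 in
 {
   options.boot.lanzaboote = {
     enable = mkEnableOption "Enable the LANZABOOTE";
     enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
+    configurationLimit = mkOption {
+      default = null;
+      example = 120;
+      type = types.nullOr types.int;
+      description = lib.mdDoc ''
+        Maximum number of latest generations in the boot menu.
+        Useful to prevent boot partition running out of disk space.
+        `null` means no limit i.e. all generations
+        that were not garbage collected yet.
+      '';
+    };
     pkiBundle = mkOption {
       type = types.nullOr types.path;
       description = "PKI bundle containg db, PK, KEK";
@@ -49,6 +62,7 @@ in
       ${cfg.package}/bin/lanzatool install \
         --public-key ${cfg.publicKeyFile} \
         --private-key ${cfg.privateKeyFile} \
+        --configuration-limit ${toString configurationLimit} \
         ${config.boot.loader.efi.efiSysMountPoint} \
         /nix/var/nix/profiles/system-*-link
     '';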
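Review bot: The sentinel mapping in the new let binding, `if cfg.configurationLimit == null then 0 else cfg.configurationLimit`, makes an explicit `configurationLimit = 0` indistinguishable from `null`, and `types.int` also admits negative values that reach `--configuration-limit` unchecked. Tightening the option to `type = types.nullOr types.ints.positive;` keeps 0 and negatives out of the module so the null-to-0 translation is the only path to "no limit". The option description should also state how that case reaches the tool, e.g. appending `When null, the module passes 0 to lanzatool, which is expected to treat it as unlimited.` — that expectation is inferred from this hunk and should be confirmed against lanzatool's CLI. Both the let block and the install script begin outside the hunks, and `cfg` is bound outside them.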