lanzabooteModule: implement configuration limit

nix/modules/lanzaboote.nix

@@ -5,11 +5,24 @@ let
   sbctlWithPki = pkgs.sbctl.override {
     databasePath = "/tmp/pki";
   };
+
+  configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;
 in
 {
   options.boot.lanzaboote = {
     enable = mkEnableOption "Enable the LANZABOOTE";
     enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
+    configurationLimit = mkOption {
+      default = null;
+      example = 120;
+      type = types.nullOr types.int;
+      description = lib.mdDoc ''
+        Maximum number of latest generations in the boot menu.
+        Useful to prevent boot partition running out of disk space.
+        `null` means no limit i.e. all generations
+        that were not garbage collected yet.
+      '';
+    };
     pkiBundle = mkOption {
       type = types.nullOr types.path;
       description = "PKI bundle containg db, PK, KEK";
@@ -49,6 +62,7 @@ in
         ${cfg.package}/bin/lanzatool install \
           --public-key ${cfg.publicKeyFile} \
           --private-key ${cfg.privateKeyFile} \
+          --configuration-limit ${toString configurationLimit} \
           ${config.boot.loader.efi.efiSysMountPoint} \
           /nix/var/nix/profiles/system-*-link
       '';