peripheral-firmware: extract on boot by default

[Enzime]

This improves the situation for flake users, as previously they had to either add the non-redistributable firmware to their repositories or go without the firmware.

This change also brings the ISO into line with the regular NixOS modules as storing the peripheral firmware in the Nix Store is no longer a requirement.

[tpwrules]

I do not think I agree with this change at this time.

1. It exposes us to race conditions between drivers which need the firmware and the extraction of it.
2. It means firmware is less controlled by the generational mechanism which could create incompatibilities in updates. Admittedly this is not exceptionally well defined by default but these changes would make rolling back a firmware ESP file update through the bootloader menu impossible.
3. It brings Python and a bunch of libraries into the system closure.

Let's revisit this once the mechanism by which firmware updates occur is defined. I will give some more thought to the flakes case in a bit. It might even be possible to grab the firmware files ourselves using bits of the installer and sidestep this issue.

[MatthewCroughan]

Is it possible we could have this available as a module option, off by default? I would like to use it, but would have to maintain my own fork of nixos-apple-silicon, or use @Enzime's branch if it's not maintained here.

[nrabulinski]

@tpwrules would you be more willing to accept this change if the extraction happened during stage-1 boot instead of stage-2? Then to my knowledge there should be no race. Admittedly there's still the issue of not having the firmware tied to the generation, but if we moved firmware initialization/extraction from this PR to stage-1, we could also utilize something like agenix for encrypting the firmware and then decrypting it during stage-1, so if someone wants to have their config public, they still could. WDYT?

[tpwrules]

Asahi Linux has not really changed on this aspect unfortunately, and I still think this PR is an awkward middle. I don't think a stage one hugely improves the issues I raised earlier, and there are some more issues like firmware being bigger and slower to extract (lengthening boot), and limited EFI partition space meaning large initrds are a big problem and I suspect an entire Python installation is bigger than the firmware.

It would be extremely awesome, and probably an unfeasible amount of work, if we could write a derivation that downloads the macOS installer ISO and extracts the firmware much like the Apple Silicon installer does. This could at its base be done with ranged requests to avoid downloading whole dozen gigabytes, and there might be Python libraries now that let us mount the images to copy the files out. I don't recall exactly how the installer does it but it has some shortcuts here we could reuse and improve upon as the files we need are relatively small.

But the more pragmatic solution I think is to simply use boot.initrd.prepend or similar (maybe it needs to be an adjustment to the kernel or systemd-boot command line; I have not looked at this in a while) to load the firmware.cpio archive like other distros do, combined with a NixOS option to use this mode. It would need instructions, a tool, or perhaps a systemd service to re-run the extractor and update that archive but that is updated pretty rarely still. It would also still have downside 2, but again that's not a huge issue in practice it has turned out. I would happily accept such a PR if you could prepare one or modify this one; I know this has been an issue for a long time now.

[Enzime]

Someone has already done that here with Nix even: https://github.com/JJJollyjim/firmware-abomination

I no longer use Asahi so I don't have much interest in updating this PR