So, the best option is to separate /boot from the ESP so that only the boot loader executable itself is on the ESP. This can’t be done with systemd-boot on NixOS until this PR is merged. In the meantime, you can use Grub. You can mount the ESP to its own mountpoint, typically /boot/efi or /efi (I think /efi is generally preferred these days). Grub will read boot files from /boot during boot. Your NixOS config should have something like this:
```nix
boot.loader = {
  grub = {
    enable = true;
    device = "nodev";
    efiSupport = true;
  };
  efi = {
    efiSysMountPoint = "/efi";
    canTouchEfiVariables = true;
  };
};
```
As for /boot itself, it depends. If you want to switch to systemd-boot when that PR is merged, it needs to be its own partition with the right type code in GPT, formatted with vfat.
But Grub is more flexible. /boot can just be a directory in your regular root fs, or it can be its own partition formatted with any FS that Grub understands. If your root fs is encrypted, then storing /boot on the root fs would require `boot.loader.grub.enableCryptodisk = true;`, but I strongly recommend against Grub’s LUKS support. Instead, if your root fs is encrypted, I recommend just using an unencrypted separate /boot partition.
So to put it simply: My recommendation is to mount the ESP separately from /boot, setting efiSysMountPoint to match. Enable Grub with efiSupport = true;. There should be a separate vfat partition for /boot, and it should have the GPT partition type code for “Linux extended boot” (as described in the cfdisk TUI) so that you can switch to systemd-boot later when that PR has been merged.
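The layout recommended above, written out as a complete NixOS module (an added example, not code from the original post). The partition labels `ESP`, `BOOT` and `ROOT` and the LUKS mapper name `cryptroot` are assumptions; the GPT type GUIDs are the standard ones for "EFI System" and "Linux extended boot".

```nix
# Added example, not from the original post. Partition labels and the LUKS
# device name are assumptions; adjust them to your disk.
{ config, pkgs, ... }:
{
  # ESP: small vfat partition, GPT type "EFI System"
  # (C12A7328-F81F-11D2-BA4B-00A0C93EC93B). Only grubx64.efi lives here.
  fileSystems."/efi" = {
    device = "/dev/disk/by-partlabel/ESP";
    fsType = "vfat";
    options = [ "umask=0077" ]; # boot loader image not world-readable
  };

  # /boot: separate, unencrypted vfat partition with GPT type
  # "Linux extended boot" (BC13C2FF-59E6-4262-A352-B275FD6F7172), e.g.
  #   sgdisk --typecode=2:BC13C2FF-59E6-4262-A352-B275FD6F7172 /dev/sdX
  # GRUB reads kernels and initrds from here; systemd-boot can take over
  # later without repartitioning.
  fileSystems."/boot" = {
    device = "/dev/disk/by-partlabel/BOOT";
    fsType = "vfat";
    options = [ "umask=0077" ];
  };

  # Encrypted root. Because /boot is outside LUKS, GRUB never has to unlock
  # it, so boot.loader.grub.enableCryptodisk stays at its default (false).
  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-partlabel/ROOT";
  fileSystems."/" = {
    device = "/dev/mapper/cryptroot";
    fsType = "ext4";
  };

  boot.loader = {
    grub = {
      enable = true;
      device = "nodev";   # EFI install, no MBR target
      efiSupport = true;
    };
    efi = {
      efiSysMountPoint = "/efi";   # must match the ESP mountpoint above
      canTouchEfiVariables = true;
    };
  };
}
```

After `nixos-rebuild switch`, `lsblk -o NAME,PARTTYPE,FSTYPE,MOUNTPOINT` should show the ESP on /efi and the BC13C2FF-type vfat partition on /boot.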