secureboot keys things

2025-03-25 23:43:03 -04:00 · 2025-03-25 23:43:03 -04:00 · 551a87372f
commit 551a87372f
parent 9454b2723d
1 changed files with 14 additions and 1 deletions
--- a/etcnixos/system-mreow.nix
+++ b/etcnixos/system-mreow.nix
@ -65,7 +65,7 @@ in
    lanzaboote = {
      enable = true;
      # TODO: proper secrets management so this is not stored in nix store
-      pkiBundle = "${(untar { src = "${./secrets/secureboot.tar}"; })}";
+      pkiBundle = "/var/lib/sbctl";
    };

    # Bootloader.
@ -80,6 +80,19 @@ in
    };
  };

+  system.activationScripts = {
+    # extract all my secureboot keys
+    "secureboot-keys".text = ''
+      #!/bin/sh
+      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+      mkdir -p ${config.boot.lanzaboote.pkiBundle}
+      ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
+      chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+      chmod -R 700 ${config.boot.lanzaboote.pkiBundle}
+    '';
+  };
+
+
  programs.gamescope = {
    enable = true;
    capSysNice = true;