titaniumtown/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

secureboot keys things

Browse Source
This commit is contained in:
Simon Gardling 2025-03-25 23:43:03 -04:00
parent 9454b2723d
commit 551a87372f
Signed by: titaniumtown
GPG Key ID: 9AB28AC10ECE533D
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
etcnixos/system-mreow.nix
View File

@ -65,7 +65,7 @@ in
lanzaboote = { lanzaboote = {
enable = true; enable = true;
# TODO: proper secrets management so this is not stored in nix store # TODO: proper secrets management so this is not stored in nix store
pkiBundle = "${(untar { src = "${./secrets/secureboot.tar}"; })}"; pkiBundle = "/var/lib/sbctl";
}; };
# Bootloader. # Bootloader.
@ -80,6 +80,19 @@ in
}; };
}; };
system.activationScripts = {
# extract all my secureboot keys
"secureboot-keys".text = ''
#!/bin/sh
rm -fr ${config.boot.lanzaboote.pkiBundle} || true
mkdir -p ${config.boot.lanzaboote.pkiBundle}
${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 700 ${config.boot.lanzaboote.pkiBundle}
'';
};
programs.gamescope = { programs.gamescope = {
enable = true; enable = true;
capSysNice = true; capSysNice = true;