secureboot keys

2024-09-19 13:31:56 -04:00 · 2024-09-19 13:31:56 -04:00 · 932b1f739b
commit 932b1f739b
parent 3700ff0ffe
6 changed files with 29 additions and 9 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1,2 +1,3 @@
 nix/home-manager/secrets/factorio.nix filter=git-agecrypt diff=git-agecrypt
 nix/etcnixos/secrets/wifi-passwords.nix filter=git-agecrypt diff=git-agecrypt
+nix/etcnixos/secrets/secureboot.tar filter=git-agecrypt diff=git-agecrypt
--- a/git-agecrypt.toml
+++ b/git-agecrypt.toml
@ -1,9 +1,13 @@
 [config]
-"nix/etcnixos/secrets/wifi-passwords.nix" = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH",
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi",
-]
 "nix/home-manager/secrets/factorio.nix" = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi",
 ]
+"nix/etcnixos/secrets/secureboot.tar" = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH",
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi",
+]
+"nix/etcnixos/secrets/wifi-passwords.nix" = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH",
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi",
+]
--- a/4
+++ b/4
@ -7,11 +7,11 @@ format_system:
    run0 nixfmt /etc/nixos

 system_update:
-    run0 nix flake update --flake /etc/nixos
+    run0 nix flake update /etc/nixos
    run0 nixos-rebuild boot --impure

 home_update:
-    nix flake update --flake ~/.config/home-manager
+    nix flake update ~/.config/home-manager
    rm -fr ~/.gtkrc-2.0
    home-manager switch --impure

--- a/nix/etcnixos/flake.lock
+++ b/nix/etcnixos/flake.lock
@ -332,11 +332,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1726759964,
-        "narHash": "sha256-d7ej4YWIxJs81uxlQSeiAUTqRLHJFhEtmbqIltKN1SI=",
+        "lastModified": 1726766095,
+        "narHash": "sha256-QapPXaSkDmiaJ3WcCIvF8vnyzCfuxd0xgUO+H7ShJ5E=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6886cfd66b1a58135d1e262d76834f77b2235f35",
+        "rev": "223f611353f687cc301b0285f4fabe015d100754",
        "type": "github"
      },
      "original": {
--- a/nix/etcnixos/secrets/secureboot.tar
+++ b/nix/etcnixos/secrets/secureboot.tar
--- a/nix/etcnixos/system-mreow.nix
+++ b/nix/etcnixos/system-mreow.nix
@ -109,4 +109,19 @@
  #weird hack to get swaylock working? idk, if you don't put this here, password entry doesnt work
  #if I move to another lock screen program, i will have to replace `swaylock`
  security.pam.services.swaylock = { };
+
+  system.activationScripts = {
+
+    "secureboot-keys".text =
+      let
+        secureboot_path = "/etc/secureboot";
+      in
+      ''
+        #!/bin/sh
+        rm -fr ${secureboot_path}
+        mkdir -p ${secureboot_path}
+        ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${secureboot_path}
+      '';
+
+  };
 }