From 34474788473be30b0d86a936e1709f6da23490dc Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Tue, 25 Mar 2025 11:33:11 -0400
Subject: [PATCH] secureboot: restrictive file permissions
---
 configuration.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/configuration.nix b/configuration.nix
index 57f0ee0..b7f55ba 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -86,6 +86,8 @@
 rm -fr ${config.boot.lanzaboote.pkiBundle} || true
 mkdir -p ${config.boot.lanzaboote.pkiBundle}
 ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
+ chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+ chmod -R 700 ${config.boot.lanzaboote.pkiBundle}
 '';
 };
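Review bot: The added `chown -R`/`chmod -R` only take effect after `tar` has already unpacked the bundle into a directory made by a plain `mkdir -p`, so on every activation the keys briefly sit under whatever modes the umask and the archive supply. Creating the directory closed before extraction removes that window: `mkdir -m 700 -p ${config.boot.lanzaboote.pkiBundle}`. `chmod -R 700` also marks every key file executable; `chmod -R u=rwX,go= ${config.boot.lanzaboote.pkiBundle}` keeps directories traversable without that. Separately, `${./secrets/secureboot.tar}` is a Nix path literal, so the tarball itself is presumably copied into the world-readable /nix/store, and if it holds the private keys in plaintext these permissions do not cover that copy. The enclosing script block begins above the hunk, so this is judged from the visible lines only.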