From 83b3f4de851813c0cd05c680cd6385f7852e18f0 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Thu, 30 Oct 2025 00:23:32 -0400
Subject: [PATCH] secureboot fixes I think
---
 install.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++
 secureboot.nix | 18 ++++++++++-----
 2 files changed, 72 insertions(+), 5 deletions(-)
 create mode 100755 install.sh
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..66f5bd4
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DISK="${1:-}"
+FLAKE_DIR="$(dirname "$(realpath "$0")")"
+
+if [[ -z "$DISK" ]]; then
+ echo "Usage: $0 "
+ echo "Example: $0 /dev/nvme0n1"
+ echo " $0 /dev/sda"
+ exit 1
+fi
+
+if [[ ! -b "$DISK" ]]; then
+ echo "Error: $DISK is not a block device"
+ exit 1
+fi
+
+echo "Installing NixOS to $DISK using flake at $FLAKE_DIR"
+
+# Create temporary directory for secureboot keys
+mkdir -p /tmp/secureboot
+
+# Function to cleanup on exit
+cleanup() {
+ echo "Cleaning up..."
+ rm -rf /tmp/secureboot 2>/dev/null || true
+}
+trap cleanup EXIT
+
+# Decrypt secureboot keys using the key in the repo
+echo "Decrypting secureboot keys..."
+if [[ ! -f "$FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key" ]]; then
+ echo "Error: usb-secrets-key not found at $FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key"
+ exit 1
+fi
+
+nix-shell -p age --run "age -d -i '$FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key' '$FLAKE_DIR/secrets/secureboot.tar.age'" | \
+ tar -x -C /tmp/secureboot
+
+echo "Secureboot keys extracted"
+
+# Check if disko-install is available
+if ! command -v disko-install >/dev/null 2>&1; then
+ echo "Running disko-install via nix..."
+ DISKO_INSTALL="nix run github:nix-community/disko#disko-install --"
+else
+ DISKO_INSTALL="disko-install"
+fi
+
+echo "Running disko-install to partition, format, and install NixOS..."
+
+# Run disko-install with secureboot keys available
+sudo $DISKO_INSTALL \
+ --mode format \
+ --flake "$FLAKE_DIR#muffin" \
+ --disk main "$DISK" \
+ --extra-files /tmp/secureboot /etc/secureboot \
+ --extra-files "$FLAKE_DIR/usb-secrets/usb-secrets" /mnt/usb-secrets
diff --git a/secureboot.nix b/secureboot.nix
index ac78827..472a602 100644
--- a/secureboot.nix
+++ b/secureboot.nix
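Review bot: The decrypted Secure Boot signing keys are unpacked into the fixed, world-writable-parent path `/tmp/secureboot`, created with `mkdir -p` so a directory or symlink another local user planted there beforehand is silently reused, and extracted under the caller's default umask, so until `cleanup` runs the private key material may be readable by other users; a fresh `mktemp -d` directory under `umask 077`, as in the excerpt below, removes both problems. The same hunk runs `nix run github:nix-community/disko#disko-install` under `sudo` with no pinned revision, so whatever is on disko's default branch at install time executes as root on the installer — pin a rev (or use the flake's own disko input) rather than an unpinned ref. `sudo $DISKO_INSTALL` depends on word-splitting a string; the idiomatic form is an array, `DISKO_INSTALL=(nix run github:nix-community/disko#disko-install --)` and `sudo "${DISKO_INSTALL[@]}"`. `rm -rf /tmp/secureboot 2>/dev/null || true` in `cleanup` also hides a failure to delete the key material, which is exactly the failure you want to see; with a `:?`-guarded variable the suppression is unnecessary.
```shell
# Private Secure Boot keys are decrypted here: use a fresh 0700 directory,
# not a predictable, possibly pre-existing path under /tmp.
umask 077
SB_TMP="$(mktemp -d)"
cleanup() {
  echo "Cleaning up..."
  rm -rf -- "${SB_TMP:?}"
}
trap cleanup EXIT
# … unchanged: usb-secrets-key existence check …
nix-shell -p age --run "age -d -i '$FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key' '$FLAKE_DIR/secrets/secureboot.tar.age'" | \
  tar -x -C "$SB_TMP"
# … unchanged: disko-install lookup and the sudo invocation up to --disk …
  --extra-files "$SB_TMP" /etc/secureboot \
```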
@@ -22,11 +22,19 @@
 deps = [ "agenix" ];
 text = ''
 #!/bin/sh
- rm -fr ${config.boot.lanzaboote.pkiBundle} || true
- mkdir -p ${config.boot.lanzaboote.pkiBundle}
- ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
- chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
- chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+ # Check if keys already exist (e.g., from disko-install)
+ if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
+ echo "Secureboot keys already present, skipping extraction"
+ chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+ chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+ else
+ echo "Extracting secureboot keys from agenix"
+ rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+ mkdir -p ${config.boot.lanzaboote.pkiBundle}
+ ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
+ chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+ chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+ fi
 '';
 };
 };
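Review bot: The new fast path skips extraction whenever `${config.boot.lanzaboote.pkiBundle}/db.key` exists, so after this change rotating the `secureboot-tar` agenix secret never replaces the keys on disk, and whatever already sits at that path — not the agenix-provided bundle — is what lanzaboote signs with; at minimum say so in the comment, e.g. `# NOTE: an existing bundle always wins over the agenix secret; to rotate keys, delete the directory first`, or compare the on-disk files against the freshly extracted archive before deciding to skip. `[[ … && … ]]` is a bashism while the script text declares `#!/bin/sh`; if this really runs under sh, write `if [ -d ${config.boot.lanzaboote.pkiBundle} ] && [ -f ${config.boot.lanzaboote.pkiBundle}/db.key ]; then`. The `-f …/db.key` test also assumes a flat bundle; if the tarball follows sbctl's `keys/db/db.key` layout the condition never matches and the else branch runs on every activation — worth confirming against the archive, which is not visible here. The enclosing attribute set begins before the hunk.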