secureboot fixes I think

2025-10-30 00:23:32 -04:00
parent e2ba51580b
commit 83b3f4de85
2 changed files with 72 additions and 5 deletions
--- a/secureboot.nix
+++ b/secureboot.nix
@@ -22,11 +22,19 @@
      deps = [ "agenix" ];
      text = ''
        #!/bin/sh
-        rm -fr ${config.boot.lanzaboote.pkiBundle} || true
-        mkdir -p ${config.boot.lanzaboote.pkiBundle}
-        ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
-        chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
-        chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+        # Check if keys already exist (e.g., from disko-install)
+        if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
+          echo "Secureboot keys already present, skipping extraction"
+          chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+          chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+        else
+          echo "Extracting secureboot keys from agenix"
+          rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+          mkdir -p ${config.boot.lanzaboote.pkiBundle}
+          ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
+          chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+          chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+        fi
      '';
    };
  };