titaniumtown/server-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

secureboot fixes I think

Browse Source
This commit is contained in:
Simon Gardling 2025-10-30 00:23:32 -04:00
parent e2ba51580b
commit 83b3f4de85
Signed by: titaniumtown
GPG Key ID: 9AB28AC10ECE533D
2 changed files with 72 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
install.sh Executable file
View File

@ -0,0 +1,59 @@
#!/usr/bin/env bash
set -euo pipefail
DISK="${1:-}"
FLAKE_DIR="$(dirname "$(realpath "$0")")"
if [[ -z "$DISK" ]]; then
echo "Usage: $0 <disk_device>"
echo "Example: $0 /dev/nvme0n1"
echo " $0 /dev/sda"
exit 1
fi
if [[ ! -b "$DISK" ]]; then
echo "Error: $DISK is not a block device"
exit 1
fi
echo "Installing NixOS to $DISK using flake at $FLAKE_DIR"
# Create temporary directory for secureboot keys
mkdir -p /tmp/secureboot
# Function to cleanup on exit
cleanup() {
echo "Cleaning up..."
rm -rf /tmp/secureboot 2>/dev/null || true
}
trap cleanup EXIT
# Decrypt secureboot keys using the key in the repo
echo "Decrypting secureboot keys..."
if [[ ! -f "$FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key" ]]; then
echo "Error: usb-secrets-key not found at $FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key"
exit 1
fi
nix-shell -p age --run "age -d -i '$FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key' '$FLAKE_DIR/secrets/secureboot.tar.age'" | \
tar -x -C /tmp/secureboot
echo "Secureboot keys extracted"
# Check if disko-install is available
if ! command -v disko-install >/dev/null 2>&1; then
echo "Running disko-install via nix..."
DISKO_INSTALL="nix run github:nix-community/disko#disko-install --"
else
DISKO_INSTALL="disko-install"
fi
echo "Running disko-install to partition, format, and install NixOS..."
# Run disko-install with secureboot keys available
sudo $DISKO_INSTALL \
--mode format \
--flake "$FLAKE_DIR#muffin" \
--disk main "$DISK" \
--extra-files /tmp/secureboot /etc/secureboot \
--extra-files "$FLAKE_DIR/usb-secrets/usb-secrets" /mnt/usb-secrets

8
secureboot.nix
View File

@ -22,11 +22,19 @@
deps = [ "agenix" ]; deps = [ "agenix" ];
text = '' text = ''
#!/bin/sh #!/bin/sh
# Check if keys already exist (e.g., from disko-install)
if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
echo "Secureboot keys already present, skipping extraction"
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
else
echo "Extracting secureboot keys from agenix"
rm -fr ${config.boot.lanzaboote.pkiBundle} || true rm -fr ${config.boot.lanzaboote.pkiBundle} || true
mkdir -p ${config.boot.lanzaboote.pkiBundle} mkdir -p ${config.boot.lanzaboote.pkiBundle}
${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle} ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle} chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 500 ${config.boot.lanzaboote.pkiBundle} chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
fi
''; '';
}; };
}; };