install: cleanup key and secrets handling

2025-11-20 21:02:33 -05:00 · 2025-11-20 21:02:33 -05:00 · bc55d4203f
commit bc55d4203f
parent 8d420ea86b
4 changed files with 5 additions and 6 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1,3 +1,3 @@
 secrets/** filter=git-crypt diff=git-crypt
-usb-secrets/usb-secrets/usb-secrets-key filter=git-crypt diff=git-crypt
+usb-secrets/usb-secrets-key* filter=git-crypt diff=git-crypt

--- a/install.sh
+++ b/install.sh
@ -30,12 +30,12 @@ trap cleanup EXIT

 # Decrypt secureboot keys using the key in the repo
 echo "Decrypting secureboot keys..."
-if [[ ! -f "$FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key" ]]; then
-    echo "Error: usb-secrets-key not found at $FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key"
+if [[ ! -f "$FLAKE_DIR/usb-secrets/usb-secrets-key" ]]; then
+    echo "Error: usb-secrets-key not found at $FLAKE_DIR/usb-secrets/usb-secrets-key"
    exit 1
 fi

-nix-shell -p age --run "age -d -i '$FLAKE_DIR/usb-secrets/usb-secrets/usb-secrets-key' '$FLAKE_DIR/secrets/secureboot.tar.age'" | \
+nix-shell -p age --run "age -d -i '$FLAKE_DIR/usb-secrets/usb-secrets-key' '$FLAKE_DIR/secrets/secureboot.tar.age'" | \
    tar -x -C /tmp/secureboot

 echo "Secureboot keys extracted"
@ -56,4 +56,4 @@ sudo $DISKO_INSTALL \
    --flake "$FLAKE_DIR#muffin" \
    --disk main "$DISK" \
    --extra-files /tmp/secureboot /etc/secureboot \
-    --extra-files "$FLAKE_DIR/usb-secrets/usb-secrets" /mnt/usb-secrets
+    --extra-files "$FLAKE_DIR/usb-secrets/usb-secrets-key" /mnt/usb-secrets/usb-secrets-key
--- a/usb-secrets/usb-secrets/usb-secrets-key
+++ b/usb-secrets/usb-secrets/usb-secrets-key
--- a/usb-secrets/usb-secrets/usb-secrets-key.pub
+++ b/usb-secrets/usb-secrets/usb-secrets-key.pub
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8+eSX2LH5wEHVG9sSv97ceD5zdTarV0lRvoUso4A7p USB secrets decryption key
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8+eSX2LH5wEHVG9sSv97ceD5zdTarV0lRvoUso4A7p USB secrets decryption key`