50 lines
1.5 KiB
Nix
50 lines
1.5 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
inputs,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
inputs.lanzaboote.nixosModules.lanzaboote
|
|
];
|
|
|
|
boot = {
|
|
loader.systemd-boot.enable = lib.mkForce false;
|
|
|
|
lanzaboote = {
|
|
enable = true;
|
|
# sbctl expects the bundle at /var/lib/sbctl; muffin uses /etc/secureboot
|
|
# because it is wiped on every activation there (impermanence) — desktops
|
|
# extract to the historical sbctl path so existing tooling keeps working.
|
|
pkiBundle = "/var/lib/sbctl";
|
|
};
|
|
};
|
|
|
|
system.activationScripts = {
|
|
# Extract the secureboot PKI bundle from the agenix-decrypted tar. Mirrors
|
|
# modules/server-lanzaboote-agenix.nix; skip when keys are already present
|
|
# (e.g., disko-install staged them via --extra-files).
|
|
"secureboot-keys" = {
|
|
deps = [ "agenix" ];
|
|
text = ''
|
|
#!/bin/sh
|
|
(
|
|
umask 077
|
|
if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
|
|
echo "secureboot keys already present, skipping extraction"
|
|
else
|
|
echo "extracting secureboot keys from agenix"
|
|
rm -fr ${config.boot.lanzaboote.pkiBundle} || true
|
|
install -d -o root -g wheel -m 0500 ${config.boot.lanzaboote.pkiBundle}
|
|
${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
|
|
fi
|
|
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
|
|
chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
|
|
)
|
|
'';
|
|
};
|
|
};
|
|
}
|