secureboot: cleanup script permissions

2026-03-28 04:15:26 -07:00
parent 2409d1b01b
commit 834f28f898
1 changed files with 12 additions and 11 deletions
--- a/modules/secureboot.nix
+++ b/modules/secureboot.nix
@@ -22,19 +22,20 @@
      deps = [ "agenix" ];
      text = ''
        #!/bin/sh
-        # Check if keys already exist (e.g., from disko-install)
-        if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
-          echo "Secureboot keys already present, skipping extraction"
+        (
+          umask 077
+          # Check if keys already exist (e.g., from disko-install)
+          if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
+            echo "Secureboot keys already present, skipping extraction"
+          else
+            echo "Extracting secureboot keys from agenix"
+            rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+            install -d -o root -g wheel -m 0500 ${config.boot.lanzaboote.pkiBundle}
+            ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
+          fi
          chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
          chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
-        else
-          echo "Extracting secureboot keys from agenix"
-          rm -fr ${config.boot.lanzaboote.pkiBundle} || true
-          mkdir -p ${config.boot.lanzaboote.pkiBundle}
-          ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
-          chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
-          chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
-        fi
+        )
      '';
    };
  };