From 834f28f89863b226c0b1e60a9cff38efecefaf29 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Sat, 28 Mar 2026 04:15:26 -0700
Subject: [PATCH] secureboot: cleanup script permissions

---
 modules/secureboot.nix | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/modules/secureboot.nix b/modules/secureboot.nix
index 472a602..d425c40 100644
--- a/modules/secureboot.nix
+++ b/modules/secureboot.nix
@@ -22,19 +22,20 @@
 deps = [ "agenix" ];
 text = ''
 #!/bin/sh
- # Check if keys already exist (e.g., from disko-install)
- if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
- echo "Secureboot keys already present, skipping extraction"
+ (
+ umask 077
+ # Check if keys already exist (e.g., from disko-install)
+ if [[ -d ${config.boot.lanzaboote.pkiBundle} && -f ${config.boot.lanzaboote.pkiBundle}/db.key ]]; then
+ echo "Secureboot keys already present, skipping extraction"
+ else
+ echo "Extracting secureboot keys from agenix"
+ rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+ install -d -o root -g wheel -m 0500 ${config.boot.lanzaboote.pkiBundle}
+ ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
+ fi
 chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
 chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
- else
- echo "Extracting secureboot keys from agenix"
- rm -fr ${config.boot.lanzaboote.pkiBundle} || true
- mkdir -p ${config.boot.lanzaboote.pkiBundle}
- ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
- chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
- chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
- fi
+ )
 '';
 };
 };
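Review bot: The added `umask 077` does not constrain the extracted key files, because GNU tar run as root restores the modes stored in the archive by default (`--same-permissions` is implied for the superuser), so the files carry whatever mode the tarball was created with until the later `chmod -R 500` runs. Passing `--no-same-permissions` makes the extraction honor the umask: `${pkgs.gnutar}/bin/tar --no-same-permissions -xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}`. The exposure is limited in practice, since the directory is now created with `install -d -m 0500` before extraction and non-root users cannot traverse it, but the umask line reads as if it were the protection and it is not. Separately, the new `if [[ ... ]]` line sits under a `#!/bin/sh` header; this presumably works because the activation text is inlined into a bash script, but a comment saying so, or `[ ... ] && [ ... ]`, would remove the ambiguity. The enclosing activation-script attribute starts before this hunk.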