fix: deploy script did not set new generation

2023-09-26 15:55:21 +02:00 · 2023-09-26 15:55:21 +02:00 · 4b81b90d50
parent f2bc1b799a
commit 4b81b90d50
3 changed files with 21 additions and 31 deletions
--- a/README.md
+++ b/README.md
@ -48,13 +48,9 @@
 - `root` root user imported by every host

 ## Flake output structure
- `apps` executables used for editing this configuration
-    - `edit-secret` edit an age encrypted secret
-    - `rekey` rekey all secret files for the host's secret key, enabling agenix
-    - `rekey-save-output` only internal use
 - `checks` linting and other checks for this repository
    - `pre-commit-check` automatic checks executed as pre-commit hooks
- `nixosNodes` top level configs for hosts
+- `nixosHosts` top level configs for hosts
 - `nodes` alias to `nixosNodes`
 - `devshell` development shell using devshell
 - `formatter` nix code formatter
@ -85,6 +81,23 @@
 6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub
 5. Deploy system

+### Add secureboot to new systems
+1. generate keys with `sbct create-keys'
+1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot`
+1. Copy the tar to local using scp and encrypt it using rage
+1. safe the encrypted archive to `hosts/<host>/secrets/secureboot.tar.age`
+1. *DO NOT* forget to delete the unecrypted archives
+1. link `/run/secureboot` to `/etc/secureboot`
+1. This is necesarry since for your next apply the rekeyed keys are not yet available but needed for signing the boot files
+1. ensure the boot files are signed using `sbctl verify`
+1. Now reboot the computer into BIOS and enable secureboot
+    this may include removing any existing old keys
+1. bootctl should now read `Secure Boot: disabled (setup)`
+1. you can now enroll your secureboot keys using
+1. `sbctl enroll-keys`
+    If you want to be able to boot microsoft signed images append `--microsoft`
+1. Time to reboot and pray
+

 ## Deploy

--- a/modules/optional/secureboot.nix
+++ b/modules/optional/secureboot.nix
@ -4,30 +4,6 @@
  config,
  ...
 }: {
-  # HOW TO: Add secureboot to new systems
-  # generate keys with `sbct create-keys'
-  # tar the resulting folder using
-  # `tar cvf secureboot.tar -C /etc/secureboot .
-  # Copy the tar to local using scp
-  # and encrypt it using rage
-  # safe the encrypted archive to hosts/<host>/secrets/secureboot.tar.age
-  # DO NOT forget to delete the unecrypted archives
-  # link /run/secureboot to /etc/secureboot
-  # This is necesarry since for the first
-  # apply the rekeyed keys are not yet available but needed for
-  # signing the boot files
-  # ensure the boot files are signed using
-  # `sbctl verify'
-  # Now reboot the computer into BIOS and
-  # enable secureboot, this may include
-  # removing old keys
-  # bootctl should now read
-  # `Secure Boot: disabled (setup)'
-  # you can now enroll your secureboot keys using
-  # `sbctl enroll-keys`
-  # If you want to be able to boot microsoft signed images append
-  # `--microsoft`
-  # Time to reboot and pray
  environment.systemPackages = [
    # For debugging and troubleshooting Secure Boot.
    (pkgs.sbctl.override
--- a/pkgs/deploy.nix
+++ b/pkgs/deploy.nix
@ -72,8 +72,9 @@
      (
      exec > >(trap "" INT TERM; sed "s/^/[0;32m$1:[0m /")
      exec 2> >(trap "" INT TERM; sed "s/^/[0;32m$1:[0m /" >&2)
-          	# shellcheck disable=SC2029
-          	ssh "$1" "$top_level/bin/switch-to-configuration" "$ACTION" \
+          	ssh "$1" -- /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$top_level" \
+          	|| die "Error registering toplevel$1"
+          	ssh "$1" -- "$top_level/bin/switch-to-configuration" "$ACTION" \
          	|| die "Error activating toplevel for $1"
      )
          }