diff --git a/README.md b/README.md index bc39466..5339ec3 100644 --- a/README.md +++ b/README.md @@ -48,13 +48,9 @@ - `root` root user imported by every host ## Flake output structure -- `apps` executables used for editing this configuration - - `edit-secret` edit an age encrypted secret - - `rekey` rekey all secret files for the host's secret key, enabling agenix - - `rekey-save-output` only internal use - `checks` linting and other checks for this repository - `pre-commit-check` automatic checks executed as pre-commit hooks -- `nixosNodes` top level configs for hosts +- `nixosHosts` top level configs for hosts - `nodes` alias to `nixosNodes` - `devshell` development shell using devshell - `formatter` nix code formatter @@ -85,6 +81,23 @@ 6. Retrieve hostkeys using `ssh-keyscan | grep -o 'ssh-ed25519.*' > host//secrets/host.pub 5. Deploy system +### Add secureboot to new systems +1. generate keys with `sbct create-keys' +1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot` +1. Copy the tar to local using scp and encrypt it using rage +1. safe the encrypted archive to `hosts//secrets/secureboot.tar.age` +1. *DO NOT* forget to delete the unecrypted archives +1. link `/run/secureboot` to `/etc/secureboot` +1. This is necesarry since for your next apply the rekeyed keys are not yet available but needed for signing the boot files +1. ensure the boot files are signed using `sbctl verify` +1. Now reboot the computer into BIOS and enable secureboot + this may include removing any existing old keys +1. bootctl should now read `Secure Boot: disabled (setup)` +1. you can now enroll your secureboot keys using +1. `sbctl enroll-keys` + If you want to be able to boot microsoft signed images append `--microsoft` +1. Time to reboot and pray + ## Deploy diff --git a/modules/optional/secureboot.nix b/modules/optional/secureboot.nix index b60f42d..6136158 100644 --- a/modules/optional/secureboot.nix +++ b/modules/optional/secureboot.nix 
@@ -4,30 +4,6 @@
 config,
 ...
 }: {
- # HOW TO: Add secureboot to new systems
- # generate keys with `sbct create-keys'
- # tar the resulting folder using
- # `tar cvf secureboot.tar -C /etc/secureboot .
- # Copy the tar to local using scp
- # and encrypt it using rage
- # safe the encrypted archive to hosts//secrets/secureboot.tar.age
- # DO NOT forget to delete the unecrypted archives
- # link /run/secureboot to /etc/secureboot
- # This is necesarry since for the first
- # apply the rekeyed keys are not yet available but needed for
- # signing the boot files
- # ensure the boot files are signed using
- # `sbctl verify'
- # Now reboot the computer into BIOS and
- # enable secureboot, this may include
- # removing old keys
- # bootctl should now read
- # `Secure Boot: disabled (setup)'
- # you can now enroll your secureboot keys using
- # `sbctl enroll-keys`
- # If you want to be able to boot microsoft signed images append
- # `--microsoft`
- # Time to reboot and pray
 environment.systemPackages = [
 # For debugging and troubleshooting Secure Boot.
 (pkgs.sbctl.override
diff --git a/pkgs/deploy.nix b/pkgs/deploy.nix
index 1a58731..55c878a 100644
--- a/pkgs/deploy.nix
+++ b/pkgs/deploy.nix
@@ -72,8 +72,9 @@
 (
 exec > >(trap "" INT TERM; sed "s/^/$1: /")
 exec 2> >(trap "" INT TERM; sed "s/^/$1: /" >&2)
- # shellcheck disable=SC2029
- ssh "$1" "$top_level/bin/switch-to-configuration" "$ACTION" \
+ ssh "$1" -- /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$top_level" \
+ || die "Error registering toplevel$1"
+ ssh "$1" -- "$top_level/bin/switch-to-configuration" "$ACTION" \
 || die "Error activating toplevel for $1"
 )
 }
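Review bot: The failure message on the second added line of the deploy.nix hunk drops the separator that the existing message uses, so the host name runs straight into the word; `|| die "Error registering toplevel for $1"` keeps it consistent with `"Error activating toplevel for $1"` two lines below. Removing the `# shellcheck disable=SC2029` directive while both ssh commands still expand `$top_level` and `$ACTION` on the client side will likely make shellcheck report SC2029 on each of them, which matters if the repository's pre-commit hooks run shellcheck; the client-side expansion is intentional here, so the directive should be kept, once per ssh line. Those expanded values are re-parsed by the remote login shell, so the local double quotes around `"$top_level"` protect nothing on the far side; store paths and the action names contain only safe characters, but a one-line comment stating that assumption would help the next reader. The function enclosing this subshell begins before the hunk.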