fix: deploy script did not set new generation

README.md

@@ -48,13 +48,9 @@
 - `root` root user imported by every host
 
 ## Flake output structure
-- `apps` executables used for editing this configuration
-    - `edit-secret` edit an age encrypted secret
-    - `rekey` rekey all secret files for the host's secret key, enabling agenix
-    - `rekey-save-output` only internal use
 - `checks` linting and other checks for this repository
     - `pre-commit-check` automatic checks executed as pre-commit hooks
-- `nixosNodes` top level configs for hosts
+- `nixosHosts` top level configs for hosts
 - `nodes` alias to `nixosNodes`
 - `devshell` development shell using devshell
 - `formatter` nix code formatter
@@ -85,6 +81,23 @@
 6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub
 5. Deploy system
 
+### Add secureboot to new systems
+1. generate keys with `sbct create-keys'
+1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot`
+1. Copy the tar to local using scp and encrypt it using rage
+1. safe the encrypted archive to `hosts/<host>/secrets/secureboot.tar.age`
+1. *DO NOT* forget to delete the unecrypted archives
+1. link `/run/secureboot` to `/etc/secureboot`
+1. This is necesarry since for your next apply the rekeyed keys are not yet available but needed for signing the boot files
+1. ensure the boot files are signed using `sbctl verify`
+1. Now reboot the computer into BIOS and enable secureboot
+    this may include removing any existing old keys
+1. bootctl should now read `Secure Boot: disabled (setup)`
+1. you can now enroll your secureboot keys using
+1. `sbctl enroll-keys`
+    If you want to be able to boot microsoft signed images append `--microsoft`
+1. Time to reboot and pray
+
 
 ## Deploy
 

modules/optional/secureboot.nix

@@ -4,30 +4,6 @@
   config,
   ...
 }: {
-  # HOW TO: Add secureboot to new systems
-  # generate keys with `sbct create-keys'
-  # tar the resulting folder using
-  # `tar cvf secureboot.tar -C /etc/secureboot .
-  # Copy the tar to local using scp
-  # and encrypt it using rage
-  # safe the encrypted archive to hosts/<host>/secrets/secureboot.tar.age
-  # DO NOT forget to delete the unecrypted archives
-  # link /run/secureboot to /etc/secureboot
-  # This is necesarry since for the first
-  # apply the rekeyed keys are not yet available but needed for
-  # signing the boot files
-  # ensure the boot files are signed using
-  # `sbctl verify'
-  # Now reboot the computer into BIOS and
-  # enable secureboot, this may include
-  # removing old keys
-  # bootctl should now read
-  # `Secure Boot: disabled (setup)'
-  # you can now enroll your secureboot keys using
-  # `sbctl enroll-keys`
-  # If you want to be able to boot microsoft signed images append
-  # `--microsoft`
-  # Time to reboot and pray
   environment.systemPackages = [
     # For debugging and troubleshooting Secure Boot.
     (pkgs.sbctl.override

pkgs/deploy.nix

@@ -72,8 +72,9 @@
       (
       exec > >(trap "" INT TERM; sed "s/^/$1: /")
       exec 2> >(trap "" INT TERM; sed "s/^/$1: /" >&2)
-          	# shellcheck disable=SC2029
+          	ssh "$1" -- /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$top_level" \
-          	ssh "$1" "$top_level/bin/switch-to-configuration" "$ACTION" \
+          	|| die "Error registering toplevel$1"
+          	ssh "$1" -- "$top_level/bin/switch-to-configuration" "$ACTION" \
           	|| die "Error activating toplevel for $1"
       )
           }