stuff

2025-05-30 22:59:10 +02:00 · 2025-05-30 22:59:10 +02:00 · ed3b006970
commit ed3b006970
parent 5a65308798
7 changed files with 179 additions and 56 deletions
--- a/common/secure-boot.nix
+++ b/common/secure-boot.nix
@ -1,12 +1,24 @@
-{self, attrName, config, lib, pkgs, ...}: let
+{
+  self,
+  attrName,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
  inherit (config.age) secrets;
-in{
+in
+{
  age.secrets.secure-boot.file = self + /secrets/secure-boot/${attrName}.tar.age;

-  system.activationScripts.secureboot = let
-    target = config.boot.lanzaboote.pkiBundle;
-  in ''
-    mkdir --parents ${target}
-    ${lib.getExe pkgs.gnutar} --extract --file ${secrets.secure-boot.path} --directory ${target}
-  '';
+  system.activationScripts.secureboot =
+    let
+      target = config.boot.lanzaboote.pkiBundle;
+    in
+    ''
+      rm --recursive --force -- ${lib.escapeShellArg target}
+      mkdir --parents -- ${lib.escapeShellArg target}
+      ${lib.getExe pkgs.gnutar} --extract --file ${lib.escapeShellArg secrets.secure-boot.path} --directory ${lib.escapeShellArg target}
+    '';
 }