feat: introduce lanzaboote profile

2025-12-06 09:07:21 +01:00 · 2024-12-28 13:13:53 +01:00 · 2024-12-28 13:13:53 +01:00 · c011c9bfdd
commit c011c9bfdd
parent 71a9020d17
6 changed files with 65 additions and 58 deletions
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -78,14 +78,14 @@ function update_sops_file() {

    SOPS_FILE=".sops.yaml"
    sed -i "{
-                                            # Remove any * and & entries for this host
-                                            /[*&]$key_name/ d;
-                                            # Inject a new age: entry
-                                            # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
-                                            /age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
-                                            # Inject a new hosts or user: entry
-                                            /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
-                                            }" $SOPS_FILE
+                                              # Remove any * and & entries for this host
+                                              /[*&]$key_name/ d;
+                                              # Inject a new age: entry
+                                              # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
+                                              /age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
+                                              # Inject a new hosts or user: entry
+                                              /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
+                                              }" $SOPS_FILE
    green "Updating .sops.yaml"
    cd -
 }
@ -210,10 +210,8 @@ fi
 green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
 $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"

-if [[ $SECUREBOOT == "true" ]]; then
-    green "Injecting initialSetup"
-    $ssh_root_cmd "sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
-fi
+green "Injecting initialSetup"
+$ssh_root_cmd "sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"

 mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
 $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
@ -244,10 +242,10 @@ if [[ $SECUREBOOT == "true" ]]; then
    read -ra scp_call <<< "${scp_cmd}"
    sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
    $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
-    # ------------------------
-    green "restoring hardware-configuration"
-    sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
 fi
+# ------------------------
+green "Disabling initialSetup"
+sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix

 if [ -n "$persist_dir" ]; then
    $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"