| author | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 20:20:11 +1100 |
|---|---|---|
| committer | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 20:20:11 +1100 |
| commit | 83a656c9033fec6fd9c6a44d19af3efb1c471891 (patch) | |
| tree | 0205d1a83596adab3c17fdf8994e04cc20f82f07 /labsrv01/configuration.nix | |
| parent | 6456bd1bb272de217f08228534c5bc9c3796be73 (diff) | |
secureboot
Diffstat (limited to 'labsrv01/configuration.nix')
| -rw-r--r-- | labsrv01/configuration.nix | 31 |
1 files changed, 4 insertions, 27 deletions
diff --git a/labsrv01/configuration.nix b/labsrv01/configuration.nix
index eda606d..0642b65 100644
--- a/labsrv01/configuration.nix
+++ b/labsrv01/configuration.nix
@@ -9,6 +9,7 @@
 {
 imports = [
 ./disk-config.nix
+ ./secureboot.nix
 ];
 hardware.facter.reportPath = ./facter.json;
@@ -17,9 +18,11 @@
 experimental-features = ca-derivations nix-command flakes
 '';
 settings = {
+ trusted-users = [ "root" "kjtsanaktsidis" ];
 substituters = [
 "https://cache.nixos.org"
- "https://cache.ngi0.nixos.org/"
+ # the ca-derivations cache seems to be down
+ # "https://cache.ngi0.nixos.org/"
 ];
 trusted-public-keys = [
 "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
@@ -42,7 +45,6 @@
 };
 };
- boot.loader.systemd-boot.enable = true;
 system.stateVersion = "25.11";
 swapDevices = [ {
@@ -135,29 +137,4 @@
 RemainAfterExit = true;
 };
 };
-
- # Create and enroll Secure Boot keys on first boot
- systemd.services.sbctl-setup = {
- description = "Create and enroll Secure Boot keys";
- wantedBy = [ "multi-user.target" ];
- unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- script = ''
- echo "Creating Secure Boot keys..."
- ${pkgs.sbctl}/bin/sbctl create-keys
- # Check if we're in Setup Mode
- if ${pkgs.sbctl}/bin/sbctl status | grep -q "Setup Mode"; then
- echo "UEFI is in Setup Mode, enrolling keys..."
- ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
- else
- echo "WARNING: UEFI is not in Setup Mode. Please clear Secure Boot keys in UEFI and reboot."
- fi
- '';
- };
 } |
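Review bot: The added `trusted-users = [ "root" "kjtsanaktsidis" ];` in the second hunk gives that account daemon privileges equivalent to root, because a trusted user can pass arbitrary substituters and signing keys to nix-daemon, and nothing in the hunk records why that grant is needed; a comment such as `# trusted-users can override substituters/keys, i.e. effectively root on this host` would make the grant deliberate rather than incidental. In the same hunk the ngi0 substituter is commented out but its key stays in `trusted-public-keys` on the following context line, so paths signed under that key are still accepted from any remaining substituter; either comment the key out together with the URL or note why it is kept. The removal of `boot.loader.systemd-boot.enable` and of the `sbctl-setup` service presumably moves that logic into the newly imported `./secureboot.nix`, which is outside this diff, so the replacement cannot be confirmed here.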
