authorKJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>2026-01-07 19:27:59 +1100
committerKJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>2026-01-07 19:27:59 +1100
commit6f11c79d88e692bebb69b2e12bfde9f52f8df55c (patch)
treeaa01ecda312b1910428b9128335e62d86402732b /labsrv01
parent2e6a6722c29a8d6345ab81dd72354ea41a8474ac (diff)
use facter good
Diffstat (limited to 'labsrv01')
-rw-r--r--labsrv01/configuration.nix26
1 files changed, 26 insertions, 0 deletions
diff --git a/labsrv01/configuration.nix b/labsrv01/configuration.nix
index 9d37f38..81dae08 100644
--- a/labsrv01/configuration.nix
+++ b/labsrv01/configuration.nix
@@ -10,6 +10,7 @@
imports = [
./disk-config.nix
];
+ hardware.facter.reportPath = ./facter.json;
nix = {
extraOptions = ''
@@ -134,4 +135,29 @@
RemainAfterExit = true;
};
};
+
+ # Create and enroll Secure Boot keys on first boot
+ systemd.services.sbctl-setup = {
+ description = "Create and enroll Secure Boot keys";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ echo "Creating Secure Boot keys..."
+ ${pkgs.sbctl}/bin/sbctl create-keys
+
+ # Check if we're in Setup Mode
+ if ${pkgs.sbctl}/bin/sbctl status | grep -q "Setup Mode"; then
+ echo "UEFI is in Setup Mode, enrolling keys..."
+ ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
+ else
+ echo "WARNING: UEFI is not in Setup Mode. Please clear Secure Boot keys in UEFI and reboot."
+ fi
+ '';
+ };
}
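Review bot: The `unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID"` gate tracks key creation, not enrollment. Assuming `sbctl create-keys` writes that GUID file, a first boot that ends in the `else` branch leaves the unit skipped on every later boot, so following the warning (clear the keys and reboot) never enrolls anything. Creating keys only when they are missing, e.g. `[ -e /var/lib/sbctl/GUID ] || ${pkgs.sbctl}/bin/sbctl create-keys`, and gating the unit on a marker written after a successful `enroll-keys` would let it retry. Separately, `grep -q "Setup Mode"` matches the label, which as far as I know `sbctl status` prints whether setup mode is enabled or disabled, so the `else` branch may be unreachable and `enroll-keys` would run against locked firmware. Matching the value instead, something like `grep -Eq "Setup Mode:.*Enabled"`, would fix that once checked against the packaged sbctl's actual output.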