Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Same key with nixos-rebuild --target-host TARGET #268

Open
ikervagyok opened this issue Dec 9, 2023 · 4 comments
Open

Same key with nixos-rebuild --target-host TARGET #268

ikervagyok opened this issue Dec 9, 2023 · 4 comments

Comments

@ikervagyok
Copy link

When deploying to multiple devices via nixos-rebuild switch --flake .#TARGET --target-host TARGET, is there a way to use the same key to sign all TARGET's images without exposing the keys? (IOW: not clone/mount of the /etc/secureboot folder on every machine deployed)

Disclaimer

  • I'm not sure if this request makes sense. I may have misunderstood how the trusted computing efforts should look when you are issuing your own keys for all of your "corporate" devices (in my case: desktop, laptop, steamdeck)
  • If it makes sense, I'm sure there are semi-secure ways of mounting the secrets remotely before deploying and similar. but I'd like to do it the "correct" way. Something like this for every machine TARGET deployed to:
    1. secureboot on TARGET trusts a key
    2. kernels/... signed with that key arrive on TARGET
    3. TARGET never holds private key.

Situation

I've just switched over my primary laptop (a Thinkpad) to use lanzaboote as explained in the quickstart guide. I really like how it works, now I'd like to switch over my other devices as well. I have a unified Nixos config for all my machines and I'm remotely deploying them in this fashion: nixos-rebuild switch --flake '/repos/Config/#HOSTNAME' --target-host HOSTNAME.

@Aleksanaa
Copy link

You can try environment.etc.something.path with your keys stored in agenix or sops-nix.

@RaitoBezarius
Copy link
Member

We have multiple PRs which may enable this sort of usecase in multiple forms in the future, sorry for the delay.

@phozzy
Copy link

phozzy commented Dec 12, 2024

@RaitoBezarius What PR do you mean here? Is it already there? I have a similar scenario here #414

@RaitoBezarius
Copy link
Member

This one: #229 for example.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants