From 30efd12531b655af34ec1219d6b919cf81ab643b Mon Sep 17 00:00:00 2001
From: mjallen18
Date: Mon, 17 Mar 2025 22:04:23 -0500
Subject: [PATCH] secureboot on nas eventually maybe
---
 .sops.yaml | 1 +
 hosts/nas/sops.nix | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/.sops.yaml b/.sops.yaml
index 665d500..80ed639 100755
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,5 +13,6 @@ creation_rules:
 - *matt
 - *matt_pi4
 - *desktop
+ - *admin
 - *jallen-nas
 - *pi4
\ No newline at end of file
diff --git a/hosts/nas/sops.nix b/hosts/nas/sops.nix
index ac36e80..1d9476b 100755
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
@@ -112,6 +112,41 @@
 mode = "0600";
 };
+ sops.secrets."secureboot/GUID" = {
+ path = "/etc/secureboot/GUID";
+ mode = "0600";
+ };
+
+ sops.secrets."secureboot/keys/db-key" = {
+ path = "/etc/secureboot/keys/db/db.key";
+ mode = "0600";
+ };
+
+ sops.secrets."secureboot/keys/db-pem" = {
+ path = "/etc/secureboot/keys/db/db.pem";
+ mode = "0600";
+ };
+
+ sops.secrets."secureboot/keys/KEK-key" = {
+ path = "/etc/secureboot/keys/KEK/KEK.key";
+ mode = "0600";
+ };
+
+ sops.secrets."secureboot/keys/KEK-pem" = {
+ path = "/etc/secureboot/keys/KEK/KEK.pem";
+ mode = "0600";
+ };
+
+ sops.secrets."secureboot/keys/PK-key" = {
+ path = "/etc/secureboot/keys/PK/PK.key";
+ mode = "0600";
+ };
+
+ sops.secrets."secureboot/keys/PK-pem" = {
+ path = "/etc/secureboot/keys/PK/PK.pem";
+ mode = "0600";
+ };
+
 # Permission modes are in octal representation (same as chmod),
 # the digits represent: user|group|others
 # 7 - full (rwx)
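Review bot: Adding `*admin` to this key group widens who can decrypt every file the rule matches, and the rule's `path_regex` sits outside the hunk, so it is not visible which secrets that covers. If the Secure Boot keys added in hosts/nas/sops.nix are stored in a file matched by this rule, all six recipients (including the desktop and pi4 hosts) would be able to decrypt the PK and KEK private keys; a separate creation rule listing only the NAS and an admin key would keep that set narrower. Files that were already encrypted under this rule also need `sops updatekeys <file>` before the new recipient can read them. A short comment above the list naming which secrets file these recipients are for would record the intent.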
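Review bot: All three private keys (`PK.key`, `KEK.key`, `db.key`) are materialised on the NAS by these entries, so root on that one host holds the whole Secure Boot key hierarchy rather than only the signing key. Signing boot images normally needs only the db key pair, so consider dropping the `secureboot/keys/PK-key` and `secureboot/keys/KEK-key` entries and keeping those two keys offline for enrollment and rotation only. The `.pem` certificates and `GUID` are not secret, so `mode = "0600"` is harmless there but could be `"0444"` if a non-root tool has to read them. A comment above the block such as `# Secure Boot key material; only db.key is needed at runtime` would make the intended exposure explicit. The attribute set these entries belong to starts and ends outside the hunk.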