From 74d3631b69ec02eb103c3b5da7401007923dbbac Mon Sep 17 00:00:00 2001
From: Conor Budworth
Date: Sun, 9 Nov 2025 21:57:20 +0100
Subject: [PATCH] Add firstboot.sh

---
 firstboot.sh | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 firstboot.sh

diff --git a/firstboot.sh b/firstboot.sh
new file mode 100644
index 0000000..f77fdce
--- /dev/null
+++ b/firstboot.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+source /root/install/.env || true
+
+log() { echo "[firstboot] $*"; }
+
+log "Starting Secure Boot setup"
+
+if [[ "${SECUREBOOT_ENABLE}" == true ]]; then
+    mkdir -p "${SECUREBOOT_KEY_DIR}"
+    cd "${SECUREBOOT_KEY_DIR}"
+
+    if ! sbctl status &>/dev/null; then
+        log "Initialising sbctl and creating keys"
+        sbctl create-keys
+    fi
+
+    log "Signing boot binaries"
+    sbctl sign -s /boot/EFI/Linux/*.efi || true
+    sbctl sign -s /boot/EFI/BOOT/*.efi || true
+
+    log "Verifying signatures"
+    sbctl verify
+fi
+
+if [[ "${TPM2_ENABLE}" == true ]]; then
+    log "Re-enrolling TPM2 after Secure Boot enabled"
+    systemd-cryptenroll --tpm2-device=auto /dev/disk/by-partlabel/"Linux LUKS" || true
+fi
+
+log "Disabling firstboot service"
+systemctl disable firstboot.service
+
+log "Secure boot setup complete"
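Review bot: Under `set -u`, the `|| true` on `source /root/install/.env` means a missing or unreadable env file does not stop the script there but makes the later `"${SECUREBOOT_ENABLE}"` and `"${TPM2_ENABLE}"` expansions abort as unbound variables, and since that happens before `systemctl disable firstboot.service`, the one-shot unit stays enabled and re-runs on every boot. Defaulting the flags, `if [[ "${SECUREBOOT_ENABLE:-false}" == true ]]; then` and `if [[ "${TPM2_ENABLE:-false}" == true ]]; then`, and logging a failed source instead of silencing it keeps the misconfiguration visible without the retry loop. The TPM2 step swallows its own failure with `|| true`, so "Secure boot setup complete" is logged even when re-enrollment did not happen, which is plausible in a non-interactive service because enrolling a new slot needs an existing unlock credential; the volume is then left relying on whatever TPM2 binding existed before Secure Boot was enabled. Capture the status and log it explicitly, and if the intent is to replace the pre-Secure-Boot binding rather than add to it, pass `--wipe-slot=tpm2` alongside `--tpm2-device=auto` so the stale slot does not remain enrolled. The two `sbctl sign -s ... || true` lines likewise hide an unsigned or unmatched binary (an unmatched glob passes the literal pattern to sbctl), so `sbctl verify` is the only check left and should be relied on only if it exits non-zero for unsigned files.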