feat: ✨ read config from a file inside /etc

install.fish

@@ -2,6 +2,9 @@
 cp ./src/snap-pac-uki.fish /usr/local/bin/snap-pac-uki
 echo "installed creation script."
 
+cp ./src/config.fish /etc/snap-pac-uki/config.fish
+echo "installed config script."
+
 cp ./pacman/* /usr/share/libalpm/hooks/
 echo "installed pacman hooks."
 

src/config.fish

@@ -0,0 +1,44 @@
+function config -d "sets some configuration variables"
+
+    # A directory where ukis can be built.
+    #
+    # It is recommended to keep this within /tmp, as the generated data will not
+    # be needed later.
+    # It is recommended to not set this to a path with data inside. This program
+    # will sometimes remove all content of specific subfolders.
+    set -g CFG_BUILD_DIR "/tmp/snap-pac-uki"
+
+    # The subvolume to use on the kernel command line when generating current
+    # images.
+    set -g CFG_DEFAULT_SUBVOL "@"
+
+    # The device the EFI partition resides on
+    set -g CFG_EFI_DEV "/dev/nvme0n1"
+
+    # The "efi directory" that will contain the ukis
+    set -g CFG_EFI_PATH "\EFI\Linux"
+
+    # The efi partitions number on the device
+    set -g CFG_EFI_PART "1"
+
+    # The snapper config name
+    set -g CFG_SNAPSHOT_CONFIG "root"
+
+    # The linux fs path containing all snapshot data
+    set -g CFG_SNAPSHOT_PATH "/.snapshots"
+
+    # The name of the subvolume containing all snapshots
+    set -g CFG_SNAPSHOT_SUBVOL "@snapshots"
+
+    # The directory to put uki files in
+    set -g CFG_UKI_DIR "/efi/EFI/Linux"
+
+    # Whether generated uki files should be signed
+    set -g CFG_SECUREBOOT "yes"
+
+    # The path to the .key file with which to sign uki files
+    set -g CFG_SECUREBOOT_KEY "/etc/secureboot/keys/db/db.key"
+
+    # The path to the .crt file with which to sign uki files
+    set -g CFG_SECUREBOOT_CERT "/etc/secureboot/keys/db/db.crt"
+end

src/snap-pac-uki.fish

@@ -9,6 +9,8 @@ function check_deps -d "checks if all dependencies are available"
     set -l dependencies \
         "efibootmgr" \
         "jq" \
+        "rg" \
+        "sbsign" \
         "sed" \
         "snapper" \
 
@@ -21,18 +23,6 @@ function check_deps -d "checks if all dependencies are available"
     end
 end
 
-function config -d "sets some configuration variables"
-    set -g CFG_BUILD_DIR "/tmp/snap-pac-uki"
-    set -g CFG_DEFAULT_SUBVOL "@"
-    set -g CFG_EFI_DEV "/dev/nvme0n1"
-    set -g CFG_EFI_PATH "\EFI\Linux"
-    set -g CFG_EFI_PART "1"
-    set -g CFG_SNAPSHOT_CONFIG "root"
-    set -g CFG_SNAPSHOT_PATH "/.snapshots"
-    set -g CFG_SNAPSHOT_SUBVOL "@snapshots"
-    set -g CFG_UKI_DIR "/efi/EFI/Linux"
-end
-
 function find_tasks -d "finds out what the program needs to do"
     set -ge TASK_UKI
 
@@ -70,7 +60,17 @@ function create_uki -d "creates a new uki" -a variant id
         --add-section .splash="$prefix/usr/share/systemd/bootctl/splash-arch.bmp" --change-section-vma .splash=0x40000 \
         --add-section .linux="$prefix/boot/vmlinuz-linux" --change-section-vma .linux=0x2000000 \
         --add-section .initrd="$prefix/boot/initramfs-linux$fallback.img" --change-section-vma .initrd=0x3000000 \
-        "$prefix/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "$bd/arch-linux$fallback$snid.efi"
+        "$prefix/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "$bd/arch-linux$fallback$snid.efi.unsigned"
+
+    # sign
+    if test "$CFG_SECUREBOOT" = "yes"
+        sbsign --key $CFG_SECUREBOOT_KEY \
+            --cert $CFG_SECUREBOOT_CERT \
+            --output "$bd/arch-linux$fallback$snid.efi" \
+            "$bd/arch-linux$fallback$snid.efi.unsigned"
+    else # otherwise move unsigned efi to location
+        mv "$bd/arch-linux$fallback$snid.efi.unsigned" "$bd/arch-linux$fallback$snid.efi"
+    end
 end
 
 function create_snapshot_uki -d "creates an uki for a snapshot" -a id
@@ -123,6 +123,7 @@ end
 function main
     # prepare for execution
     check_deps
+    source "/etc/snap-pac-uki/config.fish"
     config
 
     switch $argv[1]