From 4066b0a8944c11f355ecb98a16493ab283b3fcfb Mon Sep 17 00:00:00 2001
From: Lily Foster
Date: Tue, 4 Apr 2023 06:38:19 -0400
Subject: [PATCH] nix: clean up fwupd-efi handling a little bit

---
 nix/modules/lanzaboote.nix | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index dac07b3..92939db 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@@ -117,10 +117,23 @@ in
   systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
     # Tell fwupd to load its efi files from /run
     environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
+  };
+
+  systemd.services.fwupd-efi = lib.mkIf config.services.fwupd.enable {
+    description = "Sign fwupd EFI app";
+    # Exist with the lifetime of the fwupd service
+    wantedBy = [ "fwupd.service" ];
+    partOf = [ "fwupd.service" ];
+    before = [ "fwupd.service" ];
+    # Create runtime directory for signed efi app
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      RuntimeDirectory = "fwupd-efi";
+    };
     # Place the fwupd efi files in /run and sign them
-    preStart = ''
-      mkdir -p /run/fwupd-efi
-      cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
+    script = ''
+      ln -sf ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
       ${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
     '';
   };
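Review bot: fwupd.service is not made to depend on the signing step succeeding: `wantedBy`, `partOf` and `before` only pull in, group and order the new fwupd-efi unit, so if `sbsign` fails (missing or unreadable `cfg.privateKeyFile`, glob not matching) the oneshot fails but fwupd still starts and will later try to use an absent or stale signed image from a previous key. Replacing `wantedBy = [ "fwupd.service" ];` with `requiredBy = [ "fwupd.service" ];` makes a signing failure stop fwupd from starting at all, which is the safer failure mode for a Secure Boot signing step. The comment `# Create runtime directory for signed efi app` also only describes `RuntimeDirectory`; something like `# Oneshot that stays "active" so fwupd can order after it; RuntimeDirectory provides /run/fwupd-efi` would cover the other two settings. How fwupd behaves when the signed image is missing is outside this hunk, so the severity of the silent-failure case is inferred rather than shown.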