
Same key with nixos-rebuild --target-host TARGET #268

Open
ikervagyok opened this issue Dec 9, 2023 · 2 comments
Comments

@ikervagyok

When deploying to multiple devices via nixos-rebuild switch --flake .#TARGET --target-host TARGET, is there a way to use the same key to sign all TARGETs' images without exposing the keys? (IOW: not cloning/mounting the /etc/secureboot folder on every deployed machine)

Disclaimer

  • I'm not sure if this request makes sense. I may have misunderstood how the trusted computing efforts should look when you are issuing your own keys for all of your "corporate" devices (in my case: desktop, laptop, steamdeck)
  • If it makes sense, I'm sure there are semi-secure ways of mounting the secrets remotely before deploying and similar, but I'd like to do it the "correct" way. Something like this for every machine TARGET deployed to:
    1. secureboot on TARGET trusts a key
    2. kernels/... signed with that key arrive on TARGET
    3. TARGET never holds the private key.

Situation

I've just switched over my primary laptop (a Thinkpad) to use lanzaboote as explained in the quickstart guide. I really like how it works, now I'd like to switch over my other devices as well. I have a unified NixOS config for all my machines and I'm remotely deploying them in this fashion: nixos-rebuild switch --flake '/repos/Config/#HOSTNAME' --target-host HOSTNAME.

@Aleksanaa

You can try environment.etc.something.path with your keys stored in agenix or sops-nix.
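The suggestion above, spelled out as a NixOS module using sops-nix, as an added example that is neither from this thread nor from the lanzaboote project. Assumptions: the flake passes `inputs` through `specialArgs`; the per-host secrets file is `./secrets/secureboot.yaml` with the entries `secureboot/db.key` and `secureboot/db.pem`; the host's age key lives at `/var/lib/sops-nix/key.txt`; and lanzaboote's `boot.lanzaboote.publicKeyFile` / `privateKeyFile` options are pointed at the paths sops-nix produces. One thing to be clear about: lanzaboote signs the bootables on the machine being switched, during boot loader installation, so with this setup the private key is still decrypted onto each TARGET at activation time (into /run/secrets, which is a tmpfs). It keeps the key out of the repository and out of /etc/secureboot, but it does not give the asker's step 3, where TARGET never holds the private key at all.

```nix
# Added example (not from the issue or the lanzaboote project).
# Assumed: `inputs` is provided via specialArgs, and the secrets file layout below.
{ config, lib, inputs, ... }:
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  # Encrypted secrets committed to the config repo; decrypted only on the target.
  sops.defaultSopsFile = ./secrets/secureboot.yaml;
  # Host-specific age key, generated on the target and never copied elsewhere (assumption).
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  # The db signing key pair. Decrypted to /run/secrets/secureboot/* at activation,
  # before the boot loader installer runs, so lanzaboote can read them.
  sops.secrets."secureboot/db.key" = { mode = "0400"; };
  sops.secrets."secureboot/db.pem" = { mode = "0444"; };

  # Same as the lanzaboote quickstart: systemd-boot off, lanzaboote on.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.lanzaboote = {
    enable = true;
    # Point lanzaboote at the decrypted paths instead of a pkiBundle directory.
    publicKeyFile = config.sops.secrets."secureboot/db.pem".path;
    privateKeyFile = config.sops.secrets."secureboot/db.key".path;
  };
}
```

If you want to verify that nothing private ended up in the Nix store, grep the built system closure for the key's PEM header before deploying: the decrypted key should only ever exist under /run/secrets on the target, never inside /nix/store.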

@RaitoBezarius
Member

We have multiple PRs which may enable this sort of use case in multiple forms in the future, sorry for the delay.
