logging: fix FSS journal rotation after key setup

Per systemd documentation, journalctl --rotate is required after
--setup-keys to create a new journal file that uses the FSS keys.
Without rotation, entries in the existing journal remain unsealed.

Changes:
- Add journalctl --rotate after FSS key generation
- Update test script to use verification key for sealed journals
- Simplify service dependencies (no socket ordering needed)

Signed-off-by: Julius Koskela <julius.koskela@unikie.com>

Author: juliuskoskela

modules/common/logging/fss.nix

@@ -37,8 +37,9 @@
 # Operational Notes:
 # -----------------
 # 1. First Boot (per component):
-#    - journal-fss-setup.service runs before systemd-journald
+#    - journal-fss-setup.service runs after systemd-journald is ready
 #    - Generates sealing keys with configured seal interval
+#    - Rotates journal to start using FSS keys immediately
 #    - Extracts verification key to cfg.keyPath/<hostname>/verification-key
 #    - Each component creates its own subdirectory with independent keys
 #    - CRITICAL: Backup all verification-keys to secure offline storage
@@ -157,6 +158,14 @@ let
         exit 1
       fi
 
+      # Rotate journal to start using FSS keys immediately
+      # Per systemd documentation, rotation is required after --setup-keys
+      # to create a new journal file that uses the FSS keys
+      echo "Rotating journal to enable sealing..."
+      if ! journalctl --rotate; then
+        echo "Warning: Journal rotation failed - sealing may not start until next natural rotation"
+      fi
+
       # Create sentinel file to prevent re-initialization
       touch "$INIT_FILE"
       chmod 0644 "$INIT_FILE"
@@ -414,21 +423,18 @@ in
       ];
 
     # One-shot service to generate FSS keys on first boot
+    # Runs after journald is ready, then rotates journal to enable sealing
     systemd.services.journal-fss-setup = {
       description = "Setup Forward Secure Sealing keys for systemd journal";
       documentation = [ "man:journalctl(1)" ];
 
-      wantedBy = [ "sysinit.target" ];
-      before = [ "systemd-journald.service" ];
-      after = [ "local-fs.target" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "systemd-journald.service" ];
+      wants = [ "systemd-journald.service" ];
 
       unitConfig = {
-        # Prevent implicit After=basic.target which creates ordering cycle
-        DefaultDependencies = false;
         # Only run if not already initialized
         ConditionPathExists = "!${cfg.keyPath}/initialized";
-        # Ensure journal directory is ready and writable
-        ConditionPathIsReadWrite = "/var/log/journal";
       };
 
       serviceConfig = {

tests/logging/test_scripts/fss-test.nix

@@ -141,10 +141,31 @@ writeShellApplication {
 
     # Test 5: Run journal verification
     info "Test 5: Running journal verification..."
+
+    # Find and use verification key (same logic as verify service)
+    # Without the key, sealed journals will fail verification with "Required key not available"
+    VERIFY_KEY=""
+    for KEY_PATH in \
+      "/persist/common/journal-fss/$HOSTNAME/verification-key" \
+      "/etc/common/journal-fss/$HOSTNAME/verification-key"; do
+      if [ -f "$KEY_PATH" ] && [ -s "$KEY_PATH" ]; then
+        VERIFY_KEY=$(cat "$KEY_PATH")
+        echo "   Using verification key from $KEY_PATH"
+        break
+      fi
+    done
+
+    VERIFY_CMD="journalctl --verify"
+    if [ -n "$VERIFY_KEY" ]; then
+      VERIFY_CMD="journalctl --verify --verify-key=$VERIFY_KEY"
+    else
+      echo "   WARNING: No verification key found - sealed journals may fail verification"
+    fi
+
     VERIFY_OUTPUT=""
     VERIFY_EXIT=0
 
-    if VERIFY_OUTPUT=$(journalctl --verify 2>&1); then
+    if VERIFY_OUTPUT=$($VERIFY_CMD 2>&1); then
       VERIFY_EXIT=0
     else
       VERIFY_EXIT=$?
@@ -174,7 +195,7 @@ writeShellApplication {
 
     # Test 6: Check verification timer
     info "Test 6: Checking verification timer..."
-    if systemctl list-unit-files | grep -q "journal-fss-verify.timer"; then
+    if systemctl list-unit-files 2>/dev/null | grep -q "journal-fss-verify.timer"; then
       if systemctl is-active --quiet journal-fss-verify.timer; then
         pass "journal-fss-verify.timer is active"
         NEXT_RUN=$(systemctl list-timers journal-fss-verify --no-pager 2>/dev/null | grep journal-fss-verify | awk '{print $1, $2}' || echo "unknown")