FSS rotation after first boot

Signed-off-by: Julius Koskela <julius.koskela@unikie.com>

Author: juliuskoskela

modules/common/logging/fss.nix

@@ -37,8 +37,9 @@
 # Operational Notes:
 # -----------------
 # 1. First Boot (per component):
-#    - journal-fss-setup.service runs before systemd-journald
+#    - journal-fss-setup.service runs after systemd-journald is ready
 #    - Generates sealing keys with configured seal interval
+#    - Rotates journal to start using FSS keys immediately
 #    - Extracts verification key to cfg.keyPath/<hostname>/verification-key
 #    - Each component creates its own subdirectory with independent keys
 #    - CRITICAL: Backup all verification-keys to secure offline storage
@@ -157,6 +158,14 @@ let
         exit 1
       fi
 
+      # Rotate journal to start using FSS keys immediately
+      # Per systemd documentation, rotation is required after --setup-keys
+      # to create a new journal file that uses the FSS keys
+      echo "Rotating journal to enable sealing..."
+      if ! journalctl --rotate; then
+        echo "Warning: Journal rotation failed - sealing may not start until next natural rotation"
+      fi
+
       # Create sentinel file to prevent re-initialization
       touch "$INIT_FILE"
       chmod 0644 "$INIT_FILE"
@@ -414,24 +423,18 @@ in
       ];
 
     # One-shot service to generate FSS keys on first boot
+    # Runs after journald is ready, then rotates journal to enable sealing
     systemd.services.journal-fss-setup = {
       description = "Setup Forward Secure Sealing keys for systemd journal";
       documentation = [ "man:journalctl(1)" ];
 
-      wantedBy = [ "sysinit.target" ];
-      before = [
-        "systemd-journald.service"
-        "systemd-journal-flush.service"
-      ];
-      after = [ "local-fs.target" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "systemd-journald.service" ];
+      wants = [ "systemd-journald.service" ];
 
       unitConfig = {
-        # Prevent implicit After=basic.target which creates ordering cycle
-        DefaultDependencies = false;
         # Only run if not already initialized
         ConditionPathExists = "!${cfg.keyPath}/initialized";
-        # Ensure journal directory is ready and writable
-        ConditionPathIsReadWrite = "/var/log/journal";
       };
 
       serviceConfig = {
@@ -441,22 +444,6 @@ in
       };
     };
 
-    # Make journald sockets wait for FSS setup before starting
-    # This ensures FSS keys are configured before any journal entries are written.
-    # Adding After= to the socket units themselves is required because:
-    # - journald sockets have DefaultDependencies=no
-    # - Before= on our service doesn't create a dependency from socket to service
-    # - Only explicit After= on the socket creates proper ordering
-    systemd.sockets."systemd-journald" = {
-      after = [ "journal-fss-setup.service" ];
-      wants = [ "journal-fss-setup.service" ];
-    };
-
-    systemd.sockets."systemd-journald-dev-log" = {
-      after = [ "journal-fss-setup.service" ];
-      wants = [ "journal-fss-setup.service" ];
-    };
-
     # Service to verify journal integrity
     systemd.services.journal-fss-verify = {
       description = "Verify systemd journal integrity using Forward Secure Sealing";

tests/logging/test_scripts/fss-test.nix

@@ -174,7 +174,7 @@ writeShellApplication {
 
     # Test 6: Check verification timer
     info "Test 6: Checking verification timer..."
-    if systemctl list-unit-files | grep -q "journal-fss-verify.timer"; then
+    if systemctl list-unit-files 2>/dev/null | grep -q "journal-fss-verify.timer"; then
       if systemctl is-active --quiet journal-fss-verify.timer; then
         pass "journal-fss-verify.timer is active"
         NEXT_RUN=$(systemctl list-timers journal-fss-verify --no-pager 2>/dev/null | grep journal-fss-verify | awk '{print $1, $2}' || echo "unknown")