patos/modules/image/updater.nix

{ config, lib, ... }:
{

  options.system.image.updates = {
    enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {
      default = config.system.image.updates.url != null;
    };
    url = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
    };
  };

  config = lib.mkIf config.system.image.updates.enable {

    assertions = [
      { assertion = config.system.image.updates.url != null; }
    ];

    systemd.sysupdate.enable = true;
    systemd.sysupdate.reboot.enable = lib.mkDefault true;

    systemd.sysupdate.transfers = {
      "10-uki" = {
        Transfer = {
          Verify = "no";
        };
        Source = {
          Type = "url-file";
          Path = "${config.system.image.updates.url}";
          MatchPattern = "${config.boot.uki.name}_@v.efi";
        };
        Target = {
          Type = "regular-file";
          Path = "/EFI/Linux";
          PathRelativeTo = "esp";
          MatchPattern = "${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi";
          Mode = "0444";
          TriesLeft = 3;
          TriesDone = 0;
          InstancesMax = 2;
        };
      };
      "20-root-verity" = {
        Transfer = {
          Verify = "no";
        };
        Source = {
          Type = "url-file";
          Path = "${config.system.image.updates.url}";
          MatchPattern = "${config.system.image.id}_@v_@u.verity";
        };
        Target = {
          Type = "partition";
          Path = "auto";
          MatchPattern = "verity-@v";
          MatchPartitionType = "root-verity";
          ReadOnly = 1;
        };
      };
      "22-root" = {
        Transfer = {
          Verify = "no";
        };
        Source = {
          Type = "url-file";
          Path = "${config.system.image.updates.url}";
          MatchPattern = "${config.system.image.id}_@v_@u.root";
        };
        Target = {
          Type = "partition";
          Path = "auto";
          MatchPattern = "root-@v";
          MatchPartitionType = "root";
          ReadOnly = 1;
        };
      };
    };

    systemd.additionalUpstreamSystemUnits = [
      "systemd-bless-boot.service"
      "boot-complete.target"
    ];

  };

}
chore: cleanup config and bring settings over from earlier 2024-11-15 21:09:57 +01:00			`{ config, lib, ... }:`
			`{`
Image building take 2 We want verity protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/ 2024-11-11 23:02:38 +01:00
			`options.system.image.updates = {`
			`enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {`
			`default = config.system.image.updates.url != null;`
			`};`
			`url = lib.mkOption {`
			`type = lib.types.nullOr lib.types.str;`
			`default = null;`
			`};`
			`};`

			`config = lib.mkIf config.system.image.updates.enable {`

			`assertions = [`
			`{ assertion = config.system.image.updates.url != null; }`
			`];`

			`systemd.sysupdate.enable = true;`
			`systemd.sysupdate.reboot.enable = lib.mkDefault true;`

			`systemd.sysupdate.transfers = {`
			`"10-uki" = {`
			`Transfer = {`
			`Verify = "no";`
			`};`
			`Source = {`
			`Type = "url-file";`
			`Path = "${config.system.image.updates.url}";`
			`MatchPattern = "${config.boot.uki.name}_@v.efi";`
			`};`
			`Target = {`
			`Type = "regular-file";`
			`Path = "/EFI/Linux";`
			`PathRelativeTo = "esp";`
			`MatchPattern = "${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi";`
			`Mode = "0444";`
			`TriesLeft = 3;`
			`TriesDone = 0;`
			`InstancesMax = 2;`
			`};`
			`};`
			`"20-root-verity" = {`
			`Transfer = {`
			`Verify = "no";`
			`};`
			`Source = {`
			`Type = "url-file";`
			`Path = "${config.system.image.updates.url}";`
			`MatchPattern = "${config.system.image.id}_@v_@u.verity";`
			`};`
			`Target = {`
			`Type = "partition";`
			`Path = "auto";`
			`MatchPattern = "verity-@v";`
			`MatchPartitionType = "root-verity";`
			`ReadOnly = 1;`
			`};`
			`};`
			`"22-root" = {`
			`Transfer = {`
			`Verify = "no";`
			`};`
			`Source = {`
			`Type = "url-file";`
			`Path = "${config.system.image.updates.url}";`
			`MatchPattern = "${config.system.image.id}_@v_@u.root";`
			`};`
			`Target = {`
			`Type = "partition";`
			`Path = "auto";`
			`MatchPattern = "root-@v";`
			`MatchPartitionType = "root";`
			`ReadOnly = 1;`
			`};`
			`};`
			`};`

			`systemd.additionalUpstreamSystemUnits = [`
			`"systemd-bless-boot.service"`
			`"boot-complete.target"`
			`];`

			`};`

			`}`