patos/modules/image/builder.nix

{
  config,
  lib,
  options,
  pkgs,
  ...
}:
let
  inherit (pkgs.stdenv.hostPlatform) efiArch;

  initialPartitions = {
    "10-root" = {
      storePaths = [ config.system.build.toplevel ];
      repartConfig = {
        Type = "root";
        Minimize = "best";
        Format = "erofs";
        MakeDirectories = "/home /root /etc /dev /sys /bin /var /proc /run /usr /srv /tmp /mnt /lib /efi";
        Verity = "data";
        VerityMatchKey = "root";
        SplitName = "root";
      };
    };

    "20-root-verity" = {
      repartConfig = {
        Type = "root-verity";
        Minimize = "best";
        Verity = "hash";
        VerityMatchKey = "root";
        SplitName = "verity";
      };
    };
  };

  # TODO: We don't need a combined image here - add dry-run flag to repart invocation
  verityRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") {
    inherit lib pkgs;
    system = null;
    modules = [
      (
        { modulesPath, ... }:
        {
          imports = [ (modulesPath + "/image/repart.nix") ];
          image.repart = {
            name = "verity";
            split = true;
            mkfsOptions = lib.mkIf config.image.compress {
              erofs = [
                "-zlz4hc,level=12"
                "-Efragments,dedupe,ztailpacking"
              ];
            };
            partitions = initialPartitions;
          };
        }
      )
    ];
  };

  rootPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw";
  verityPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw";

  verityImgAttrs = builtins.fromJSON (
    builtins.readFile "${verityRepart.config.system.build.image}/repart-output.json"
  );
  rootAttrs = builtins.elemAt verityImgAttrs 0;
  verityAttrs = builtins.elemAt verityImgAttrs 1;

  rootUuid = rootAttrs.uuid;
  verityUuid = verityAttrs.uuid;
  verityRootHash = rootAttrs.roothash;

  finalPartitions = {
    "10-esp" = {
      contents = {
        "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
        "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
      };
      repartConfig = {
        Type = "esp";
        Format = "vfat";
        SizeMinBytes = "96M";
        SizeMaxBytes = "96M";
        SplitName = "-";
      };
    };
    "20-root-verity-a" = {
      repartConfig = {
        Type = "root-verity";
        Label = "verity-${config.system.image.version}";
        CopyBlocks = "${verityPart}";
        SplitName = "-";
        SizeMinBytes = "64M";
        SizeMaxBytes = "64M";
        UUID = "${verityUuid}";
        ReadOnly = 1;
      };
    };
    # TODO: Add signature partition for systemd-nspawn
    "22-root-a" = {
      repartConfig = {
        Type = "root";
        Label = "root-${config.system.image.version}";
        CopyBlocks = "${rootPart}";
        SplitName = "-";
        UUID = "${rootUuid}";
        ReadOnly = 1;
      };
    };
  };

  finalRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") {
    inherit lib pkgs;
    system = null;
    modules = [
      (
        { modulesPath, ... }:
        {
          imports = [ (modulesPath + "/image/repart.nix") ];
          image.repart = {
            name = "${config.system.image.id}";
            partitions = finalPartitions;
          };
        }
      )
    ];
  };

in
{

  # This fields is immutable by default, but can be overridden.
  options.system.nixos.codeName = lib.mkOption { readOnly = false; };
  options.system.nixos.release = lib.mkOption { readOnly = false; };

  # FIXME: Should be configured somehow
  config.system.nixos = {
    codeName = "Finn";
    distroId = "patos";
    distroName = "PatOS";
    release = "2024-11";
    variant_id = "server";
    variantName = "Server";
    vendorName = "PatOS";
  };

  options.image.compress = lib.mkEnableOption "image compression" // {
    default = true;
  };

  config.system.build = {
    inherit verityRootHash;

    image =
      (pkgs.linkFarm "image-release" [
        {
          name = "${config.system.image.id}_${config.system.image.version}.efi";
          path = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
        }
        {
          name = "${config.system.image.id}_${config.system.image.version}_${verityUuid}.verity";
          path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw";
        }
        {
          name = "${config.system.image.id}_${config.system.image.version}_${rootUuid}.root";
          path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw";
        }
        {
          name = "${config.system.image.id}_${config.system.image.version}.img";
          path = "${finalRepart.config.system.build.image}/${finalRepart.config.image.repart.imageFileBasename}.raw";
        }
      ])
      // {
        imageFile = "${config.system.image.id}_${config.system.image.version}.img";
      };

  };

}
Image building take 2 We want verity protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/ 2024-11-11 23:02:38 +01:00			`{`
			`config,`
			`lib,`
feat: Add OS release info 2024-11-15 21:09:57 +01:00			`options,`
Image building take 2 We want verity protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/ 2024-11-11 23:02:38 +01:00			`pkgs,`
			`...`
			`}:`
			`let`
			`inherit (pkgs.stdenv.hostPlatform) efiArch;`

			`initialPartitions = {`
			`"10-root" = {`
			`storePaths = [ config.system.build.toplevel ];`
			`repartConfig = {`
			`Type = "root";`
			`Minimize = "best";`
			`Format = "erofs";`
			`MakeDirectories = "/home /root /etc /dev /sys /bin /var /proc /run /usr /srv /tmp /mnt /lib /efi";`
			`Verity = "data";`
			`VerityMatchKey = "root";`
			`SplitName = "root";`
			`};`
			`};`

			`"20-root-verity" = {`
			`repartConfig = {`
			`Type = "root-verity";`
			`Minimize = "best";`
			`Verity = "hash";`
			`VerityMatchKey = "root";`
			`SplitName = "verity";`
			`};`
			`};`
			`};`

			`# TODO: We don't need a combined image here - add dry-run flag to repart invocation`
			`verityRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") {`
			`inherit lib pkgs;`
			`system = null;`
			`modules = [`
			`(`
			`{ modulesPath, ... }:`
			`{`
			`imports = [ (modulesPath + "/image/repart.nix") ];`
			`image.repart = {`
			`name = "verity";`
			`split = true;`
			`mkfsOptions = lib.mkIf config.image.compress {`
			`erofs = [`
			`"-zlz4hc,level=12"`
			`"-Efragments,dedupe,ztailpacking"`
			`];`
			`};`
			`partitions = initialPartitions;`
			`};`
			`}`
			`)`
			`];`
			`};`

			`rootPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw";`
			`verityPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw";`

			`verityImgAttrs = builtins.fromJSON (`
			`builtins.readFile "${verityRepart.config.system.build.image}/repart-output.json"`
			`);`
			`rootAttrs = builtins.elemAt verityImgAttrs 0;`
			`verityAttrs = builtins.elemAt verityImgAttrs 1;`

			`rootUuid = rootAttrs.uuid;`
			`verityUuid = verityAttrs.uuid;`
			`verityRootHash = rootAttrs.roothash;`

			`finalPartitions = {`
			`"10-esp" = {`
			`contents = {`
			`"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";`
			`"/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";`
			`};`
			`repartConfig = {`
			`Type = "esp";`
			`Format = "vfat";`
			`SizeMinBytes = "96M";`
			`SizeMaxBytes = "96M";`
			`SplitName = "-";`
			`};`
			`};`
			`"20-root-verity-a" = {`
			`repartConfig = {`
			`Type = "root-verity";`
			`Label = "verity-${config.system.image.version}";`
			`CopyBlocks = "${verityPart}";`
			`SplitName = "-";`
			`SizeMinBytes = "64M";`
			`SizeMaxBytes = "64M";`
			`UUID = "${verityUuid}";`
			`ReadOnly = 1;`
			`};`
			`};`
			`# TODO: Add signature partition for systemd-nspawn`
			`"22-root-a" = {`
			`repartConfig = {`
			`Type = "root";`
			`Label = "root-${config.system.image.version}";`
			`CopyBlocks = "${rootPart}";`
			`SplitName = "-";`
			`UUID = "${rootUuid}";`
			`ReadOnly = 1;`
			`};`
			`};`
			`};`

			`finalRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") {`
			`inherit lib pkgs;`
			`system = null;`
			`modules = [`
			`(`
			`{ modulesPath, ... }:`
			`{`
			`imports = [ (modulesPath + "/image/repart.nix") ];`
			`image.repart = {`
			`name = "${config.system.image.id}";`
			`partitions = finalPartitions;`
			`};`
			`}`
			`)`
			`];`
			`};`

			`in`
			`{`

feat: Add OS release info 2024-11-15 21:09:57 +01:00			`# This fields is immutable by default, but can be overridden.`
			`options.system.nixos.codeName = lib.mkOption { readOnly = false; };`
			`options.system.nixos.release = lib.mkOption { readOnly = false; };`

			`# FIXME: Should be configured somehow`
			`config.system.nixos = {`
			`codeName = "Finn";`
			`distroId = "patos";`
			`distroName = "PatOS";`
			`release = "2024-11";`
			`variant_id = "server";`
			`variantName = "Server";`
			`vendorName = "PatOS";`
			`};`

Image building take 2 We want verity protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/ 2024-11-11 23:02:38 +01:00			`options.image.compress = lib.mkEnableOption "image compression" // {`
			`default = true;`
			`};`

			`config.system.build = {`
			`inherit verityRootHash;`

			`image =`
			`(pkgs.linkFarm "image-release" [`
			`{`
			`name = "${config.system.image.id}_${config.system.image.version}.efi";`
			`path = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";`
			`}`
			`{`
			`name = "${config.system.image.id}_${config.system.image.version}_${verityUuid}.verity";`
			`path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw";`
			`}`
			`{`
			`name = "${config.system.image.id}_${config.system.image.version}_${rootUuid}.root";`
			`path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw";`
			`}`
			`{`
			`name = "${config.system.image.id}_${config.system.image.version}.img";`
			`path = "${finalRepart.config.system.build.image}/${finalRepart.config.image.repart.imageFileBasename}.raw";`
			`}`
			`])`
			`// {`
			`imageFile = "${config.system.image.id}_${config.system.image.version}.img";`
			`};`

			`};`

			`}`