patos/modules/image/updater.nix

{ config, lib, ... }:
{

  options.system.image.updates = {
    enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {
      default = config.system.image.updates.url != null;
    };
    url = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
    };
  };

  config = lib.mkIf config.system.image.updates.enable {

    assertions = [
      { assertion = config.system.image.updates.url != null; }
    ];

    systemd.additionalUpstreamSystemUnits = [
      "systemd-bless-boot.service"
      "boot-complete.target"
      "dbus-org.freedesktop.sysupdate1.service"
      "systemd-sysupdated.service"
    ];

    environment.etc."sysupdate.d/10-uki.transfer" = {
      text = ''
        [Source]
        Path=${config.system.image.updates.url}
        MatchPattern=${config.boot.uki.name}_@v.efi
        Type=url-file

        [Target]
        InstancesMax=2
        MatchPattern=${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi
        Mode=0444
        Path=/EFI/Linux
        PathRelativeTo=esp
        TriesDone=0
        TriesLeft=3
        Type=regular-file

        [Transfer]
        Verify=no
        '';
    };

    environment.etc."sysupdate.d/20-root.transfer" = {
      text = ''
        [Source]
        Type=url-file
        Path=${config.system.image.updates.url}
        MatchPattern=${config.system.image.id}_@v_@u.verity

        [Target]
        Type=partition
        Path=auto
        MatchPattern=verity-@v
        MatchPartitionType=root-verity
        ReadOnly=1

        [Transfer]
        Verify=no
        '';
    };

    environment.etc."sysupdate.d/22-root.transfer" = {
      text = ''
        [Source]
        Type=url-file
        Path=${config.system.image.updates.url}
        MatchPattern=${config.system.image.id}_@v_@u.root

        [Target]
        Type=partition
        Path=auto
        MatchPattern=root-@v
        MatchPartitionType=root
        ReadOnly=1

        [Transfer]
        Verify=no
        '';
    };

  };

}
chore: cleanup config and bring settings over from earlier 2024-11-15 21:09:57 +01:00			`{ config, lib, ... }:`
			`{`
Image building take 2 We want verity protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/ 2024-11-11 23:02:38 +01:00
			`options.system.image.updates = {`
			`enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {`
			`default = config.system.image.updates.url != null;`
			`};`
			`url = lib.mkOption {`
			`type = lib.types.nullOr lib.types.str;`
			`default = null;`
			`};`
			`};`

			`config = lib.mkIf config.system.image.updates.enable {`

			`assertions = [`
			`{ assertion = config.system.image.updates.url != null; }`
			`];`

			`systemd.additionalUpstreamSystemUnits = [`
			`"systemd-bless-boot.service"`
			`"boot-complete.target"`
feat(systemd): enabled sysupdated 2025-02-10 10:49:11 +01:00			`"dbus-org.freedesktop.sysupdate1.service"`
			`"systemd-sysupdated.service"`
Image building take 2 We want verity protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/ 2024-11-11 23:02:38 +01:00			`];`

feat(systemd): enabled sysupdated 2025-02-10 10:49:11 +01:00			`environment.etc."sysupdate.d/10-uki.transfer" = {`
			`text = ''`
			`[Source]`
			`Path=${config.system.image.updates.url}`
			`MatchPattern=${config.boot.uki.name}_@v.efi`
			`Type=url-file`

			`[Target]`
			`InstancesMax=2`
			`MatchPattern=${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi`
			`Mode=0444`
			`Path=/EFI/Linux`
			`PathRelativeTo=esp`
			`TriesDone=0`
			`TriesLeft=3`
			`Type=regular-file`

			`[Transfer]`
			`Verify=no`
			`'';`
			`};`

			`environment.etc."sysupdate.d/20-root.transfer" = {`
			`text = ''`
			`[Source]`
			`Type=url-file`
			`Path=${config.system.image.updates.url}`
			`MatchPattern=${config.system.image.id}_@v_@u.verity`

			`[Target]`
			`Type=partition`
			`Path=auto`
			`MatchPattern=verity-@v`
			`MatchPartitionType=root-verity`
			`ReadOnly=1`

			`[Transfer]`
			`Verify=no`
			`'';`
			`};`

			`environment.etc."sysupdate.d/22-root.transfer" = {`
			`text = ''`
			`[Source]`
			`Type=url-file`
			`Path=${config.system.image.updates.url}`
			`MatchPattern=${config.system.image.id}_@v_@u.root`

			`[Target]`
			`Type=partition`
			`Path=auto`
			`MatchPattern=root-@v`
			`MatchPartitionType=root`
			`ReadOnly=1`

			`[Transfer]`
			`Verify=no`
			`'';`
			`};`

Image building take 2 We want verity protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/ 2024-11-11 23:02:38 +01:00			`};`

			`}`