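# Assemble the PatOS root filesystem tree as a single Nix derivation.
#
# Arguments:
#   pkgs            - nixpkgs set; supplies btrfs-progs, kmod, libbpf, sbctl,
#                     gnutar, util-linuxMinimal, xq, cacert and lib
#   patosPkgs       - PatOS-built packages: systemd, glibc, openssl, busybox,
#                     dbus-broker, kexec, lvm2, tpm2-tss, kernel
#   version         - version string baked into /etc/os-release and /etc/issue
#   runCommand      - the nixpkgs runCommand builder
#   defaultPassword - initial root password hashed into /etc/shadow at build
#                     time (default "patos", matching the previous hard-coded
#                     value). It is shell-escaped before use.
#
# Returns the derivation whose $out is the rootfs tree.
{
  pkgs,
  patosPkgs,
  version,
  runCommand,
  defaultPassword ? "patos",
}:
runCommand "patos-rootfs"
  {
    inherit version;
    # glibc provides ldd, binutils provides strip; patchelf is part of stdenv.
    buildInputs = with pkgs; [
      glibc
      binutils
    ];
  }
  ''
    ### create directory structure
    mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \
      $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var
    # merged-/usr layout: the classic top-level dirs are symlinks into /usr
    ln -sf /usr/bin $out/bin
    ln -sf /usr/bin $out/sbin
    ln -sf /usr/lib $out/lib
    ln -sf /usr/lib $out/lib64
    ln -sf /tmp $out/var/tmp
    ln -sf ../proc/self/mounts $out/etc/mtab

    ### install systemd
    cp -Pr ${patosPkgs.systemd}/* $out/
    find $out -type d -exec chmod 755 {} \;
    rm -rf $out/usr/include
    rm -rf $out/usr/sbin
    ln -sf /usr/bin $out/usr/sbin
    rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service
    # repart runs from the ramdisk instead, so drop it from the rootfs targets
    rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-repart.service
    rm -f $out/usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service
    rm -f $out/usr/lib/systemd/ukify
    rm -f $out/usr/bin/ukify
    rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules
    ln -s /run/systemd/resolve/stub-resolv.conf $out/etc/resolv.conf

    # BUILD_ID is still a placeholder; nothing here derives it from the inputs.
    cat <<EOF > $out/etc/os-release
    NAME=PatOS
    PRETTY_NAME=PatOS v${version} (Pre-Alpha)
    IMAGE_ID=patos
    ID=patos
    IMAGE_VERSION=${version}
    VERSION=${version}
    VERSION_ID=patos
    BUILD_ID=somehash
    EOF
    cat <<EOF > $out/etc/issue
    <<< Welcome to PatOS v${version} (Pre-Alpha) (\m) - \l >>>
    EOF

    # replace agetty with busybox getty (optionally autologin)
    # NOTE: this logs in root on the serial console without a password; that is
    # a pre-alpha convenience, not something to ship in a release image.
    mkdir $out/usr/lib/systemd/system/serial-getty@.service.d
    cat <<EOF > $out/usr/lib/systemd/system/serial-getty@.service.d/override.conf
    [Service]
    ExecStart=
    ExecStart=-/bin/login -f root
    EOF
    # ExecStart=-/sbin/getty -L %I 115200 vt100

    # Configure systemd-repart: ESP, A/B root + verity pairs, and an encrypted
    # (TPM2-bound) btrfs /var holding the mutable state.
    cat <<EOF > $out/etc/repart.d/10-esp.conf
    [Partition]
    Type=esp
    Format=vfat
    SizeMaxBytes=128M
    SizeMinBytes=128M
    EOF
    cat <<EOF > $out/etc/repart.d/20-root-a.conf
    [Partition]
    Type=root
    SizeMaxBytes=64M
    SizeMinBytes=64M
    EOF
    cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf
    [Partition]
    Type=root-verity
    EOF
    cat <<EOF > $out/etc/repart.d/30-root-b.conf
    [Partition]
    Type=root
    Label=_empty
    SizeMaxBytes=64M
    SizeMinBytes=64M
    ReadOnly=1
    EOF
    cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf
    [Partition]
    Type=root-verity
    Label=_empty
    ReadOnly=1
    EOF
    cat <<EOF > $out/etc/repart.d/40-var.conf
    [Partition]
    Type=var
    Format=btrfs
    MakeDirectories=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
    MountPoint=/var
    Label=patos-state
    Encrypt=tpm2
    EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard
    Subvolumes=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
    MountPoint=/var/lib/confexts:subvol=/var/lib/confexts
    MountPoint=/var/lib/extensions:subvol=/var/lib/extensions
    MountPoint=/var/lib/portables:subvol=/var/lib/portables
    MountPoint=/var/.snapshots:subvol=/var/.snapshots
    SizeMinBytes=1G
    Minimize=off
    FactoryReset=yes
    EOF

    # as rootfs is read-only we need to configure the fstab and cryptsetup generators to look
    # for config under /run (which are generated by systemd-repart in initrd)
    rm -f $out/etc/systemd/system.conf
    cat <<EOF > $out/etc/systemd/system.conf
    [Manager]
    DefaultEnvironment=PATH=/bin:/sbin:/usr/bin
    ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTEMD_SYSROOT_FSTAB=/run/fstab SYSTEMD_FSTAB=/run/fstab
    EOF

    ### install PatOS glibc
    cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/

    ### install openssl
    cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/
    cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/

    ### install busybox
    cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/
    # the freshly copied busybox is executed here (inside the build sandbox)
    # to enumerate its applets and create one symlink per applet
    $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}

    ### install dbus broker
    cp -r ${patosPkgs.dbus-broker}/* $out/

    ### install kexec
    cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/

    ### install dmsetup udev rules
    cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/
    cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/
    cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/

    ### install btrfs progs
    cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/
    cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/

    ### install tpm2 libs
    cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/

    ### install lib kmod
    cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/
    cp -P ${pkgs.kmod}/bin/* $out/usr/bin

    ### install libbpf
    cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/

    ### install secure boot tools
    cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/
    # prefer the full tar/blkid/lsblk over the busybox applets of the same name
    rm -f $out/usr/bin/tar
    rm -f $out/usr/bin/blkid
    cp -P ${pkgs.gnutar}/bin/tar $out/usr/bin/
    cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/
    cp -P ${pkgs.util-linuxMinimal}/bin/lsblk $out/usr/bin/

    ### install xq (jq clone)
    cp -P ${pkgs.xq}/bin/xq $out/usr/bin/
    ln -sf /usr/bin/xq $out/usr/bin/jq

    ### install ca cert bundle
    chmod 755 $out/etc/ssl $out/etc/ssl/certs
    cp -P ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem
    ln -sf ../cert.pem $out/etc/ssl/certs/ca-certificates.crt
    ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt

    # no need for pkgconfig, removing..
    rm -rf $out/usr/lib/pkgconfig

    # setup default files
    ${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update
    ${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
    cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
    cp $out/usr/share/factory/etc/locale.conf $out/etc/
    cp $out/usr/share/factory/etc/vconsole.conf $out/etc/

    # install sys users
    # The root password is handed to systemd-sysusers through a temporary
    # credentials directory and hashed with SHA-512 crypt ($6$). The plaintext
    # only ever lives in the build directory and is removed right after.
    mkdir creds
    echo -n ${pkgs.lib.escapeShellArg defaultPassword} > creds/passwd.plaintext-password.root
    # NOTE(review): the positional path keeps a relative `rootfs/` prefix that
    # does not match $out - confirm it resolves to the intended sysusers.d snippets.
    CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
    # NOTE: the Nix store canonicalises file modes to 0444/0555 when the output
    # is registered, so this chmod does not survive and the hash of the default
    # password is readable by anyone with access to the store. Treat the
    # default as a throwaway bootstrap credential.
    chmod 600 $out/etc/shadow
    rm -rf creds

    # Ephemeral machine-id until registration
    ln -sf /run/machine-id $out/etc/machine-id

    ### Find and install all shared libs
    # ldd every executable, keep the resolved path (field 3), drop the libraries
    # that were installed explicitly above, and copy the rest into /usr/lib.
    # Lines without a third field (vdso, "statically linked") are skipped so
    # xargs never receives an empty item; "=> not found" lines still reach cp
    # and fail the build loudly.
    find $out -type f -executable -exec ldd {} \; | awk 'NF >= 3 {print $3}' | \
      grep -vE "(systemd|glibc|openssl|tpm2|devmapper)" | \
      sort -u | xargs -I {} cp {} $out/usr/lib/

    find $out -type f -executable -exec chmod 755 {} \;

    # patch ELFs (non-ELF executables such as scripts make patchelf fail, which
    # find -exec ignores; the interpreter path is x86_64-only)
    find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \;
    find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \;
    patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2

    # strip binaries
    find $out -type f -executable -exec strip {} \;
    find $out -type d -exec chmod 755 {} \;

    # install kernel modules
    cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/
    find $out/usr/lib/modules -type d -exec chmod 755 {} \;
  ''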