patos/pkgs/image/default.nix

{
  pkgs,
  patosPkgs,
  version,
  runCommand,
  ...
}:
let
  pname = "patos-image";
in
runCommand pname {
  inherit version;

  buildInputs = with pkgs; [
    erofs-utils
    dosfstools
    mtools
    jq
  ];

  env = {
    # vfat options won't efi won't find the fs otherwise.
    SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c";
    SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
  };

  kernelCmdLine = "console=ttyS0";
}
''
mkdir -p $out/init.repart.d $out/final.repart.d $out/boot
pushd $out

# Don't seem to work just to create a symlink to rootfs derivation?
# ln -sf $rootfs rootfs
mkdir rootfs
cp -prP ${patosPkgs.rootfs}/* rootfs/
find rootfs/ -type d -exec chmod 755 {} \;

# set default target to multi-user
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target

# enable dbus
ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket

# enable network services
ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service
ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service
ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service
# enable default network config
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network

# enable confext/sysext services
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service

# Initial partitioning
cat <<EOF > init.repart.d/10-root.conf
[Partition]
Type=root
Format=erofs
Minimize=best
CopyFiles=/rootfs:/
Verity=data
VerityMatchKey=root
SplitName=root
EOF

cat <<EOF > init.repart.d/20-root-verity.conf
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=root
Minimize=best
SplitName=verity
EOF

#TODO: Add verity signature partition

${patosPkgs.systemd}/usr/bin/systemd-repart \
  --no-pager \
  --empty=create \
  --size=auto \
  --definitions=./init.repart.d \
  --split=true \
  --json=pretty \
  --root=$out \
  patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw

roothash=$(jq -r '.[0].roothash' init-repart-output.json)
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)

verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)

${patosPkgs.systemd}/usr/bin/ukify build \
  --linux ${patosPkgs.kernel}/bzImage \
  --initrd ${patosPkgs.initrd}/initrd.xz \
  --os-release @rootfs/etc/os-release \
  --cmdline "$kernelCmdLine roothash=$roothash" \
  -o patos_${version}.efi

# install ESP
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
  --secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem
echo "timeout 2" > rootfs/boot/loader/loader.conf

# sign EFIs
${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
  rootfs/boot/EFI/BOOT/BOOTX64.EFI  --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI

${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
  patos_${version}.efi --output=patos_${version}.efi

# install UKI
cp patos_${version}.efi rootfs/boot/EFI/Linux

echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf

# Final partitioning
cat <<EOF > final.repart.d/10-esp.conf
[Partition]
Type=esp
Format=vfat
SizeMinBytes=160M
SizeMaxBytes=160M
CopyFiles=/rootfs/boot:/
EOF

cat <<EOF > final.repart.d/20-root.conf
[Partition]
Type=root
Label=root-${version}
CopyBlocks=/$rootPart
UUID=$rootUuid
SizeMinBytes=256M
SizeMaxBytes=256M
ReadOnly=1
EOF

cat <<EOF > final.repart.d/22-root-verity.conf
[Partition]
Type=root-verity
Label=verity-${version}
CopyBlocks=/$verityPart
UUID=$verityUuid
SizeMinBytes=10M
SizeMaxBytes=10M
ReadOnly=1
EOF

# finalize image ready for boot
${patosPkgs.systemd}/usr/bin/systemd-repart \
  --no-pager \
  --empty=create \
  --size=auto \
  --definitions=./final.repart.d \
  --root=$out \
  patos-${version}.raw > final-repart-output.json

rm -rf rootfs

popd
''
feat(systemd-repart): build image 2025-02-24 16:13:43 +01:00			`{`
			`pkgs,`
			`patosPkgs,`
chore: flake nix cleanup 2025-02-25 23:08:42 +01:00			`version,`
chore: clean up 2025-03-17 10:18:30 +01:00			`runCommand,`
feat(systemd-repart): build image 2025-02-24 16:13:43 +01:00			`...`
			`}:`
			`let`
			`pname = "patos-image";`
			`in`
chore: clean up 2025-03-17 10:18:30 +01:00			`runCommand pname {`
feat(systemd-repart): build image 2025-02-24 16:13:43 +01:00			`inherit version;`

			`buildInputs = with pkgs; [`
			`erofs-utils`
			`dosfstools`
			`mtools`
fix: rootfs now with verity and A/B prep 2025-03-07 15:18:51 +01:00			`jq`
feat(systemd-repart): build image 2025-02-24 16:13:43 +01:00			`];`

feat(systemd-repart): fix ESP. now its booting 2025-02-24 23:51:46 +01:00			`env = {`
feat(image): switching root 2025-02-25 11:40:34 +01:00			`# vfat options won't efi won't find the fs otherwise.`
feat(systemd-repart): fix ESP. now its booting 2025-02-24 23:51:46 +01:00			`SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c";`
chore: even better erofs compression 2025-03-06 16:15:29 +01:00			`SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";`
feat(systemd-repart): fix ESP. now its booting 2025-02-24 23:51:46 +01:00			`};`

fix: rootfs now with verity and A/B prep 2025-03-07 15:18:51 +01:00			`kernelCmdLine = "console=ttyS0";`
chore: clean up 2025-03-17 10:18:30 +01:00			`}`
			`''`
			`mkdir -p $out/init.repart.d $out/final.repart.d $out/boot`
			`pushd $out`

			`# Don't seem to work just to create a symlink to rootfs derivation?`
			`# ln -sf $rootfs rootfs`
			`mkdir rootfs`
			`cp -prP ${patosPkgs.rootfs}/* rootfs/`
			`find rootfs/ -type d -exec chmod 755 {} \;`

			`# set default target to multi-user`
			`ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target`

			`# enable dbus`
			`ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service`
			`ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket`

			`# enable network services`
			`ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service`
			`ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service`
			`ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service`
			`# enable default network config`
			`mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network`

			`# enable confext/sysext services`
			`ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service`
			`ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service`

			`# Initial partitioning`
			`cat <<EOF > init.repart.d/10-root.conf`
			`[Partition]`
			`Type=root`
			`Format=erofs`
			`Minimize=best`
			`CopyFiles=/rootfs:/`
			`Verity=data`
			`VerityMatchKey=root`
			`SplitName=root`
			`EOF`

			`cat <<EOF > init.repart.d/20-root-verity.conf`
			`[Partition]`
			`Type=root-verity`
			`Verity=hash`
			`VerityMatchKey=root`
			`Minimize=best`
			`SplitName=verity`
			`EOF`

			`#TODO: Add verity signature partition`

			`${patosPkgs.systemd}/usr/bin/systemd-repart \`
			`--no-pager \`
			`--empty=create \`
			`--size=auto \`
			`--definitions=./init.repart.d \`
			`--split=true \`
			`--json=pretty \`
			`--root=$out \`
			`patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw`

			`roothash=$(jq -r '.[0].roothash' init-repart-output.json)`
			`rootPart=$(jq -r '.[0].split_path' init-repart-output.json)`
			`rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)`

			`verityPart=$(jq -r '.[1].split_path' init-repart-output.json)`
			`verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)`

			`${patosPkgs.systemd}/usr/bin/ukify build \`
			`--linux ${patosPkgs.kernel}/bzImage \`
			`--initrd ${patosPkgs.initrd}/initrd.xz \`
			`--os-release @rootfs/etc/os-release \`
			`--cmdline "$kernelCmdLine roothash=$roothash" \`
			`-o patos_${version}.efi`

			`# install ESP`
			`SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot \`
			`--secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem`
			`echo "timeout 2" > rootfs/boot/loader/loader.conf`

			`# sign EFIs`
			`${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \`
			`rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI`

			`${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \`
			`patos_${version}.efi --output=patos_${version}.efi`

			`# install UKI`
			`cp patos_${version}.efi rootfs/boot/EFI/Linux`

			`echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf`

			`# Final partitioning`
			`cat <<EOF > final.repart.d/10-esp.conf`
			`[Partition]`
			`Type=esp`
			`Format=vfat`
			`SizeMinBytes=160M`
			`SizeMaxBytes=160M`
			`CopyFiles=/rootfs/boot:/`
			`EOF`

			`cat <<EOF > final.repart.d/20-root.conf`
			`[Partition]`
			`Type=root`
			`Label=root-${version}`
			`CopyBlocks=/$rootPart`
			`UUID=$rootUuid`
			`SizeMinBytes=256M`
			`SizeMaxBytes=256M`
			`ReadOnly=1`
			`EOF`

			`cat <<EOF > final.repart.d/22-root-verity.conf`
			`[Partition]`
			`Type=root-verity`
			`Label=verity-${version}`
			`CopyBlocks=/$verityPart`
			`UUID=$verityUuid`
			`SizeMinBytes=10M`
			`SizeMaxBytes=10M`
			`ReadOnly=1`
			`EOF`

			`# finalize image ready for boot`
			`${patosPkgs.systemd}/usr/bin/systemd-repart \`
			`--no-pager \`
			`--empty=create \`
			`--size=auto \`
			`--definitions=./final.repart.d \`
			`--root=$out \`
chore: more clean up 2025-03-17 17:03:52 +01:00			`patos-${version}.raw > final-repart-output.json`
chore: clean up 2025-03-17 10:18:30 +01:00
			`rm -rf rootfs`
feat(image): switching root 2025-02-25 11:40:34 +01:00
chore: clean up 2025-03-17 10:18:30 +01:00			`popd`
			`''`
No results found.