Merge pull request 'feat(sysupdate): Download from dl.patagia.dev. Add gpg authentication.' (#2) from dln/push-yvoswzszumxx into main

Reviewed-on: #2
Daniel Lundin 2024-10-03 22:16:32 +00:00
commit 07039d2ae2
7 changed files with 92 additions and 32 deletions


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./modules/system_overrides.nix
./modules/minimize.nix
@ -7,5 +8,6 @@
./modules/partitions.nix
./modules/network.nix
./modules/sysupdate.nix
./modules/utils.nix
];
}


@ -14,3 +14,7 @@ build: build-image
# Build PatOS image
build-image:
nix build .#patos_image
run: build-image
qemu-efi -hda ./result/disk.qcow2


@ -1,13 +1,24 @@
{ pkgs, config, ... }: {
{
pkgs,
config,
lib,
...
}:
{
boot.uki.name = "patos";
boot.kernelParams = [ "console=ttyS0" ];
boot = {
uki.name = "patos";
kernelParams = [ "console=ttyS0" ];
initrd.systemd.enable = true;
};
system.nixos.release = "2024-09";
system.nixos.codeName = "Finn";
system.nixos = {
codeName = "Finn";
distroId = "patos";
distroName = "PatOS";
release = "2024-09";
};
system.nixos.distroId = "patos";
system.nixos.distroName = "PatOS";
system.image.version = "0.0.1"; # FIXME: Use epoch version.
# Make the current system version visible in the prompt.
@ -20,8 +31,6 @@
services.getty.autologinUser = "root";
boot.initrd.systemd.enable = true;
# Don't accumulate crap.
boot.tmp.cleanOnBoot = true;
services.journald.extraConfig = ''


@ -1,8 +1,10 @@
{ modulesPath, ... }: {
{ modulesPath, ... }:
{
imports = [
"${modulesPath}/profiles/minimal.nix"
];
boot.enableContainers = false;
boot.loader.grub.enable = false;
system.switch.enable = false;
@ -14,6 +16,5 @@
system.disableInstallerTools = true;
programs.less.lessopen = null;
programs.command-not-found.enable = false;
boot.enableContainers = false;
environment.defaultPackages = [ ];
}


@ -1,4 +1,11 @@
{ config, pkgs, lib, modulesPath, ... }: {
{
config,
pkgs,
lib,
modulesPath,
...
}:
{
imports = [
"${modulesPath}/image/repart.nix"
@ -15,16 +22,16 @@
partitions = {
"esp" = {
contents = {
"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source =
"${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
"/EFI/Linux/${config.system.boot.loader.ukiFile}".source =
"${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
"/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
# systemd-boot configuration
"/loader/loader.conf".source = (pkgs.writeText "$out" ''
timeout 3
'');
"/loader/loader.conf".source = (
pkgs.writeText "$out" ''
timeout 3
''
);
};
repartConfig = {
Type = "esp";
@ -39,7 +46,7 @@
stripNixStorePrefix = true;
repartConfig = {
Type = "linux-generic";
Label = "store_${config.system.image.version}";
Label = "${config.boot.uki.name}_${config.system.image.version}";
Format = "squashfs";
Minimize = "off";
ReadOnly = "yes";


@ -1,4 +1,32 @@
{ config, ... }: {
{ config, pkgs, ... }:
let
gpgPubKeyStaging = ''
-----BEGIN PGP PUBLIC KEY BLOCK-----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=m2st
-----END PGP PUBLIC KEY BLOCK-----
'';
gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
mkdir -p $out
export GNUPGHOME=$out
gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*
'';
in
{
environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";
systemd.sysupdate = {
enable = true;
@ -9,12 +37,8 @@
"${config.boot.uki.name}_@v.efi.xz"
];
# We could fetch updates from the network as well:
#
# Path = "https://download.example.com/";
# Type = "url-file";
Path = "/var/updates/";
Type = "regular-file";
Path = "https://images.dl.patagia.dev/patos/";
Type = "url-file";
};
Target = {
InstancesMax = 2;
@ -38,10 +62,8 @@
MatchPattern = [
"${config.boot.uki.name}_@v.img.xz"
];
# Path = "https://download.example.com/";
# Type = "url-file";
Path = "/var/updates/";
Type = "regular-file";
Path = "https://images.dl.patagia.dev/patos/";
Type = "url-file";
};
Target = {
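Review bot: The key imported in `gpgKeyring` is the single trust anchor for updates now pulled from `https://images.dl.patagia.dev/patos/`, yet it is bound to a name ending in `Staging` with no comment on whose key it is, what it is expected to sign, or how it is rotated once images are in the field; a comment above `gpgPubKeyStaging` such as `# Public half of the sysupdate signing key (staging). systemd-sysupdate checks SHA256SUMS.gpg in the download directory against /etc/systemd/import-pubring.gpg; rotate by shipping a new image carrying the replacement key.` would record that intent. The unconditional `rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*` presumably removes agent sockets left under `$GNUPGHOME`; if a build happens not to spawn the agent, the missing files abort the derivation, so `rm -f` — or pointing `GNUPGHOME` at a scratch directory (`export GNUPGHOME=$(mktemp -d)`) and writing only `import-pubring.gpg` into `$out` — is more robust and also keeps `trustdb.gpg` and `random_seed` out of the output. The `systemd.sysupdate` attribute set opened at `enable = true;` continues past the end of this hunk.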

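--- a/modules/utils.nix
+++ b/modules/utils.nix
@@ -0,0 +1,15 @@
+{
+config,
+pkgs,
+lib,
+...
+}:
+let
+script = pkgs.writeShellScriptBin "patos-upgrade.sh" ''
+systemd-sysupdate --verify=no
+systemd-sysupdate --verify=no update --reboot
+'';
+in
+{
+environment.systemPackages = [ script ];
+}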
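Review bot: Both `systemd-sysupdate` invocations in `patos-upgrade.sh` pass `--verify=no`, which switches off the SHA256SUMS.gpg signature check that the keyring this PR installs at `/etc/systemd/import-pubring.gpg` exists to enforce, so the script fetches an image over the network, installs it and reboots into it without any authentication. Unless there is a reason the default verification cannot work yet (in which case that reason belongs in a comment next to the flag), drop the option on both lines — `systemd-sysupdate` and `systemd-sysupdate update --reboot` — and, if the first call is meant to show the available versions before updating, say so with `# list available versions before updating`. The module also binds `config` and `lib` in its argument set without using them; `{ pkgs, ... }:` is sufficient.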