fix: our own derivation for the kernel in order to be able to sign modules

pkgs/rootfs/default.nix

@@ -7,10 +7,12 @@
 }:
 let
   pname = "patos-rootfs";
+  defaultPassword = "patos";
 in
 stdenvNoCC.mkDerivation (finalAttrs: {
   inherit version;
   inherit pname;
+  inherit defaultPassword;
 
   buildInputs = with pkgs; [
     glibc
@@ -20,7 +22,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
   glibcPatos = patosPkgs.glibc.out;
   systemd = patosPkgs.systemd.out;
   dbusBroker = patosPkgs.dbus-broker.out;
-  kernel = patosPkgs.kernel.kernel;
+  kernel = patosPkgs.kernel;
   busybox = patosPkgs.busybox.out;
   kmodLibs = pkgs.kmod.lib;
   kmodBin = pkgs.kmod.out;

pkgs/rootfs/mkrootfs.sh

@@ -62,6 +62,7 @@ Type=root
 SizeMaxBytes=256M
 SizeMinBytes=256M
 EOF
+
 cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf
 [Partition]
 Type=root-verity
@@ -77,6 +78,7 @@ SizeMaxBytes=256M
 SizeMinBytes=256M
 ReadOnly=1
 EOF
+
 cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf
 [Partition]
 Type=root-verity
@@ -90,13 +92,15 @@ cat <<EOF > $out/etc/repart.d/40-var.conf
 [Partition]
 Type=var
 Format=btrfs
-MakeDirectories=/var/lib/confexts /var/.snapshots
+MakeDirectories=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
 MountPoint=/var
 Label=patos-state
 Encrypt=tpm2
 EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard
-Subvolumes=/var/lib/confexts /var/.snapshots
+Subvolumes=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
 MountPoint=/var/lib/confexts:subvol=/var/lib/confexts
+MountPoint=/var/lib/extensions:subvol=/var/lib/extensions
+MountPoint=/var/lib/portables:subvol=/var/lib/portables
 MountPoint=/var/.snapshots:subvol=/var/.snapshots
 SizeMinBytes=1G
 Minimize=off
@@ -116,13 +120,9 @@ EOF
 cp -P $glibcPatos/lib/*.so* $out/usr/lib/
 
 ### install openssl
-cp -P $openssl/usr/lib/*.so* $out/usr/lib/
+cp -P $openssl/lib/*.so* $out/usr/lib/
 cp -Pr $openssl/etc/ssl $out/etc/
 
-### install kernel modules
-cp -r $kernel/lib/modules $out/usr/lib/
-find $out/usr/lib/modules -type d -exec chmod 755 {} \;
-
 ### install busybox
 cp $busybox/bin/busybox $out/usr/bin/
 $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}
@@ -150,11 +150,13 @@ cp -P $kmodLibs/lib/*.so* $out/usr/lib/
 cp -P $kmodBin/bin/* $out/usr/bin
 
 ### install libbpf
-cp -P $libbpf/lib/libbpf* $out/usr/lib
+cp -P $libbpf/lib/libbpf*.so* $out/usr/lib
 
 ### install ca cert bundle
-chmod 755 $out/etc/ssl
+chmod 755 $out/etc/ssl $out/etc/ssl/certs
 cp -P $cacert/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem
+ln -sf ../cert.pem $out/etc/ssl/certs/ca-certificates.crt
+ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt
 
 # setup default files
 $systemd/usr/bin/systemd-hwdb --root=$out --usr update
@@ -162,6 +164,13 @@ $systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf -
 cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
 cp $out/usr/share/factory/etc/locale.conf $out/etc/
 cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
+# install sys users
+mkdir creds
+echo -n $defaultPassword > creds/passwd.plaintext-password.root
+CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
+chmod 600 $out/etc/shadow
+rm -rf creds
+
 
 # Ephemeral machine-id until registration
 ln -sf /run/machine-id $out/etc/machine-id
@@ -171,7 +180,7 @@ rm -rf $out/usr/lib/pkgconfig
 
 ### Find and install all shared libs
 find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
-  grep -v systemd | grep -v glibc | grep -v openssl | grep -v tpm2 | grep -v devmapper | grep -v not | \
+  grep -vE "(systemd|glibc|openssl|tpm2|devmapper)" | \
   sort -u | xargs -I {} cp {} $out/usr/lib/
 
 find $out -type f -executable -exec chmod 755 {} \;
@@ -184,3 +193,8 @@ patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
 # strip binaries
 find $out -type f -executable -exec strip {} \;
 find $out -type d -exec chmod 755 {} \;
+
+### install kernel modules
+cp -r $kernel/lib/modules $out/usr/lib/
+find $out/usr/lib/modules -type d -exec chmod 755 {} \;
+