parent
b9f24be9a0
commit
8a9b26a34b
7 changed files with 52 additions and 37 deletions
30
flake.nix
30
flake.nix
|
|
@ -15,13 +15,19 @@
|
|||
flake-utils.lib.eachDefaultSystem (
|
||||
system:
|
||||
let
|
||||
version = "0.0.1";
|
||||
secureBoot = "false";
|
||||
microcode = "intel";
|
||||
updateUrl = "http://10.0.2.2:8000/";
|
||||
buildParams = {
|
||||
revision = self.shortRev or self.dirtyShortRev or "dirty";
|
||||
updateUrl = builtins.getEnv "PATOS_UPDATE_URL";
|
||||
secureBoot = builtins.getEnv "PATOS_ENABLE_SECURE_BOOT";
|
||||
version = "0.0.1";
|
||||
};
|
||||
|
||||
overlay = import ./overlays { inherit version; };
|
||||
pkgs = import nixpkgs { inherit system; overlays = [ overlay ]; };
|
||||
overlay = import ./overlays (buildParams // { });
|
||||
|
||||
pkgs = import nixpkgs {
|
||||
inherit system;
|
||||
overlays = [ overlay ];
|
||||
};
|
||||
pkgsCross = import nixpkgs {
|
||||
inherit system;
|
||||
overlays = [ overlay ];
|
||||
|
|
@ -34,18 +40,18 @@
|
|||
packages = {
|
||||
default = self.packages.${system}.image;
|
||||
|
||||
image = pkgs.callPackage ./pkgs/image { inherit version updateUrl microcode secureBoot; };
|
||||
image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl secureBoot; };
|
||||
image = pkgs.callPackage ./pkgs/image (buildParams // { microcode = "intel"; });
|
||||
image-aarch64 = pkgsCross.callPackage ./pkgs/image (buildParams // { });
|
||||
|
||||
qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { };
|
||||
qemu-aarch64-uefi-tpm = pkgs.callPackage ./utils/qemu-aarch64-uefi-tpm.nix { };
|
||||
|
||||
# systemd sysext packages
|
||||
debug-tools = pkgs.callPackage ./pkgs/sysext/debug-tools.nix { };
|
||||
debug-tools-aarch64 = pkgsCross.callPackage ./pkgs/sysext/debug-tools.nix { };
|
||||
debug-tools = pkgs.callPackage ./pkgs/sysext/debug-tools.nix (buildParams // { });
|
||||
debug-tools-aarch64 = pkgsCross.callPackage ./pkgs/sysext/debug-tools.nix (buildParams // { });
|
||||
|
||||
firewall-tools = pkgs.callPackage ./pkgs/sysext/firewall-tools.nix { };
|
||||
firewall-tools-aarch64 = pkgsCross.callPackage ./pkgs/sysext/firewall-tools.nix { };
|
||||
firewall-tools = pkgs.callPackage ./pkgs/sysext/firewall-tools.nix (buildParams // { });
|
||||
firewall-tools-aarch64 = pkgsCross.callPackage ./pkgs/sysext/firewall-tools.nix (buildParams // { });
|
||||
|
||||
linux-firmware = pkgs.callPackage ./pkgs/linux-firmware { };
|
||||
};
|
||||
|
|
|
|||
|
|
@ -17,9 +17,7 @@ let
|
|||
VERSION_ID = osId;
|
||||
IMAGE_ID = name;
|
||||
IMAGE_VERSION = version;
|
||||
EXTENSION_RELOAD_MANAGER = "1";
|
||||
SYSEXT_LEVEL="1.0";
|
||||
};
|
||||
} // lib.optionalAttrs (services != []) { EXTENSION_RELOAD_MANAGER = "1"; };
|
||||
|
||||
metadataFile = lib.concatStringsSep "\n" (
|
||||
lib.mapAttrsToList (k: v: "${k}=${v}") (lib.filterAttrs (_: v: v != null) metadata)
|
||||
|
|
@ -122,6 +120,11 @@ runCommand name
|
|||
# TODO: pcks7 signature
|
||||
# openssl smime -sign -nocerts -noattr -binary -in ${name}.roothash \
|
||||
# -inkey key.pem -signer cert.pem -outform der -out ${name}.roothash.p7s
|
||||
|
||||
pushd tree
|
||||
find . -ls > $out/"$name"_contents.txt
|
||||
popd
|
||||
|
||||
rm -rf tree
|
||||
sha256sum * > SHA256SUMS
|
||||
# TODO: add gpg signature
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
{
|
||||
version
|
||||
version,
|
||||
revision,
|
||||
...
|
||||
}:
|
||||
|
||||
final: prev: {
|
||||
|
|
@ -15,7 +17,7 @@ final: prev: {
|
|||
systemd = final.callPackage ../pkgs/systemd { };
|
||||
dbus-broker = final.callPackage ../pkgs/dbus-broker { };
|
||||
|
||||
rootfs = final.callPackage ../pkgs/rootfs/mkrootfs.nix { inherit version; };
|
||||
initrd = final.callPackage ../pkgs/rootfs/mkinitrd.nix { inherit version; };
|
||||
rootfs = final.callPackage ../pkgs/rootfs/mkrootfs.nix { inherit version revision; };
|
||||
initrd = final.callPackage ../pkgs/rootfs/mkinitrd.nix { };
|
||||
});
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
stdenv,
|
||||
pkgs,
|
||||
version,
|
||||
revision,
|
||||
runCommand,
|
||||
updateUrl,
|
||||
microcode ? "",
|
||||
|
|
@ -12,13 +13,13 @@ let
|
|||
pname = "patos-image";
|
||||
in
|
||||
runCommand pname {
|
||||
inherit version microcode updateUrl secureBoot;
|
||||
versionString = "${version}+${revision}-${stdenv.system}";
|
||||
|
||||
mcode = lib.optionalString (microcode == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img"
|
||||
+ lib.optionalString (microcode == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img";
|
||||
|
||||
# aarch64 doesn't support compressed kernel images
|
||||
kernelImage = lib.optionalString (stdenv.hostPlatform.isAarch64 == true) "Image"
|
||||
kernelImage = lib.optionalString (stdenv.hostPlatform.isAarch64 == true) "Image"
|
||||
+ lib.optionalString (stdenv.hostPlatform.isx86_64 == true) "bzImage";
|
||||
|
||||
nativeBuildInputs = with pkgs; [
|
||||
|
|
@ -196,9 +197,9 @@ ${pkgs.patos.systemd}/usr/bin/systemd-repart \
|
|||
--split=true \
|
||||
--json=pretty \
|
||||
--root=$out \
|
||||
patos_$version.raw > init-repart-output.json
|
||||
patos_$versionString.raw > init-repart-output.json
|
||||
|
||||
rm -f patos_$version.raw
|
||||
rm -f patos_$versionString.raw
|
||||
|
||||
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
|
||||
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
|
||||
|
|
@ -207,8 +208,8 @@ rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
|
|||
verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
|
||||
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
|
||||
|
||||
ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity
|
||||
ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root
|
||||
ln -sf patos_$versionString.verity.raw patos_$versionString_$verityUuid.verity
|
||||
ln -sf patos_$versionString.root.raw patos_$versionString_$rootUuid.root
|
||||
|
||||
${pkgs.patos.systemd}/usr/bin/ukify build \
|
||||
--linux ${pkgs.patos.kernel}/$kernelImage \
|
||||
|
|
@ -216,7 +217,7 @@ ${pkgs.patos.systemd}/usr/bin/ukify build \
|
|||
$mcode \
|
||||
--os-release @rootfs/etc/os-release \
|
||||
--cmdline "$kernelCmdLine roothash=$roothash" \
|
||||
-o patos_${version}.efi
|
||||
-o patos_$versionString.efi
|
||||
|
||||
# install ESP
|
||||
SYSTEMD_RELAX_ESP_CHECKS=1 ${pkgs.patos.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
|
||||
|
|
@ -240,7 +241,7 @@ EOF
|
|||
echo "timeout 2" > rootfs/boot/loader/loader.conf
|
||||
|
||||
# install UKI
|
||||
cp patos_${version}.efi rootfs/boot/EFI/Linux
|
||||
cp patos_$versionString.efi rootfs/boot/EFI/Linux
|
||||
|
||||
# Final partitioning
|
||||
cat <<EOF > final.repart.d/10-esp.conf
|
||||
|
|
@ -255,7 +256,7 @@ EOF
|
|||
cat <<EOF > final.repart.d/20-root.conf
|
||||
[Partition]
|
||||
Type=root
|
||||
Label=root-${version}
|
||||
Label=root-$versionString
|
||||
CopyBlocks=$out/$rootPart
|
||||
UUID=$rootUuid
|
||||
SizeMinBytes=64M
|
||||
|
|
@ -266,7 +267,7 @@ EOF
|
|||
cat <<EOF > final.repart.d/22-root-verity.conf
|
||||
[Partition]
|
||||
Type=root-verity
|
||||
Label=verity-${version}
|
||||
Label=verity-$versionString
|
||||
CopyBlocks=$out/$verityPart
|
||||
UUID=$verityUuid
|
||||
ReadOnly=1
|
||||
|
|
@ -278,7 +279,7 @@ ${pkgs.patos.systemd}/usr/bin/systemd-repart \
|
|||
--empty=create \
|
||||
--size=auto \
|
||||
--definitions=./final.repart.d \
|
||||
patos_${version}.img > final-repart-output.json
|
||||
patos_$versionString.img > final-repart-output.json
|
||||
|
||||
rm -rf rootfs init.repart.d final.repart.d *.json
|
||||
sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{
|
||||
pkgs,
|
||||
version,
|
||||
revision,
|
||||
runCommand,
|
||||
}:
|
||||
let
|
||||
|
|
@ -53,11 +54,11 @@ ID=patos
|
|||
IMAGE_VERSION=${version}
|
||||
VERSION=${version}
|
||||
VERSION_ID=patos
|
||||
BUILD_ID=somehash
|
||||
BUILD_ID=${revision}
|
||||
EOF
|
||||
|
||||
cat <<EOF > $out/etc/issue
|
||||
<<< Welcome to PatOS v${version} (Pre-Alpha) (\m) - \l >>>
|
||||
<<< Welcome to PatOS v${version}-${revision} (Pre-Alpha) (\m) - \l >>>
|
||||
|
||||
EOF
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ pkgs }:
|
||||
{ pkgs, version, revision,... }:
|
||||
pkgs.callPackage ../../lib/make-sysext.nix {
|
||||
name = "debug-tools";
|
||||
version = "0.0.1";
|
||||
name = "patos-debug-tools";
|
||||
version = "${version}-${revision}";
|
||||
packages = [
|
||||
{ drv = pkgs.curl; path = "bin/"; }
|
||||
{ drv = pkgs.bash; path = "bin/"; }
|
||||
|
|
@ -27,6 +27,8 @@ pkgs.callPackage ../../lib/make-sysext.nix {
|
|||
{ drv = pkgs.patos.openssl; path = "bin/openssl"; }
|
||||
# shared lib required for mkfs.erofs
|
||||
{ drv = pkgs.lz4.lib; path = "lib/"; }
|
||||
{ drv = pkgs.xxHash; path = "lib/"; }
|
||||
{ drv = pkgs.libdeflate; path = "lib/"; }
|
||||
# shared lib required for cryptsetup
|
||||
{ drv = pkgs.popt; path = "lib/"; }
|
||||
# shared lib required for strace
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ pkgs }:
|
||||
{ pkgs, version, revision, ... }:
|
||||
pkgs.callPackage ../../lib/make-sysext.nix {
|
||||
name = "firewall-tools";
|
||||
version = "0.0.1";
|
||||
name = "patos-firewall-tools";
|
||||
version = "${version}-${revision}";
|
||||
packages = [
|
||||
# network/firewalling
|
||||
{ drv = pkgs.iproute2; path = "bin/"; }
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue