chore: clean up

Lars Sjöström 2025-03-17 10:18:30 +01:00
parent 1725120a49
commit a3e2a970f8
No known key found for this signature in database
11 changed files with 845 additions and 772 deletions


@ -22,22 +22,14 @@
{
packages = {
default = patosPkgs.image;
image = pkgs.callPackage ./pkgs/image {
inherit patosPkgs;
inherit version;
};
rootfs = pkgs.callPackage ./pkgs/rootfs {
inherit patosPkgs;
inherit version;
};
initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix {
inherit patosPkgs;
inherit version;
};
image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version; };
rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; };
initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; };
kernel = pkgs.callPackage ./pkgs/kernel { };
glibc = pkgs.callPackage ./pkgs/glibc { };
busybox = pkgs.callPackage ./pkgs/busybox { };
openssl = pkgs.callPackage ./pkgs/openssl { };
cert = pkgs.callPackage ./pkgs/cert { };
kexec = pkgs.callPackage ./pkgs/kexec-tools { };
lvm2 = pkgs.callPackage ./pkgs/lvm2 { };
tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; };
@ -51,38 +43,38 @@
name = "debug-tools";
version = "0.0.1";
packages = [
{ drv = pkgs.curl; path = "bin/curl"; }
{ drv = pkgs.bash; path = "bin/bash"; }
{ drv = patosPkgs.glibc; path = "bin/ldd"; }
{ drv = pkgs.keyutils; path = "bin/keyctl"; }
{ drv = pkgs.gnutar; path = "bin/tar"; }
{ drv = pkgs.binutils-unwrapped; path = "bin/strings"; }
{ drv = pkgs.strace; path = "bin/strace"; }
{ drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; }
{ drv = patosPkgs.openssl; path = "bin/openssl"; }
{ drv = pkgs.cryptsetup; path = "bin/cryptsetup"; }
{ drv = pkgs.cryptsetup; path = "bin/veritysetup"; }
{ drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; }
# shared lib required for cryptsetup
{ drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; }
{ drv = pkgs.popt; path = "lib/libpopt.so.0"; }
{ drv = pkgs.popt; path = "lib/libpopt.so"; }
# shared lib required for mkfs.erofs
{ drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; }
{ drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; }
{ drv = pkgs.lz4.lib; path = "lib/liblz4.so"; }
# shared lib required for binutils
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; }
# shared lib required for strace
{ drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; }
{ drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; }
{ drv = pkgs.elfutils.out; path = "lib/libdw.so"; }
{ drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; }
{ drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; }
{ drv = pkgs.elfutils.out; path = "lib/libelf.so"; }
{ drv = pkgs.curl; path = "bin/curl"; }
{ drv = pkgs.bash; path = "bin/bash"; }
{ drv = patosPkgs.glibc; path = "bin/ldd"; }
{ drv = pkgs.keyutils; path = "bin/keyctl"; }
{ drv = pkgs.gnutar; path = "bin/tar"; }
{ drv = pkgs.binutils-unwrapped; path = "bin/strings"; }
{ drv = pkgs.strace; path = "bin/strace"; }
{ drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; }
{ drv = patosPkgs.openssl; path = "bin/openssl"; }
{ drv = pkgs.cryptsetup; path = "bin/cryptsetup"; }
{ drv = pkgs.cryptsetup; path = "bin/veritysetup"; }
{ drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; }
# shared lib required for cryptsetup
{ drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; }
{ drv = pkgs.popt; path = "lib/libpopt.so.0"; }
{ drv = pkgs.popt; path = "lib/libpopt.so"; }
# shared lib required for mkfs.erofs
{ drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; }
{ drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; }
{ drv = pkgs.lz4.lib; path = "lib/liblz4.so"; }
# shared lib required for binutils
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; }
# shared lib required for strace
{ drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; }
{ drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; }
{ drv = pkgs.elfutils.out; path = "lib/libdw.so"; }
{ drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; }
{ drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; }
{ drv = pkgs.elfutils.out; path = "lib/libelf.so"; }
];
};
};

17
pkgs/cert/default.nix Normal file

@ -0,0 +1,17 @@
{
runCommand,
pkgs,
}:
runCommand "patagia-certs"
{
buildInputs = with pkgs; [
openssl
];
}
''
mkdir -pv $out
openssl req -new -x509 -days 365 -nodes -out $out/cert.pem -keyout $out/key.pem -subj "/CN=patagia-signing"
''
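Review bot: The key that the openssl line writes to `$out/key.pem` becomes part of a Nix store path, which is world-readable on the build host and is pushed to any binary cache the flake publishes to, and pkgs/image/default.nix uses exactly this key to sign the bootloader and UKI and to auto-enroll the certificate as a Secure Boot key, so anyone who can read that store path can produce binaries the deployed firmware trusts. Because `openssl req` generates a fresh random key on every actual build, two machines that build this derivation also end up with unrelated keys behind the same store path, so images built in different places are not interchangeable even though Nix reports the same output. Keep the key out of derivation outputs — generate it outside the build and supply it through a build credential, or sign the image in a post-build step — and in the meantime mark the derivation with a comment such as `# DEVELOPMENT ONLY: ephemeral self-signed key; it lands in /nix/store and is enrolled by the image`. The `-days 365` validity is also worth a comment, since most firmware does not enforce certificate expiry but tooling that verifies the signed UKI may.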


@ -1,16 +1,15 @@
{
pkgs,
stdenvNoCC,
patosPkgs,
version,
runCommand,
...
}:
let
pname = "patos-image";
in
stdenvNoCC.mkDerivation (finalAttrs: {
runCommand pname {
inherit version;
inherit pname;
buildInputs = with pkgs; [
erofs-utils
@ -27,12 +26,142 @@ stdenvNoCC.mkDerivation (finalAttrs: {
SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
};
systemd = patosPkgs.systemd.out;
kernel = patosPkgs.kernel;
initrd = patosPkgs.initrd.out;
rootfs = patosPkgs.rootfs.out;
kernelCmdLine = "console=ttyS0";
}
''
mkdir -p $out/init.repart.d $out/final.repart.d $out/boot
pushd $out
builder = ./mkimage.sh;
})
# Don't seem to work just to create a symlink to rootfs derivation?
# ln -sf $rootfs rootfs
mkdir rootfs
cp -prP ${patosPkgs.rootfs}/* rootfs/
find rootfs/ -type d -exec chmod 755 {} \;
# set default target to multi-user
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
# enable dbus
ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
# enable network services
ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service
ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service
ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service
# enable default network config
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
# enable confext/sysext services
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
# Initial partitioning
cat <<EOF > init.repart.d/10-root.conf
[Partition]
Type=root
Format=erofs
Minimize=best
CopyFiles=/rootfs:/
Verity=data
VerityMatchKey=root
SplitName=root
EOF
cat <<EOF > init.repart.d/20-root-verity.conf
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=root
Minimize=best
SplitName=verity
EOF
#TODO: Add verity signature partition
${patosPkgs.systemd}/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=./init.repart.d \
--split=true \
--json=pretty \
--root=$out \
patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
${patosPkgs.systemd}/usr/bin/ukify build \
--linux ${patosPkgs.kernel}/bzImage \
--initrd ${patosPkgs.initrd}/initrd.xz \
--os-release @rootfs/etc/os-release \
--cmdline "$kernelCmdLine roothash=$roothash" \
-o patos_${version}.efi
# install ESP
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
--secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem
echo "timeout 2" > rootfs/boot/loader/loader.conf
# sign EFIs
${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
patos_${version}.efi --output=patos_${version}.efi
# install UKI
cp patos_${version}.efi rootfs/boot/EFI/Linux
echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
# Final partitioning
cat <<EOF > final.repart.d/10-esp.conf
[Partition]
Type=esp
Format=vfat
SizeMinBytes=160M
SizeMaxBytes=160M
CopyFiles=/rootfs/boot:/
EOF
cat <<EOF > final.repart.d/20-root.conf
[Partition]
Type=root
Label=root-${version}
CopyBlocks=/$rootPart
UUID=$rootUuid
SizeMinBytes=256M
SizeMaxBytes=256M
ReadOnly=1
EOF
cat <<EOF > final.repart.d/22-root-verity.conf
[Partition]
Type=root-verity
Label=verity-${version}
CopyBlocks=/$verityPart
UUID=$verityUuid
SizeMinBytes=10M
SizeMaxBytes=10M
ReadOnly=1
EOF
# finalize image ready for boot
${patosPkgs.systemd}/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=./final.repart.d \
--root=$out \
patos-$version.raw > final-repart-output.json
rm -rf rootfs
popd
''
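Review bot: The `secure-boot-enroll force` line appended to loader.conf near the end of the script makes systemd-boot enroll the build-time certificate into any machine that boots the image with Secure Boot in setup mode, without a prompt, and the bootctl call a few lines earlier enrolls that same store-resident key from pkgs/cert; on real hardware this can lock the firmware to a development-only key. Consider writing `secure-boot-enroll if-safe` by default (systemd-boot then enrolls only where it judges it harmless, such as in virtual machines) and exposing `force` as an explicit build parameter, with a comment above the echo stating why unattended enrollment is wanted. The script also depends on `jq` for the repart JSON, but the buildInputs list is cut off at the top of this view, so I cannot confirm it is provided; if it is not, the `roothash=` assignment fails the build under stdenv's errexit.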


@ -1,140 +0,0 @@
set -ex -o pipefail
mkdir -p $out/init.repart.d $out/final.repart.d $out/boot
pushd $out
# Don't seem to work just to create a symlink to rootfs derivation?
# ln -sf $rootfs rootfs
mkdir rootfs
cp -prP $rootfs/* rootfs/
find rootfs/ -type d -exec chmod 755 {} \;
# set default target to multi-user
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
# enable dbus
ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
# enable network services
ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service
ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service
ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service
# enable default network config
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
# enable confext/sysext services
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
# Initial partitioning
cat <<EOF > init.repart.d/10-root.conf
[Partition]
Type=root
Format=erofs
Minimize=best
CopyFiles=/rootfs:/
Verity=data
VerityMatchKey=root
SplitName=root
EOF
cat <<EOF > init.repart.d/20-root-verity.conf
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=root
Minimize=best
SplitName=verity
EOF
#TODO: Add verity signature partition
$systemd/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=./init.repart.d \
--split=true \
--json=pretty \
--root=$out \
patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
$systemd/usr/bin/ukify build \
--linux $kernel/bzImage \
--initrd $initrd/initrd.xz \
--os-release @rootfs/etc/os-release \
--cmdline "$kernelCmdLine roothash=$roothash" \
-o patos_${version}.efi
# Secure boot
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -subj "/CN=patagia-signing"
# install ESP
SYSTEMD_RELAX_ESP_CHECKS=1 $systemd/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
--secure-boot-auto-enroll=true --certificate=./cert.pem --private-key=./key.pem
echo "timeout 2" > rootfs/boot/loader/loader.conf
# sign EFIs
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
patos_${version}.efi --output=patos_${version}.efi
# install UKI
cp patos_${version}.efi rootfs/boot/EFI/Linux
echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
# Final partitioning
cat <<EOF > final.repart.d/10-esp.conf
[Partition]
Type=esp
Format=vfat
SizeMinBytes=160M
SizeMaxBytes=160M
CopyFiles=/rootfs/boot:/
EOF
cat <<EOF > final.repart.d/20-root.conf
[Partition]
Type=root
Label=root-${version}
CopyBlocks=/${rootPart}
UUID=${rootUuid}
SizeMinBytes=256M
SizeMaxBytes=256M
ReadOnly=1
EOF
cat <<EOF > final.repart.d/22-root-verity.conf
[Partition]
Type=root-verity
Label=verity-${version}
CopyBlocks=/${verityPart}
UUID=${verityUuid}
SizeMinBytes=10M
SizeMaxBytes=10M
ReadOnly=1
EOF
# finalize image ready for boot
$systemd/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=./final.repart.d \
--root=$out \
patos-$version.raw > final-repart-output.json
rm -rf rootfs
popd


@ -3,13 +3,13 @@ let
version = "6.13.7";
hash = "sha256-Ojm2IDi3rC9D0mofhLQoPhl4BOHoF61jfpo9h0xHgB0=";
in
(pkgs.callPackage ./manual-config.nix {}) {
version = "${version}-patos1";
modDirVersion = version;
src = pkgs.fetchurl {
url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
hash = hash;
};
configfile = ./generic.config;
allowImportFromDerivation = true;
}
(pkgs.callPackage ./manual-config.nix { }) {
version = "${version}-patos1";
modDirVersion = version;
src = pkgs.fetchurl {
url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
hash = hash;
};
configfile = ./generic.config;
allowImportFromDerivation = true;
}


@ -522,10 +522,6 @@ CONFIG_DEBUG_BUGVERBOSE=y
CONFIG_DEBUG_ENTRY=y
CONFIG_DEBUG_FS_ALLOW_ALL=y
CONFIG_DEBUG_FS=y
#CONFIG_DEBUG_INFO_BTF_MODULES=y
#CONFIG_DEBUG_INFO_BTF=y
#CONFIG_DEBUG_INFO_COMPRESSED_NONE=y
#CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
CONFIG_DEBUG_INFO=n
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_LIST=y
@ -1401,9 +1397,8 @@ CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_MODULE_SRCVERSION_ALL=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=n
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULES_TREE_LOOKUP=y
CONFIG_MODULES_USE_ELF_RELA=y
CONFIG_MODULES=y
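Review bot: Flipping `CONFIG_MODULE_SIG_FORCE` to `y` in the second hunk means the kernel now refuses any module not signed with the key named by `CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"`, which kbuild generates during the build when that file is absent; that is the right direction for a verity and Secure Boot image, but it has two consequences the commit does not record. Any module delivered outside the `lib/modules` tree that mkrootfs.nix copies from this kernel build (for example through a sysext) will be rejected, and the generated private key must not survive in the kernel's outputs — worth checking in the `manual-config.nix` this repo uses, since the store path is readable by everyone on the build host. Documenting the outcome with a comment above the option, e.g. `# modules are signed with a build-time ephemeral key; unsigned or out-of-tree modules will not load`, would save the next reader the investigation.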



@ -1,38 +0,0 @@
{
pkgs,
stdenvNoCC,
patosPkgs,
version,
...
}:
let
pname = "patos-rootfs";
defaultPassword = "patos";
in
stdenvNoCC.mkDerivation (finalAttrs: {
inherit version;
inherit pname;
inherit defaultPassword;
buildInputs = with pkgs; [
glibc
binutils
];
glibcPatos = patosPkgs.glibc.out;
systemd = patosPkgs.systemd.out;
dbusBroker = patosPkgs.dbus-broker.out;
kernel = patosPkgs.kernel;
busybox = patosPkgs.busybox.out;
kmodLibs = pkgs.kmod.lib;
kmodBin = pkgs.kmod.out;
cacert = pkgs.cacert.out;
libbpf = pkgs.libbpf.out;
btrfs = pkgs.btrfs-progs.out;
tpm2Libs = patosPkgs.tpm2-tss.out;
kexec = patosPkgs.kexec.out;
lvm2 = patosPkgs.lvm2.out;
openssl = patosPkgs.openssl.out;
builder = ./mkrootfs.sh;
})


@ -1,23 +1,66 @@
{
pkgs,
stdenvNoCC,
patosPkgs,
version,
runCommand,
...
}:
let
pname = "patos-ramdisk";
in
stdenvNoCC.mkDerivation (finalAttrs: {
inherit version;
inherit pname;
runCommand "patos-initrd" {
buildInputs = with pkgs; [
cpio
xz
];
}
''
echo "Building initram disk"
mkdir -p $out/root
pushd $out/root
rootfs = patosPkgs.rootfs.out;
### copy rootfs
cp -prP ${patosPkgs.rootfs}/* .
find . -type d -exec chmod 755 {} \;
mkdir sysroot
builder = ./mkinitrd.sh;
})
### create directories
ln -sf ../usr/lib/systemd/systemd init
### Create needed files
echo patos > ./etc/hostname
ln -sf /etc/os-release ./etc/initrd-release
# set default target to initrd inside initrd
ln -sf initrd.target ./usr/lib/systemd/system/default.target
# bind mount /run to /sysroot/run
cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount
[Unit]
Before=initrd-fs.target
DefaultDependencies=false
[Mount]
Options=bind
What=/run
Where=/sysroot/run
EOF
mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/
ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount
# repart: generate crypttab and fstab under /run
mkdir ./usr/lib/systemd/system/systemd-repart.service.d
cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf
[Unit]
After=sysroot-run.mount
Requires=sysroot-run.mount
[Service]
Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard
ExecStart=
ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab
EOF
# gen initrd
find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz
popd
rm -rf $out/root
''
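Review bot: The cpio pipeline at the end of the script archives files in whatever order `find .` returns them and keeps host inode and device numbers, so two builds from the same inputs can produce different `initrd.xz` bytes; for an image whose UKI is signed and whose root hash is pinned, a reproducible initrd is what lets a reviewer confirm that a shipped UKI was built from the declared inputs. If the cpio in buildInputs is GNU cpio 2.12 or later, `find . -print0 | sort -z | cpio --null --owner=root:root -o --format=newc --reproducible | xz -9 --check=crc32 > ../initrd.xz` gives a stable archive. The section comments `### copy rootfs` and `### create directories` no longer match the commands beneath them (`mkdir sysroot` sits under the former, a symlink under the latter) and could be corrected while this block is being touched.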


@ -1,53 +0,0 @@
set -ex -p pipefail
echo "Building initram disk"
mkdir -p $out/root
pushd $out/root
### copy rootfs
cp -prP $rootfs/* .
find . -type d -exec chmod 755 {} \;
mkdir sysroot
### create directories
ln -sf ../usr/lib/systemd/systemd init
### Create needed files
echo patos > ./etc/hostname
ln -sf /etc/os-release ./etc/initrd-release
# set default target to initrd inside initrd
ln -sf initrd.target ./usr/lib/systemd/system/default.target
# bind mount /run to /sysroot/run
cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount
[Unit]
Before=initrd-fs.target
DefaultDependencies=false
[Mount]
Options=bind
What=/run
Where=/sysroot/run
EOF
mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/
ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount
# repart: generate crypttab and fstab under /run
mkdir ./usr/lib/systemd/system/systemd-repart.service.d
cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf
[Unit]
After=sysroot-run.mount
Requires=sysroot-run.mount
[Service]
Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard
ExecStart=
ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab
EOF
# gen initrd
find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz
popd
rm -rf $out/root


@ -1,5 +1,22 @@
set -ex -o pipefail
{
pkgs,
patosPkgs,
version,
runCommand,
...
}:
let
defaultPassword = "patos";
in
runCommand "patos-rootfs"
{
buildInputs = [
pkgs.glibc
pkgs.binutils
];
}
''
### create directory structure
mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \
$out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var/tmp
@ -11,7 +28,7 @@ ln -sf ../proc/self/mounts $out/etc/mtab
### install systemd
echo "Installing systemd"
cp -Pr $systemd/* $out/
cp -Pr ${patosPkgs.systemd}/* $out/
find $out -type d -exec chmod 755 {} \;
rm -rf $out/usr/include
rm -rf $out/usr/sbin
@ -117,57 +134,57 @@ ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTE
EOF
### install PatOS glibc
cp -P $glibcPatos/lib/*.so* $out/usr/lib/
cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/
### install openssl
cp -P $openssl/lib/*.so* $out/usr/lib/
cp -Pr $openssl/etc/ssl $out/etc/
cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/
cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/
### install busybox
cp $busybox/bin/busybox $out/usr/bin/
cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/
$out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}
### install dbus broker
cp -r $dbusBroker/* $out/
cp -r ${patosPkgs.dbus-broker}/* $out/
### install kexec
cp -Pr ${kexec}/sbin/kexec $out/usr/bin/
cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/
### install dmsetup udev rules
cp -P ${lvm2}/usr/bin/dmsetup $out/usr/bin/
cp -P ${lvm2}/lib/libdevmapper.so* $out/usr/lib/
cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/
cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/
cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
### install btrfs progs
cp -Pr ${btrfs}/bin/* $out/usr/bin/
cp -Pr ${btrfs}/lib/* $out/usr/lib/
cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/
cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/
### install tpm2 libs
cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/
cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/
### install lib kmod
cp -P $kmodLibs/lib/*.so* $out/usr/lib/
cp -P $kmodBin/bin/* $out/usr/bin
cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/
cp -P ${pkgs.kmod}/bin/* $out/usr/bin
### install libbpf
cp -P $libbpf/lib/libbpf*.so* $out/usr/lib
cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib
### install ca cert bundle
chmod 755 $out/etc/ssl $out/etc/ssl/certs
cp -P $cacert/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem
cp -P ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem
ln -sf ../cert.pem $out/etc/ssl/certs/ca-certificates.crt
ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt
# setup default files
$systemd/usr/bin/systemd-hwdb --root=$out --usr update
$systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update
${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
cp $out/usr/share/factory/etc/locale.conf $out/etc/
cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
# install sys users
mkdir creds
echo -n $defaultPassword > creds/passwd.plaintext-password.root
CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
echo -n ${defaultPassword} > creds/passwd.plaintext-password.root
CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
chmod 600 $out/etc/shadow
rm -rf creds
@ -195,6 +212,6 @@ find $out -type f -executable -exec strip {} \;
find $out -type d -exec chmod 755 {} \;
### install kernel modules
cp -r $kernel/lib/modules $out/usr/lib/
cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/
find $out/usr/lib/modules -type d -exec chmod 755 {} \;
''
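Review bot: The systemd-sysusers call in the third hunk still passes `rootfs/usr/lib/sysusers.d/*.conf`, a path relative to the build directory that does not exist in this derivation (the rootfs is assembled directly under `$out`); with stdenv's nullglob the glob presumably expands to nothing and sysusers falls back to the configuration under `--root`, otherwise the build fails on a literal path — confirm which happens. Either drop the argument or make it `$out/usr/lib/sysusers.d/*.conf` so the intent is explicit. The same hunk also feeds the literal `defaultPassword` into root's plaintext-password credential, so every image ships with the same well-known root password; that deserves a comment next to `defaultPassword = "patos";` stating that it is a development default and how release builds are expected to override it. The shell string these hunks belong to starts in the first hunk and is only partly visible here.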