feat: add sysupdate definitions

pkgs/image/default.nix

@@ -3,13 +3,14 @@
   patosPkgs,
   version,
   runCommand,
-  ...
+  updateUrl
 }:
 let
   pname = "patos-image";
 in
 runCommand pname {
   inherit version;
+  inherit updateUrl;
 
   buildInputs = with pkgs; [
     erofs-utils
@@ -24,7 +25,7 @@ runCommand pname {
     SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
   };
 
-  kernelCmdLine = "console=ttyS0";
+  kernelCmdLine = "console=ttyS0 patos.secureboot=true";
 }
 ''
 mkdir -p $out/init.repart.d $out/final.repart.d
@@ -70,6 +71,63 @@ ExecStartPost=rm -rf /boot/sbctl
 EOF
 ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service
 
+# sysupdate
+mkdir -p rootfs/etc/sysupdate.d
+cat <<EOF > rootfs/etc/sysupdate.d/10-uki.transfer
+[Source]
+Path=${updateUrl}
+MatchPattern=patos_@v.efi
+Type=url-file
+
+[Target]
+InstancesMax=2
+MatchPattern=patos_@v+@l-@d.efi patos_@v+@l.efi patos_@v.efi
+Mode=0444
+Path=/EFI/Linux
+PathRelativeTo=esp
+TriesDone=0
+TriesLeft=3
+Type=regular-file
+
+[Transfer]
+Verify=no
+EOF
+
+cat <<EOF > rootfs/etc/sysupdate.d/20-root.transfer
+[Source]
+Type=url-file
+Path=${updateUrl}
+MatchPattern=patos_@v_@u.verity
+
+[Target]
+Type=partition
+Path=auto
+MatchPattern=verity-@v
+MatchPartitionType=root-verity
+ReadOnly=1
+
+[Transfer]
+Verify=no
+EOF
+
+cat <<EOF > rootfs/etc/sysupdate.d/22-root.transfer
+[Source]
+Type=url-file
+Path=${updateUrl}
+MatchPattern=patos_@v_@u.root
+
+[Target]
+Type=partition
+Path=auto
+MatchPattern=root-@v
+MatchPartitionType=root
+ReadOnly=1
+
+[Transfer]
+Verify=no
+EOF
+
+
 # Initial partitioning
 cat <<EOF > init.repart.d/10-root.conf
 [Partition]
@@ -146,8 +204,8 @@ cat <<EOF > final.repart.d/10-esp.conf
 [Partition]
 Type=esp
 Format=vfat
-SizeMinBytes=96M
-SizeMaxBytes=96M
+SizeMinBytes=128M
+SizeMaxBytes=128M
 CopyFiles=/rootfs/boot:/
 EOF