fix(image): image need to include devicemapper setup tools and udev rules

2025-03-03 13:52:52 +01:00 · 2025-03-03 13:52:52 +01:00 · adb2e90c13
commit adb2e90c13
parent 0a6fc3af49
6 changed files with 106 additions and 19 deletions
--- a/pkgs/rootfs/default.nix
+++ b/pkgs/rootfs/default.nix
@ -29,6 +29,8 @@ stdenvNoCC.mkDerivation (finalAttrs: {
  tpm2Libs = patosPkgs.tpm2-tss.out;
  tpm2Tools = patosPkgs.tpm2-tools.out;
  kexec = patosPkgs.kexec.out;
+  lvm2 = patosPkgs.lvm2.out;
+  cryptsetup = pkgs.cryptsetup.bin;

  builder = ./mkrootfs.sh;
 })
--- a/pkgs/rootfs/mkrootfs.sh
+++ b/pkgs/rootfs/mkrootfs.sh
@ -15,6 +15,7 @@ cp -Pr $systemd/* $out/
 find $out -type d -exec chmod 755 {} \;
 rm -rf $out/usr/include
 rm -rf $out/usr/sbin
+ln -sf /usr/bin $out/usr/sbin
 rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service
 rm -f $out/usr/lib/systemd/ukify
 rm -f $out/usr/bin/ukify
@ -52,6 +53,13 @@ cat <<EOF > $out/etc/repart.d/22-root.conf
 Type=root
 EOF

+mkdir $out/usr/lib/systemd/system/systemd-repart.service.d
+cat <<EOF > $out/usr/lib/systemd/system/systemd-repart.service.d/override.conf
+[Service]
+ExecStart=
+ExecStart=systemd-repart --dry-run=no --generate-crypttab=/etc/crypttab
+EOF
+
 cat <<EOF > $out/etc/repart.d/40-var.conf
 [Partition]
 Type=var
@ -59,26 +67,28 @@ UUID=4d21b016-b534-45c2-a9fb-5c16e091fd2d
 Format=btrfs
 Label=patos-state
 Minimize=off
+Encrypt=tpm2
+EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard
 FactoryReset=yes
 SizeMinBytes=1G
 SplitName=-
 EOF

-cat <<EOF > $out/usr/lib/systemd/system/var.mount
-[Unit]
-Description=Mount for /var
-Before=local-fs.target
-After=systemd-repart.service
-
-[Mount]
-What=/dev/disk/by-label/patos-state
-Where=/var
-Type=btrfs
-Options=defaults
-
-[Install]
-WantedBy=multi-user.target
-EOF
+# cat <<EOF > $out/usr/lib/systemd/system/var.mount
+# [Unit]
+# Description=Mount for /var
+# Before=local-fs.target
+# After=systemd-repart.service
+#
+# [Mount]
+# What=/dev/mapper/patos-state
+# Where=/var
+# Type=btrfs
+# Options=defaults
+#
+# [Install]
+# WantedBy=multi-user.target
+# EOF

 cat <<EOF > $out/usr/lib/systemd/system/etc.mount
 [Unit]
@ -112,6 +122,11 @@ cp -r $dbusBroker/* $out/
 ### install kexec
 cp -Pr ${kexec}/sbin/kexec $out/usr/bin/

+### install dmsetup udev rules
+cp -P ${lvm2}/usr/bin/dmsetup $out/usr/bin/
+cp -P ${lvm2}/lib/libdevmapper.so* $out/usr/lib/
+cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
+
 ### install btrfs progs
 cp -Pr ${btrfs}/bin/* $out/usr/bin/
 cp -Pr ${btrfs}/lib/* $out/usr/lib/
@ -120,6 +135,9 @@ cp -Pr ${btrfs}/lib/* $out/usr/lib/
 cp -P ${tpm2Tools}/bin/* $out/usr/bin/
 cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/

+### install cryptsetup tools
+cp -P $cryptsetup/bin/* $out/usr/bin/
+
 ### install lib kmod
 cp -P $kmodLibs/lib/* $out/usr/lib
 cp -P $kmodBin/bin/* $out/usr/bin
@ -193,11 +211,11 @@ EOF
 chmod 644 $out/etc/group

 ### Find and install all shared libs
-find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | sort -u | xargs cp -t $out/usr/lib
+find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/
 find $out -type f -executable -exec chmod 755 {} \;

 # FIXME: ELF patching. Is there a better way?
-find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \;
+find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \;
 find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \;
 patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2