WIP: Build image from scratch / without NixOS.

An experiment to see if we can minimize the PatOS project even further,
and not have to adapt NixOS packages and config for our needs.

systemd/0017-meson.build-do-not-create-systemdstatedir.patch

@@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: nikstur <nikstur@outlook.com>
+Date: Mon, 6 Nov 2023 22:51:38 +0100
+Subject: [PATCH] meson.build: do not create systemdstatedir
+
+---
+ meson.build | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index bffda86845..cb5dcec0f9 100644
+--- a/meson.build
++++ b/meson.build
+@@ -2781,7 +2781,6 @@ install_data('LICENSE.GPL2',
+ install_subdir('LICENSES',
+                install_dir : docdir)
+ 
+-install_emptydir(systemdstatedir)
+ 
+ #####################################################################
+ 

systemd/default.nix

@@ -0,0 +1,315 @@
+{
+  fetchFromGitHub,
+  lib,
+  pkgs,
+  stdenv,
+  targetPackages,
+  ...
+}:
+let
+  version = "257.3";
+
+  # Use the command below to update `releaseTimestamp` on every (major) version
+  # change. More details in the commentary at mesonFlags.
+  # command:
+  #  $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \
+  #     jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime'
+  releaseTimestamp = "1734643670";
+
+  pname = "systemd";
+in
+stdenv.mkDerivation (finalAttrs: {
+  inherit version;
+
+  pname = pname;
+
+  src = fetchFromGitHub {
+    owner = "systemd";
+    repo = "systemd";
+    rev = "v${version}";
+    hash = "sha256-GvRn55grHWR6M+tA86RMzqinuXNpPZzRB4ApuGN/ZvU=";
+  };
+
+  patches = [
+    ./0017-meson.build-do-not-create-systemdstatedir.patch
+  ];
+
+  nativeBuildInputs = with pkgs; [
+    bash
+    pkg-config
+    makeBinaryWrapper
+    gperf
+    ninja
+    meson
+    glibcLocales
+    getent
+    m4
+    autoPatchelfHook
+
+    intltool
+    gettext
+
+    libxslt
+    docbook_xsl
+    docbook_xml_dtd_42
+    docbook_xml_dtd_45
+    bash
+    (buildPackages.python3Packages.python.withPackages (
+      ps: with ps; [
+        lxml
+        jinja2
+        ps.pyelftools
+      ]
+    ))
+
+    bpftools
+    buildPackages.llvmPackages.clang
+    buildPackages.llvmPackages.libllvm
+  ];
+
+  outputs = [
+    "out"
+    "dev"
+  ];
+
+  separateDebugInfo = true;
+
+  autoPatchelfFlags = [ "--keep-libc" ];
+
+  hardeningDisable = [
+    # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523
+    "trivialautovarinit"
+    # breaks clang -target bpf; should be fixed to filter target?
+    "zerocallusedregs"
+    "shadowstack"
+  ];
+
+  buildInputs = with pkgs; [
+    libxcrypt
+    libcap
+    libuuid
+    linuxHeaders
+    bashInteractive # for patch shebangs
+    libgcrypt
+    libgpg-error
+    openssl
+    acl
+    libapparmor
+    audit
+    zlib
+    bzip2
+    lz4
+    xz
+    zstd
+    elfutils
+    kexec-tools
+    kmod
+    libidn2
+    libseccomp
+    libselinux
+    iptables
+    p11-kit
+    libfido2
+    pam
+    pcre2
+    libbpf
+    tpm2-tss
+    qrencode
+    libarchive
+    (lib.getDev curl)
+    (lib.getDev cryptsetup.dev)
+    (python3Packages.python.withPackages (ps: with ps; [ pefile ]))
+    (llvmPackages.compiler-rt.override {
+      doFakeLibgcc = true;
+    })
+  ];
+
+  mesonBuildType = "release";
+
+  doCheck = false; # fails a bunch of tests
+
+  preConfigure = ''
+    mesonFlagsArray+=(-Dntp-servers="0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org")
+    export LC_ALL="en_US.UTF-8";
+  '';
+
+  postPatch =
+    ''
+      substituteInPlace src/basic/path-util.h --replace "@defaultPathNormal@" "${placeholder "out"}/bin/"
+    ''
+    + ''
+      substituteInPlace meson.build \
+        --replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'"
+    ''
+    + ''
+      substituteInPlace src/ukify/ukify.py \
+        --replace \
+        "'readelf'" \
+        "'${targetPackages.stdenv.cc.bintools.targetPrefix}readelf'" \
+        --replace \
+        "/usr/lib/systemd/boot/efi" \
+        "$out/lib/systemd/boot/efi"
+    ''
+    # Finally, patch shebangs in scripts used at build time. This must not patch
+    # scripts that will end up in the output, to avoid build platform references
+    # when cross-compiling.
+    + ''
+      shopt -s extglob
+      patchShebangs tools test src/!(rpm|kernel-install|ukify) src/kernel-install/test-kernel-install.sh
+    '';
+
+  # trigger the test -n "$DESTDIR" || mutate in upstreams build system
+  preInstall = ''
+    export DESTDIR=/
+  '';
+
+  mesonFlags = [
+
+    "--prefix=${placeholder "out"}"
+
+    # Options
+
+    # We bump this attribute on every (major) version change to ensure that we
+    # have known-good value for a timestamp that is in the (not so distant)
+    # past. This serves as a lower bound for valid system timestamps during
+    # startup. Systemd will reset the system timestamp if this date is +- 15
+    # years from the system time.
+    # See the systemd v250 release notes for further details:
+    #   https://github.com/systemd/systemd/blob/60e930fc3e6eb8a36fbc184773119eb8d2f30364/NEWS#L258-L266
+    (lib.mesonOption "time-epoch" releaseTimestamp)
+
+    (lib.mesonOption "version-tag" version)
+    (lib.mesonOption "mode" "release")
+    (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3
+
+    (lib.mesonOption "debug-shell" "${pkgs.bashInteractive}/bin/bash")
+    (lib.mesonOption "pamconfdir" "${placeholder "out"}/etc/pam.d")
+    (lib.mesonOption "shellprofiledir" "${placeholder "out"}/etc/profile.d")
+    (lib.mesonOption "kmod-path" "${pkgs.kmod}/bin/kmod")
+    (lib.mesonOption "dbuspolicydir" "${placeholder "out"}/share/dbus-1/system.d")
+    (lib.mesonOption "dbussessionservicedir" "${placeholder "out"}/share/dbus-1/services")
+    (lib.mesonOption "dbussystemservicedir" "${placeholder "out"}/share/dbus-1/system-services")
+    # pkgconfig
+    (lib.mesonOption "pkgconfiglibdir" "${placeholder "dev"}/lib/pkgconfig")
+    (lib.mesonOption "pkgconfigdatadir" "${placeholder "dev"}/share/pkgconfig")
+
+    # SBAT
+    (lib.mesonOption "sbat-distro" "patos")
+    (lib.mesonOption "sbat-distro-summary" "PatOS")
+    (lib.mesonOption "sbat-distro-url" "https://patagia.io/")
+    (lib.mesonOption "sbat-distro-pkgname" pname)
+    (lib.mesonOption "sbat-distro-version" version)
+
+    # Users
+    (lib.mesonOption "system-uid-max" "999")
+    (lib.mesonOption "system-gid-max" "999")
+
+    # SysVinit
+    (lib.mesonOption "sysvinit-path" "")
+    (lib.mesonOption "sysvrcnd-path" "")
+
+    # SSH
+    # Disabled for now until someone makes this work.
+    (lib.mesonOption "sshconfdir" "no")
+    (lib.mesonOption "sshdconfdir" "no")
+
+    # Features
+
+    # Tests
+    (lib.mesonBool "tests" false)
+    (lib.mesonEnable "glib" false)
+    (lib.mesonEnable "dbus" false)
+
+    # Compression
+    (lib.mesonEnable "bzip2" true)
+    (lib.mesonEnable "lz4" true)
+    (lib.mesonEnable "xz" true)
+    (lib.mesonEnable "zstd" true)
+    (lib.mesonEnable "zlib" true)
+
+    # NSS
+    (lib.mesonEnable "nss-resolve" true)
+    (lib.mesonBool "nss-myhostname" true)
+    (lib.mesonBool "nss-systemd" true)
+
+    # Cryptsetup
+    (lib.mesonEnable "libcryptsetup" true)
+    (lib.mesonEnable "libcryptsetup-plugins" true)
+    (lib.mesonEnable "p11kit" true)
+
+    # FIDO2
+    (lib.mesonEnable "libfido2" true)
+    (lib.mesonEnable "openssl" true)
+
+    # Password Quality
+    (lib.mesonEnable "pwquality" false)
+    (lib.mesonEnable "passwdqc" false)
+
+    # Remote
+    (lib.mesonEnable "remote" false)
+    (lib.mesonEnable "microhttpd" false)
+
+    (lib.mesonEnable "pam" true)
+    (lib.mesonEnable "acl" true)
+    (lib.mesonEnable "audit" true)
+    (lib.mesonEnable "apparmor" true)
+    (lib.mesonEnable "gcrypt" true)
+    (lib.mesonEnable "importd" true)
+    (lib.mesonEnable "homed" true)
+    (lib.mesonEnable "polkit" true)
+    (lib.mesonEnable "elfutils" true)
+    (lib.mesonEnable "libcurl" true)
+    (lib.mesonEnable "libidn" false)
+    (lib.mesonEnable "libidn2" true)
+    (lib.mesonEnable "libiptc" true)
+    (lib.mesonEnable "repart" true)
+    (lib.mesonEnable "sysupdate" true)
+    (lib.mesonEnable "seccomp" true)
+    (lib.mesonEnable "selinux" true)
+    (lib.mesonEnable "tpm2" true)
+    (lib.mesonEnable "pcre2" true)
+    (lib.mesonEnable "bpf-framework" true)
+    (lib.mesonEnable "bootloader" true)
+    (lib.mesonEnable "ukify" true)
+    (lib.mesonEnable "kmod" true)
+    (lib.mesonEnable "qrencode" true)
+    (lib.mesonEnable "vmspawn" true)
+    (lib.mesonEnable "libarchive" true)
+    (lib.mesonEnable "xenctrl" false)
+    (lib.mesonEnable "gnutls" false)
+    (lib.mesonEnable "xkbcommon" false)
+    (lib.mesonEnable "man" true)
+
+    (lib.mesonBool "analyze" true)
+    (lib.mesonBool "logind" true)
+    (lib.mesonBool "localed" true)
+    (lib.mesonBool "hostnamed" true)
+    (lib.mesonBool "machined" true)
+    (lib.mesonBool "networkd" true)
+    (lib.mesonBool "oomd" true)
+    (lib.mesonBool "portabled" true)
+    (lib.mesonBool "hwdb" true)
+    (lib.mesonBool "timedated" true)
+    (lib.mesonBool "timesyncd" true)
+    (lib.mesonBool "userdb" true)
+    (lib.mesonBool "coredump" true)
+    (lib.mesonBool "firstboot" true)
+    (lib.mesonBool "resolve" true)
+    (lib.mesonBool "sysusers" true)
+    (lib.mesonBool "efi" true)
+    (lib.mesonBool "utmp" true)
+    (lib.mesonBool "log-trace" true)
+
+    (lib.mesonBool "kernel-install" true)
+    (lib.mesonBool "quotacheck" false)
+    (lib.mesonBool "ldconfig" false)
+    (lib.mesonBool "install-sysconfdir" false)
+    (lib.mesonBool "create-log-dirs" false)
+    (lib.mesonBool "smack" true)
+    (lib.mesonBool "b_pie" true)
+
+    (lib.mesonOption "bashcompletiondir" "no")
+    (lib.mesonOption "zshcompletiondir" "no")
+  ];
+
+})

systemd/result

@@ -0,0 +1 @@
+/nix/store/jw8923rfwly76yb8ynp5r65cvg4g9m0f-systemd-257.3