Image building take 2

We want verity protected partitions as well as encrypted state/data along with verified boot.
This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! 

https://github.com/petm5/nixlet/
This commit is contained in:
Daniel Lundin 2024-11-11 23:02:38 +01:00
parent da5bdb3d47
commit c59ea29957
Signed by: dln
SSH key fingerprint: SHA256:dQy1Xj3UiqJYpKR5ggQ2bxgz4jCH8IF+k3AB8o0kmdI
39 changed files with 1311 additions and 3272 deletions

191
flake.nix
View file

@ -2,151 +2,70 @@
description = "PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform.";
inputs = {
flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
patagia-agent.url = "git+ssh://git@patagia.dev/patagia/patagia-agent?ref=main";
patagia-agent.inputs.nixpkgs.follows = "nixpkgs";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs =
{ self, nixpkgs }:
let
releaseVersion = "0.0.1";
system = "x86_64-linux";
updateUrl = "https://images.dl.patagia.dev/patos/";
pkgs = import nixpkgs { inherit system; };
in
{
self,
flake-utils,
nixpkgs,
patagia-agent,
}:
flake-utils.lib.eachDefaultSystem (
system:
let
nixosModules.server.imports = [
./modules/profiles/server.nix
];
pkgs = import nixpkgs {
inherit system;
overlays = [
(import ./overlays)
];
};
nixosModules.image.imports = [
./modules
./modules/profiles/base.nix
./modules/image/disk
];
# Prepare an update package for the system.
mkUpdate =
nixos:
let
config = nixos.config;
in
pkgs.runCommand "update-${config.system.image.version}"
{
nativeBuildInputs = with pkgs; [
erofs-utils
zstd
];
}
''
mkdir -p $out
cp ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw $out/
zstd -9 ${config.system.build.uki}/${config.system.boot.loader.ukiFile} \
-o $out/${config.system.boot.loader.ukiFile}.zst
zstd -9 ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw \
-o $out/${config.boot.uki.name}_${config.system.image.version}.img.zst
'';
# Prepare a ready-to-boot disk image.
mkInstallImage =
nixos:
let
config = nixos.config;
in
pkgs.runCommand "update-${config.system.image.version}"
{
nativeBuildInputs = with pkgs; [
qemu
zstd
];
}
''
mkdir -p $out
cp ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.raw $out/
qemu-img convert -f raw -O qcow2 -C ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.raw $out/disk.qcow2
zstd -9 ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw \
-o $out/${config.boot.uki.name}_${config.system.image.version}.img.zst
zstd -9 ${config.system.build.uki}/${config.system.boot.loader.ukiFile} \
-o $out/${config.system.boot.loader.ukiFile}.zst
'';
in
{
devShells.${system}.default = pkgs.mkShell {
packages = with pkgs; [
erofs-utils
just
self.packages.${system}.qemu-efi
squashfs-tools-ng
];
};
packages = {
default = self.packages.${system}.patos_image;
patos_image = mkInstallImage self.nixosConfigurations.${system}.patos;
patos_update = mkUpdate self.nixosConfigurations.${system}.patos;
image = system.build;
# FIXME: only do for x86_64
# A helper script to run the disk images above.
qemu-efi = pkgs.writeShellApplication {
name = "qemu-efi";
runtimeInputs = [ pkgs.qemu_kvm ];
text = ''
set -ex
state="/tmp/qemu-$USER"
mkdir -p "$state"
chmod 700 "$state"
qemu-system-x86_64 \
-cpu host \
-machine q35,accel=kvm \
-m 4G \
-smp 8 \
-display none \
-chardev "stdio,id=char0,mux=on,logfile=$state/serial.log,signal=off" \
-serial chardev:char0 \
-mon chardev=char0 \
-drive "if=pflash,format=raw,unit=0,readonly=on,file=${pkgs.OVMF.firmware}" \
-drive "if=pflash,format=raw,unit=1,readonly=on,file=${pkgs.OVMF.variables}" \
-netdev id=net00,type=user,hostfwd=tcp::2222-:22 \
-device virtio-net-pci,netdev=net00 \
"$@"
'';
};
};
nixosConfigurations = rec {
patos = nixpkgs.lib.nixosSystem {
specialArgs.pkgs = pkgs;
system = system;
packages.${system} = {
patos =
(nixpkgs.lib.nixosSystem {
modules = [
(
{ lib, ... }:
{
nixpkgs.hostPlatform = system;
system.stateVersion = "24.05";
}
)
{
_module.args = {
inherit patagia-agent;
};
boot.kernelParams = [
"console=ttyS0"
"systemd.journald.forward_to_console"
];
system.image.updates.url = "${updateUrl}";
system.image.id = "patos";
system.image.version = releaseVersion;
}
./modules/kernel
./modules/filesystems.nix
./modules/generic.nix
./modules/minimize.nix
./modules/network.nix
# ./modules/patagia-agent.nix
./modules/partitions.nix
./modules/system_overrides.nix
./modules/sysext.nix
./modules/sysupdate.nix
./modules/utils.nix
self.nixosModules.image
self.nixosModules.server
];
};
};
}).config.system.build.updatePackage;
}
);
qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { inherit pkgs; };
};
checks.${system} = {
ssh-preseed = import ./tests/ssh-preseed.nix { inherit pkgs self; };
podman = import ./tests/podman.nix { inherit pkgs self; };
system-update = import ./tests/system-update.nix { inherit pkgs self; };
};
devShells.${system}.default = pkgs.mkShell {
buildInputs = with pkgs; [
erofs-utils
just
self.packages.${system}.qemu-uefi-tpm
squashfs-tools-ng
];
};
};
}