feat: add service units to sysext

lib/make-sysext.nix

@@ -5,6 +5,7 @@
 
   name,
   packages,
+  services,
   osId ? "patos",
   version ? null,
 }:
@@ -16,6 +17,8 @@ let
     VERSION_ID = osId;
     IMAGE_ID = name;
     IMAGE_VERSION = version;
+    EXTENSION_RELOAD_MANAGER = "1";
+    SYSEXT_LEVEL="1.0";
   };
 
   metadataFile = lib.concatStringsSep "\n" (
@@ -91,9 +94,20 @@ runCommand name
       patchelf --set-interpreter /lib/$ldLinux $destfile || true
     }
 
+    do_service () {
+      local unit="$1"
+      local content="$2"
+
+      mkdir -p $out/tree/usr/lib/systemd/system/multi-user.target.wants/
+      echo "$content" > $out/tree/usr/lib/systemd/system/"$unit".service
+      # enable in multi-user.target
+      ln -s ../"$unit".service $out/tree/usr/lib/systemd/system/multi-user.target.wants/"$unit".service
+    }
+
     mkdir -p $out/tree
 
     ${lib.concatStringsSep "\n" (map doCopy packages)}
+    ${lib.concatStringsSep "\n" (map (service: "do_service '${service.unit}' '${service.content}'") services)}
 
     # bake metadata into the structure
     if ! [ -f $out/tree/usr/lib/extension-release.d/extension-release."${name}" ]; then

pkgs/image/default.nix

@@ -85,6 +85,28 @@ ExecStartPost=rm -rf /boot/sbctl
 EOF
 ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service
 
+# forked from flatcar https://github.com/flatcar/init/blob/flatcar-master/systemd/system/ensure-sysext.service
+cat <<EOF > rootfs/usr/lib/systemd/system/ensure-sysext.service
+[Unit]
+BindsTo=systemd-sysext.service
+After=systemd-sysext.service
+DefaultDependencies=no
+ConditionDirectoryNotEmpty=|/etc/extensions
+ConditionDirectoryNotEmpty=|/run/extensions
+ConditionDirectoryNotEmpty=|/var/lib/extensions
+ConditionDirectoryNotEmpty=|/usr/local/lib/extensions
+ConditionDirectoryNotEmpty=|/usr/lib/extensions
+ConditionPathExists=!/etc/initrd-release
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/systemctl daemon-reload
+ExecStart=/usr/bin/systemctl restart --no-block sockets.target timers.target multi-user.target
+[Install]
+WantedBy=sysinit.target
+EOF
+ln -sf ../ensure-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/ensure-sysext.service
+
 # sysupdate
 mkdir -p rootfs/etc/sysupdate.d
 cat <<EOF > rootfs/etc/sysupdate.d/10-uki.transfer

pkgs/sysext/debug-tools.nix

@@ -10,6 +10,7 @@ pkgs.callPackage ../../lib/make-sysext.nix {
     { drv = pkgs.strace; path = "bin/"; }
     { drv = pkgs.cryptsetup; path = "bin/"; }
     { drv = pkgs.erofs-utils; path = "bin/"; }
+    { drv = pkgs.dropbear; path = "bin/"; }
     { drv = pkgs.binutils-unwrapped; path = "bin/"; }
     { drv = pkgs.binutils-unwrapped.lib; path = "lib/"; }
     { drv = pkgs.util-linuxMinimal; path = "bin/"; }
@@ -29,4 +30,26 @@ pkgs.callPackage ../../lib/make-sysext.nix {
     { drv = pkgs.readline.out; path = "lib/"; }
     { drv = pkgs.ncurses.out; path = "lib/"; }
   ];
+  services = [{
+      unit = "dropbear";
+      content = ''
+        [Unit]
+        Description=Dropbear SSH server
+        After=network.target
+        Wants=network.target
+
+        [Service]
+        Type=forking
+        ExecStartPre=/bin/mkdir -p /run/dropbear
+        ExecStartPre=/bin/sh -c "if [ ! -f /run/dropbear/dropbear_rsa_host_key ]; then /usr/bin/dropbearkey -t rsa -f /run/dropbear/dropbear_rsa_host_key -s 2048; fi"
+        ExecStart=/usr/bin/dropbear -p 22 -r /run/dropbear/dropbear_rsa_host_key
+        ExecReload=/bin/kill -HUP $MAINPID
+        KillMode=process
+        Restart=on-failure
+        RestartSec=5s
+
+        [Install]
+        WantedBy=multi-user.target
+      '';
+    }];
 }