From 32f06a06fe0ebde13de6a693a97514261992e07d Mon Sep 17 00:00:00 2001
From: Daniel Lundin <dln@arity.se>
Date: Tue, 17 Sep 2024 23:59:42 +0200
Subject: [PATCH 1/2] feat(sysupdate): Download from dl.patagia.dev. Add gpg
 authentication.

---
 modules/sysupdate.nix | 43 ++++++++++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/modules/sysupdate.nix b/modules/sysupdate.nix
index 949fbcb..7be5664 100644
--- a/modules/sysupdate.nix
+++ b/modules/sysupdate.nix
@@ -1,4 +1,33 @@
-{ config, ... }: {
+{ config, pkgs, ... }:
+let
+  gpgPubKeyStaging = ''
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm
+    zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu
+    aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa
+    gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux
+    OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG
+    H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe
+    GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4
+    DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA
+    +0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps
+    e5UE
+    =m2st
+    -----END PGP PUBLIC KEY BLOCK-----
+  '';
+  gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
+    mkdir -p $out
+    export GNUPGHOME=$out
+    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
+    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
+    rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*
+  '';
+in
+{
+
+  environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";
+
   systemd.sysupdate = {
     enable = true;
 
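Review bot: The keyring built at L35–L41 is installed host-wide as `/etc/systemd/import-pubring.gpg` at L45, which as far as I know is the keyring systemd-sysupdate consults when verifying SHA256SUMS.gpg, so the key bound to `gpgPubKeyStaging` becomes the only accepted signer for every transfer on the machine, and nothing in the derivation checks that the armored text is in fact the intended key. I would pin it right after the import with `gpg --no-default-keyring --keyring=$out/import-pubring.gpg --with-colons --fingerprint | grep -q '^fpr:.*:<EXPECTED_FINGERPRINT>:$'` (placeholder for the key's fingerprint), so a swapped or truncated key block fails the build instead of silently changing who can sign updates. The bare `--fingerprint` call at L38 appears to exist only to create GNUPGHOME before the import; say so with `# first gpg run initialises GNUPGHOME; the keyring is populated by the import below`. The `rm` at L40 has no `-f`, so the build fails if gpg did not create all three agent sockets in the sandbox; `rm -f` keeps that cleanup best-effort. The same derivation is repeated unchanged in PATCH 2/2 at L111–L117 and this note applies there too.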
@@ -11,10 +40,8 @@
 
           # We could fetch updates from the network as well:
           #
-          # Path = "https://download.example.com/";
-          # Type = "url-file";
-          Path = "/var/updates/";
-          Type = "regular-file";
+          Path = "https://images.dl.patagia.dev/";
+          Type = "url-file";
         };
         Target = {
           InstancesMax = 2;
@@ -38,10 +65,8 @@
           MatchPattern = [
             "${config.boot.uki.name}_@v.img.xz"
           ];
-          # Path = "https://download.example.com/";
-          # Type = "url-file";
-          Path = "/var/updates/";
-          Type = "regular-file";
+          Path = "https://images.dl.patagia.dev/";
+          Type = "url-file";
         };
 
         Target = {

From a36dc01d514a8afde1c921ab3b4e985594aec345 Mon Sep 17 00:00:00 2001
From: Daniel Lundin <dln@arity.se>
Date: Tue, 17 Sep 2024 23:59:42 +0200
Subject: [PATCH 2/2] feat(sysupdate): Download from dl.patagia.dev. Add gpg
 authentication.

---
 modules/sysupdate.nix | 42 +++++++++++++++++++++++++++++++++---------
 1 file changed, 33 insertions(+), 9 deletions(-)

diff --git a/modules/sysupdate.nix b/modules/sysupdate.nix
index 949fbcb..6a7b4f5 100644
--- a/modules/sysupdate.nix
+++ b/modules/sysupdate.nix
@@ -1,4 +1,32 @@
-{ config, ... }: {
+{ config, pkgs, ... }:
+let
+  gpgPubKeyStaging = ''
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm
+    zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu
+    aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa
+    gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux
+    OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG
+    H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe
+    GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4
+    DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA
+    +0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps
+    e5UE
+    =m2st
+    -----END PGP PUBLIC KEY BLOCK-----
+  '';
+  gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
+    mkdir -p $out
+    export GNUPGHOME=$out
+    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
+    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
+    rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*
+  '';
+in
+{
+  environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";
+
   systemd.sysupdate = {
     enable = true;
 
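Review bot: This patch's `index 949fbcb..6a7b4f5` at L88 starts from the same pre-image blob as PATCH 1/2 (`index 949fbcb..7be5664` at L12) and its hunks re-add the entire `let` block that 1/2 already adds, so applied on top of 1/2 it will not apply cleanly; it reads as a re-roll of 1/2 (the only visible difference is the dropped blank line after `{` at L43–L44) rather than a second commit, and the series should carry one or the other. The review notes on the first patch's hunks apply unchanged here.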
@@ -11,10 +39,8 @@
 
           # We could fetch updates from the network as well:
           #
-          # Path = "https://download.example.com/";
-          # Type = "url-file";
-          Path = "/var/updates/";
-          Type = "regular-file";
+          Path = "https://images.dl.patagia.dev/";
+          Type = "url-file";
         };
         Target = {
           InstancesMax = 2;
@@ -38,10 +64,8 @@
           MatchPattern = [
             "${config.boot.uki.name}_@v.img.xz"
           ];
-          # Path = "https://download.example.com/";
-          # Type = "url-file";
-          Path = "/var/updates/";
-          Type = "regular-file";
+          Path = "https://images.dl.patagia.dev/";
+          Type = "url-file";
         };
 
         Target = {