From a36dc01d514a8afde1c921ab3b4e985594aec345 Mon Sep 17 00:00:00 2001
From: Daniel Lundin <dln@arity.se>
Date: Tue, 17 Sep 2024 23:59:42 +0200
Subject: [PATCH 1/2] feat(sysupdate): Download from dl.patagia.dev. Add gpg
 authentication.

---
 modules/sysupdate.nix | 42 +++++++++++++++++++++++++++++++++---------
 1 file changed, 33 insertions(+), 9 deletions(-)

diff --git a/modules/sysupdate.nix b/modules/sysupdate.nix
index 949fbcb..6a7b4f5 100644
--- a/modules/sysupdate.nix
+++ b/modules/sysupdate.nix
@@ -1,4 +1,32 @@
-{ config, ... }: {
+{ config, pkgs, ... }:
+let
+  gpgPubKeyStaging = ''
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm
+    zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu
+    aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa
+    gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux
+    OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG
+    H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe
+    GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4
+    DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA
+    +0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps
+    e5UE
+    =m2st
+    -----END PGP PUBLIC KEY BLOCK-----
+  '';
+  gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
+    mkdir -p $out
+    export GNUPGHOME=$out
+    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
+    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
+    rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*
+  '';
+in
+{
+  environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";
+
   systemd.sysupdate = {
     enable = true;
 
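Review bot: `rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*` at the end of the `gpg-keyring` derivation aborts the build whenever one of those agent sockets was not created, because runCommand scripts run under stdenv's `set -e`; pointing `GNUPGHOME` at a scratch directory instead of `$out` removes the need for that cleanup and keeps gpg's home-directory state (keybox, trustdb, random seed) out of a store output that only needs `import-pubring.gpg`. The `--fingerprint` call on the still-empty keyring appears to exist only to initialise the home directory and can go once the home is a temp dir. The key block is labelled "Patagia Staging" yet is installed unconditionally as the only trust anchor in `/etc/systemd/import-pubring.gpg`, which systemd-sysupdate consults by default when `Verify=` is left at its default of yes; a comment above `gpgPubKeyStaging` giving the key's fingerprint and stating that production images must swap in a different key would stop the staging key from shipping by accident. The same derivation reappears unchanged in the second patch's `modules/sysupdate.nix` hunk.
```nix
  gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
    # gpg's home-directory state stays in the sandbox; only the keyring is kept
    export GNUPGHOME=$(mktemp -d)
    mkdir -p $out
    gpg --batch --no-default-keyring --keyring=$out/import-pubring.gpg \
      --import <<< '${gpgPubKeyStaging}'
  '';
```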
@@ -11,10 +39,8 @@
 
           # We could fetch updates from the network as well:
           #
-          # Path = "https://download.example.com/";
-          # Type = "url-file";
-          Path = "/var/updates/";
-          Type = "regular-file";
+          Path = "https://images.dl.patagia.dev/";
+          Type = "url-file";
         };
         Target = {
           InstancesMax = 2;
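Review bot: The context comment `# We could fetch updates from the network as well:` now sits directly above the network `Path`/`Type` pair it used to describe as an alternative, so it reads as stale once `url-file` is the real source. Replace it with a comment stating what the switch implies for the server side, e.g. `# Verify= defaults to yes: the server must publish SHA256SUMS plus a detached SHA256SUMS.gpg signed by a key in /etc/systemd/import-pubring.gpg.` The same applies to the `img.xz` transfer hunk below. The enclosing attribute set starts outside the hunk.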
@@ -38,10 +64,8 @@
           MatchPattern = [
             "${config.boot.uki.name}_@v.img.xz"
           ];
-          # Path = "https://download.example.com/";
-          # Type = "url-file";
-          Path = "/var/updates/";
-          Type = "regular-file";
+          Path = "https://images.dl.patagia.dev/";
+          Type = "url-file";
         };
 
         Target = {

From b16bf9bcb89683beb86eb88545cc9587f5885206 Mon Sep 17 00:00:00 2001
From: Daniel Lundin <dln@arity.se>
Date: Tue, 17 Sep 2024 23:59:42 +0200
Subject: [PATCH 2/2] feat(sysupdate): Download from dl.patagia.dev. Add gpg
 authentication.

---
 base.nix               |  4 +++-
 justfile               |  4 ++++
 modules/generic.nix    | 27 +++++++++++++++++---------
 modules/minimize.nix   |  5 +++--
 modules/partitions.nix | 25 +++++++++++++++---------
 modules/sysupdate.nix  | 44 +++++++++++++++++++++++++++++++-----------
 modules/utils.nix      | 15 ++++++++++++++
 7 files changed, 92 insertions(+), 32 deletions(-)
 create mode 100644 modules/utils.nix

diff --git a/base.nix b/base.nix
index 2c1076a..8e50f03 100644
--- a/base.nix
+++ b/base.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
   imports = [
     ./modules/system_overrides.nix
     ./modules/minimize.nix
@@ -7,5 +8,6 @@
     ./modules/partitions.nix
     ./modules/network.nix
     ./modules/sysupdate.nix
+    ./modules/utils.nix
   ];
 }
diff --git a/justfile b/justfile
index cd8f0fd..1a1b7a8 100644
--- a/justfile
+++ b/justfile
@@ -14,3 +14,7 @@ build: build-image
 # Build PatOS image
 build-image:
   nix build .#patos_image
+
+run: build-image
+  qemu-efi -hda ./result/disk.qcow2
+  
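Review bot: The last added line consists of two spaces and nothing else, leaving trailing whitespace at the end of the justfile; drop it or make it a plain empty line. The `run` recipe also assumes `qemu-efi` is on PATH and that `./result` is the symlink left behind by `nix build .#patos_image`; if the flake's devShell does not provide qemu, a one-line comment saying where `qemu-efi` comes from would save the next person a search.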
diff --git a/modules/generic.nix b/modules/generic.nix
index 00058ef..1f42ec6 100644
--- a/modules/generic.nix
+++ b/modules/generic.nix
@@ -1,13 +1,24 @@
-{ pkgs, config, ... }: {
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
 
-  boot.uki.name = "patos";
-  boot.kernelParams = [ "console=ttyS0" ];
+  boot = {
+    uki.name = "patos";
+    kernelParams = [ "console=ttyS0" ];
+    initrd.systemd.enable = true;
+  };
 
-  system.nixos.release = "2024-09";
-  system.nixos.codeName = "Finn";
+  system.nixos = {
+    codeName = "Finn";
+    distroId = "patos";
+    distroName = "PatOS";
+    release = "2024-09";
+  };
 
-  system.nixos.distroId = "patos";
-  system.nixos.distroName = "PatOS";
   system.image.version = "0.0.1"; # FIXME: Use epoch version.
 
   # Make the current system version visible in the prompt.
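Review bot: `lib` is added to the module's argument set, but nothing in this hunk uses it and the rest of the change only regroups the `boot` and `system.nixos` attributes; if the remainder of the file does not reference `lib` either, the argument should be dropped rather than left as an unused binding. The hunk ends inside the module body, which continues below.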
@@ -20,8 +31,6 @@
 
   services.getty.autologinUser = "root";
 
-  boot.initrd.systemd.enable = true;
-
   # Don't accumulate crap.
   boot.tmp.cleanOnBoot = true;
   services.journald.extraConfig = ''
diff --git a/modules/minimize.nix b/modules/minimize.nix
index 1e62db1..2bc8cff 100644
--- a/modules/minimize.nix
+++ b/modules/minimize.nix
@@ -1,8 +1,10 @@
-{ modulesPath, ... }: {
+{ modulesPath, ... }:
+{
   imports = [
     "${modulesPath}/profiles/minimal.nix"
   ];
 
+  boot.enableContainers = false;
   boot.loader.grub.enable = false;
 
   system.switch.enable = false;
@@ -14,6 +16,5 @@
   system.disableInstallerTools = true;
   programs.less.lessopen = null;
   programs.command-not-found.enable = false;
-  boot.enableContainers = false;
   environment.defaultPackages = [ ];
 }
diff --git a/modules/partitions.nix b/modules/partitions.nix
index c900c24..0510348 100644
--- a/modules/partitions.nix
+++ b/modules/partitions.nix
@@ -1,4 +1,11 @@
-{ config, pkgs, lib, modulesPath, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}:
+{
 
   imports = [
     "${modulesPath}/image/repart.nix"
@@ -15,16 +22,16 @@
       partitions = {
         "esp" = {
           contents = {
-            "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source =
-              "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
+            "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
 
-            "/EFI/Linux/${config.system.boot.loader.ukiFile}".source =
-              "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
+            "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
 
             # systemd-boot configuration
-            "/loader/loader.conf".source = (pkgs.writeText "$out" ''
-              timeout 3
-            '');
+            "/loader/loader.conf".source = (
+              pkgs.writeText "$out" ''
+                timeout 3
+              ''
+            );
           };
           repartConfig = {
             Type = "esp";
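Review bot: `pkgs.writeText "$out"` on the reformatted `loader.conf` lines names the derivation with the literal string `$out` — inside a Nix string only `${...}` interpolates, so this is not the builder's output path but an odd store-path name; since the line is being touched anyway, a descriptive name such as `pkgs.writeText "loader.conf"` is clearer. The two `.source =` assignments were also joined into single lines well past 80 columns; if that is formatter output it is fine, otherwise the previous wrapped form was easier to read. The enclosing `partitions` set starts outside the hunk.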
@@ -39,7 +46,7 @@
           stripNixStorePrefix = true;
           repartConfig = {
             Type = "linux-generic";
-            Label = "store_${config.system.image.version}";
+            Label = "${config.boot.uki.name}_${config.system.image.version}";
             Format = "squashfs";
             Minimize = "off";
             ReadOnly = "yes";
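Review bot: The new `Label = "${config.boot.uki.name}_${config.system.image.version}";` presumably has to agree with the store-partition `Target` `MatchPattern` in `modules/sysupdate.nix`, which is not shown in this patch; a comment such as `# keep in sync with systemd.sysupdate Target.MatchPattern` would make that coupling visible. GPT partition labels are limited to 36 characters, so once the FIXME in generic.nix replaces `system.image.version` with an epoch-style value the combined label should be checked against that limit.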
diff --git a/modules/sysupdate.nix b/modules/sysupdate.nix
index 949fbcb..8f126e8 100644
--- a/modules/sysupdate.nix
+++ b/modules/sysupdate.nix
@@ -1,4 +1,32 @@
-{ config, ... }: {
+{ config, pkgs, ... }:
+let
+  gpgPubKeyStaging = ''
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm
+    zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu
+    aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa
+    gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux
+    OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG
+    H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe
+    GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4
+    DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA
+    +0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps
+    e5UE
+    =m2st
+    -----END PGP PUBLIC KEY BLOCK-----
+  '';
+  gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
+    mkdir -p $out
+    export GNUPGHOME=$out
+    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
+    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
+    rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*
+  '';
+in
+{
+  environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";
+
   systemd.sysupdate = {
     enable = true;
 
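Review bot: This hunk is diffed against the same pre-image blob as the first patch (`index 949fbcb..8f126e8` here versus `index 949fbcb..6a7b4f5` there) and the two commits share subject and timestamp, so patch 2 is a rewrite of patch 1 rather than a change on top of it and will not apply after it; squash them into one commit or rebase the second onto the first. The keyring-derivation remarks made on the first patch's `modules/sysupdate.nix` hunk (socket cleanup under `set -e`, gpg home state in `$out`, documenting the staging key) apply here unchanged.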
@@ -9,12 +37,8 @@
             "${config.boot.uki.name}_@v.efi.xz"
           ];
 
-          # We could fetch updates from the network as well:
-          #
-          # Path = "https://download.example.com/";
-          # Type = "url-file";
-          Path = "/var/updates/";
-          Type = "regular-file";
+          Path = "https://images.dl.patagia.dev/patos/";
+          Type = "url-file";
         };
         Target = {
           InstancesMax = 2;
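Review bot: `Path = "https://images.dl.patagia.dev/patos/";` hard-codes the `patos` directory while the `MatchPattern` two lines above derives the same name from `config.boot.uki.name`; writing `Path = "https://images.dl.patagia.dev/${config.boot.uki.name}/";` keeps the two from drifting apart. The same applies to the `img.xz` hunk below. The enclosing attribute set starts outside the hunk.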
@@ -38,10 +62,8 @@
           MatchPattern = [
             "${config.boot.uki.name}_@v.img.xz"
           ];
-          # Path = "https://download.example.com/";
-          # Type = "url-file";
-          Path = "/var/updates/";
-          Type = "regular-file";
+          Path = "https://images.dl.patagia.dev/patos/";
+          Type = "url-file";
         };
 
         Target = {
diff --git a/modules/utils.nix b/modules/utils.nix
new file mode 100644
index 0000000..9fbad21
--- /dev/null
+++ b/modules/utils.nix
@@ -0,0 +1,15 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  script = pkgs.writeShellScriptBin "patos-upgrade.sh" ''
+    systemd-sysupdate --verify=no
+    systemd-sysupdate --verify=no update --reboot
+  '';
+in
+{
+  environment.systemPackages = [ script ];
+}
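Review bot: `systemd-sysupdate --verify=no` in `patos-upgrade.sh` switches off the SHA256SUMS.gpg signature check, so the keyring this series installs at `/etc/systemd/import-pubring.gpg` is never consulted when this script is the upgrade path. Drop the flag on both lines (`systemd-sysupdate` and `systemd-sysupdate update --reboot`) so the default verification applies, or, if it is a temporary workaround, guard it with a comment stating why and when it goes away. `config` and `lib` are taken as module arguments but unused, so `{ pkgs, ... }:` is sufficient.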