Compare commits
13 commits
dln/push-s
...
main
Author | SHA1 | Date | |
---|---|---|---|
ab3050c1a9 | |||
6527361d52 | |||
c75262f15a | |||
2ad839ccfb | |||
0a269e5bd4 | |||
59d51cc407 | |||
fa55edf0de | |||
902c3eddf3 | |||
9b6a5d9199 | |||
5ecbea5105 | |||
e585707491 | |||
33f7afd87d | |||
04bd246a2a |
20 changed files with 293 additions and 212 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -6,3 +6,4 @@
|
|||
/target
|
||||
.*.swp
|
||||
.*.swo
|
||||
.nixos-test-history
|
||||
|
|
60
README.adoc
Normal file
60
README.adoc
Normal file
|
@ -0,0 +1,60 @@
|
|||
:showtitle:
|
||||
:toc: left
|
||||
:icons: font
|
||||
|
||||
= PatOS - Patagia OS
|
||||
|
||||
[link=https://ci.patagia.dev/repos/2,window=_blank]
|
||||
image::https://ci.patagia.dev/api/badges/2/status.svg[Build Status]
|
||||
|
||||
PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform.
|
||||
|
||||
== Features
|
||||
|
||||
* Immutable read-only system
|
||||
* Trust chain verification using secure boot and dm-verity
|
||||
* Automatic updates and unattended rollbacks
|
||||
* Host/TPM bound data encryption by default
|
||||
|
||||
== Roadmap and status
|
||||
|
||||
[cols="3,1",options="header"]
|
||||
|===
|
||||
|Feature |Status
|
||||
|
||||
| A/B root partitions with discoverable partitions
|
||||
| ✅
|
||||
|
||||
| Verity protection of root partitions
|
||||
| ✅
|
||||
|
||||
| Encrypted state partition with tpm2 host binding
|
||||
| ✅
|
||||
|
||||
| Factory reset / clearing of state partition
|
||||
| ✅
|
||||
|
||||
| Automatic updates
|
||||
| ⚠️
|
||||
|
||||
| Installer
|
||||
| ❌
|
||||
|
||||
| Machine registration and provisioning
|
||||
| ❌
|
||||
|
||||
| Boot assessment w/automatic rollback
|
||||
| ❌
|
||||
|
||||
|===
|
||||
|
||||
== Community
|
||||
|
||||
* Source code: https://patagia.dev/Patagia/patos
|
||||
|
||||
|
||||
== License
|
||||
|
||||
Copyright (C) 2024 Patagia AB
|
||||
|
||||
Unless otherwise noted, all components are licenced under the Mozilla Public License Version 2.0.
|
|
@ -1,5 +0,0 @@
|
|||
# PatOS - Patagia OS
|
||||
|
||||
[![status-badge](https://ci.patagia.dev/api/badges/42/status.svg)](https://ci.patagia.dev/repos/42)
|
||||
|
||||
PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform.
|
32
flake.nix
32
flake.nix
|
@ -14,6 +14,10 @@
|
|||
pkgs = import nixpkgs { inherit system; };
|
||||
in
|
||||
{
|
||||
nixosModules.devel.imports = [
|
||||
./modules/profiles/devel.nix
|
||||
];
|
||||
|
||||
nixosModules.server.imports = [
|
||||
./modules/profiles/server.nix
|
||||
];
|
||||
|
@ -21,10 +25,31 @@
|
|||
nixosModules.image.imports = [
|
||||
./modules
|
||||
./modules/profiles/base.nix
|
||||
./modules/image/disk
|
||||
./modules/image
|
||||
];
|
||||
|
||||
packages.${system} = {
|
||||
devel =
|
||||
(nixpkgs.lib.nixosSystem {
|
||||
modules = [
|
||||
(
|
||||
{ lib, ... }:
|
||||
{
|
||||
nixpkgs.hostPlatform = system;
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
)
|
||||
{
|
||||
system.image.updates.url = "${updateUrl}";
|
||||
system.image.id = "patos";
|
||||
system.image.version = releaseVersion;
|
||||
image.compress = false;
|
||||
}
|
||||
self.nixosModules.image
|
||||
self.nixosModules.devel
|
||||
];
|
||||
}).config.system.build.updatePackage;
|
||||
|
||||
patos =
|
||||
(nixpkgs.lib.nixosSystem {
|
||||
modules = [
|
||||
|
@ -36,10 +61,6 @@
|
|||
}
|
||||
)
|
||||
{
|
||||
boot.kernelParams = [
|
||||
"console=ttyS0"
|
||||
"systemd.journald.forward_to_console"
|
||||
];
|
||||
system.image.updates.url = "${updateUrl}";
|
||||
system.image.id = "patos";
|
||||
system.image.version = releaseVersion;
|
||||
|
@ -53,7 +74,6 @@
|
|||
};
|
||||
|
||||
checks.${system} = {
|
||||
ssh-preseed = import ./tests/ssh-preseed.nix { inherit pkgs self; };
|
||||
podman = import ./tests/podman.nix { inherit pkgs self; };
|
||||
system-update = import ./tests/system-update.nix { inherit pkgs self; };
|
||||
};
|
||||
|
|
8
justfile
8
justfile
|
@ -15,5 +15,13 @@ build: build-image
|
|||
build-image:
|
||||
nix build .#patos
|
||||
|
||||
# Build PatOS image (developer mode)
|
||||
build-devel-image:
|
||||
nix build .#devel
|
||||
|
||||
run: build-image
|
||||
qemu-uefi-tpm ./result/*.img
|
||||
|
||||
run-devel: build-devel-image
|
||||
qemu-uefi-tpm ./result/*.img
|
||||
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
(final: prev: {
|
||||
|
||||
composefs = final.callPackage ../../pkgs/composefs.nix { inherit prev; };
|
||||
erofs-utils = final.callPackage ../../pkgs/erofs-utils.nix { inherit prev; };
|
||||
qemu_tiny = final.callPackage ../../pkgs/qemu.nix { inherit prev; };
|
||||
systemdUkify = final.callPackage ../../pkgs/systemd-ukify.nix { inherit prev; };
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
options,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
@ -46,10 +47,8 @@ let
|
|||
split = true;
|
||||
mkfsOptions = lib.mkIf config.image.compress {
|
||||
erofs = [
|
||||
"-zzstd,6" # Zstd compression
|
||||
"-T0" # Fixed timestamp for all files
|
||||
"-C1048576" # 1 MiB cluster size
|
||||
"-Efragments,dedupe,ztailpacking" # Extra features
|
||||
"-zlz4hc,level=12"
|
||||
"-Efragments,dedupe,ztailpacking"
|
||||
];
|
||||
};
|
||||
partitions = initialPartitions;
|
||||
|
@ -77,9 +76,22 @@ let
|
|||
contents = {
|
||||
"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
|
||||
"/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
|
||||
"/default-ssh-authorized-keys.txt" = lib.mkIf config.system.image.sshKeys.enable {
|
||||
source = pkgs.writeText "ssh-keys" (lib.concatStringsSep "\n" config.system.image.sshKeys.keys);
|
||||
};
|
||||
"/EFI/memtest86/memtest86.efi".source = "${pkgs.memtest86plus}/memtest.efi";
|
||||
"/loader/entries/patos-factory-reset.conf".source = pkgs.writeText "patos-factory-reset.conf" ''
|
||||
title Patos Factory Reset
|
||||
efi /EFI/Linux/${config.system.boot.loader.ukiFile}
|
||||
options ${toString config.boot.kernelParams} systemd.factory_reset=yes
|
||||
sort-key z_factory_reset
|
||||
'';
|
||||
"/loader/entries/memtest86.conf".source = pkgs.writeText "memtest86.conf" ''
|
||||
title Memtest86+
|
||||
efi /EFI/memtest86/memtest86.efi
|
||||
options console=ttyS0
|
||||
sort-key z_memtest
|
||||
'';
|
||||
"/loader/loader.conf".source = pkgs.writeText "loader.conf" ''
|
||||
timeout 2
|
||||
'';
|
||||
};
|
||||
repartConfig = {
|
||||
Type = "esp";
|
||||
|
@ -134,6 +146,21 @@ let
|
|||
in
|
||||
{
|
||||
|
||||
# This fields is immutable by default, but can be overridden.
|
||||
options.system.nixos.codeName = lib.mkOption { readOnly = false; };
|
||||
options.system.nixos.release = lib.mkOption { readOnly = false; };
|
||||
|
||||
# FIXME: Should be configured somehow
|
||||
config.system.nixos = {
|
||||
codeName = "Finn";
|
||||
distroId = "patos";
|
||||
distroName = "PatOS";
|
||||
release = "2024-11";
|
||||
variant_id = "server";
|
||||
variantName = "Server";
|
||||
vendorName = "PatOS";
|
||||
};
|
||||
|
||||
options.image.compress = lib.mkEnableOption "image compression" // {
|
||||
default = true;
|
||||
};
|
|
@ -8,7 +8,6 @@
|
|||
|
||||
imports = [
|
||||
./updater.nix
|
||||
./ssh.nix
|
||||
./builder.nix
|
||||
./veritysetup.nix
|
||||
];
|
||||
|
@ -20,9 +19,6 @@
|
|||
${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS
|
||||
'';
|
||||
|
||||
boot.initrd.systemd.enable = true;
|
||||
|
||||
boot.initrd.systemd.repart.enable = true;
|
||||
systemd.repart.partitions = {
|
||||
"10-esp" = {
|
||||
Type = "esp";
|
||||
|
@ -54,46 +50,74 @@
|
|||
Label = "_empty";
|
||||
ReadOnly = 1;
|
||||
};
|
||||
"40-home" = {
|
||||
Type = "home";
|
||||
"40-var" = {
|
||||
Type = "var";
|
||||
UUID = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"; # Well known
|
||||
Format = "btrfs";
|
||||
SizeMinBytes = "512M";
|
||||
Label = "patos-state";
|
||||
Minimize = "off";
|
||||
FactoryReset = "yes";
|
||||
Encrypt = "tpm2";
|
||||
SizeMinBytes = "2G";
|
||||
SplitName = "-";
|
||||
};
|
||||
};
|
||||
|
||||
boot.initrd.compressor = "zstd";
|
||||
boot.initrd.compressorArgs = [ "-8" ];
|
||||
|
||||
boot.loader.grub.enable = false;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.uki.name = "patos";
|
||||
|
||||
boot.initrd.luks.forceLuksSupportInInitrd = true;
|
||||
boot.initrd.kernelModules = [
|
||||
"dm_mod"
|
||||
"dm_crypt"
|
||||
] ++ config.boot.initrd.luks.cryptoModules;
|
||||
boot.initrd = {
|
||||
compressor = "zstd";
|
||||
compressorArgs = [ "-8" ];
|
||||
|
||||
boot.initrd.supportedFilesystems = {
|
||||
btrfs = true;
|
||||
erofs = true;
|
||||
luks.forceLuksSupportInInitrd = true;
|
||||
kernelModules = [
|
||||
"dm_mod"
|
||||
"dm_crypt"
|
||||
] ++ config.boot.initrd.luks.cryptoModules;
|
||||
|
||||
supportedFilesystems = {
|
||||
btrfs = true;
|
||||
erofs = true;
|
||||
};
|
||||
|
||||
systemd.enable = true;
|
||||
systemd.repart.enable = true;
|
||||
systemd.services.systemd-repart = {
|
||||
after = lib.mkForce [ "sysroot.mount" ];
|
||||
requires = [ "sysroot.mount" ];
|
||||
serviceConfig.Environment = [
|
||||
"SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
system.etc.overlay.mutable = false;
|
||||
users.mutableUsers = false;
|
||||
|
||||
boot.initrd.systemd.services.systemd-repart.after = lib.mkForce [ "sysroot.mount" ];
|
||||
boot.initrd.systemd.services.systemd-repart.requires = [ "sysroot.mount" ];
|
||||
|
||||
boot.kernelParams = [
|
||||
"rootfstype=erofs"
|
||||
"rootflags=ro"
|
||||
"roothash=${config.system.build.verityRootHash}"
|
||||
];
|
||||
|
||||
fileSystems."/var" = {
|
||||
fsType = "tmpfs";
|
||||
options = [ "mode=0755" ];
|
||||
};
|
||||
fileSystems =
|
||||
let
|
||||
parts = config.systemd.repart.partitions;
|
||||
in
|
||||
{
|
||||
"/var" = {
|
||||
fsType = parts."40-var".Format;
|
||||
device = "/dev/mapper/var";
|
||||
encrypted = {
|
||||
enable = true;
|
||||
blkDev = "/dev/disk/by-partuuid/${parts."40-var".UUID}";
|
||||
label = "var";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Required to mount the efi partition
|
||||
boot.kernelModules = [
|
||||
|
@ -102,27 +126,11 @@
|
|||
"nls_iso8859-1"
|
||||
];
|
||||
|
||||
# Store SSH host keys on /home since /etc is read-only
|
||||
services.openssh.hostKeys = [
|
||||
{
|
||||
path = "/home/.ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}
|
||||
];
|
||||
|
||||
environment.etc."machine-id" = {
|
||||
text = "";
|
||||
mode = "0755";
|
||||
};
|
||||
|
||||
boot.initrd.systemd.services.systemd-repart.serviceConfig.Environment = [
|
||||
"SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
|
||||
];
|
||||
|
||||
# Refuse to boot on mount failure
|
||||
systemd.targets."sysinit".requires = [ "local-fs.target" ];
|
||||
|
||||
# Make sure home gets mounted
|
||||
systemd.targets."local-fs".requires = [ "home.mount" ];
|
||||
|
||||
}
|
|
@ -1,40 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
options.system.image.sshKeys = {
|
||||
enable = lib.mkEnableOption "provisioning of default SSH keys from ESP";
|
||||
keys = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.singleLineStr;
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.system.image.sshKeys.enable {
|
||||
|
||||
assertions = [
|
||||
{
|
||||
assertion = config.services.openssh.enable;
|
||||
message = "OpenSSH must be enabled to preseed authorized keys";
|
||||
}
|
||||
];
|
||||
|
||||
systemd.services."default-ssh-keys" = {
|
||||
script = ''
|
||||
mkdir -p /home/admin/.ssh/
|
||||
cat /efi/default-ssh-authorized-keys.txt >> /home/admin/.ssh/authorized_keys
|
||||
'';
|
||||
wantedBy = [
|
||||
"sshd.service"
|
||||
"sshd.socket"
|
||||
];
|
||||
unitConfig = {
|
||||
ConditionPathExists = [
|
||||
"/home/admin"
|
||||
"!/home/admin/.ssh/authorized_keys"
|
||||
"/efi/default-ssh-authorized-keys.txt"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
|
@ -1,4 +1,5 @@
|
|||
{ config, lib, ... }: {
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
|
||||
options.system.image.updates = {
|
||||
enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {
|
|
@ -16,8 +16,7 @@
|
|||
|
||||
nixpkgs.flake.setNixPath = false;
|
||||
nixpkgs.flake.setFlakeRegistry = false;
|
||||
|
||||
networking.hostName = "patos";
|
||||
boot.enableContainers = false;
|
||||
|
||||
boot.kernelModules = [
|
||||
"zram"
|
||||
|
@ -35,8 +34,6 @@
|
|||
];
|
||||
|
||||
system.etc.overlay.mutable = lib.mkDefault false;
|
||||
users.mutableUsers = lib.mkDefault false;
|
||||
|
||||
|
||||
systemd.watchdog = lib.mkDefault {
|
||||
runtimeTime = "10s";
|
||||
|
@ -45,14 +42,17 @@
|
|||
|
||||
zramSwap.enable = true;
|
||||
|
||||
services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
|
||||
# FIXME: fstrim should only be enabled for virtual machine images?
|
||||
services.fstrim.enable = true;
|
||||
|
||||
users.allowNoPasswordLogin = true;
|
||||
users.users.root.home = lib.mkForce "/";
|
||||
|
||||
security.sudo.enable = lib.mkDefault false;
|
||||
|
||||
security.polkit = {
|
||||
enable = true;
|
||||
extraConfig =''
|
||||
extraConfig = ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (subject.isInGroup("wheel")) {
|
||||
return polkit.Result.YES;
|
||||
|
@ -63,17 +63,17 @@
|
|||
|
||||
i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];
|
||||
|
||||
systemd.enableEmergencyMode = false;
|
||||
console.enable = false;
|
||||
systemd.services."getty@tty1".enable = lib.mkDefault false;
|
||||
systemd.services."autovt@".enable = lib.mkDefault false;
|
||||
# Console
|
||||
|
||||
boot.tmp.useTmpfs = true;
|
||||
systemd.enableEmergencyMode = false;
|
||||
boot.consoleLogLevel = lib.mkDefault 1;
|
||||
boot.kernelParams = [
|
||||
"panic=1"
|
||||
"boot.panic_on_fail"
|
||||
"nomodeset"
|
||||
# "nomodeset"
|
||||
"console=ttyS0,115200n8"
|
||||
"earlyprintk=ttyS0,115200n8"
|
||||
"systemd.mask=systemd-vconsole-setup.service" # FIXME: Figure out why vconsole-setup fails when loading keymap
|
||||
];
|
||||
|
||||
# This is vi country
|
||||
|
@ -81,6 +81,15 @@
|
|||
programs.vim.enable = true;
|
||||
programs.vim.defaultEditor = lib.mkDefault true;
|
||||
|
||||
# Temporary file
|
||||
boot.tmp.useTmpfs = true;
|
||||
|
||||
# Logging
|
||||
services.journald.storage = "volatile";
|
||||
services.journald = {
|
||||
storage = "volatile";
|
||||
extraConfig = ''
|
||||
SystemMaxUse=10M
|
||||
'';
|
||||
};
|
||||
|
||||
}
|
||||
|
|
39
modules/profiles/devel.nix
Normal file
39
modules/profiles/devel.nix
Normal file
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
imports = [ ./server.nix ];
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_unprivileged_port_start" = 0;
|
||||
};
|
||||
|
||||
boot.kernelParams = [
|
||||
"systemd.log_level=info"
|
||||
"systemd.log_target=console"
|
||||
"systemd.journald.forward_to_console"
|
||||
];
|
||||
|
||||
users.users."admin" = {
|
||||
isNormalUser = true;
|
||||
linger = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
home = "/var/home/admin";
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
subuid = {
|
||||
text = "admin:100000:65536";
|
||||
mode = "0644";
|
||||
};
|
||||
|
||||
subgid = {
|
||||
text = "admin:100000:65536";
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
|
||||
services.getty.autologinUser = "admin";
|
||||
}
|
|
@ -1,23 +1,32 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
# Use TCP BBR
|
||||
boot.kernel.sysctl = {
|
||||
"net.core.default_qdisc" = "fq";
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
};
|
||||
|
||||
services.resolved.extraConfig = ''
|
||||
DNSStubListener=no
|
||||
'';
|
||||
|
||||
networking.firewall.enable = false;
|
||||
|
||||
networking.nftables.enable = lib.mkDefault true;
|
||||
|
||||
# Use networkd
|
||||
networking.useNetworkd = true;
|
||||
systemd.network.wait-online.enable = true;
|
||||
|
||||
# Explicitly load networking modules
|
||||
# Firewall
|
||||
networking.firewall.enable = false;
|
||||
networking.nftables.enable = lib.mkDefault true;
|
||||
|
||||
# DNS
|
||||
services.resolved = {
|
||||
fallbackDns = [ ]; # Disable fallback DNS. DNS will fail if resolvers are unconfigured
|
||||
extraConfig = ''
|
||||
DNSStubListener=no
|
||||
'';
|
||||
|
||||
};
|
||||
|
||||
# Configuration
|
||||
networking.hostName = "";
|
||||
|
||||
# Kernel
|
||||
boot.kernel.sysctl = {
|
||||
"net.core.default_qdisc" = "fq"; # FIXME: manage these with networkd?
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
};
|
||||
|
||||
# Modules
|
||||
boot.kernelModules = [
|
||||
"ip_tables"
|
||||
"x_tables"
|
||||
|
|
|
@ -7,36 +7,11 @@
|
|||
imports = [
|
||||
(modulesPath + "/profiles/minimal.nix")
|
||||
./network.nix
|
||||
./sysext.nix
|
||||
];
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_unprivileged_port_start" = 0;
|
||||
};
|
||||
|
||||
users.users."admin" = {
|
||||
isNormalUser = true;
|
||||
linger = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
subuid = {
|
||||
text = "admin:100000:65536";
|
||||
mode = "0644";
|
||||
};
|
||||
|
||||
subgid = {
|
||||
text = "admin:100000:65536";
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
system.image.sshKeys.enable = true;
|
||||
system.image.sshKeys.keys = [
|
||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIHMAEZx02kbHrEygyPQYStiXlrIe6EIqBCv7anIkL0pAAAABHNzaDo= dln1"
|
||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJNOBFoU7Cdsgi4KpYRcv7EhR/8kD4DYjEZnwk6urRx7AAAABHNzaDo= dln2"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDx+7ZEJi7lUCAtoHRRIduJzH3hrpx4YS1f0ZxrJ+uW dln3"
|
||||
boot.kernelParams = [
|
||||
"quiet"
|
||||
];
|
||||
|
||||
virtualisation.podman.enable = true;
|
||||
|
|
23
modules/profiles/sysext.nix
Normal file
23
modules/profiles/sysext.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
{ ... }:
|
||||
{
|
||||
system.activationScripts.sysext = ''
|
||||
mkdir -p /var/lib/confexts
|
||||
mkdir -p /var/lib/extensions
|
||||
mkdir -p /etc/systemd/extensions
|
||||
'';
|
||||
|
||||
systemd.additionalUpstreamSystemUnits = [
|
||||
"systemd-confext.service"
|
||||
"systemd-sysext.service"
|
||||
];
|
||||
|
||||
# systemd.services."systemd-confext" = {
|
||||
# enable = true;
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# };
|
||||
|
||||
# systemd.services."systemd-sysext.service" = {
|
||||
# enable = true;
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# };
|
||||
}
|
|
@ -1,10 +0,0 @@
|
|||
{ prev, ... }:
|
||||
|
||||
# Build mkfs.erofs with zstd support
|
||||
prev.erofs-utils.overrideAttrs (final: p: {
|
||||
buildInputs = p.buildInputs ++ [ prev.zstd ];
|
||||
configureFlags = p.configureFlags ++ [
|
||||
"--enable-multithreading"
|
||||
"--enable-zstd"
|
||||
];
|
||||
})
|
|
@ -1,7 +0,0 @@
|
|||
{ prev, ... }:
|
||||
|
||||
prev.openssh.overrideAttrs (final: prev: {
|
||||
doCheck = false;
|
||||
doInstallCheck = false;
|
||||
dontCheck = true;
|
||||
})
|
|
@ -38,11 +38,12 @@ rec {
|
|||
"systemd.journald.forward_to_console=1"
|
||||
];
|
||||
image.compress = false;
|
||||
boot.uki.name = lib.mkForce "test";
|
||||
boot.initrd.compressor = lib.mkForce "zstd";
|
||||
boot.initrd.compressorArgs = lib.mkForce [ "-8" ];
|
||||
}
|
||||
(pkgs.path + "/nixos/modules/testing/test-instrumentation.nix")
|
||||
self.nixosModules.server
|
||||
self.nixosModules.devel
|
||||
self.nixosModules.image
|
||||
extraConfig
|
||||
];
|
||||
|
|
|
@ -1,37 +0,0 @@
|
|||
{ pkgs, self }:
|
||||
let
|
||||
lib = pkgs.lib;
|
||||
test-common = import ./common.nix { inherit self lib pkgs; };
|
||||
sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs;
|
||||
|
||||
image = test-common.makeImage {
|
||||
system.image.sshKeys.keys = [ sshKeys.snakeOilPublicKey ];
|
||||
system.extraDependencies = [ sshKeys.snakeOilPrivateKey ];
|
||||
};
|
||||
|
||||
in
|
||||
test-common.makeImageTest {
|
||||
name = "ssh-preseed";
|
||||
inherit image;
|
||||
script = ''
|
||||
start_tpm()
|
||||
machine.start()
|
||||
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
|
||||
machine.succeed("[ -e /efi/default-ssh-authorized-keys.txt ]")
|
||||
machine.succeed("[ -e /home/admin/.ssh/authorized_keys ]")
|
||||
|
||||
machine.wait_for_open_port(22)
|
||||
|
||||
machine.succeed(
|
||||
"cat ${sshKeys.snakeOilPrivateKey} > privkey.snakeoil"
|
||||
)
|
||||
machine.succeed("chmod 600 privkey.snakeoil")
|
||||
|
||||
machine.succeed(
|
||||
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil admin@127.0.0.1 true",
|
||||
timeout=30
|
||||
)
|
||||
'';
|
||||
}
|
Loading…
Reference in a new issue