Compare commits
31 commits
lsjostro/p
...
main
Author | SHA1 | Date | |
---|---|---|---|
ab3050c1a9 | |||
6527361d52 | |||
c75262f15a | |||
2ad839ccfb | |||
0a269e5bd4 | |||
59d51cc407 | |||
fa55edf0de | |||
902c3eddf3 | |||
9b6a5d9199 | |||
5ecbea5105 | |||
e585707491 | |||
33f7afd87d | |||
04bd246a2a | |||
a4d0e10cc4 | |||
25333d5660 | |||
c59ea29957 | |||
da5bdb3d47 | |||
86cc203737 | |||
c8af180ee7 | |||
7e2a3488ef | |||
1a035e8c7c | |||
f406d0f98d | |||
2ce98c3fc0 | |||
7107398c24 | |||
384e62f837 | |||
38fdbbb048 | |||
01730a5957 | |||
0956b7f60f | |||
892d1b72f8 | |||
3f347427ed | |||
8c9fcd921d |
43 changed files with 1660 additions and 3270 deletions
5
.gitignore
vendored
5
.gitignore
vendored
|
@ -1,6 +1,9 @@
|
|||
.env
|
||||
.envrc
|
||||
.direnv
|
||||
.task
|
||||
result
|
||||
/result
|
||||
/target
|
||||
.*.swp
|
||||
.*.swo
|
||||
.nixos-test-history
|
||||
|
|
3
.rgignore
Normal file
3
.rgignore
Normal file
|
@ -0,0 +1,3 @@
|
|||
.direnv
|
||||
/result
|
||||
/target
|
|
@ -6,28 +6,6 @@ when:
|
|||
|
||||
steps:
|
||||
check:
|
||||
image: alpine
|
||||
volumes:
|
||||
- nix:/nix
|
||||
image: docker.io/nixpkgs/nix-flakes:nixos-24.05
|
||||
commands:
|
||||
# install nix
|
||||
- |
|
||||
test -f /nix/installer || wget -O /nix/installer https://github.com/DeterminateSystems/nix-installer/releases/download/v0.18.0/nix-installer-x86_64-linux
|
||||
chmod +x /nix/installer
|
||||
rm -f /nix/receipt.json /nix/nix-installer
|
||||
/nix/installer install linux --init=none --no-confirm
|
||||
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
|
||||
|
||||
# configure nix
|
||||
- |
|
||||
mkdir -p /etc/nix
|
||||
cat <<EOF > /etc/nix/nix.conf
|
||||
sandbox = false
|
||||
experimental-features = nix-command flakes
|
||||
EOF
|
||||
|
||||
# build
|
||||
- nix build .#patos_image
|
||||
|
||||
# check
|
||||
- nix flake check
|
||||
|
|
373
LICENSE
Normal file
373
LICENSE
Normal file
|
@ -0,0 +1,373 @@
|
|||
Mozilla Public License Version 2.0
|
||||
==================================
|
||||
|
||||
1. Definitions
|
||||
--------------
|
||||
|
||||
1.1. "Contributor"
|
||||
means each individual or legal entity that creates, contributes to
|
||||
the creation of, or owns Covered Software.
|
||||
|
||||
1.2. "Contributor Version"
|
||||
means the combination of the Contributions of others (if any) used
|
||||
by a Contributor and that particular Contributor's Contribution.
|
||||
|
||||
1.3. "Contribution"
|
||||
means Covered Software of a particular Contributor.
|
||||
|
||||
1.4. "Covered Software"
|
||||
means Source Code Form to which the initial Contributor has attached
|
||||
the notice in Exhibit A, the Executable Form of such Source Code
|
||||
Form, and Modifications of such Source Code Form, in each case
|
||||
including portions thereof.
|
||||
|
||||
1.5. "Incompatible With Secondary Licenses"
|
||||
means
|
||||
|
||||
(a) that the initial Contributor has attached the notice described
|
||||
in Exhibit B to the Covered Software; or
|
||||
|
||||
(b) that the Covered Software was made available under the terms of
|
||||
version 1.1 or earlier of the License, but not also under the
|
||||
terms of a Secondary License.
|
||||
|
||||
1.6. "Executable Form"
|
||||
means any form of the work other than Source Code Form.
|
||||
|
||||
1.7. "Larger Work"
|
||||
means a work that combines Covered Software with other material, in
|
||||
a separate file or files, that is not Covered Software.
|
||||
|
||||
1.8. "License"
|
||||
means this document.
|
||||
|
||||
1.9. "Licensable"
|
||||
means having the right to grant, to the maximum extent possible,
|
||||
whether at the time of the initial grant or subsequently, any and
|
||||
all of the rights conveyed by this License.
|
||||
|
||||
1.10. "Modifications"
|
||||
means any of the following:
|
||||
|
||||
(a) any file in Source Code Form that results from an addition to,
|
||||
deletion from, or modification of the contents of Covered
|
||||
Software; or
|
||||
|
||||
(b) any new file in Source Code Form that contains any Covered
|
||||
Software.
|
||||
|
||||
1.11. "Patent Claims" of a Contributor
|
||||
means any patent claim(s), including without limitation, method,
|
||||
process, and apparatus claims, in any patent Licensable by such
|
||||
Contributor that would be infringed, but for the grant of the
|
||||
License, by the making, using, selling, offering for sale, having
|
||||
made, import, or transfer of either its Contributions or its
|
||||
Contributor Version.
|
||||
|
||||
1.12. "Secondary License"
|
||||
means either the GNU General Public License, Version 2.0, the GNU
|
||||
Lesser General Public License, Version 2.1, the GNU Affero General
|
||||
Public License, Version 3.0, or any later versions of those
|
||||
licenses.
|
||||
|
||||
1.13. "Source Code Form"
|
||||
means the form of the work preferred for making modifications.
|
||||
|
||||
1.14. "You" (or "Your")
|
||||
means an individual or a legal entity exercising rights under this
|
||||
License. For legal entities, "You" includes any entity that
|
||||
controls, is controlled by, or is under common control with You. For
|
||||
purposes of this definition, "control" means (a) the power, direct
|
||||
or indirect, to cause the direction or management of such entity,
|
||||
whether by contract or otherwise, or (b) ownership of more than
|
||||
fifty percent (50%) of the outstanding shares or beneficial
|
||||
ownership of such entity.
|
||||
|
||||
2. License Grants and Conditions
|
||||
--------------------------------
|
||||
|
||||
2.1. Grants
|
||||
|
||||
Each Contributor hereby grants You a world-wide, royalty-free,
|
||||
non-exclusive license:
|
||||
|
||||
(a) under intellectual property rights (other than patent or trademark)
|
||||
Licensable by such Contributor to use, reproduce, make available,
|
||||
modify, display, perform, distribute, and otherwise exploit its
|
||||
Contributions, either on an unmodified basis, with Modifications, or
|
||||
as part of a Larger Work; and
|
||||
|
||||
(b) under Patent Claims of such Contributor to make, use, sell, offer
|
||||
for sale, have made, import, and otherwise transfer either its
|
||||
Contributions or its Contributor Version.
|
||||
|
||||
2.2. Effective Date
|
||||
|
||||
The licenses granted in Section 2.1 with respect to any Contribution
|
||||
become effective for each Contribution on the date the Contributor first
|
||||
distributes such Contribution.
|
||||
|
||||
2.3. Limitations on Grant Scope
|
||||
|
||||
The licenses granted in this Section 2 are the only rights granted under
|
||||
this License. No additional rights or licenses will be implied from the
|
||||
distribution or licensing of Covered Software under this License.
|
||||
Notwithstanding Section 2.1(b) above, no patent license is granted by a
|
||||
Contributor:
|
||||
|
||||
(a) for any code that a Contributor has removed from Covered Software;
|
||||
or
|
||||
|
||||
(b) for infringements caused by: (i) Your and any other third party's
|
||||
modifications of Covered Software, or (ii) the combination of its
|
||||
Contributions with other software (except as part of its Contributor
|
||||
Version); or
|
||||
|
||||
(c) under Patent Claims infringed by Covered Software in the absence of
|
||||
its Contributions.
|
||||
|
||||
This License does not grant any rights in the trademarks, service marks,
|
||||
or logos of any Contributor (except as may be necessary to comply with
|
||||
the notice requirements in Section 3.4).
|
||||
|
||||
2.4. Subsequent Licenses
|
||||
|
||||
No Contributor makes additional grants as a result of Your choice to
|
||||
distribute the Covered Software under a subsequent version of this
|
||||
License (see Section 10.2) or under the terms of a Secondary License (if
|
||||
permitted under the terms of Section 3.3).
|
||||
|
||||
2.5. Representation
|
||||
|
||||
Each Contributor represents that the Contributor believes its
|
||||
Contributions are its original creation(s) or it has sufficient rights
|
||||
to grant the rights to its Contributions conveyed by this License.
|
||||
|
||||
2.6. Fair Use
|
||||
|
||||
This License is not intended to limit any rights You have under
|
||||
applicable copyright doctrines of fair use, fair dealing, or other
|
||||
equivalents.
|
||||
|
||||
2.7. Conditions
|
||||
|
||||
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
|
||||
in Section 2.1.
|
||||
|
||||
3. Responsibilities
|
||||
-------------------
|
||||
|
||||
3.1. Distribution of Source Form
|
||||
|
||||
All distribution of Covered Software in Source Code Form, including any
|
||||
Modifications that You create or to which You contribute, must be under
|
||||
the terms of this License. You must inform recipients that the Source
|
||||
Code Form of the Covered Software is governed by the terms of this
|
||||
License, and how they can obtain a copy of this License. You may not
|
||||
attempt to alter or restrict the recipients' rights in the Source Code
|
||||
Form.
|
||||
|
||||
3.2. Distribution of Executable Form
|
||||
|
||||
If You distribute Covered Software in Executable Form then:
|
||||
|
||||
(a) such Covered Software must also be made available in Source Code
|
||||
Form, as described in Section 3.1, and You must inform recipients of
|
||||
the Executable Form how they can obtain a copy of such Source Code
|
||||
Form by reasonable means in a timely manner, at a charge no more
|
||||
than the cost of distribution to the recipient; and
|
||||
|
||||
(b) You may distribute such Executable Form under the terms of this
|
||||
License, or sublicense it under different terms, provided that the
|
||||
license for the Executable Form does not attempt to limit or alter
|
||||
the recipients' rights in the Source Code Form under this License.
|
||||
|
||||
3.3. Distribution of a Larger Work
|
||||
|
||||
You may create and distribute a Larger Work under terms of Your choice,
|
||||
provided that You also comply with the requirements of this License for
|
||||
the Covered Software. If the Larger Work is a combination of Covered
|
||||
Software with a work governed by one or more Secondary Licenses, and the
|
||||
Covered Software is not Incompatible With Secondary Licenses, this
|
||||
License permits You to additionally distribute such Covered Software
|
||||
under the terms of such Secondary License(s), so that the recipient of
|
||||
the Larger Work may, at their option, further distribute the Covered
|
||||
Software under the terms of either this License or such Secondary
|
||||
License(s).
|
||||
|
||||
3.4. Notices
|
||||
|
||||
You may not remove or alter the substance of any license notices
|
||||
(including copyright notices, patent notices, disclaimers of warranty,
|
||||
or limitations of liability) contained within the Source Code Form of
|
||||
the Covered Software, except that You may alter any license notices to
|
||||
the extent required to remedy known factual inaccuracies.
|
||||
|
||||
3.5. Application of Additional Terms
|
||||
|
||||
You may choose to offer, and to charge a fee for, warranty, support,
|
||||
indemnity or liability obligations to one or more recipients of Covered
|
||||
Software. However, You may do so only on Your own behalf, and not on
|
||||
behalf of any Contributor. You must make it absolutely clear that any
|
||||
such warranty, support, indemnity, or liability obligation is offered by
|
||||
You alone, and You hereby agree to indemnify every Contributor for any
|
||||
liability incurred by such Contributor as a result of warranty, support,
|
||||
indemnity or liability terms You offer. You may include additional
|
||||
disclaimers of warranty and limitations of liability specific to any
|
||||
jurisdiction.
|
||||
|
||||
4. Inability to Comply Due to Statute or Regulation
|
||||
---------------------------------------------------
|
||||
|
||||
If it is impossible for You to comply with any of the terms of this
|
||||
License with respect to some or all of the Covered Software due to
|
||||
statute, judicial order, or regulation then You must: (a) comply with
|
||||
the terms of this License to the maximum extent possible; and (b)
|
||||
describe the limitations and the code they affect. Such description must
|
||||
be placed in a text file included with all distributions of the Covered
|
||||
Software under this License. Except to the extent prohibited by statute
|
||||
or regulation, such description must be sufficiently detailed for a
|
||||
recipient of ordinary skill to be able to understand it.
|
||||
|
||||
5. Termination
|
||||
--------------
|
||||
|
||||
5.1. The rights granted under this License will terminate automatically
|
||||
if You fail to comply with any of its terms. However, if You become
|
||||
compliant, then the rights granted under this License from a particular
|
||||
Contributor are reinstated (a) provisionally, unless and until such
|
||||
Contributor explicitly and finally terminates Your grants, and (b) on an
|
||||
ongoing basis, if such Contributor fails to notify You of the
|
||||
non-compliance by some reasonable means prior to 60 days after You have
|
||||
come back into compliance. Moreover, Your grants from a particular
|
||||
Contributor are reinstated on an ongoing basis if such Contributor
|
||||
notifies You of the non-compliance by some reasonable means, this is the
|
||||
first time You have received notice of non-compliance with this License
|
||||
from such Contributor, and You become compliant prior to 30 days after
|
||||
Your receipt of the notice.
|
||||
|
||||
5.2. If You initiate litigation against any entity by asserting a patent
|
||||
infringement claim (excluding declaratory judgment actions,
|
||||
counter-claims, and cross-claims) alleging that a Contributor Version
|
||||
directly or indirectly infringes any patent, then the rights granted to
|
||||
You by any and all Contributors for the Covered Software under Section
|
||||
2.1 of this License shall terminate.
|
||||
|
||||
5.3. In the event of termination under Sections 5.1 or 5.2 above, all
|
||||
end user license agreements (excluding distributors and resellers) which
|
||||
have been validly granted by You or Your distributors under this License
|
||||
prior to termination shall survive termination.
|
||||
|
||||
************************************************************************
|
||||
* *
|
||||
* 6. Disclaimer of Warranty *
|
||||
* ------------------------- *
|
||||
* *
|
||||
* Covered Software is provided under this License on an "as is" *
|
||||
* basis, without warranty of any kind, either expressed, implied, or *
|
||||
* statutory, including, without limitation, warranties that the *
|
||||
* Covered Software is free of defects, merchantable, fit for a *
|
||||
* particular purpose or non-infringing. The entire risk as to the *
|
||||
* quality and performance of the Covered Software is with You. *
|
||||
* Should any Covered Software prove defective in any respect, You *
|
||||
* (not any Contributor) assume the cost of any necessary servicing, *
|
||||
* repair, or correction. This disclaimer of warranty constitutes an *
|
||||
* essential part of this License. No use of any Covered Software is *
|
||||
* authorized under this License except under this disclaimer. *
|
||||
* *
|
||||
************************************************************************
|
||||
|
||||
************************************************************************
|
||||
* *
|
||||
* 7. Limitation of Liability *
|
||||
* -------------------------- *
|
||||
* *
|
||||
* Under no circumstances and under no legal theory, whether tort *
|
||||
* (including negligence), contract, or otherwise, shall any *
|
||||
* Contributor, or anyone who distributes Covered Software as *
|
||||
* permitted above, be liable to You for any direct, indirect, *
|
||||
* special, incidental, or consequential damages of any character *
|
||||
* including, without limitation, damages for lost profits, loss of *
|
||||
* goodwill, work stoppage, computer failure or malfunction, or any *
|
||||
* and all other commercial damages or losses, even if such party *
|
||||
* shall have been informed of the possibility of such damages. This *
|
||||
* limitation of liability shall not apply to liability for death or *
|
||||
* personal injury resulting from such party's negligence to the *
|
||||
* extent applicable law prohibits such limitation. Some *
|
||||
* jurisdictions do not allow the exclusion or limitation of *
|
||||
* incidental or consequential damages, so this exclusion and *
|
||||
* limitation may not apply to You. *
|
||||
* *
|
||||
************************************************************************
|
||||
|
||||
8. Litigation
|
||||
-------------
|
||||
|
||||
Any litigation relating to this License may be brought only in the
|
||||
courts of a jurisdiction where the defendant maintains its principal
|
||||
place of business and such litigation shall be governed by laws of that
|
||||
jurisdiction, without reference to its conflict-of-law provisions.
|
||||
Nothing in this Section shall prevent a party's ability to bring
|
||||
cross-claims or counter-claims.
|
||||
|
||||
9. Miscellaneous
|
||||
----------------
|
||||
|
||||
This License represents the complete agreement concerning the subject
|
||||
matter hereof. If any provision of this License is held to be
|
||||
unenforceable, such provision shall be reformed only to the extent
|
||||
necessary to make it enforceable. Any law or regulation which provides
|
||||
that the language of a contract shall be construed against the drafter
|
||||
shall not be used to construe this License against a Contributor.
|
||||
|
||||
10. Versions of the License
|
||||
---------------------------
|
||||
|
||||
10.1. New Versions
|
||||
|
||||
Mozilla Foundation is the license steward. Except as provided in Section
|
||||
10.3, no one other than the license steward has the right to modify or
|
||||
publish new versions of this License. Each version will be given a
|
||||
distinguishing version number.
|
||||
|
||||
10.2. Effect of New Versions
|
||||
|
||||
You may distribute the Covered Software under the terms of the version
|
||||
of the License under which You originally received the Covered Software,
|
||||
or under the terms of any subsequent version published by the license
|
||||
steward.
|
||||
|
||||
10.3. Modified Versions
|
||||
|
||||
If you create software not governed by this License, and you want to
|
||||
create a new license for such software, you may create and use a
|
||||
modified version of this License if you rename the license and remove
|
||||
any references to the name of the license steward (except to note that
|
||||
such modified license differs from this License).
|
||||
|
||||
10.4. Distributing Source Code Form that is Incompatible With Secondary
|
||||
Licenses
|
||||
|
||||
If You choose to distribute Source Code Form that is Incompatible With
|
||||
Secondary Licenses under the terms of this version of the License, the
|
||||
notice described in Exhibit B of this License must be attached.
|
||||
|
||||
Exhibit A - Source Code Form License Notice
|
||||
-------------------------------------------
|
||||
|
||||
This Source Code Form is subject to the terms of the Mozilla Public
|
||||
License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
If it is not possible or desirable to put the notice in a particular
|
||||
file, then You may include the notice in a location (such as a LICENSE
|
||||
file in a relevant directory) where a recipient would be likely to look
|
||||
for such a notice.
|
||||
|
||||
You may add additional accurate notices of copyright ownership.
|
||||
|
||||
Exhibit B - "Incompatible With Secondary Licenses" Notice
|
||||
---------------------------------------------------------
|
||||
|
||||
This Source Code Form is "Incompatible With Secondary Licenses", as
|
||||
defined by the Mozilla Public License, v. 2.0.
|
60
README.adoc
Normal file
60
README.adoc
Normal file
|
@ -0,0 +1,60 @@
|
|||
:showtitle:
|
||||
:toc: left
|
||||
:icons: font
|
||||
|
||||
= PatOS - Patagia OS
|
||||
|
||||
[link=https://ci.patagia.dev/repos/2,window=_blank]
|
||||
image::https://ci.patagia.dev/api/badges/2/status.svg[Build Status]
|
||||
|
||||
PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform.
|
||||
|
||||
== Features
|
||||
|
||||
* Immutable read-only system
|
||||
* Trust chain verification using secure boot and dm-verity
|
||||
* Automatic updates and unattended rollbacks
|
||||
* Host/TPM bound data encryption by default
|
||||
|
||||
== Roadmap and status
|
||||
|
||||
[cols="3,1",options="header"]
|
||||
|===
|
||||
|Feature |Status
|
||||
|
||||
| A/B root partitions with discoverable partitions
|
||||
| ✅
|
||||
|
||||
| Verity protection of root partitions
|
||||
| ✅
|
||||
|
||||
| Encrypted state partition with tpm2 host binding
|
||||
| ✅
|
||||
|
||||
| Factory reset / clearing of state partition
|
||||
| ✅
|
||||
|
||||
| Automatic updates
|
||||
| ⚠️
|
||||
|
||||
| Installer
|
||||
| ❌
|
||||
|
||||
| Machine registration and provisioning
|
||||
| ❌
|
||||
|
||||
| Boot assessment w/automatic rollback
|
||||
| ❌
|
||||
|
||||
|===
|
||||
|
||||
== Community
|
||||
|
||||
* Source code: https://patagia.dev/Patagia/patos
|
||||
|
||||
|
||||
== License
|
||||
|
||||
Copyright (C) 2024 Patagia AB
|
||||
|
||||
Unless otherwise noted, all components are licenced under the Mozilla Public License Version 2.0.
|
|
@ -1,5 +0,0 @@
|
|||
# PatOS - Patagia OS
|
||||
|
||||
[![status-badge](https://ci.patagia.dev/api/badges/2/status.svg)](https://ci.patagia.dev/repos/2)
|
||||
|
||||
PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform.
|
157
flake.lock
157
flake.lock
|
@ -1,169 +1,24 @@
|
|||
{
|
||||
"nodes": {
|
||||
"advisory-db": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1727353582,
|
||||
"narHash": "sha256-2csMEEOZhvowVKZNBHk1kMJqk72ZMrPj9LQYCzP6EKs=",
|
||||
"owner": "rustsec",
|
||||
"repo": "advisory-db",
|
||||
"rev": "cb905e6e405834bdff1eb1e20c9b10edb5403889",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "rustsec",
|
||||
"repo": "advisory-db",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"crane": {
|
||||
"locked": {
|
||||
"lastModified": 1727316705,
|
||||
"narHash": "sha256-/mumx8AQ5xFuCJqxCIOFCHTVlxHkMT21idpbgbm/TIE=",
|
||||
"owner": "ipetkov",
|
||||
"repo": "crane",
|
||||
"rev": "5b03654ce046b5167e7b0bccbd8244cb56c16f0e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ipetkov",
|
||||
"repo": "crane",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1726560853,
|
||||
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1726560853,
|
||||
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1728888510,
|
||||
"narHash": "sha256-nsNdSldaAyu6PE3YUA+YQLqUDJh+gRbBooMMekZJwvI=",
|
||||
"owner": "nixos",
|
||||
"lastModified": 1731139594,
|
||||
"narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c",
|
||||
"rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"patagia-agent": {
|
||||
"inputs": {
|
||||
"advisory-db": "advisory-db",
|
||||
"crane": "crane",
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1728144622,
|
||||
"narHash": "sha256-EWH6pJE0HfHdIaelizOWqArgXZ2KJo0tb4EUCnUYQrY=",
|
||||
"ref": "main",
|
||||
"rev": "853f7f81b60ca687685cec3c817b75abbab86077",
|
||||
"revCount": 8,
|
||||
"type": "git",
|
||||
"url": "ssh://git@patagia.dev/patagia/patagia-agent"
|
||||
},
|
||||
"original": {
|
||||
"ref": "main",
|
||||
"type": "git",
|
||||
"url": "ssh://git@patagia.dev/patagia/patagia-agent"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"patagia-agent": "patagia-agent"
|
||||
}
|
||||
},
|
||||
"rust-overlay": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"patagia-agent",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1727490462,
|
||||
"narHash": "sha256-OrrPiNBiikv9BR464XTT75FzOq7tKAvMbMi7YOKVIeg=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "11a13e50debafae4ae802f1d6b8585101516dd93",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_2": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
"nixpkgs": "nixpkgs"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
195
flake.nix
195
flake.nix
|
@ -2,137 +2,90 @@
|
|||
description = "PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform.";
|
||||
|
||||
inputs = {
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
|
||||
patagia-agent.url = "git+ssh://git@patagia.dev/patagia/patagia-agent?ref=main";
|
||||
patagia-agent.inputs.nixpkgs.follows = "nixpkgs";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
};
|
||||
|
||||
outputs =
|
||||
{ self, nixpkgs }:
|
||||
let
|
||||
releaseVersion = "0.0.1";
|
||||
system = "x86_64-linux";
|
||||
updateUrl = "https://images.dl.patagia.dev/patos/";
|
||||
pkgs = import nixpkgs { inherit system; };
|
||||
in
|
||||
{
|
||||
self,
|
||||
flake-utils,
|
||||
nixpkgs,
|
||||
patagia-agent,
|
||||
}:
|
||||
flake-utils.lib.eachDefaultSystem (
|
||||
system:
|
||||
let
|
||||
nixosModules.devel.imports = [
|
||||
./modules/profiles/devel.nix
|
||||
];
|
||||
|
||||
pkgs = import nixpkgs {
|
||||
inherit system;
|
||||
overlays = [
|
||||
(import ./overlays)
|
||||
];
|
||||
};
|
||||
nixosModules.server.imports = [
|
||||
./modules/profiles/server.nix
|
||||
];
|
||||
|
||||
# Prepare an update package for the system.
|
||||
mkUpdate =
|
||||
nixos:
|
||||
let
|
||||
config = nixos.config;
|
||||
in
|
||||
pkgs.runCommand "update-${config.system.image.version}"
|
||||
{
|
||||
nativeBuildInputs = with pkgs; [
|
||||
erofs-utils
|
||||
zstd
|
||||
];
|
||||
}
|
||||
''
|
||||
mkdir -p $out
|
||||
cp ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw $out/
|
||||
nixosModules.image.imports = [
|
||||
./modules
|
||||
./modules/profiles/base.nix
|
||||
./modules/image
|
||||
];
|
||||
|
||||
zstd -9 ${config.system.build.uki}/${config.system.boot.loader.ukiFile} \
|
||||
-o $out/${config.system.boot.loader.ukiFile}.zst
|
||||
|
||||
zstd -9 ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw \
|
||||
-o $out/${config.boot.uki.name}_${config.system.image.version}.img.zst
|
||||
'';
|
||||
|
||||
# Prepare a ready-to-boot disk image.
|
||||
mkInstallImage =
|
||||
nixos:
|
||||
let
|
||||
config = nixos.config;
|
||||
in
|
||||
pkgs.runCommand "update-${config.system.image.version}"
|
||||
{
|
||||
nativeBuildInputs = with pkgs; [
|
||||
qemu
|
||||
zstd
|
||||
];
|
||||
}
|
||||
''
|
||||
mkdir -p $out
|
||||
cp ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.raw $out/
|
||||
qemu-img convert -f raw -O qcow2 -C ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.raw $out/disk.qcow2
|
||||
|
||||
zstd -9 ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw \
|
||||
-o $out/${config.boot.uki.name}_${config.system.image.version}.img.zst
|
||||
|
||||
zstd -9 ${config.system.build.uki}/${config.system.boot.loader.ukiFile} \
|
||||
-o $out/${config.system.boot.loader.ukiFile}.zst
|
||||
'';
|
||||
in
|
||||
{
|
||||
devShell = pkgs.mkShell {
|
||||
packages = with pkgs; [
|
||||
erofs-utils
|
||||
just
|
||||
self.packages.${system}.qemu-efi
|
||||
];
|
||||
};
|
||||
|
||||
packages = {
|
||||
default = self.packages.${system}.patos_image;
|
||||
patos_image = mkInstallImage self.nixosConfigurations.${system}.patos;
|
||||
patos_update = mkUpdate self.nixosConfigurations.${system}.patos;
|
||||
|
||||
image = system.build;
|
||||
|
||||
# FIXME: only do for x86_64
|
||||
# A helper script to run the disk images above.
|
||||
qemu-efi = pkgs.writeShellApplication {
|
||||
name = "qemu-efi";
|
||||
|
||||
runtimeInputs = [ pkgs.qemu_kvm ];
|
||||
|
||||
text = ''
|
||||
qemu-system-x86_64 \
|
||||
-smp 4 -m 2048 -machine q35,accel=kvm \
|
||||
-bios ${pkgs.OVMF.fd}/FV/OVMF.fd \
|
||||
-snapshot \
|
||||
-display none \
|
||||
-serial stdio "$@"
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
nixosConfigurations = rec {
|
||||
patos = nixpkgs.lib.nixosSystem {
|
||||
specialArgs.pkgs = pkgs;
|
||||
system = system;
|
||||
packages.${system} = {
|
||||
devel =
|
||||
(nixpkgs.lib.nixosSystem {
|
||||
modules = [
|
||||
(
|
||||
{ lib, ... }:
|
||||
{
|
||||
nixpkgs.hostPlatform = system;
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
)
|
||||
{
|
||||
_module.args = {
|
||||
inherit patagia-agent;
|
||||
};
|
||||
system.image.updates.url = "${updateUrl}";
|
||||
system.image.id = "patos";
|
||||
system.image.version = releaseVersion;
|
||||
image.compress = false;
|
||||
}
|
||||
./modules/kernel
|
||||
./modules/filesystems.nix
|
||||
./modules/generic.nix
|
||||
./modules/minimize.nix
|
||||
./modules/network.nix
|
||||
# ./modules/patagia-agent.nix
|
||||
./modules/partitions.nix
|
||||
./modules/system_overrides.nix
|
||||
./modules/sysupdate.nix
|
||||
./modules/utils.nix
|
||||
self.nixosModules.image
|
||||
self.nixosModules.devel
|
||||
];
|
||||
};
|
||||
};
|
||||
}).config.system.build.updatePackage;
|
||||
|
||||
}
|
||||
);
|
||||
patos =
|
||||
(nixpkgs.lib.nixosSystem {
|
||||
modules = [
|
||||
(
|
||||
{ lib, ... }:
|
||||
{
|
||||
nixpkgs.hostPlatform = system;
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
)
|
||||
{
|
||||
system.image.updates.url = "${updateUrl}";
|
||||
system.image.id = "patos";
|
||||
system.image.version = releaseVersion;
|
||||
}
|
||||
self.nixosModules.image
|
||||
self.nixosModules.server
|
||||
];
|
||||
}).config.system.build.updatePackage;
|
||||
|
||||
qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { inherit pkgs; };
|
||||
};
|
||||
|
||||
checks.${system} = {
|
||||
podman = import ./tests/podman.nix { inherit pkgs self; };
|
||||
system-update = import ./tests/system-update.nix { inherit pkgs self; };
|
||||
};
|
||||
|
||||
devShells.${system}.default = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [
|
||||
erofs-utils
|
||||
just
|
||||
self.packages.${system}.qemu-uefi-tpm
|
||||
squashfs-tools-ng
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
15
justfile
15
justfile
|
@ -13,12 +13,15 @@ build: build-image
|
|||
|
||||
# Build PatOS image
|
||||
build-image:
|
||||
nix build .#patos_image
|
||||
nix build .#patos
|
||||
|
||||
# Build PatOS update image
|
||||
build-update:
|
||||
nix build .#patos_update
|
||||
# Build PatOS image (developer mode)
|
||||
build-devel-image:
|
||||
nix build .#devel
|
||||
|
||||
run: build-image
|
||||
qemu-efi -hda ./result/disk.qcow2
|
||||
|
||||
qemu-uefi-tpm ./result/*.img
|
||||
|
||||
run-devel: build-devel-image
|
||||
qemu-uefi-tpm ./result/*.img
|
||||
|
||||
|
|
15
modules/config/minimal-modules.nix
Normal file
15
modules/config/minimal-modules.nix
Normal file
|
@ -0,0 +1,15 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
boot = {
|
||||
bootspec.enable = false;
|
||||
initrd.kernelModules = config.boot.kernelModules;
|
||||
kernel.enable = false; # No kernel or modules in the rootfs
|
||||
modprobeConfig.enable = false;
|
||||
};
|
||||
|
||||
system.build = {
|
||||
inherit (config.boot.kernelPackages) kernel;
|
||||
};
|
||||
|
||||
system.modulesTree = [ config.boot.kernelPackages.kernel ] ++ config.boot.extraModulePackages;
|
||||
}
|
26
modules/config/minimal-system.nix
Normal file
26
modules/config/minimal-system.nix
Normal file
|
@ -0,0 +1,26 @@
|
|||
{ ... }:
|
||||
{
|
||||
|
||||
nixpkgs.overlays = [
|
||||
(final: prev: {
|
||||
|
||||
composefs = final.callPackage ../../pkgs/composefs.nix { inherit prev; };
|
||||
qemu_tiny = final.callPackage ../../pkgs/qemu.nix { inherit prev; };
|
||||
systemdUkify = final.callPackage ../../pkgs/systemd-ukify.nix { inherit prev; };
|
||||
|
||||
# # FIXME: Revisit + refine these below in a future image minimization effort
|
||||
#
|
||||
# util-linux = prev.util-linux.override {
|
||||
# ncursesSupport = false;
|
||||
# nlsSupport = false;
|
||||
# };
|
||||
#
|
||||
# dbus = prev.dbus.override {
|
||||
# enableSystemd = false;
|
||||
# x11Support = false;
|
||||
# };
|
||||
|
||||
})
|
||||
];
|
||||
|
||||
}
|
6
modules/default.nix
Normal file
6
modules/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{
|
||||
imports = [
|
||||
./config/minimal-modules.nix
|
||||
./config/minimal-system.nix
|
||||
];
|
||||
}
|
|
@ -1,44 +0,0 @@
|
|||
{ config, ... }: {
|
||||
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
algorithm = "zstd";
|
||||
memoryPercent = 20;
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
fsType = "tmpfs";
|
||||
options = [
|
||||
"size=20%"
|
||||
];
|
||||
};
|
||||
|
||||
"/var" =
|
||||
let
|
||||
partConf = config.image.repart.partitions."var".repartConfig;
|
||||
in
|
||||
{
|
||||
device = "/dev/disk/by-partuuid/${partConf.UUID}";
|
||||
fsType = partConf.Format;
|
||||
};
|
||||
|
||||
"/boot" =
|
||||
let
|
||||
partConf = config.image.repart.partitions."esp".repartConfig;
|
||||
in
|
||||
{
|
||||
device = "/dev/disk/by-partuuid/${partConf.UUID}";
|
||||
fsType = partConf.Format;
|
||||
};
|
||||
|
||||
"/nix/store" =
|
||||
let
|
||||
partConf = config.image.repart.partitions."store".repartConfig;
|
||||
in
|
||||
{
|
||||
device = "/dev/disk/by-partlabel/${partConf.Label}";
|
||||
fsType = partConf.Format;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,65 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
boot = {
|
||||
enableContainers = false;
|
||||
initrd.systemd.enable = true;
|
||||
initrd.compressor = "zstd";
|
||||
kernelParams = [
|
||||
"console=ttyS0"
|
||||
];
|
||||
loader.efi.canTouchEfiVariables = true;
|
||||
loader.grub.enable = false;
|
||||
loader.systemd-boot.enable = true;
|
||||
uki.name = "patos";
|
||||
};
|
||||
|
||||
system.image.version = "0.0.1"; # FIXME: Use epoch version.
|
||||
|
||||
system.nixos = {
|
||||
codeName = "Finn";
|
||||
distroId = "patos";
|
||||
distroName = "PatOS";
|
||||
release = "2024-09";
|
||||
};
|
||||
|
||||
system.switch.enable = false;
|
||||
|
||||
# Make the current system version visible in the prompt.
|
||||
programs.bash.promptInit = ''
|
||||
export PS1="\u@\h (version ${config.system.image.version}) \w $ "
|
||||
'';
|
||||
|
||||
# Not compatible with system.etc.overlay.enable yet.
|
||||
# users.mutableUsers = false;
|
||||
|
||||
services.getty.autologinUser = "root";
|
||||
|
||||
# Temporary files
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
boot.tmp.useTmpfs = true;
|
||||
systemd.services.nix-daemon = {
|
||||
environment.TMPDIR = "/var/tmp";
|
||||
};
|
||||
|
||||
services.journald.extraConfig = ''
|
||||
SystemMaxUse=10M
|
||||
'';
|
||||
|
||||
services.fstrim.enable = true;
|
||||
|
||||
# Debugging
|
||||
environment.systemPackages = with pkgs; [
|
||||
(runCommand "systemd-sysupdate" { } ''
|
||||
mkdir -p $out/bin
|
||||
ln -s ${config.systemd.package}/lib/systemd/systemd-sysupdate $out/bin
|
||||
'')
|
||||
];
|
||||
|
||||
system.stateVersion = "24.11";
|
||||
}
|
196
modules/image/builder.nix
Normal file
196
modules/image/builder.nix
Normal file
|
@ -0,0 +1,196 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
options,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (pkgs.stdenv.hostPlatform) efiArch;
|
||||
|
||||
initialPartitions = {
|
||||
"10-root" = {
|
||||
storePaths = [ config.system.build.toplevel ];
|
||||
repartConfig = {
|
||||
Type = "root";
|
||||
Minimize = "best";
|
||||
Format = "erofs";
|
||||
MakeDirectories = "/home /root /etc /dev /sys /bin /var /proc /run /usr /srv /tmp /mnt /lib /efi";
|
||||
Verity = "data";
|
||||
VerityMatchKey = "root";
|
||||
SplitName = "root";
|
||||
};
|
||||
};
|
||||
|
||||
"20-root-verity" = {
|
||||
repartConfig = {
|
||||
Type = "root-verity";
|
||||
Minimize = "best";
|
||||
Verity = "hash";
|
||||
VerityMatchKey = "root";
|
||||
SplitName = "verity";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# TODO: We don't need a combined image here - add dry-run flag to repart invocation
|
||||
verityRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") {
|
||||
inherit lib pkgs;
|
||||
system = null;
|
||||
modules = [
|
||||
(
|
||||
{ modulesPath, ... }:
|
||||
{
|
||||
imports = [ (modulesPath + "/image/repart.nix") ];
|
||||
image.repart = {
|
||||
name = "verity";
|
||||
split = true;
|
||||
mkfsOptions = lib.mkIf config.image.compress {
|
||||
erofs = [
|
||||
"-zlz4hc,level=12"
|
||||
"-Efragments,dedupe,ztailpacking"
|
||||
];
|
||||
};
|
||||
partitions = initialPartitions;
|
||||
};
|
||||
}
|
||||
)
|
||||
];
|
||||
};
|
||||
|
||||
rootPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw";
|
||||
verityPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw";
|
||||
|
||||
verityImgAttrs = builtins.fromJSON (
|
||||
builtins.readFile "${verityRepart.config.system.build.image}/repart-output.json"
|
||||
);
|
||||
rootAttrs = builtins.elemAt verityImgAttrs 0;
|
||||
verityAttrs = builtins.elemAt verityImgAttrs 1;
|
||||
|
||||
rootUuid = rootAttrs.uuid;
|
||||
verityUuid = verityAttrs.uuid;
|
||||
verityRootHash = rootAttrs.roothash;
|
||||
|
||||
finalPartitions = {
|
||||
"10-esp" = {
|
||||
contents = {
|
||||
"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
|
||||
"/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
|
||||
"/EFI/memtest86/memtest86.efi".source = "${pkgs.memtest86plus}/memtest.efi";
|
||||
"/loader/entries/patos-factory-reset.conf".source = pkgs.writeText "patos-factory-reset.conf" ''
|
||||
title Patos Factory Reset
|
||||
efi /EFI/Linux/${config.system.boot.loader.ukiFile}
|
||||
options ${toString config.boot.kernelParams} systemd.factory_reset=yes
|
||||
sort-key z_factory_reset
|
||||
'';
|
||||
"/loader/entries/memtest86.conf".source = pkgs.writeText "memtest86.conf" ''
|
||||
title Memtest86+
|
||||
efi /EFI/memtest86/memtest86.efi
|
||||
options console=ttyS0
|
||||
sort-key z_memtest
|
||||
'';
|
||||
"/loader/loader.conf".source = pkgs.writeText "loader.conf" ''
|
||||
timeout 2
|
||||
'';
|
||||
};
|
||||
repartConfig = {
|
||||
Type = "esp";
|
||||
Format = "vfat";
|
||||
SizeMinBytes = "96M";
|
||||
SizeMaxBytes = "96M";
|
||||
SplitName = "-";
|
||||
};
|
||||
};
|
||||
"20-root-verity-a" = {
|
||||
repartConfig = {
|
||||
Type = "root-verity";
|
||||
Label = "verity-${config.system.image.version}";
|
||||
CopyBlocks = "${verityPart}";
|
||||
SplitName = "-";
|
||||
SizeMinBytes = "64M";
|
||||
SizeMaxBytes = "64M";
|
||||
UUID = "${verityUuid}";
|
||||
ReadOnly = 1;
|
||||
};
|
||||
};
|
||||
# TODO: Add signature partition for systemd-nspawn
|
||||
"22-root-a" = {
|
||||
repartConfig = {
|
||||
Type = "root";
|
||||
Label = "root-${config.system.image.version}";
|
||||
CopyBlocks = "${rootPart}";
|
||||
SplitName = "-";
|
||||
UUID = "${rootUuid}";
|
||||
ReadOnly = 1;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
finalRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") {
|
||||
inherit lib pkgs;
|
||||
system = null;
|
||||
modules = [
|
||||
(
|
||||
{ modulesPath, ... }:
|
||||
{
|
||||
imports = [ (modulesPath + "/image/repart.nix") ];
|
||||
image.repart = {
|
||||
name = "${config.system.image.id}";
|
||||
partitions = finalPartitions;
|
||||
};
|
||||
}
|
||||
)
|
||||
];
|
||||
};
|
||||
|
||||
in
|
||||
{
|
||||
|
||||
# This fields is immutable by default, but can be overridden.
|
||||
options.system.nixos.codeName = lib.mkOption { readOnly = false; };
|
||||
options.system.nixos.release = lib.mkOption { readOnly = false; };
|
||||
|
||||
# FIXME: Should be configured somehow
|
||||
config.system.nixos = {
|
||||
codeName = "Finn";
|
||||
distroId = "patos";
|
||||
distroName = "PatOS";
|
||||
release = "2024-11";
|
||||
variant_id = "server";
|
||||
variantName = "Server";
|
||||
vendorName = "PatOS";
|
||||
};
|
||||
|
||||
options.image.compress = lib.mkEnableOption "image compression" // {
|
||||
default = true;
|
||||
};
|
||||
|
||||
config.system.build = {
|
||||
inherit verityRootHash;
|
||||
|
||||
image =
|
||||
(pkgs.linkFarm "image-release" [
|
||||
{
|
||||
name = "${config.system.image.id}_${config.system.image.version}.efi";
|
||||
path = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
|
||||
}
|
||||
{
|
||||
name = "${config.system.image.id}_${config.system.image.version}_${verityUuid}.verity";
|
||||
path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw";
|
||||
}
|
||||
{
|
||||
name = "${config.system.image.id}_${config.system.image.version}_${rootUuid}.root";
|
||||
path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw";
|
||||
}
|
||||
{
|
||||
name = "${config.system.image.id}_${config.system.image.version}.img";
|
||||
path = "${finalRepart.config.system.build.image}/${finalRepart.config.image.repart.imageFileBasename}.raw";
|
||||
}
|
||||
])
|
||||
// {
|
||||
imageFile = "${config.system.image.id}_${config.system.image.version}.img";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
136
modules/image/default.nix
Normal file
136
modules/image/default.nix
Normal file
|
@ -0,0 +1,136 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
imports = [
|
||||
./updater.nix
|
||||
./builder.nix
|
||||
./veritysetup.nix
|
||||
];
|
||||
|
||||
system.build.updatePackage = pkgs.runCommand "update-package" { } ''
|
||||
mkdir "$out"
|
||||
cd "$out"
|
||||
cp "${config.system.build.image}"/* .
|
||||
${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS
|
||||
'';
|
||||
|
||||
systemd.repart.partitions = {
|
||||
"10-esp" = {
|
||||
Type = "esp";
|
||||
Format = "vfat";
|
||||
SizeMinBytes = "96M";
|
||||
SizeMaxBytes = "96M";
|
||||
};
|
||||
"20-root-verity-a" = {
|
||||
Type = "root-verity";
|
||||
SizeMinBytes = "64M";
|
||||
SizeMaxBytes = "64M";
|
||||
};
|
||||
"22-root-a" = {
|
||||
Type = "root";
|
||||
SizeMinBytes = "512M";
|
||||
SizeMaxBytes = "512M";
|
||||
};
|
||||
"30-root-verity-b" = {
|
||||
Type = "root-verity";
|
||||
SizeMinBytes = "64M";
|
||||
SizeMaxBytes = "64M";
|
||||
Label = "_empty";
|
||||
ReadOnly = 1;
|
||||
};
|
||||
"32-root-b" = {
|
||||
Type = "root";
|
||||
SizeMinBytes = "512M";
|
||||
SizeMaxBytes = "512M";
|
||||
Label = "_empty";
|
||||
ReadOnly = 1;
|
||||
};
|
||||
"40-var" = {
|
||||
Type = "var";
|
||||
UUID = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"; # Well known
|
||||
Format = "btrfs";
|
||||
Label = "patos-state";
|
||||
Minimize = "off";
|
||||
FactoryReset = "yes";
|
||||
Encrypt = "tpm2";
|
||||
SizeMinBytes = "2G";
|
||||
SplitName = "-";
|
||||
};
|
||||
};
|
||||
|
||||
boot.loader.grub.enable = false;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.uki.name = "patos";
|
||||
|
||||
boot.initrd = {
|
||||
compressor = "zstd";
|
||||
compressorArgs = [ "-8" ];
|
||||
|
||||
luks.forceLuksSupportInInitrd = true;
|
||||
kernelModules = [
|
||||
"dm_mod"
|
||||
"dm_crypt"
|
||||
] ++ config.boot.initrd.luks.cryptoModules;
|
||||
|
||||
supportedFilesystems = {
|
||||
btrfs = true;
|
||||
erofs = true;
|
||||
};
|
||||
|
||||
systemd.enable = true;
|
||||
systemd.repart.enable = true;
|
||||
systemd.services.systemd-repart = {
|
||||
after = lib.mkForce [ "sysroot.mount" ];
|
||||
requires = [ "sysroot.mount" ];
|
||||
serviceConfig.Environment = [
|
||||
"SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
system.etc.overlay.mutable = false;
|
||||
users.mutableUsers = false;
|
||||
|
||||
boot.kernelParams = [
|
||||
"rootfstype=erofs"
|
||||
"rootflags=ro"
|
||||
"roothash=${config.system.build.verityRootHash}"
|
||||
];
|
||||
|
||||
fileSystems =
|
||||
let
|
||||
parts = config.systemd.repart.partitions;
|
||||
in
|
||||
{
|
||||
"/var" = {
|
||||
fsType = parts."40-var".Format;
|
||||
device = "/dev/mapper/var";
|
||||
encrypted = {
|
||||
enable = true;
|
||||
blkDev = "/dev/disk/by-partuuid/${parts."40-var".UUID}";
|
||||
label = "var";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Required to mount the efi partition
|
||||
boot.kernelModules = [
|
||||
"vfat"
|
||||
"nls_cp437"
|
||||
"nls_iso8859-1"
|
||||
];
|
||||
|
||||
environment.etc."machine-id" = {
|
||||
text = "";
|
||||
mode = "0755";
|
||||
};
|
||||
|
||||
# Refuse to boot on mount failure
|
||||
systemd.targets."sysinit".requires = [ "local-fs.target" ];
|
||||
}
|
87
modules/image/updater.nix
Normal file
87
modules/image/updater.nix
Normal file
|
@ -0,0 +1,87 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
|
||||
options.system.image.updates = {
|
||||
enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {
|
||||
default = config.system.image.updates.url != null;
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.system.image.updates.enable {
|
||||
|
||||
assertions = [
|
||||
{ assertion = config.system.image.updates.url != null; }
|
||||
];
|
||||
|
||||
systemd.sysupdate.enable = true;
|
||||
systemd.sysupdate.reboot.enable = lib.mkDefault true;
|
||||
|
||||
systemd.sysupdate.transfers = {
|
||||
"10-uki" = {
|
||||
Transfer = {
|
||||
Verify = "no";
|
||||
};
|
||||
Source = {
|
||||
Type = "url-file";
|
||||
Path = "${config.system.image.updates.url}";
|
||||
MatchPattern = "${config.boot.uki.name}_@v.efi";
|
||||
};
|
||||
Target = {
|
||||
Type = "regular-file";
|
||||
Path = "/EFI/Linux";
|
||||
PathRelativeTo = "esp";
|
||||
MatchPattern = "${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi";
|
||||
Mode = "0444";
|
||||
TriesLeft = 3;
|
||||
TriesDone = 0;
|
||||
InstancesMax = 2;
|
||||
};
|
||||
};
|
||||
"20-root-verity" = {
|
||||
Transfer = {
|
||||
Verify = "no";
|
||||
};
|
||||
Source = {
|
||||
Type = "url-file";
|
||||
Path = "${config.system.image.updates.url}";
|
||||
MatchPattern = "${config.system.image.id}_@v_@u.verity";
|
||||
};
|
||||
Target = {
|
||||
Type = "partition";
|
||||
Path = "auto";
|
||||
MatchPattern = "verity-@v";
|
||||
MatchPartitionType = "root-verity";
|
||||
ReadOnly = 1;
|
||||
};
|
||||
};
|
||||
"22-root" = {
|
||||
Transfer = {
|
||||
Verify = "no";
|
||||
};
|
||||
Source = {
|
||||
Type = "url-file";
|
||||
Path = "${config.system.image.updates.url}";
|
||||
MatchPattern = "${config.system.image.id}_@v_@u.root";
|
||||
};
|
||||
Target = {
|
||||
Type = "partition";
|
||||
Path = "auto";
|
||||
MatchPattern = "root-@v";
|
||||
MatchPartitionType = "root";
|
||||
ReadOnly = 1;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.additionalUpstreamSystemUnits = [
|
||||
"systemd-bless-boot.service"
|
||||
"boot-complete.target"
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
}
|
39
modules/image/veritysetup.nix
Normal file
39
modules/image/veritysetup.nix
Normal file
|
@ -0,0 +1,39 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
|
||||
options.boot.initrd.systemd.root = lib.mkOption {
|
||||
type = lib.types.enum [
|
||||
"fstab"
|
||||
"gpt-auto"
|
||||
""
|
||||
];
|
||||
};
|
||||
|
||||
config.boot.initrd = {
|
||||
|
||||
kernelModules = [
|
||||
"dm_mod"
|
||||
"dm_verity"
|
||||
];
|
||||
|
||||
systemd = {
|
||||
|
||||
# Required to activate systemd-fstab-generator
|
||||
root = "";
|
||||
|
||||
additionalUpstreamUnits = [
|
||||
"veritysetup-pre.target"
|
||||
"veritysetup.target"
|
||||
"remote-veritysetup.target"
|
||||
];
|
||||
|
||||
storePaths = [
|
||||
"${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup"
|
||||
"${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator"
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
|
@ -1,24 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
boot.kernelPackages =
|
||||
let
|
||||
version = "6.11.2";
|
||||
in
|
||||
pkgs.linuxPackagesFor (
|
||||
pkgs.linuxManualConfig {
|
||||
version = "${version}-patos1";
|
||||
modDirVersion = version;
|
||||
src = pkgs.fetchurl {
|
||||
url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
|
||||
sha256 = "ec9ef7a0b9cebb55940e1ef87a1f9e1004b10456a119dc386bb3e565b0d39c42";
|
||||
};
|
||||
configfile = ./generic.config;
|
||||
allowImportFromDerivation = true;
|
||||
}
|
||||
);
|
||||
}
|
File diff suppressed because it is too large
Load diff
|
@ -1,18 +0,0 @@
|
|||
{ modulesPath, ... }:
|
||||
{
|
||||
imports = [
|
||||
"${modulesPath}/profiles/minimal.nix"
|
||||
];
|
||||
|
||||
nix.enable = false;
|
||||
system.disableInstallerTools = true;
|
||||
system.etc.overlay.enable = true;
|
||||
systemd.sysusers.enable = true;
|
||||
|
||||
programs.less.lessopen = null;
|
||||
programs.command-not-found.enable = false;
|
||||
|
||||
environment.defaultPackages = [ ];
|
||||
|
||||
security.sudo.enable = false;
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{ config, ... }: {
|
||||
networking = {
|
||||
useNetworkd = true;
|
||||
|
||||
# Easy debugging.
|
||||
firewall.enable = false;
|
||||
};
|
||||
|
||||
# Faster boot.
|
||||
systemd.network.wait-online.enable = false;
|
||||
}
|
|
@ -1,103 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
imports = [
|
||||
"${modulesPath}/image/repart.nix"
|
||||
];
|
||||
|
||||
image.repart =
|
||||
let
|
||||
efiArch = pkgs.stdenv.hostPlatform.efiArch;
|
||||
in
|
||||
{
|
||||
name = config.boot.uki.name;
|
||||
split = true;
|
||||
|
||||
mkfsOptions = {
|
||||
erofs = [
|
||||
# "-zzstd,6" # Zstd compression
|
||||
# "-zlz4hc,12"
|
||||
"-T0" # Fixed timestamp for all files
|
||||
"-C262144" # 256 KiB cluster size
|
||||
# "-C65536" # 64 KiB cluster size
|
||||
# "-C1048576" # 1 MiB cluster size
|
||||
"-Efragments,dedupe,ztailpacking" # Extra features
|
||||
];
|
||||
};
|
||||
|
||||
partitions = {
|
||||
"esp" = {
|
||||
contents = {
|
||||
"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
|
||||
"/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
|
||||
|
||||
# systemd-boot configuration
|
||||
"/loader/loader.conf".source = (
|
||||
pkgs.writeText "$out" ''
|
||||
timeout 0
|
||||
''
|
||||
# FIXME: should not be 0 in prod
|
||||
);
|
||||
};
|
||||
repartConfig = {
|
||||
Type = "esp";
|
||||
UUID = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"; # Well known
|
||||
Format = "vfat";
|
||||
SizeMinBytes = "256M";
|
||||
SplitName = "-";
|
||||
};
|
||||
};
|
||||
"store" = {
|
||||
storePaths = [ config.system.build.toplevel ];
|
||||
stripNixStorePrefix = true;
|
||||
repartConfig = {
|
||||
Type = "linux-generic";
|
||||
Label = "${config.boot.uki.name}_${config.system.image.version}";
|
||||
Format = "erofs";
|
||||
Minimize = "best";
|
||||
ReadOnly = "yes";
|
||||
SizeMinBytes = "1G";
|
||||
SizeMaxBytes = "1G";
|
||||
SplitName = "store";
|
||||
};
|
||||
};
|
||||
|
||||
# Placeholder for the second installed Nix store.
|
||||
"store-empty" = {
|
||||
repartConfig = {
|
||||
Type = "linux-generic";
|
||||
Label = "_empty";
|
||||
Minimize = "off";
|
||||
SizeMinBytes = "1G";
|
||||
SizeMaxBytes = "1G";
|
||||
SplitName = "-";
|
||||
};
|
||||
};
|
||||
|
||||
# Persistent storage
|
||||
"var" = {
|
||||
repartConfig = {
|
||||
Type = "var";
|
||||
UUID = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"; # Well known
|
||||
Format = "xfs";
|
||||
Label = "nixos-persistent";
|
||||
Minimize = "off";
|
||||
|
||||
# Has to be large enough to hold update files.
|
||||
SizeMinBytes = "2G";
|
||||
SizeMaxBytes = "2G";
|
||||
SplitName = "-";
|
||||
|
||||
# Wiping this gives us a clean state.
|
||||
FactoryReset = "yes";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
utils,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
|
||||
system.activationScripts.patagia-agent = ''
|
||||
mkdir -p /var/lib/extensions
|
||||
mkdir -p /etc/systemd/extensions
|
||||
'';
|
||||
|
||||
environment.etc."sysupdate.patagia-agent.d".source =
|
||||
let
|
||||
format = pkgs.formats.ini { listToValue = toString; };
|
||||
in
|
||||
utils.systemdUtils.lib.definitions "sysupdate.patagia-agent.d" format {
|
||||
"10-image.conf" = {
|
||||
Source = {
|
||||
MatchPattern = "patagia-agent_@v.raw";
|
||||
Path = "https://images.dl.patagia.dev/patagia-agent/";
|
||||
Type = "url-file";
|
||||
};
|
||||
|
||||
Target = {
|
||||
InstancesMax = 2;
|
||||
Path = "/var/lib/extensions";
|
||||
CurrentSymlink = "/etc/systemd/extensions/patagia-agent.raw";
|
||||
Type = "regular-file";
|
||||
MatchPattern = "patagia-agent_@v.raw";
|
||||
};
|
||||
|
||||
Transfer = {
|
||||
Verify = "no"; # FIXME: verify
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
95
modules/profiles/base.nix
Normal file
95
modules/profiles/base.nix
Normal file
|
@ -0,0 +1,95 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/profiles/image-based-appliance.nix")
|
||||
(modulesPath + "/profiles/perlless.nix")
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
# system.forbiddenDependenciesRegexes = lib.mkForce [ ];
|
||||
|
||||
nixpkgs.flake.setNixPath = false;
|
||||
nixpkgs.flake.setFlakeRegistry = false;
|
||||
boot.enableContainers = false;
|
||||
|
||||
boot.kernelModules = [
|
||||
"zram"
|
||||
"usb_storage"
|
||||
"uas"
|
||||
"sd_mod"
|
||||
"r8169"
|
||||
"ehci-hcd"
|
||||
"ehci-pci"
|
||||
"xhci-hcd"
|
||||
"xhci-pci"
|
||||
"xhci-pci-renesas"
|
||||
"nvme"
|
||||
"virtio_net"
|
||||
];
|
||||
|
||||
system.etc.overlay.mutable = lib.mkDefault false;
|
||||
|
||||
systemd.watchdog = lib.mkDefault {
|
||||
runtimeTime = "10s";
|
||||
rebootTime = "30s";
|
||||
};
|
||||
|
||||
zramSwap.enable = true;
|
||||
|
||||
# FIXME: fstrim should only be enabled for virtual machine images?
|
||||
services.fstrim.enable = true;
|
||||
|
||||
users.allowNoPasswordLogin = true;
|
||||
users.users.root.home = lib.mkForce "/";
|
||||
|
||||
security.sudo.enable = lib.mkDefault false;
|
||||
|
||||
security.polkit = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (subject.isInGroup("wheel")) {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
'';
|
||||
};
|
||||
|
||||
i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];
|
||||
|
||||
# Console
|
||||
|
||||
systemd.enableEmergencyMode = false;
|
||||
boot.consoleLogLevel = lib.mkDefault 1;
|
||||
boot.kernelParams = [
|
||||
"panic=1"
|
||||
"boot.panic_on_fail"
|
||||
# "nomodeset"
|
||||
"console=ttyS0,115200n8"
|
||||
"earlyprintk=ttyS0,115200n8"
|
||||
"systemd.mask=systemd-vconsole-setup.service" # FIXME: Figure out why vconsole-setup fails when loading keymap
|
||||
];
|
||||
|
||||
# This is vi country
|
||||
programs.nano.enable = false;
|
||||
programs.vim.enable = true;
|
||||
programs.vim.defaultEditor = lib.mkDefault true;
|
||||
|
||||
# Temporary file
|
||||
boot.tmp.useTmpfs = true;
|
||||
|
||||
# Logging
|
||||
services.journald = {
|
||||
storage = "volatile";
|
||||
extraConfig = ''
|
||||
SystemMaxUse=10M
|
||||
'';
|
||||
};
|
||||
|
||||
}
|
39
modules/profiles/devel.nix
Normal file
39
modules/profiles/devel.nix
Normal file
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
imports = [ ./server.nix ];
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_unprivileged_port_start" = 0;
|
||||
};
|
||||
|
||||
boot.kernelParams = [
|
||||
"systemd.log_level=info"
|
||||
"systemd.log_target=console"
|
||||
"systemd.journald.forward_to_console"
|
||||
];
|
||||
|
||||
users.users."admin" = {
|
||||
isNormalUser = true;
|
||||
linger = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
home = "/var/home/admin";
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
subuid = {
|
||||
text = "admin:100000:65536";
|
||||
mode = "0644";
|
||||
};
|
||||
|
||||
subgid = {
|
||||
text = "admin:100000:65536";
|
||||
mode = "0644";
|
||||
};
|
||||
};
|
||||
|
||||
services.getty.autologinUser = "admin";
|
||||
}
|
65
modules/profiles/network.nix
Normal file
65
modules/profiles/network.nix
Normal file
|
@ -0,0 +1,65 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
# Use networkd
|
||||
networking.useNetworkd = true;
|
||||
systemd.network.wait-online.enable = true;
|
||||
|
||||
# Firewall
|
||||
networking.firewall.enable = false;
|
||||
networking.nftables.enable = lib.mkDefault true;
|
||||
|
||||
# DNS
|
||||
services.resolved = {
|
||||
fallbackDns = [ ]; # Disable fallback DNS. DNS will fail if resolvers are unconfigured
|
||||
extraConfig = ''
|
||||
DNSStubListener=no
|
||||
'';
|
||||
|
||||
};
|
||||
|
||||
# Configuration
|
||||
networking.hostName = "";
|
||||
|
||||
# Kernel
|
||||
boot.kernel.sysctl = {
|
||||
"net.core.default_qdisc" = "fq"; # FIXME: manage these with networkd?
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
};
|
||||
|
||||
# Modules
|
||||
boot.kernelModules = [
|
||||
"ip_tables"
|
||||
"x_tables"
|
||||
"nf_tables"
|
||||
"nft_ct"
|
||||
"nft_log"
|
||||
"nf_log_syslog"
|
||||
"nft_fib"
|
||||
"nft_fib_inet"
|
||||
"nft_compat"
|
||||
"nft_nat"
|
||||
"nft_chain_nat"
|
||||
"nft_masq"
|
||||
"nfnetlink"
|
||||
"xt_conntrack"
|
||||
"nf_conntrack"
|
||||
"nf_log_syslog"
|
||||
"nf_nat"
|
||||
"af_packet"
|
||||
"bridge"
|
||||
"veth"
|
||||
"tcp_bbr"
|
||||
"sch_fq_codel"
|
||||
"ipt_rpfilter"
|
||||
"ip6t_rpfilter"
|
||||
"sch_fq"
|
||||
"tun"
|
||||
"tap"
|
||||
"xt_MASQUERADE"
|
||||
"xt_mark"
|
||||
"xt_comment"
|
||||
"xt_multiport"
|
||||
"xt_addrtype"
|
||||
];
|
||||
|
||||
}
|
18
modules/profiles/server.nix
Normal file
18
modules/profiles/server.nix
Normal file
|
@ -0,0 +1,18 @@
|
|||
{
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
imports = [
|
||||
(modulesPath + "/profiles/minimal.nix")
|
||||
./network.nix
|
||||
./sysext.nix
|
||||
];
|
||||
|
||||
boot.kernelParams = [
|
||||
"quiet"
|
||||
];
|
||||
|
||||
virtualisation.podman.enable = true;
|
||||
}
|
23
modules/profiles/sysext.nix
Normal file
23
modules/profiles/sysext.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
{ ... }:
|
||||
{
|
||||
system.activationScripts.sysext = ''
|
||||
mkdir -p /var/lib/confexts
|
||||
mkdir -p /var/lib/extensions
|
||||
mkdir -p /etc/systemd/extensions
|
||||
'';
|
||||
|
||||
systemd.additionalUpstreamSystemUnits = [
|
||||
"systemd-confext.service"
|
||||
"systemd-sysext.service"
|
||||
];
|
||||
|
||||
# systemd.services."systemd-confext" = {
|
||||
# enable = true;
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# };
|
||||
|
||||
# systemd.services."systemd-sysext.service" = {
|
||||
# enable = true;
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# };
|
||||
}
|
|
@ -1,5 +0,0 @@
|
|||
{ lib, options, ... }: {
|
||||
# This fields is immutable by default, but can be overridden.
|
||||
options.system.nixos.codeName = lib.mkOption { readOnly = false; };
|
||||
options.system.nixos.release = lib.mkOption { readOnly = false; };
|
||||
}
|
|
@ -1,96 +0,0 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
gpgPubKeyStaging = ''
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm
|
||||
zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu
|
||||
aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa
|
||||
gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux
|
||||
OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG
|
||||
H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe
|
||||
GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4
|
||||
DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA
|
||||
+0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps
|
||||
e5UE
|
||||
=m2st
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
'';
|
||||
gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
|
||||
mkdir -p $out
|
||||
export GNUPGHOME=$out
|
||||
gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
|
||||
gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
|
||||
rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*
|
||||
'';
|
||||
in
|
||||
{
|
||||
environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";
|
||||
|
||||
systemd.additionalUpstreamSystemUnits = [
|
||||
"systemd-sysext.service"
|
||||
];
|
||||
|
||||
systemd.services."systemd-sysext.service".enable = true;
|
||||
|
||||
systemd.sysupdate = {
|
||||
enable = true;
|
||||
|
||||
transfers = {
|
||||
"10-uki" = {
|
||||
Source = {
|
||||
MatchPattern = [
|
||||
"${config.boot.uki.name}_@v.efi.xz"
|
||||
];
|
||||
|
||||
Path = "https://images.dl.patagia.dev/patos/";
|
||||
Type = "url-file";
|
||||
};
|
||||
Target = {
|
||||
InstancesMax = 2;
|
||||
MatchPattern = [
|
||||
"${config.boot.uki.name}_@v.efi"
|
||||
];
|
||||
|
||||
Mode = "0444";
|
||||
Path = "/EFI/Linux";
|
||||
PathRelativeTo = "boot";
|
||||
|
||||
Type = "regular-file";
|
||||
};
|
||||
Transfer = {
|
||||
ProtectVersion = "%A";
|
||||
Verify = "no";
|
||||
};
|
||||
};
|
||||
|
||||
"20-store" = {
|
||||
Source = {
|
||||
MatchPattern = [
|
||||
"${config.boot.uki.name}_@v.img.xz"
|
||||
];
|
||||
Path = "https://images.dl.patagia.dev/patos/";
|
||||
Type = "url-file";
|
||||
};
|
||||
|
||||
Target = {
|
||||
InstancesMax = 2;
|
||||
|
||||
# This doesn't work, because / is a tmpfs and the heuristic is not that smart.
|
||||
#
|
||||
# Path = "auto";
|
||||
Path = "/dev/sda";
|
||||
|
||||
MatchPattern = "${config.boot.uki.name}_@v";
|
||||
|
||||
Type = "partition";
|
||||
ReadOnly = "yes";
|
||||
};
|
||||
Transfer = {
|
||||
Verify = "no";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
script = pkgs.writeShellScriptBin "patos-upgrade.sh" ''
|
||||
systemd-sysupdate --verify=no
|
||||
systemd-sysupdate --verify=no update --reboot
|
||||
'';
|
||||
in
|
||||
{
|
||||
environment.systemPackages = [
|
||||
# pkgs.ncdu
|
||||
script
|
||||
];
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
final: prev: {
|
||||
# Build mkfs.erofs with zstd support
|
||||
erofs-utils = prev.erofs-utils.overrideAttrs (old: {
|
||||
buildInputs = old.buildInputs ++ [ prev.zstd ];
|
||||
configureFlags = old.configureFlags ++ [
|
||||
"--enable-multithreading"
|
||||
"--enable-zstd"
|
||||
];
|
||||
});
|
||||
|
||||
util-linux = prev.util-linux.override {
|
||||
ncursesSupport = false;
|
||||
nlsSupport = false;
|
||||
};
|
||||
|
||||
dbus = prev.dbus.override {
|
||||
x11Support = false;
|
||||
};
|
||||
}
|
5
pkgs/composefs.nix
Normal file
5
pkgs/composefs.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{ prev, ... }:
|
||||
|
||||
prev.composefs.overrideAttrs (final: prev: {
|
||||
doCheck = false;
|
||||
})
|
12
pkgs/linux-firmware.nix
Normal file
12
pkgs/linux-firmware.nix
Normal file
|
@ -0,0 +1,12 @@
|
|||
{ stdenv, lib
|
||||
, linux-firmware
|
||||
, fwDirs
|
||||
}: stdenv.mkDerivation {
|
||||
pname = "linux-firmware-minimal";
|
||||
version = linux-firmware.version;
|
||||
buildCommand = lib.concatStringsSep "\n" (
|
||||
[''mkdir -p "$out/lib/firmware"'']
|
||||
++ (map (name: ''
|
||||
cp -r "${linux-firmware}/lib/firmware/${name}" "$out/lib/firmware/${name}"
|
||||
'') fwDirs));
|
||||
}
|
30
pkgs/qemu.nix
Normal file
30
pkgs/qemu.nix
Normal file
|
@ -0,0 +1,30 @@
|
|||
{ prev, pkgs, ... }:
|
||||
|
||||
(prev.qemu_test.override {
|
||||
enableDocs = false;
|
||||
capstoneSupport = false;
|
||||
guestAgentSupport = false;
|
||||
tpmSupport = false;
|
||||
libiscsiSupport = false;
|
||||
usbredirSupport = false;
|
||||
canokeySupport = false;
|
||||
hostCpuTargets = [ "x86_64-softmmu" ];
|
||||
}).overrideDerivation (old: {
|
||||
postFixup = ''
|
||||
rm -r "$out/share/icons"
|
||||
cp "${pkgs.OVMF.fd + "/FV/OVMF.fd"}" "$out/share/qemu/"
|
||||
'';
|
||||
configureFlags = old.configureFlags ++ [
|
||||
"--disable-tcg"
|
||||
"--disable-tcg-interpreter"
|
||||
"--disable-docs"
|
||||
"--disable-install-blobs"
|
||||
"--disable-slirp"
|
||||
"--disable-virtfs"
|
||||
"--disable-virtfs-proxy-helper"
|
||||
"--disable-vhost-user-blk-server"
|
||||
"--without-default-features"
|
||||
"--enable-kvm"
|
||||
"--disable-tools"
|
||||
];
|
||||
})
|
48
pkgs/systemd-ukify.nix
Normal file
48
pkgs/systemd-ukify.nix
Normal file
|
@ -0,0 +1,48 @@
|
|||
{ prev, ... }:
|
||||
|
||||
prev.systemd.override {
|
||||
withAcl = false;
|
||||
withAnalyze = false;
|
||||
withApparmor = false;
|
||||
withAudit = false;
|
||||
withEfi = true;
|
||||
withCompression = false;
|
||||
withCoredump = false;
|
||||
withCryptsetup = false;
|
||||
withRepart = false;
|
||||
withDocumentation = false;
|
||||
withFido2 = false;
|
||||
withFirstboot = false;
|
||||
withHomed = false;
|
||||
withHostnamed = false;
|
||||
withHwdb = false;
|
||||
withImportd = false;
|
||||
withIptables = false;
|
||||
withKmod = false;
|
||||
withLibBPF = false;
|
||||
withLibidn2 = false;
|
||||
withLocaled = false;
|
||||
withLogind = false;
|
||||
withMachined = false;
|
||||
withNetworkd = false;
|
||||
withNss = false;
|
||||
withOomd = false;
|
||||
withPam = false;
|
||||
withPasswordQuality = false;
|
||||
withPCRE2 = false;
|
||||
withPolkit = false;
|
||||
withPortabled = false;
|
||||
withQrencode = false;
|
||||
withRemote = false;
|
||||
withResolved = false;
|
||||
withShellCompletions = false;
|
||||
withSysusers = false;
|
||||
withSysupdate = false;
|
||||
withTimedated = false;
|
||||
withTimesyncd = false;
|
||||
withTpm2Tss = false;
|
||||
withUkify = true;
|
||||
withUserDb = false;
|
||||
withUtmp = false;
|
||||
withVmspawn = false;
|
||||
}
|
10
pkgs/systemd.nix
Normal file
10
pkgs/systemd.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
{ prev, ... }:
|
||||
|
||||
prev.systemd.override {
|
||||
withAcl = false;
|
||||
withApparmor = false;
|
||||
withDocumentation = false;
|
||||
withRemote = false;
|
||||
withShellCompletions = false;
|
||||
withVmspawn = false;
|
||||
}
|
155
tests/common.nix
Normal file
155
tests/common.nix
Normal file
|
@ -0,0 +1,155 @@
|
|||
{
|
||||
self,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
with import (pkgs.path + "/nixos/lib/testing-python.nix") {
|
||||
inherit pkgs;
|
||||
inherit (pkgs.hostPlatform) system;
|
||||
};
|
||||
|
||||
let
|
||||
qemu-common = import (pkgs.path + "/nixos/lib/qemu-common.nix") { inherit lib pkgs; };
|
||||
|
||||
in
|
||||
rec {
|
||||
|
||||
makeSystem =
|
||||
extraConfig:
|
||||
(import (pkgs.path + "/nixos/lib/eval-config.nix")) {
|
||||
inherit pkgs lib;
|
||||
system = null;
|
||||
modules = [
|
||||
{
|
||||
nixpkgs.hostPlatform = pkgs.hostPlatform;
|
||||
}
|
||||
{
|
||||
users.allowNoPasswordLogin = true;
|
||||
system.stateVersion = lib.versions.majorMinor lib.version;
|
||||
system.image.id = lib.mkDefault "test";
|
||||
system.image.version = lib.mkDefault "1";
|
||||
networking.hosts."10.0.2.1" = [ "server.test" ];
|
||||
}
|
||||
{
|
||||
boot.kernelParams = [
|
||||
"console=ttyS0,115200n8"
|
||||
"systemd.journald.forward_to_console=1"
|
||||
];
|
||||
image.compress = false;
|
||||
boot.uki.name = lib.mkForce "test";
|
||||
boot.initrd.compressor = lib.mkForce "zstd";
|
||||
boot.initrd.compressorArgs = lib.mkForce [ "-8" ];
|
||||
}
|
||||
(pkgs.path + "/nixos/modules/testing/test-instrumentation.nix")
|
||||
self.nixosModules.devel
|
||||
self.nixosModules.image
|
||||
extraConfig
|
||||
];
|
||||
};
|
||||
|
||||
makeImage =
|
||||
extraConfig:
|
||||
let
|
||||
system = makeSystem extraConfig;
|
||||
in
|
||||
"${system.config.system.build.image}/${system.config.system.build.image.imageFile}";
|
||||
|
||||
makeUpdatePackage =
|
||||
extraConfig:
|
||||
let
|
||||
system = makeSystem extraConfig;
|
||||
in
|
||||
"${system.config.system.build.updatePackage}";
|
||||
|
||||
makeImageTest =
|
||||
{
|
||||
name,
|
||||
image,
|
||||
script,
|
||||
httpRoot ? null,
|
||||
}:
|
||||
let
|
||||
qemu = qemu-common.qemuBinary pkgs.qemu_test;
|
||||
flags = [
|
||||
"-m"
|
||||
"512M"
|
||||
"-drive"
|
||||
"if=pflash,format=raw,unit=0,readonly=on,file=${pkgs.OVMF.firmware}"
|
||||
"-drive"
|
||||
"if=pflash,format=raw,unit=1,readonly=on,file=${pkgs.OVMF.variables}"
|
||||
"-drive"
|
||||
"if=virtio,file=${mutableImage}"
|
||||
"-chardev"
|
||||
"socket,id=chrtpm,path=${tpmFolder}/swtpm-sock"
|
||||
"-tpmdev"
|
||||
"emulator,id=tpm0,chardev=chrtpm"
|
||||
"-device"
|
||||
"tpm-tis,tpmdev=tpm0"
|
||||
"-netdev"
|
||||
(
|
||||
"'user,id=net0"
|
||||
+ (lib.optionalString (
|
||||
httpRoot != null
|
||||
) ",guestfwd=tcp:10.0.2.1:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${httpRoot}")
|
||||
+ "'"
|
||||
)
|
||||
"-device"
|
||||
"virtio-net-pci,netdev=net0"
|
||||
];
|
||||
flagsStr = lib.concatStringsSep " " flags;
|
||||
startCommand = "${qemu} ${flagsStr}";
|
||||
mutableImage = "/tmp/linked-image.qcow2";
|
||||
tpmFolder = "/tmp/emulated_tpm";
|
||||
indentLines = str: lib.concatLines (map (s: " " + s) (lib.splitString "\n" str));
|
||||
in
|
||||
makeTest {
|
||||
inherit name;
|
||||
nodes = { };
|
||||
testScript =
|
||||
''
|
||||
import os
|
||||
import subprocess
|
||||
|
||||
subprocess.check_call(
|
||||
[
|
||||
"qemu-img",
|
||||
"create",
|
||||
"-f",
|
||||
"qcow2",
|
||||
"-F",
|
||||
"raw",
|
||||
"-b",
|
||||
"${image}",
|
||||
"${mutableImage}",
|
||||
]
|
||||
)
|
||||
subprocess.check_call(["qemu-img", "resize", "${mutableImage}", "4G"])
|
||||
|
||||
os.mkdir("${tpmFolder}")
|
||||
os.mkdir("${tpmFolder}/swtpm")
|
||||
|
||||
def start_tpm():
|
||||
subprocess.Popen(
|
||||
[
|
||||
"${pkgs.swtpm}/bin/swtpm",
|
||||
"socket",
|
||||
"--tpmstate", "dir=${tpmFolder}/swtpm",
|
||||
"--ctrl", "type=unixio,path=${tpmFolder}/swtpm-sock",
|
||||
"--tpm2"
|
||||
]
|
||||
)
|
||||
|
||||
machine = create_machine("${startCommand}")
|
||||
|
||||
try:
|
||||
''
|
||||
+ indentLines script
|
||||
+ ''
|
||||
finally:
|
||||
machine.shutdown()
|
||||
'';
|
||||
};
|
||||
|
||||
}
|
9
tests/lib.nix
Normal file
9
tests/lib.nix
Normal file
|
@ -0,0 +1,9 @@
|
|||
test:
|
||||
{ pkgs, self }:
|
||||
let nixos-lib = import (pkgs.path + "/nixos/lib") {};
|
||||
in (nixos-lib.runTest {
|
||||
hostPkgs = pkgs;
|
||||
defaults.documentation.enable = false;
|
||||
node.specialArgs = { inherit self; };
|
||||
imports = [ test ];
|
||||
}).config.result
|
22
tests/podman.nix
Normal file
22
tests/podman.nix
Normal file
|
@ -0,0 +1,22 @@
|
|||
{ pkgs, self }: let
|
||||
|
||||
lib = pkgs.lib;
|
||||
test-common = import ./common.nix { inherit self lib pkgs; };
|
||||
|
||||
image = test-common.makeImage { };
|
||||
|
||||
in test-common.makeImageTest {
|
||||
name = "podman";
|
||||
inherit image;
|
||||
script = ''
|
||||
start_tpm()
|
||||
machine.start()
|
||||
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
machine.wait_for_unit("network-online.target")
|
||||
|
||||
machine.succeed("tar cv --files-from /dev/null | su admin -l -c 'podman import - scratchimg'")
|
||||
|
||||
machine.succeed("su admin -l -c 'podman run --rm -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg true'")
|
||||
'';
|
||||
}
|
45
tests/system-update.nix
Normal file
45
tests/system-update.nix
Normal file
|
@ -0,0 +1,45 @@
|
|||
{ pkgs, self }: let
|
||||
|
||||
lib = pkgs.lib;
|
||||
test-common = import ./common.nix { inherit self lib pkgs; };
|
||||
|
||||
initialImage = test-common.makeImage {
|
||||
system.image.version = "1";
|
||||
system.image.updates.url = "http://server.test/";
|
||||
# The default root-b is too small for uncompressed test images
|
||||
systemd.repart.partitions."32-root-b" = {
|
||||
SizeMinBytes = lib.mkForce "1G";
|
||||
SizeMaxBytes = lib.mkForce "1G";
|
||||
};
|
||||
};
|
||||
|
||||
updatePackage = test-common.makeUpdatePackage {
|
||||
system.image.version = "2";
|
||||
system.image.updates.url = "http://server.test/";
|
||||
};
|
||||
|
||||
in test-common.makeImageTest {
|
||||
name = "system-update";
|
||||
image = initialImage;
|
||||
httpRoot = updatePackage;
|
||||
script = ''
|
||||
start_tpm()
|
||||
machine.start()
|
||||
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
machine.wait_for_unit("network-online.target")
|
||||
|
||||
machine.succeed("/run/current-system/sw/lib/systemd/systemd-sysupdate update")
|
||||
|
||||
machine.shutdown()
|
||||
|
||||
start_tpm()
|
||||
machine.start()
|
||||
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
|
||||
machine.succeed('. /etc/os-release; [ "$IMAGE_VERSION" == "2" ]')
|
||||
|
||||
machine.wait_for_unit("systemd-bless-boot.service")
|
||||
'';
|
||||
}
|
49
utils/qemu-uefi-tpm.nix
Normal file
49
utils/qemu-uefi-tpm.nix
Normal file
|
@ -0,0 +1,49 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
pkgs.writeShellApplication {
|
||||
name = "qemu-uefi-tpm";
|
||||
|
||||
runtimeInputs = with pkgs; [
|
||||
qemu
|
||||
swtpm
|
||||
];
|
||||
|
||||
text =
|
||||
let
|
||||
tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
|
||||
in
|
||||
''
|
||||
set -ex
|
||||
state="/tmp/patos-qemu-$USER"
|
||||
rm -rf "$state"
|
||||
mkdir -m 700 "$state"
|
||||
qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 10G
|
||||
|
||||
swtpm socket -d --tpmstate dir="$state" \
|
||||
--ctrl type=unixio,path="$state/swtpm-sock" \
|
||||
--tpm2 \
|
||||
--log level=20
|
||||
|
||||
qemu-system-x86_64 \
|
||||
-enable-kvm \
|
||||
-machine q35,accel=kvm \
|
||||
-cpu host \
|
||||
-smp 8 \
|
||||
-m 4G \
|
||||
-display none \
|
||||
-chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \
|
||||
-serial chardev:char0 \
|
||||
-mon chardev=char0 \
|
||||
-drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
|
||||
-drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
|
||||
-chardev socket,id=chrtpm,path="$state/swtpm-sock" \
|
||||
-tpmdev emulator,id=tpm0,chardev=chrtpm \
|
||||
-device tpm-tis,tpmdev=tpm0 \
|
||||
-netdev id=net00,type=user,hostfwd=tcp::2222-:22 \
|
||||
-device virtio-net-pci,netdev=net00 \
|
||||
-drive "format=qcow2,file=$state/disk.qcow2"
|
||||
'';
|
||||
}
|
Loading…
Reference in a new issue