From b16bf9bcb89683beb86eb88545cc9587f5885206 Mon Sep 17 00:00:00 2001 From: Daniel Lundin Date: Tue, 17 Sep 2024 23:59:42 +0200 Subject: [PATCH] feat(sysupdate): Download from dl.patagia.dev. Add gpg authentication. --- base.nix | 4 +++- justfile | 4 ++++ modules/generic.nix | 27 +++++++++++++++++--------- modules/minimize.nix | 5 +++-- modules/partitions.nix | 25 +++++++++++++++--------- modules/sysupdate.nix | 44 +++++++++++++++++++++++++++++++----------- modules/utils.nix | 15 ++++++++++++++ 7 files changed, 92 insertions(+), 32 deletions(-) create mode 100644 modules/utils.nix diff --git a/base.nix b/base.nix index 2c1076a..8e50f03 100644 --- a/base.nix +++ b/base.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ ./modules/system_overrides.nix ./modules/minimize.nix @@ -7,5 +8,6 @@ ./modules/partitions.nix ./modules/network.nix ./modules/sysupdate.nix + ./modules/utils.nix ]; } diff --git a/justfile b/justfile index cd8f0fd..1a1b7a8 100644 --- a/justfile +++ b/justfile @@ -14,3 +14,7 @@ build: build-image # Build PatOS image build-image: nix build .#patos_image + +run: build-image + qemu-efi -hda ./result/disk.qcow2 + diff --git a/modules/generic.nix b/modules/generic.nix index 00058ef..1f42ec6 100644 --- a/modules/generic.nix +++ b/modules/generic.nix @@ -1,13 +1,24 @@ -{ pkgs, config, ... }: { +{ + pkgs, + config, + lib, + ... +}: +{ - boot.uki.name = "patos"; - boot.kernelParams = [ "console=ttyS0" ]; + boot = { + uki.name = "patos"; + kernelParams = [ "console=ttyS0" ]; + initrd.systemd.enable = true; + }; - system.nixos.release = "2024-09"; - system.nixos.codeName = "Finn"; + system.nixos = { + codeName = "Finn"; + distroId = "patos"; + distroName = "PatOS"; + release = "2024-09"; + }; - system.nixos.distroId = "patos"; - system.nixos.distroName = "PatOS"; system.image.version = "0.0.1"; # FIXME: Use epoch version. # Make the current system version visible in the prompt. 
@@ -20,8 +31,6 @@ services.getty.autologinUser = "root"; - boot.initrd.systemd.enable = true; - # Don't accumulate crap. boot.tmp.cleanOnBoot = true; services.journald.extraConfig = '' diff --git a/modules/minimize.nix b/modules/minimize.nix index 1e62db1..2bc8cff 100644 --- a/modules/minimize.nix +++ b/modules/minimize.nix @@ -1,8 +1,10 @@ -{ modulesPath, ... }: { +{ modulesPath, ... }: +{ imports = [ "${modulesPath}/profiles/minimal.nix" ]; + boot.enableContainers = false; boot.loader.grub.enable = false; system.switch.enable = false; @@ -14,6 +16,5 @@ system.disableInstallerTools = true; programs.less.lessopen = null; programs.command-not-found.enable = false; - boot.enableContainers = false; environment.defaultPackages = [ ]; } diff --git a/modules/partitions.nix b/modules/partitions.nix index c900c24..0510348 100644 --- a/modules/partitions.nix +++ b/modules/partitions.nix @@ -1,4 +1,11 @@ -{ config, pkgs, lib, modulesPath, ... }: { +{ + config, + pkgs, + lib, + modulesPath, + ... +}: +{ imports = [ "${modulesPath}/image/repart.nix" @@ -15,16 +22,16 @@ partitions = { "esp" = { contents = { - "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = - "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi"; + "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi"; - "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = - "${config.system.build.uki}/${config.system.boot.loader.ukiFile}"; + "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}"; # systemd-boot configuration - "/loader/loader.conf".source = (pkgs.writeText "$out" '' - timeout 3 - ''); + "/loader/loader.conf".source = ( + pkgs.writeText "$out" '' + timeout 3 + '' + ); }; repartConfig = { Type = "esp"; 
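Review bot: The `loader.conf` written into the ESP on the new side only sets `timeout 3`, and systemd-boot leaves its entry editor enabled by default, so anyone at the console during that timeout can edit the UKI's kernel command line (for example append `init=/bin/sh`) unless Secure Boot is enforced and the stub discards the edited line; for an appliance image add `editor no` next to `timeout 3`, or use `timeout 0` if the menu is not needed at all. Separately, the derivation is named with the literal string `"$out"` (Nix only interpolates `${…}`), which ends up in the store path name; `pkgs.writeText "loader.conf" ''…''` names it after the file it produces. The `partitions` attribute set this hunk edits continues outside the hunk.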
@@ -39,7 +46,7 @@ stripNixStorePrefix = true; repartConfig = { Type = "linux-generic"; - Label = "store_${config.system.image.version}"; + Label = "${config.boot.uki.name}_${config.system.image.version}"; Format = "squashfs"; Minimize = "off"; ReadOnly = "yes"; diff --git a/modules/sysupdate.nix b/modules/sysupdate.nix index 949fbcb..8f126e8 100644 --- a/modules/sysupdate.nix +++ b/modules/sysupdate.nix @@ -1,4 +1,32 @@ -{ config, ... }: { +{ config, pkgs, ... }: +let + gpgPubKeyStaging = '' + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm + zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu + aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa + gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux + OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG + H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe + GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4 + DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA + +0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps + e5UE + =m2st + -----END PGP PUBLIC KEY BLOCK----- + ''; + gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } '' + mkdir -p $out + export GNUPGHOME=$out + gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint + gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}' + rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.* + ''; +in +{ + environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg"; + systemd.sysupdate = { enable = true; 
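Review bot: The only key placed in `/etc/systemd/import-pubring.gpg` is the one named `gpgPubKeyStaging`, whose user ID reads "Patagia Staging", yet it becomes the sole trust root for everything systemd-sysupdate pulls from `images.dl.patagia.dev`; if that is intentional for now it deserves a comment saying so, and a release key should be imported alongside it before images ship, because swapping the keyring later is itself an update that must verify against whatever is already embedded (and if the key block carries an expiry, verification stops working when it lapses). The `gpgKeyring` derivation never checks what it imported: a pinned-fingerprint assertion after the import, e.g. `gpg --no-default-keyring --keyring=$out/import-pubring.gpg --with-colons --fingerprint | grep -q "^fpr:::::::::$expectedFingerprint:$"` with the fingerprint kept beside the armored block, makes the build fail if the key text is ever altered. Finally, `export GNUPGHOME=$out` leaves `pubring.kbx`, `trustdb.gpg` and agent state in the store output, and the unconditional `rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*` fails the build whenever gpg did not create all of those sockets; pointing `GNUPGHOME` at a temporary directory and copying only `import-pubring.gpg` into `$out` avoids both.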
@@ -9,12 +37,8 @@ "${config.boot.uki.name}_@v.efi.xz" ]; - # We could fetch updates from the network as well: - # - # Path = "https://download.example.com/"; - # Type = "url-file"; - Path = "/var/updates/"; - Type = "regular-file"; + Path = "https://images.dl.patagia.dev/patos/"; + Type = "url-file"; }; Target = { InstancesMax = 2; @@ -38,10 +62,8 @@ MatchPattern = [ "${config.boot.uki.name}_@v.img.xz" ]; - # Path = "https://download.example.com/"; - # Type = "url-file"; - Path = "/var/updates/"; - Type = "regular-file"; + Path = "https://images.dl.patagia.dev/patos/"; + Type = "url-file"; }; Target = { diff --git a/modules/utils.nix b/modules/utils.nix new file mode 100644 index 0000000..9fbad21 --- /dev/null +++ b/modules/utils.nix @@ -0,0 +1,15 @@ +{ + config, + pkgs, + lib, + ... +}: +let + script = pkgs.writeShellScriptBin "patos-upgrade.sh" '' + systemd-sysupdate --verify=no + systemd-sysupdate --verify=no update --reboot + ''; +in +{ + environment.systemPackages = [ script ]; +} -- 2.47.0
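Review bot: With `Type = "url-file"` systemd-sysupdate also fetches `SHA256SUMS` and `SHA256SUMS.gpg` from `Path` and checks them against the installed keyring, which is what makes the HTTPS download trustworthy beyond the server's TLS certificate; nothing in the patch shows those files being published under `https://images.dl.patagia.dev/patos/`, so updates will not succeed until they are, and a comment on the `Path` line such as `# Server must publish SHA256SUMS + SHA256SUMS.gpg signed by the key in /etc/systemd/import-pubring.gpg` records that contract for whoever runs the mirror. Leaving `Verify=` at its default of yes in this transfer is correct; note that the `--verify=no` flags in modules/utils.nix bypass this check entirely. The `Source` section this hunk edits starts outside the hunk.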
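Review bot: Both invocations in `patos-upgrade.sh` pass `--verify=no`, which tells systemd-sysupdate to skip the SHA256SUMS hash check and the GPG signature check, so the keyring this same patch installs at `/etc/systemd/import-pubring.gpg` is never consulted and anyone who can serve content for `images.dl.patagia.dev` (or obtain a certificate for it) can deliver an arbitrary UKI and root image that the device then reboots into. Drop the flags so the default verification applies: `systemd-sysupdate` followed by `systemd-sysupdate update --reboot`; if verification genuinely has to stay off until the signing pipeline exists, gate it behind an explicit variable with a comment marking it temporary rather than baking it into the image. The first call carries no verb and appears to only list available versions, which a `# list candidates before updating` comment should say, and `update --reboot` reboots unattended, which the script's leading comment should warn about.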