feat(sysupdate): Download from dl.patagia.dev. Add gpg authentication. #2
7 changed files with 92 additions and 32 deletions
4
base.nix
4
base.nix
|
@ -1,4 +1,5 @@
|
|||
{ ... }: {
|
||||
{ ... }:
|
||||
{
|
||||
imports = [
|
||||
./modules/system_overrides.nix
|
||||
./modules/minimize.nix
|
||||
|
@ -7,5 +8,6 @@
|
|||
./modules/partitions.nix
|
||||
./modules/network.nix
|
||||
./modules/sysupdate.nix
|
||||
./modules/utils.nix
|
||||
];
|
||||
}
|
||||
|
|
4
justfile
4
justfile
|
@ -14,3 +14,7 @@ build: build-image
|
|||
# Build PatOS image
|
||||
build-image:
|
||||
nix build .#patos_image
|
||||
|
||||
run: build-image
|
||||
qemu-efi -hda ./result/disk.qcow2
|
||||
|
||||
|
|
|
@ -1,13 +1,24 @@
|
|||
{ pkgs, config, ... }: {
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
boot.uki.name = "patos";
|
||||
boot.kernelParams = [ "console=ttyS0" ];
|
||||
boot = {
|
||||
uki.name = "patos";
|
||||
kernelParams = [ "console=ttyS0" ];
|
||||
initrd.systemd.enable = true;
|
||||
};
|
||||
|
||||
system.nixos.release = "2024-09";
|
||||
system.nixos.codeName = "Finn";
|
||||
system.nixos = {
|
||||
codeName = "Finn";
|
||||
distroId = "patos";
|
||||
distroName = "PatOS";
|
||||
release = "2024-09";
|
||||
};
|
||||
|
||||
system.nixos.distroId = "patos";
|
||||
system.nixos.distroName = "PatOS";
|
||||
system.image.version = "0.0.1"; # FIXME: Use epoch version.
|
||||
|
||||
# Make the current system version visible in the prompt.
|
||||
|
@ -20,8 +31,6 @@
|
|||
|
||||
services.getty.autologinUser = "root";
|
||||
|
||||
boot.initrd.systemd.enable = true;
|
||||
|
||||
# Don't accumulate crap.
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
services.journald.extraConfig = ''
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
{ modulesPath, ... }: {
|
||||
{ modulesPath, ... }:
|
||||
{
|
||||
imports = [
|
||||
"${modulesPath}/profiles/minimal.nix"
|
||||
];
|
||||
|
||||
boot.enableContainers = false;
|
||||
boot.loader.grub.enable = false;
|
||||
|
||||
system.switch.enable = false;
|
||||
|
@ -14,6 +16,5 @@
|
|||
system.disableInstallerTools = true;
|
||||
programs.less.lessopen = null;
|
||||
programs.command-not-found.enable = false;
|
||||
boot.enableContainers = false;
|
||||
environment.defaultPackages = [ ];
|
||||
}
|
||||
|
|
|
@ -1,4 +1,11 @@
|
|||
{ config, pkgs, lib, modulesPath, ... }: {
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
imports = [
|
||||
"${modulesPath}/image/repart.nix"
|
||||
|
@ -15,16 +22,16 @@
|
|||
partitions = {
|
||||
"esp" = {
|
||||
contents = {
|
||||
"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source =
|
||||
"${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
|
||||
"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
|
||||
|
||||
"/EFI/Linux/${config.system.boot.loader.ukiFile}".source =
|
||||
"${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
|
||||
"/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
|
||||
|
||||
# systemd-boot configuration
|
||||
"/loader/loader.conf".source = (pkgs.writeText "$out" ''
|
||||
timeout 3
|
||||
'');
|
||||
"/loader/loader.conf".source = (
|
||||
pkgs.writeText "$out" ''
|
||||
timeout 3
|
||||
''
|
||||
);
|
||||
};
|
||||
repartConfig = {
|
||||
Type = "esp";
|
||||
|
@ -39,7 +46,7 @@
|
|||
stripNixStorePrefix = true;
|
||||
repartConfig = {
|
||||
Type = "linux-generic";
|
||||
Label = "store_${config.system.image.version}";
|
||||
Label = "${config.boot.uki.name}_${config.system.image.version}";
|
||||
Format = "squashfs";
|
||||
Minimize = "off";
|
||||
ReadOnly = "yes";
|
||||
|
|
|
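Review bot: The reformatted `/loader/loader.conf` still contains only `timeout 3`, which leaves systemd-boot's entry editor at its default (enabled), so anyone with console access can press `e` at the menu and append `init=/bin/sh` or other parameters, bypassing the `ReadOnly = "yes"` squashfs store declared below. Add `editor no` to the loader.conf contents. Both `BOOT${efiArch}.EFI` and the UKI are copied in unsigned, so without Secure Boot this is a speed bump rather than a guarantee; a short comment stating which threat the setting is meant to address would help the next reader. The `partitions` attribute set starts and ends outside this hunk.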
@ -1,4 +1,32 @@
|
|||
{ config, ... }: {
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
gpgPubKeyStaging = ''
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm
|
||||
zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu
|
||||
aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa
|
||||
gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux
|
||||
OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG
|
||||
H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe
|
||||
GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4
|
||||
DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA
|
||||
+0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps
|
||||
e5UE
|
||||
=m2st
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
'';
|
||||
gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
|
||||
mkdir -p $out
|
||||
export GNUPGHOME=$out
|
||||
gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
|
||||
gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
|
||||
rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*
|
||||
'';
|
||||
in
|
||||
{
|
||||
environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";
|
||||
|
||||
systemd.sysupdate = {
|
||||
enable = true;
|
||||
|
||||
|
@ -9,12 +37,8 @@
|
|||
"${config.boot.uki.name}_@v.efi.xz"
|
||||
];
|
||||
|
||||
# We could fetch updates from the network as well:
|
||||
#
|
||||
# Path = "https://download.example.com/";
|
||||
# Type = "url-file";
|
||||
Path = "/var/updates/";
|
||||
Type = "regular-file";
|
||||
Path = "https://images.dl.patagia.dev/patos/";
|
||||
Type = "url-file";
|
||||
};
|
||||
Target = {
|
||||
InstancesMax = 2;
|
||||
|
@ -38,10 +62,8 @@
|
|||
MatchPattern = [
|
||||
"${config.boot.uki.name}_@v.img.xz"
|
||||
];
|
||||
# Path = "https://download.example.com/";
|
||||
# Type = "url-file";
|
||||
Path = "/var/updates/";
|
||||
Type = "regular-file";
|
||||
Path = "https://images.dl.patagia.dev/patos/";
|
||||
Type = "url-file";
|
||||
};
|
||||
|
||||
Target = {
|
||||
|
|
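Review bot: The only key imported into `/etc/systemd/import-pubring.gpg` is labelled "Patagia Staging", so every image built from this module — presumably including future production ones — will accept updates signed with the staging key; with a `url-file` source sysupdate verifies the fetched `SHA256SUMS.gpg` against this keyring and nothing else, so which key an image trusts deserves at least a comment on `gpgPubKeyStaging` and ideally a per-environment option. The `gpgKeyring` derivation uses `$out` as `GNUPGHOME` and then removes agent sockets by name without `-f`, so the build fails if gpg did not create all three, and any other gpg state (trustdb, etc.) ends up in the store path. A throwaway home avoids both: `export GNUPGHOME=$(mktemp -d)` and drop the `gpg --fingerprint` and `rm` lines, leaving only `import-pubring.gpg` in `$out`. It is also worth confirming the minimal image ships a CA bundle, since the HTTPS fetch from `images.dl.patagia.dev` should fail closed rather than fall back. The `[Source]` block of the first transfer is cut at the hunk edge.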
15
modules/utils.nix
Normal file
15
modules/utils.nix
Normal file
|
@ -0,0 +1,15 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
script = pkgs.writeShellScriptBin "patos-upgrade.sh" ''
|
||||
systemd-sysupdate --verify=no
|
||||
systemd-sysupdate --verify=no update --reboot
|
||||
'';
|
||||
in
|
||||
{
|
||||
environment.systemPackages = [ script ];
|
||||
}
|
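Review bot: `--verify=no` on both `systemd-sysupdate` calls in `patos-upgrade.sh` disables exactly the signature check this commit sets up by shipping `/etc/systemd/import-pubring.gpg`, so anything served from `images.dl.patagia.dev/patos/` is written to the ESP and store partition unverified. Drop the flag so `SHA256SUMS.gpg` is checked against the imported key: `systemd-sysupdate update --reboot`. The first invocation only lists transfers, and because `writeShellScriptBin` does not enable `set -e`, a failed fetch or verification there still falls through to the update; prefix the script with `set -euo pipefail` or remove the list call. If the flag is a temporary bypass while the publishing side is not yet signing, say so in a comment rather than leaving it silent.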