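# patos-initrd: build a systemd-based initrd image from the PatOS rootfs.
#
# The derivation stages a copy of patosPkgs.rootfs under $out/root, adds the
# few files an initrd needs on top of it (init symlink, hostname,
# /etc/initrd-release, default target, the secure-boot-enroll unit, a /run
# bind mount into /sysroot and a systemd-repart override), packs the tree into
# an xz-compressed newc cpio archive and removes the staging tree again.
# The only build product is $out/initrd.xz.
{
  pkgs,
  patosPkgs,
  runCommand,
  ...
}:
let
  # Installed as /usr/bin/secure-boot-enroll inside the initrd and run by the
  # secure-boot-enroll.service unit written below.
  secureBootEnroll = ./secure-boot-enroll.sh;
in
runCommand "patos-initrd"
  {
    # Exposed to the builder as the $secureBootEnroll environment variable.
    inherit secureBootEnroll;
    buildInputs = with pkgs; [
      cpio
      xz
    ];
  }
  ''
    echo "Building initram disk"
    mkdir -p $out/root
    pushd $out/root

    ### copy rootfs
    # -p keeps the store's fixed mtimes; directories are widened to 755 so the
    # files below can be created inside them (store paths are read-only).
    cp -prP ${patosPkgs.rootfs}/* .
    find . -type d -exec chmod 755 {} +
    mkdir sysroot

    ### create directories
    ln -sf ../usr/lib/systemd/systemd init

    ### Create needed files
    echo patos > ./etc/hostname

    # systemd recognises the tree as an initrd by the presence of this file.
    ln -sf /etc/os-release ./etc/initrd-release

    # set default target to initrd inside initrd
    ln -sf initrd.target ./usr/lib/systemd/system/default.target

    # setup secure boot
    install -m 0755 "$secureBootEnroll" ./usr/bin/secure-boot-enroll

    # Enrollment only runs when the kernel command line opts in AND no Platform
    # Key is present yet (firmware still in setup mode); it is ordered before
    # repart so the disk is not touched until the key state is settled.
    # Quoted delimiters keep the unit text literal (no shell expansion).
    cat <<'EOF' > ./usr/lib/systemd/system/secure-boot-enroll.service
    [Unit]
    Description=Enroll Secure Boot
    DefaultDependencies=false
    After=sysroot-run.mount
    Requires=sysroot-run.mount
    Before=systemd-repart.service initrd.target shutdown.target sysinit.target
    ConditionKernelCommandLine=patos.secureboot=true
    ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c

    [Service]
    Type=oneshot
    ExecStart=/usr/bin/secure-boot-enroll
    RemainAfterExit=yes
    EOF
    ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service

    # bind mount /run to /sysroot/run
    cat <<'EOF' > ./usr/lib/systemd/system/sysroot-run.mount
    [Unit]
    Before=initrd-fs.target
    DefaultDependencies=false

    [Mount]
    Options=bind
    What=/run
    Where=/sysroot/run
    EOF
    mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/
    ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount

    # repart: generate crypttab and fstab under /run
    # The empty ExecStart= clears the upstream command before replacing it.
    mkdir ./usr/lib/systemd/system/systemd-repart.service.d
    cat <<'EOF' > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf
    [Unit]
    After=sysroot-run.mount
    Requires=sysroot-run.mount

    [Service]
    Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard
    ExecStart=
    ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab
    EOF
    ln -sf ../systemd-repart.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service

    # gen initrd
    # Files created above carry the build-time mtime and `find` walks the tree
    # in filesystem order, so normalise both and ask cpio for zeroed inode /
    # device numbers: the same rootfs then yields a bit-identical initrd, which
    # matters when the image is measured or signed.
    find . -exec touch -h -d @1 {} +
    find . -print0 | LC_ALL=C sort -z \
      | cpio --null --reproducible --owner=root:root -o --format=newc \
      | xz -9 --check=crc32 > ../initrd.xz

    popd
    rm -rf $out/root
  ''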