Patagia/patos
Patagia/patos
1
1
Code Issues4 Pull requests6 Activity
patos/pkgs/rootfs/mkinitrd.nix

110 lines
2.7 KiB
Nix
Raw Blame History

{
pkgs,
patosPkgs,
runCommand,
...
}:
runCommand "patos-initrd" {
buildInputs = with pkgs; [
cpio
xz
];
}
''
echo "Building initram disk"
mkdir -p $out/root
pushd $out/root
### copy rootfs
cp -prP ${patosPkgs.rootfs}/* .
find . -type d -exec chmod 755 {} \;
mkdir sysroot
### create directories
ln -sf ../usr/lib/systemd/systemd init
### Create needed files
echo patos > ./etc/hostname
ln -sf /etc/os-release ./etc/initrd-release
# set default target to initrd inside initrd
ln -sf initrd.target ./usr/lib/systemd/system/default.target
# setup secure boot
cat <<EOF > ./usr/bin/secure-boot-enroll
#!/bin/sh
set -ex -o pipefail
SETUP_MODE=\$(sbctl status --json | xq -r '.setup_mode')
[ "\$SETUP_MODE" = "false" ] && exit 0
cat <<EOL> /run/sbctl.yml
---
keydir: /sysroot/boot/sbctl/keys
guid: /sysroot/boot/sbctl/GUID
EOL
ESP=\$(blkid --label ESP)
mount \$ESP /sysroot/boot && \
sbctl --config /run/sbctl.yml create-keys && \
sbctl --config /run/sbctl.yml enroll-keys --yolo && \
# Sign EFIs
find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}
umount /sysroot/boot && \
systemctl reboot -f
EOF
chmod +x ./usr/bin/secure-boot-enroll
cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service
[Unit]
Description=Enroll Secure Boot
DefaultDependencies=false
After=sysroot-run.mount
Requires=sysroot-run.mount
Before=systemd-repart.service initrd.target shutdown.target sysinit.target
[Service]
Type=oneshot
ExecStart=/usr/bin/secure-boot-enroll
RemainAfterExit=yes
EOF
ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service
# bind mount /run to /sysroot/run
cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount
[Unit]
Before=initrd-fs.target
DefaultDependencies=false
[Mount]
Options=bind
What=/run
Where=/sysroot/run
EOF
mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/
ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount
# repart: generate crypttab and fstab under /run
mkdir ./usr/lib/systemd/system/systemd-repart.service.d
cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf
[Unit]
After=sysroot-run.mount
Requires=sysroot-run.mount
[Service]
Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard
ExecStart=
ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab
EOF
ln -sf ../systemd-repart.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service
# gen initrd
find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz
popd
rm -rf $out/root
''
Reference in a new issue View git blame Copy permalink