Merge pull request #17 from petm5/dev

petm5 · web-flow · commit d9088ad6bda9 · 2025-05-28T19:01:08.000-04:00
Nixlet v0.3.1
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.2.1
+0.3.1
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -11,43 +11,50 @@
     updateUrl = "https://github.com/petm5/nixlet/releases/latest/download";
     releaseVersion = nixpkgs.lib.strings.trim (builtins.readFile ./VERSION);
     baseConfig = [
+      (nixpkgs + "/nixos/modules/image/repart.nix")
+      ./modules/image/repart-image-verity-store-defaults.nix
+      ./modules/image/repart-image-compress.nix
+      ./modules/image/update-package.nix
+      ./modules/image/initrd-repart-expand.nix
+      ./modules/image/sysupdate-verity-store.nix
       ./modules/profiles/minimal.nix
       ./modules/profiles/image-based.nix
       ./modules/profiles/server.nix
       ./modules/hardware/generic-pc.nix
       (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
-      ./modules/image/repart-verity-store.nix
-      ./modules/image/initrd-repart-expand.nix
-      ./modules/image/sysupdate-verity-store.nix
       {
         nixpkgs.hostPlatform = "x86_64-linux";
         system.stateVersion = "24.05";
         system.image.updates.url = "${updateUrl}";
         system.image.id = "nixlet";
         system.image.version = releaseVersion;
+        boot.kernelPackages = pkgs.linuxPackages_latest;
       }
     ];
   in {
-    packages.x86_64-linux.nixlet = (nixpkgs.lib.nixosSystem {
+    nixosSystems.x86_64-linux.nixlet = nixpkgs.lib.nixosSystem {
       modules = baseConfig;
-    }).config.system.build.updatePackage;
-    packages.x86_64-linux.nixlet-insecure = (nixpkgs.lib.nixosSystem {
+    };
+    nixosSystems.x86_64-linux.nixlet-insecure = nixpkgs.lib.nixosSystem {
       modules = baseConfig ++ [ {
         system.image.filesystems.encrypt = false;
         system.image.id = nixpkgs.lib.mkOverride 0 "nixlet-insecure";
       } ];
-    }).config.system.build.updatePackage;
+    };
+    packages.x86_64-linux.nixlet = self.nixosSystems.x86_64-linux.nixlet.config.system.build.updatePackage;
+    packages.x86_64-linux.nixlet-insecure = self.nixosSystems.x86_64-linux.nixlet-insecure.config.system.build.updatePackage;
     checks.x86_64-linux = nixpkgs.lib.listToAttrs (map (test: nixpkgs.lib.nameValuePair "${test}" (import ./tests/${test}.nix {
       pkgs = nixpkgs.legacyPackages."x86_64-linux";
       inherit self;
     })) [ "integration" "system-update" ]);
     apps.x86_64-linux.nixlet-live-test = let
+      testSystem = self.nixosSystems.x86_64-linux.nixlet-insecure;
       script = (import ./tests/common.nix rec {
         inherit self;
         pkgs = nixpkgs.legacyPackages."x86_64-linux";
         lib = pkgs.lib;
       }).makeInteractiveTest {
-        image = "${self.packages.x86_64-linux.nixlet-insecure}/${self.packages.x86_64-linux.nixlet-insecure.combinedImage}";
+        image = "${testSystem.config.system.build.finalImage}/${testSystem.config.image.fileName}";
       };
     in {
       type = "app";
diff --git a/modules/image/initrd-repart-expand.nix b/modules/image/initrd-repart-expand.nix
@@ -62,6 +62,8 @@ in {
       };
     };
 
+    boot.initrd.systemd.additionalUpstreamUnits = [ "initrd-usr-fs.target" ];
+
     boot.initrd.systemd.services.systemd-repart.after = lib.mkForce [ ];
 
     boot.initrd.supportedFilesystems.btrfs = true;
diff --git a/modules/image/repart-image-compress.nix b/modules/image/repart-image-compress.nix
@@ -0,0 +1,3 @@
+{
+  image.repart.mkfsOptions.erofs = [ "-zlz4hc,12" "-C1048576" "-Efragments,dedupe,ztailpacking" ];
+}
diff --git a/modules/image/repart-image-verity-store-defaults.nix b/modules/image/repart-image-verity-store-defaults.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (pkgs.stdenv.hostPlatform) efiArch;
+  inherit (config.image.repart.verityStore) partitionIds;
+in {
+  assertions = [
+    { assertion = config.boot.initrd.systemd.enable; }
+  ];
+
+  fileSystems."/nix/store" = {
+    device = "/usr/nix/store";
+    options = [ "bind" ];
+  };
+
+  boot.kernelParams = [ "mount.usrfstype=erofs" "mount.usrflags=ro" ];
+
+  image.repart = {
+    verityStore.enable = true;
+
+    partitions = {
+      ${partitionIds.esp} = {
+        contents = {
+          # Include systemd-boot
+          "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source =
+            "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
+        };
+        repartConfig = {
+          Type = "esp";
+          Format = "vfat";
+          SizeMinBytes = "96M";
+          SplitName = "-";
+        };
+      };
+      ${partitionIds.store-verity}.repartConfig = {
+        SizeMinBytes = "64M";
+        SizeMaxBytes = "64M";
+        Label = "verity-${config.system.image.version}";
+        SplitName = "verity";
+        ReadOnly = 1;
+      };
+      ${partitionIds.store}.repartConfig = {
+        Minimize = "best";
+        Label = "usr-${config.system.image.version}";
+        SplitName = "usr";
+        ReadOnly = 1;
+      };
+    };
+  };
+}
diff --git a/modules/image/repart-verity-store.nix b/modules/image/repart-verity-store.nix
diff --git a/modules/image/update-package.nix b/modules/image/update-package.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }: let
+  finalImage = config.system.build.finalImage.override {
+    split = true;
+  };
+
+  verityImgAttrs = builtins.fromJSON (builtins.readFile "${finalImage}/repart-output.json");
+  # HACK: Magic indices are used to select partitions, which is error-prone
+  usrAttrs = builtins.elemAt verityImgAttrs 2;
+  verityAttrs = builtins.elemAt verityImgAttrs 1;
+
+  usrUuid = usrAttrs.uuid;
+  verityUuid = verityAttrs.uuid;
+in {
+  system.build.updatePackage = let
+    updateFiles = [
+      {
+        name = "${config.system.image.id}_${config.system.image.version}.efi";
+        path = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
+      }
+      {
+        name = "${config.system.image.id}_${config.system.image.version}_${verityUuid}.verity";
+        path = "${finalImage}/${config.image.baseName}.verity.raw";
+      }
+      {
+        name = "${config.system.image.id}_${config.system.image.version}_${usrUuid}.usr";
+        path = "${finalImage}/${config.image.baseName}.usr.raw";
+      }
+    ];
+    createHash = { name, path }: lib.concatStringsSep "  " [ (builtins.hashFile "sha256" path) name ];
+  in (pkgs.linkFarm "${config.system.build.image.pname}-update-package" (updateFiles ++ [
+    {
+      name = "${config.system.image.id}_${config.system.image.version}.img";
+      path = "${finalImage}/${config.image.baseName}.raw";
+    }
+    {
+      name = "SHA256SUMS";
+      path = pkgs.writeText "sha256sums.txt" (lib.concatLines (map createHash updateFiles));
+    }
+  ]));
+}
diff --git a/tests/common.nix b/tests/common.nix
@@ -14,26 +14,28 @@ in rec {
     inherit pkgs lib;
     system = null;
     modules = [
-      ../modules/image/repart-verity-store.nix
+      (pkgs.path + "/nixos/modules/image/repart.nix")
+      ../modules/image/repart-image-verity-store-defaults.nix
+      ../modules/image/update-package.nix
       ../modules/image/initrd-repart-expand.nix
       ../modules/image/sysupdate-verity-store.nix
       ../modules/profiles/minimal.nix
       ../modules/profiles/image-based.nix
       ../modules/profiles/server.nix
       (pkgs.path + "/nixos/modules/profiles/qemu-guest.nix")
       {
+        boot.kernelPackages = pkgs.linuxPackages_latest;
         users.allowNoPasswordLogin = true;
         system.stateVersion = lib.versions.majorMinor lib.version;
-        system.image.id = lib.mkDefault "test";
+        system.image.id = lib.mkDefault "nixos-appliance";
         system.image.version = lib.mkDefault "1";
         networking.hosts."10.0.2.1" = [ "server.test" ];
         boot.kernelParams = [
           "x-systemd.device-timeout=10s"
           "console=ttyS0,115200n8"
-          "panic=0" "boot.panic_on_fail"
         ];
         # Use weak compression
-        system.image.compress = false;
+        image.repart.compression.enable = false;
         boot.initrd.compressor = "zstd";
         boot.initrd.compressorArgs = [ "-2" ];
       }
@@ -44,7 +46,7 @@ in rec {
 
   makeImage = extraConfig: let
     system = makeSystem extraConfig;
-  in "${system.config.system.build.updatePackage}/${system.config.system.build.updatePackage.combinedImage}";
+  in "${system.config.system.build.finalImage}/${system.config.image.fileName}";
 
   makeUpdatePackage = extraConfig: let
     system = makeSystem extraConfig;
@@ -130,7 +132,6 @@ in rec {
     flagsStr = lib.concatStringsSep " " flags;
     startCommand = "${qemuCommand} ${flagsStr}";
     mutableImage = "nixlet-disk.qcow2";
-    tpmFolder = "emulated_tpm";
     qemuImgCommand = "${qemu}/bin/qemu-img";
     imgFlags = [
       "create"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	`+ image.repart.mkfsOptions.erofs = [ "-zlz4hc,12" "-C1048576" "-Efragments,dedupe,ztailpacking" ];`
	`3`	`+}`