diff options
| author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-10-18 17:07:46 +0200 |
|---|---|---|
| committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-10-18 17:07:46 +0200 |
| commit | c52c7f314ccadcc2fcd91e28c8fd1b88f6d5ce0c (patch) | |
| tree | e8b947710b467b32740598ff574982097836f66c /modules/by-name/bo/boot/iso_entry | |
| parent | chore(pkgs/yt): 1.2.1 -> 1.3.0 (diff) | |
| download | nixos-config-c52c7f314ccadcc2fcd91e28c8fd1b88f6d5ce0c.zip | |
refactor(modules): Move all system modules to `by-name`
From now on all modules should be added to the new `by-name` directory.
This should help remove the (superficial and utterly useless)
distinction between `home-manager` and `NixOS` modules.
Diffstat (limited to 'modules/by-name/bo/boot/iso_entry')
| -rw-r--r-- | modules/by-name/bo/boot/iso_entry/archlive_iso.nix | 77 | ||||
| -rw-r--r-- | modules/by-name/bo/boot/iso_entry/signing_key.nix | 18 |
2 files changed, 95 insertions, 0 deletions
diff --git a/modules/by-name/bo/boot/iso_entry/archlive_iso.nix b/modules/by-name/bo/boot/iso_entry/archlive_iso.nix new file mode 100644 index 00000000..d19a4a87 --- /dev/null +++ b/modules/by-name/bo/boot/iso_entry/archlive_iso.nix @@ -0,0 +1,77 @@ +{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let + signing_key = import ./signing_key.nix {inherit pkgs;}; + + checked_iso = pkgs.stdenv.mkDerivation { + pname = "archlinux-iso"; + version = "2024.05.01"; + + srcs = [ + (pkgs.fetchurl { + url = "https://archlinux.org/iso/2024.05.01/archlinux-2024.05.01-x86_64.iso.sig"; + hash = "sha256-QOGYng6a7zA5EJKGotDccJ7fD2MmPPXQEdVr1kjJvi4="; + }) + (pkgs.fetchurl { + url = "https://mirror.informatik.tu-freiberg.de/arch/iso/latest/archlinux-2024.05.01-x86_64.iso"; + hash = "sha256-G0oE74pzUIUqEwcO5JhEKwh6YHoYhAtN19mYZ+tfakw="; + }) + (pkgs.fetchurl { + url = "https://archlinux.org/iso/2024.05.01/b2sums.txt"; + hash = "sha256-HSMS13hHXFKKQsCA8spa7XtirHCBTmePwhOsStVPbHw="; + }) + ]; + + dontUnpack = true; + + nativeBuildInputs = with pkgs; [ + sequoia-sq + ]; + + buildPhase = + /* + bash + */ + '' + cp -r "${signing_key}" ./release-key.pgp + for src in $srcs; do + cp -r "$src" "$(stripHash "$src")" + done + + sed '2d;3d;4d' b2sums.txt > b2sums_clean.txt + + # As per the directions from: https://archlinux.org/download/ + + # blake hash check + b2sum -c ./b2sums_clean.txt + + # pgp signature check + sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso + ''; + + installPhase = '' + cp archlinux-2024.05.01-x86_64.iso "$out"; + ''; + }; +in + pkgs.stdenv.mkDerivation { + name = "live_iso_boot_entry"; + + src = checked_iso; + + dontUnpack = true; + + nativeBuildInputs = with pkgs; [ + libarchive # for bsdtar + ]; + + buildPhase = '' + mkdir iso + bsdtar -xf "$src" -C iso + ''; + + installPhase = '' + install -D ./iso/arch/boot/x86_64/initramfs-linux.img "$out/live/initramfs-linux.img" + install -D ./iso/arch/boot/x86_64/vmlinuz-linux "$out/live/vmlinuz-linux" + + install -D "$src" "$out/archlinux.iso" + ''; + } diff --git a/modules/by-name/bo/boot/iso_entry/signing_key.nix b/modules/by-name/bo/boot/iso_entry/signing_key.nix new file mode 100644 index 00000000..788447be --- /dev/null +++ b/modules/by-name/bo/boot/iso_entry/signing_key.nix @@ -0,0 +1,18 @@ +{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: +pkgs.stdenv.mkDerivation { + name = "archlinux_signing_keys"; + + outputHash = "sha256-evGWzkxMaZw3rlixKsyWCS/ZvNuZ+OfXQb6sgiHz9XY="; + outputHashAlgo = "sha256"; + NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + + nativeBuildInputs = with pkgs; [ + sequoia-sq + ]; + + dontUnpack = true; + + buildPhase = '' + sq --verbose --no-cert-store --no-key-store network wkd fetch pierre@archlinux.org --output "$out" + ''; +} |