Diffstat (limited to '')
-rw-r--r--modules/by-name/bo/boot/module.nix104
-rw-r--r--pkgs/by-name/ta/tails-iso/files.json7
-rw-r--r--pkgs/by-name/ta/tails-iso/package.nix21
-rwxr-xr-xpkgs/by-name/ta/tails-iso/update.sh66
4 files changed, 155 insertions, 43 deletions
diff --git a/modules/by-name/bo/boot/module.nix b/modules/by-name/bo/boot/module.nix
index b8c90d89..4dc9130a 100644
--- a/modules/by-name/bo/boot/module.nix
+++ b/modules/by-name/bo/boot/module.nix
@@ -19,37 +19,73 @@
}: let
cfg = config.soispha.boot;
- tailsPrefix = "EFI/tails";
+ tails = let
+ tailsPrefix = "/EFI/tails";
+ in {
+ root = "${tailsPrefix}/tails.iso";
+ initrd = "${tailsPrefix}/initrd.img";
+ vmlinuz = "${tailsPrefix}/vmlinuz-linux";
+ };
+
iso = pkgs.tails-iso;
- iso_options = [
- "initrd=/${tailsPrefix}/initrd.img"
- "boot=live"
- "config"
- "live-media=removable"
- "nopersistence"
- "noprompt"
- "timezone=Etc/UTC"
- "splash"
- "noautologin"
- "module=Tails"
- "slab_nomerge"
- "slub_debug=FZ"
- "mce=0"
- "vsyscall=none"
- "init_on_free=1"
- "mds=full,nosmt"
- "page_alloc.shuffle=1"
- "randomize_kstack_offset=on"
- "efi_pstore.pstore_disable=1"
- "erst_disable"
- "spec_store_bypass_disable=on"
- "systemd.condition_needs_update=no"
- "quiet"
+ # From:
+ # - The extracted ISO's boot dir
+ # - Reverse engineered from:
+ # - `<tails iso squashfs>/usr/share/initramfs-tools/init`
+ # - `<tails iso squashfs>/usr/lib/live/boot/`
+ iso_options =
+ ## General options?
+ [
+ "initrd=${tails.initrd}"
+ # "noprompt"
+ # "timezone=Etc/UTC"
+ # "config"
+ # "noautologin"
+ # "slab_nomerge"
+ # "slub_debug=FZ"
+ # "mce=0"
+ # "vsyscall=none"
+ # "init_on_free=1"
+ # "mds=full,nosmt"
+ # "page_alloc.shuffle=1"
+ # "randomize_kstack_offset=on"
+ # "efi_pstore.pstore_disable=1"
+ # "erst_disable"
+ # "spec_store_bypass_disable=on"
+ # "systemd.condition_needs_update=no"
+ ]
+ ## Systemd log options
+ ++ [
+ "systemd.log_level=debug"
+ "systemd.log_target=console"
+ "console=tty1"
+ "systemd.journald.forward_to_console=1"
+ "systemd.unit=rescue.target"
+ ]
+ ## Options for the first `init` script
+ ++ [
+ # Use the `*-live` scripts
+ "boot=live"
- "rootflags=loop"
- "root=/${tailsPrefix}/filesystem.squashfs"
- ];
+ # "splash"
+ "plymouth.enable=0"
+
+ # "quiet"
+ "debug"
+ ]
+ ## Options for the `*-live` `init` scripts
+ ++ [
+ "module=Tails"
+
+ # TODO: RO-makes the fromiso not work <2026-06-08>
+ # "live-boot.read-only=/dev/nvme0*"
+
+ # Don't store things persistently
+ "nopersistence"
+
+ "fromiso=/dev/nvme0n1p1/${tails.root}"
+ ];
in {
options.soispha.boot = {
enable = lib.mkEnableOption "Bootloader configuration";
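Review bot: Every kernel hardening option the old `iso_options` carried (`slab_nomerge` through `spec_store_bypass_disable=on`, now commented out at the top of the first list) is dropped from the committed boot line, while it gains `systemd.log_level=debug`, `systemd.journald.forward_to_console=1`, `systemd.unit=rescue.target` and `debug`, so the entry now boots into a verbose rescue target instead of a hardened live session. If this state exists to trace the `fromiso` problem named in the `live-boot.read-only` TODO, that TODO should say so and the hardening list should return together with the fix; the header comment says the old list was taken from the ISO's own boot dir, so it presumably reflects what upstream boots with. Separately, `tails.root` already starts with `/`, so `"fromiso=/dev/nvme0n1p1/${tails.root}"` expands to `/dev/nvme0n1p1//EFI/tails/tails.iso`; `"fromiso=/dev/nvme0n1p1${tails.root}"` avoids the doubled slash, and the same `/${tails.vmlinuz}` join in the sbctl line of the next hunk has the same issue (the `extraFiles` keys and the `linux`/`initrd` lines are fine as written). Whether live-boot tolerates the doubled slash when it splits the device node from the in-filesystem path I cannot tell from here, and the hard-coded `/dev/nvme0n1p1` ties the entry to one machine's device naming.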
@@ -143,7 +179,7 @@ in {
systemdCfg.extraFiles
)}
- ${lib.getExe pkgs.sbctl} sign "${bootMountPoint}/${tailsPrefix}/vmlinuz-linux"
+ ${lib.getExe pkgs.sbctl} sign "${bootMountPoint}/${tails.vmlinuz}"
${concatStrings (
mapAttrsToList (n: v: ''
@@ -164,16 +200,16 @@ in {
extraEntries = {
"live.conf" = ''
title Tails ${iso.passthru.version} Live ISO
- linux /${tailsPrefix}/vmlinuz
- initrd /${tailsPrefix}/initrd.img
+ linux ${tails.vmlinuz}
+ initrd ${tails.initrd}
options ${builtins.concatStringsSep " " iso_options}
'';
};
extraFiles = {
- "/${tailsPrefix}/filesystem.squashfs" = "${iso}/live/filesystem.squashfs";
- "/${tailsPrefix}/vmlinuz" = "${iso}/live/vmlinuz";
- "/${tailsPrefix}/initrd.img" = "${iso}/live/initrd.img";
+ "${tails.root}" = "${iso}/tails.iso";
+ "${tails.vmlinuz}" = "${iso}/live/vmlinuz-linux";
+ "${tails.initrd}" = "${iso}/live/initrd.img";
};
};
diff --git a/pkgs/by-name/ta/tails-iso/files.json b/pkgs/by-name/ta/tails-iso/files.json
new file mode 100644
index 00000000..0e42badf
--- /dev/null
+++ b/pkgs/by-name/ta/tails-iso/files.json
@@ -0,0 +1,7 @@
+{
+ "version": "7.8.1",
+ "files": {
+ "iso.sig": "sha256-DQm+EHe0KllmzLQzGU61cqaRDNjhU3KUCtDzHKDwWck=",
+ "iso": "sha256-Y4Sch1ZgWUODi9rxcXimVrFvicXPCN6SgLvINvJGcvw="
+ }
+}
diff --git a/pkgs/by-name/ta/tails-iso/package.nix b/pkgs/by-name/ta/tails-iso/package.nix
index d790befd..87bfd0b2 100644
--- a/pkgs/by-name/ta/tails-iso/package.nix
+++ b/pkgs/by-name/ta/tails-iso/package.nix
@@ -13,20 +13,20 @@
sequoia-sq,
libarchive, # for bsdtar
}: let
- version = "7.8.1";
+ files = builtins.fromJSON (builtins.readFile (./files.json));
checked_iso = stdenv.mkDerivation (finalAttrs: {
- pname = "tails-iso";
- version = "amd64-${version}";
+ pname = "raw-tails-iso";
+ version = "amd64-${files.version}";
srcs = [
(fetchurl {
url = "https://tails.net/torrents/files/tails-${finalAttrs.version}.iso.sig";
- hash = "sha256-DQm+EHe0KllmzLQzGU61cqaRDNjhU3KUCtDzHKDwWck=";
+ hash = files.files."iso.sig";
})
(fetchurl {
url = "https://download.tails.net/tails/stable/tails-${finalAttrs.version}/tails-${finalAttrs.version}.iso";
- hash = "sha256-Y4Sch1ZgWUODi9rxcXimVrFvicXPCN6SgLvINvJGcvw=";
+ hash = files.files."iso";
})
(fetchurl {
url = "https://tails.net/tails-signing.key";
@@ -61,7 +61,8 @@
});
in
stdenv.mkDerivation {
- name = "live_iso_boot_entry";
+ pname = "tails-iso-package";
+ inherit (checked_iso) version;
src = checked_iso;
@@ -77,12 +78,14 @@ in
'';
passthru = {
- inherit version;
+ inherit (files) version;
};
installPhase = ''
+ install -D "$src" "$out/tails.iso"
+ install -D ./iso/live/vmlinuz "$out/live/vmlinuz-linux"
install -D ./iso/live/initrd.img "$out/live/initrd.img"
- install -D ./iso/live/vmlinuz "$out/live/vmlinuz"
- install -D ./iso/live/filesystem.squashfs "$out/live/filesystem.squashfs"
+
+ chmod --recursive -x $out/tails.iso $out/live/*
'';
}
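Review bot: `passthru.version` is now `files.version` (`7.8.1`) while the derivation's own `version`, inherited from `checked_iso` in the previous hunk, is `amd64-7.8.1`, so `iso.version` and `iso.passthru.version` disagree for the same package; the boot entry title reads `passthru.version`, and one definition would remove the split, e.g. `version = files.version;` on the outer derivation (keeping `passthru` if the store-path name is meant to change) or dropping `passthru` and reading `iso.version`. The `chmod --recursive -x $out/tails.iso $out/live/*` line leaves `$out` unquoted; store paths carry no whitespace so it works, but quoting keeps it consistent with the `install` lines directly above. The enclosing `installPhase` string starts inside the hunk and ends at the closing `''` shown.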
diff --git a/pkgs/by-name/ta/tails-iso/update.sh b/pkgs/by-name/ta/tails-iso/update.sh
new file mode 100755
index 00000000..5a2a81cd
--- /dev/null
+++ b/pkgs/by-name/ta/tails-iso/update.sh
@@ -0,0 +1,66 @@
+#! /usr/bin/env sh
+
+set -e
+
+tmpHomePath="$(mktemp -d "${TMPDIR:-/tmp}/nix-prefetch-url-XXXXXXXXXX")"
+cleanup() {
+ chmod -R u+w "$tmpHomePath"
+ rm -rf "$tmpHomePath"
+}
+trap cleanup EXIT
+
+info() {
+ echo "$1" 1>&2
+}
+
+# Returns a name based on the url and reference
+#
+# This function needs to be in sync with nix's fetchgit implementation
+# of urlToName() to re-use the same nix store paths.
+url_to_name() {
+ url=$1
+
+ basename "$url" .git | cut -d: -f2
+}
+
+get_sha256() {
+ url="$1"
+ storePathName="$(url_to_name "$url")"
+ hashType="sha256"
+
+ tmpOut="$tmpHomePath/$storePathName"
+ info "Prefetching '$url'..."
+
+ curl --follow "$url" >"$tmpOut"
+
+ # Compute the hash.
+ hash=$(nix-hash --flat --type "$hashType" --sri "$tmpOut")
+
+ # Add the downloaded file to the Nix store.
+ finalPath=$(nix-store --add-fixed "$hashType" "$tmpOut")
+
+ info " -> Downloaded to '$finalPath'"
+ echo "$hash"
+}
+
+old_version="$(jq .version --raw-output <./files.json)"
+new_version="$(curl --follow https://download.tails.net/tails/stable/ 2>/dev/null | html2text -links | grep --regexp='\s*[0-9]\. tails-amd64-' | sed 's/\s*[0-9]\. tails-amd64-\(.*\)\//\1/')"
+
+if [ "$old_version" = "$new_version" ]; then
+ # No need to update.
+ info exit 0
+fi
+
+final_version="amd64-$new_version"
+
+cat <<EOF | jq . | tee ./files.json
+{
+ "version": "$new_version",
+ "files": {
+ "iso.sig": "$(get_sha256 "https://tails.net/torrents/files/tails-$final_version.iso.sig")",
+ "iso": "$(get_sha256 "https://download.tails.net/tails/stable/tails-$final_version/tails-$final_version.iso")"
+ }
+}
+EOF
+
+# vim: ft=sh
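Review bot: `info exit 0` on the no-update branch only prints the word `exit` to stderr and falls through, so the script re-downloads both files and rewrites `files.json` even when the version is unchanged; it should read `info "Already at $old_version, nothing to do."` followed by `exit 0`. `new_version` comes from a scraping pipeline whose failure status is masked by the assignment, so on a network error or a changed listing layout it can be empty, and `curl --follow` in `get_sha256` has no `--fail`, so an HTTP error body would then be hashed into `files.json`; add `[ -n "$new_version" ] || { info "could not determine latest version"; exit 1; }` after the assignment and use `curl --fail --follow` for the download. A wrong hash is caught later when the pinned fetch in `package.nix` fails, but the updater should not record it in the first place. Writing through `cat <<EOF | jq . | tee ./files.json` truncates `files.json` before `jq` has validated the document, so a failed substitution leaves an empty file; writing to a temporary file in `$tmpHomePath` and moving it over `files.json` only on success avoids that.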