Diffstat (limited to '')
-rw-r--r--modules/by-name/bo/boot/module.nix88
-rw-r--r--pkgs/by-name/ta/tails-iso/package.nix (renamed from modules/by-name/bo/boot/tails_iso.nix)45
2 files changed, 105 insertions, 28 deletions
diff --git a/modules/by-name/bo/boot/module.nix b/modules/by-name/bo/boot/module.nix
index 6a0c0cf7..4dc9130a 100644
--- a/modules/by-name/bo/boot/module.nix
+++ b/modules/by-name/bo/boot/module.nix
@@ -19,7 +19,73 @@
}: let
cfg = config.soispha.boot;
- tailsPrefix = "EFI/tails";
+ tails = let
+ tailsPrefix = "/EFI/tails";
+ in {
+ root = "${tailsPrefix}/tails.iso";
+ initrd = "${tailsPrefix}/initrd.img";
+ vmlinuz = "${tailsPrefix}/vmlinuz-linux";
+ };
+
+ iso = pkgs.tails-iso;
+
+ # From:
+ # - The extracted ISO's boot dir
+ # - Reverse engineered from:
+ # - `<tails iso squashfs>/usr/share/initramfs-tools/init`
+ # - `<tails iso squashfs>/usr/lib/live/boot/`
+ iso_options =
+ ## General options?
+ [
+ "initrd=${tails.initrd}"
+ # "noprompt"
+ # "timezone=Etc/UTC"
+ # "config"
+ # "noautologin"
+ # "slab_nomerge"
+ # "slub_debug=FZ"
+ # "mce=0"
+ # "vsyscall=none"
+ # "init_on_free=1"
+ # "mds=full,nosmt"
+ # "page_alloc.shuffle=1"
+ # "randomize_kstack_offset=on"
+ # "efi_pstore.pstore_disable=1"
+ # "erst_disable"
+ # "spec_store_bypass_disable=on"
+ # "systemd.condition_needs_update=no"
+ ]
+ ## Systemd log options
+ ++ [
+ "systemd.log_level=debug"
+ "systemd.log_target=console"
+ "console=tty1"
+ "systemd.journald.forward_to_console=1"
+ "systemd.unit=rescue.target"
+ ]
+ ## Options for the first `init` script
+ ++ [
+ # Use the `*-live` scripts
+ "boot=live"
+
+ # "splash"
+ "plymouth.enable=0"
+
+ # "quiet"
+ "debug"
+ ]
+ ## Options for the `*-live` `init` scripts
+ ++ [
+ "module=Tails"
+
+ # TODO: RO-makes the fromiso not work <2026-06-08>
+ # "live-boot.read-only=/dev/nvme0*"
+
+ # Don't store things persistently
+ "nopersistence"
+
+ "fromiso=/dev/nvme0n1p1/${tails.root}"
+ ];
in {
options.soispha.boot = {
enable = lib.mkEnableOption "Bootloader configuration";
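Review bot: The kernel command line built in `iso_options` boots the Tails entry into `systemd.unit=rescue.target` with `debug` and `systemd.log_level=debug`, while every upstream hardening flag recovered from the ISO (`slab_nomerge`, `init_on_free=1`, `mds=full,nosmt`, `randomize_kstack_offset=on`, …) is left commented out, and nothing in the hunk marks this as a temporary debugging configuration. A comment above the `## Systemd log options` list such as `# DEBUG: rescue.target + console logging, hardening flags disabled; revert before treating this entry as trusted` would make the intent explicit for the next reader. Because `tailsPrefix` now starts with `/`, `"fromiso=/dev/nvme0n1p1/${tails.root}"` expands to `/dev/nvme0n1p1//EFI/tails/tails.iso` (the `sbctl sign` path in the next hunk gets the same double slash); live-boot may tolerate it, but `"fromiso=/dev/nvme0n1p1${tails.root}"` is unambiguous. The hardcoded `/dev/nvme0n1p1` ties the entry to one machine, which is presumably intended for this host.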
@@ -113,7 +179,7 @@ in {
systemdCfg.extraFiles
)}
- ${lib.getExe pkgs.sbctl} sign "${bootMountPoint}/${tailsPrefix}/vmlinuz-linux"
+ ${lib.getExe pkgs.sbctl} sign "${bootMountPoint}/${tails.vmlinuz}"
${concatStrings (
mapAttrsToList (n: v: ''
@@ -133,19 +199,17 @@ in {
extraEntries = {
"live.conf" = ''
- title Tails Live ISO
- linux /${tailsPrefix}/vmlinuz-linux
- initrd /${tailsPrefix}/initramfs-linux.img
- options root=/${tailsPrefix}/tails.iso
+ title Tails ${iso.passthru.version} Live ISO
+ linux ${tails.vmlinuz}
+ initrd ${tails.initrd}
+ options ${builtins.concatStringsSep " " iso_options}
'';
};
- extraFiles = let
- iso = import ./tails_iso.nix {inherit pkgs;};
- in {
- "/${tailsPrefix}/tails.iso" = "${iso}/tails.iso";
- "/${tailsPrefix}/vmlinuz-linux" = "${iso}/live/vmlinuz-linux";
- "/${tailsPrefix}/initramfs-linux.img" = "${iso}/live/initramfs-linux.img";
+ extraFiles = {
+ "${tails.root}" = "${iso}/tails.iso";
+ "${tails.vmlinuz}" = "${iso}/live/vmlinuz-linux";
+ "${tails.initrd}" = "${iso}/live/initrd.img";
};
};
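Review bot: `extraFiles` places `tails.iso` and `initrd.img` next to the kernel on the ESP, but only `vmlinuz-linux` is passed to `sbctl sign` (previous hunk), so under Secure Boot the firmware verifies just the kernel while the initrd and the ISO that `fromiso=` mounts are loaded from the ESP without any signature check. The ISO's signature is only verified at build time inside the `tails-iso` package, so anyone able to write the ESP can replace the root filesystem this entry boots. This is an inherent limit of a separate-initrd boot entry rather than something the commit introduces, but it deserves a comment on `extraFiles`, e.g. `# Only vmlinuz is Secure-Boot signed; tails.iso and initrd.img are verified once at build time (tails-iso) and not at boot.`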
diff --git a/modules/by-name/bo/boot/tails_iso.nix b/pkgs/by-name/ta/tails-iso/package.nix
index ec2b740b..87bfd0b2 100644
--- a/modules/by-name/bo/boot/tails_iso.nix
+++ b/pkgs/by-name/ta/tails-iso/package.nix
@@ -7,21 +7,28 @@
#
# You should have received a copy of the License along with this program.
# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>.
-{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let
- checked_iso = pkgs.stdenv.mkDerivation (finalAttrs: {
- pname = "tails-iso";
- version = "amd64-7.8";
+{
+ stdenv,
+ fetchurl,
+ sequoia-sq,
+ libarchive, # for bsdtar
+}: let
+ files = builtins.fromJSON (builtins.readFile (./files.json));
+
+ checked_iso = stdenv.mkDerivation (finalAttrs: {
+ pname = "raw-tails-iso";
+ version = "amd64-${files.version}";
srcs = [
- (pkgs.fetchurl {
+ (fetchurl {
url = "https://tails.net/torrents/files/tails-${finalAttrs.version}.iso.sig";
- hash = "sha256-58vDQdXQYYqeVUHzupmDPtVVpSrxtT25+gwHe2OfvkA=";
+ hash = files.files."iso.sig";
})
- (pkgs.fetchurl {
+ (fetchurl {
url = "https://download.tails.net/tails/stable/tails-${finalAttrs.version}/tails-${finalAttrs.version}.iso";
- hash = "sha256-ewLHQ+3iI3aHgvKdBgysQ9QAudQ7AM83WP+VdYFmxt0=";
+ hash = files.files."iso";
})
- (pkgs.fetchurl {
+ (fetchurl {
url = "https://tails.net/tails-signing.key";
hash = "sha256-OwdqyM7o7K6F5Km0U1RU3hzsnaT+Yw0sjQk/thMeq1k=";
})
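Review bot: `files = builtins.fromJSON (builtins.readFile (./files.json))` reads a file that the diffstat does not list among the two changed files, so unless `files.json` already exists under `pkgs/by-name/ta/tails-iso/` evaluating this package fails before anything is fetched; please confirm it is committed alongside this change. The ISO and `.sig` hashes now come from that JSON while the `tails-signing.key` hash stays pinned inline, which is the right split but looks accidental without a comment; `# The signing-key hash is deliberately not in files.json: a version/hash refresh must never be able to change the trust root.` above the key's `fetchurl` would record that. Since `fetchurl` still enforces the `hash` attributes, a wrong value in `files.json` only fails the build, which is the desired failure mode.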
@@ -30,7 +37,7 @@
dontUnpack = true;
nativeBuildInputs = [
- pkgs.sequoia-sq
+ sequoia-sq
];
buildPhase =
@@ -53,15 +60,16 @@
'';
});
in
- pkgs.stdenv.mkDerivation {
- name = "live_iso_boot_entry";
+ stdenv.mkDerivation {
+ pname = "tails-iso-package";
+ inherit (checked_iso) version;
src = checked_iso;
dontUnpack = true;
- nativeBuildInputs = with pkgs; [
- libarchive # for bsdtar
+ nativeBuildInputs = [
+ libarchive
];
buildPhase = ''
@@ -69,10 +77,15 @@ in
bsdtar -xf "$src" -C iso
'';
+ passthru = {
+ inherit (files) version;
+ };
+
installPhase = ''
- install -D ./iso/live/initrd.img "$out/live/initramfs-linux.img"
+ install -D "$src" "$out/tails.iso"
install -D ./iso/live/vmlinuz "$out/live/vmlinuz-linux"
+ install -D ./iso/live/initrd.img "$out/live/initrd.img"
- install -D "$src" "$out/tails.iso"
+ chmod --recursive -x $out/tails.iso $out/live/*
'';
}
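Review bot: `passthru.version` is the bare `files.version`, while the derivation's own `version` (inherited from `checked_iso`) is `amd64-${files.version}`; the boot module's `live.conf` title uses the former, so the two are easy to confuse and a comment on `passthru` such as `# passthru.version is the upstream release number; the derivation version carries the amd64- prefix used in the download URLs` would help. The `chmod` line is the only one in the phase that leaves `$out` unquoted; `chmod --recursive -x "$out/tails.iso" "$out"/live/*` matches the surrounding `install` lines.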