# nixos-config - My current NixOS configuration # # Copyright (C) 2025 Benedikt Peetz # SPDX-License-Identifier: GPL-3.0-or-later # # This file is part of my nixos-config. # # You should have received a copy of the License along with this program. # If not, see . {pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let checked_iso = pkgs.stdenv.mkDerivation (finalAttrs: { pname = "tails-iso"; version = "amd64-7.8"; srcs = [ (pkgs.fetchurl { url = "https://tails.net/torrents/files/tails-${finalAttrs.version}.iso.sig"; hash = "sha256-58vDQdXQYYqeVUHzupmDPtVVpSrxtT25+gwHe2OfvkA="; }) (pkgs.fetchurl { url = "https://download.tails.net/tails/stable/tails-${finalAttrs.version}/tails-${finalAttrs.version}.iso"; hash = "sha256-ewLHQ+3iI3aHgvKdBgysQ9QAudQ7AM83WP+VdYFmxt0="; }) (pkgs.fetchurl { url = "https://tails.net/tails-signing.key"; hash = "sha256-OwdqyM7o7K6F5Km0U1RU3hzsnaT+Yw0sjQk/thMeq1k="; }) ]; dontUnpack = true; nativeBuildInputs = [ pkgs.sequoia-sq ]; buildPhase = /* bash */ '' for src in $srcs; do cp --recursive "$src" "$(stripHash "$src")" done sq verify \ --signer-file=tails-signing.key \ --signature-file=tails-${finalAttrs.version}.iso.sig \ tails-${finalAttrs.version}.iso ''; installPhase = '' cp tails-${finalAttrs.version}.iso "$out"; ''; }); in pkgs.stdenv.mkDerivation { name = "live_iso_boot_entry"; src = checked_iso; dontUnpack = true; nativeBuildInputs = with pkgs; [ libarchive # for bsdtar ]; buildPhase = '' mkdir iso bsdtar -xf "$src" -C iso ''; installPhase = '' install -D ./iso/live/initrd.img "$out/live/initramfs-linux.img" install -D ./iso/live/vmlinuz "$out/live/vmlinuz-linux" install -D "$src" "$out/tails.iso" ''; }