# nixos-config - My current NixOS configuration
#
# Copyright (C) 2025 Benedikt Peetz
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This file is part of my nixos-config.
#
# You should have received a copy of the License along with this program.
# If not, see .

# Builds a boot-entry payload (kernel, initrd, squashfs) from a Tails ISO.
# The ISO is only used after its detached OpenPGP signature has been checked
# against the Tails signing key; the second derivation consumes nothing but
# that checked image.
{
  stdenv,
  fetchurl,
  sequoia-sq,
  libarchive, # for bsdtar
}:
let
  # Version string and per-file hashes live next to this file in files.json.
  manifest = builtins.fromJSON (builtins.readFile ./files.json);

  # The Tails ISO, copied to $out only after `sq verify` has accepted it.
  verifiedIso = stdenv.mkDerivation (
    finalAttrs:
    let
      # Detached signature over the ISO; hash taken from files.json.
      signature = fetchurl {
        url = "https://tails.net/torrents/files/tails-${finalAttrs.version}.iso.sig";
        hash = manifest.files."iso.sig";
      };

      # The ISO image itself; hash taken from files.json.
      image = fetchurl {
        url = "https://download.tails.net/tails/stable/tails-${finalAttrs.version}/tails-${finalAttrs.version}.iso";
        hash = manifest.files."iso";
      };

      # Signing key, pinned by an inline hash rather than through files.json.
      # NOTE(review): this hash is the trust anchor for the signature check
      # below. The hashes in files.json only pin whatever was downloaded when
      # they were recorded, so when this value is changed the key fingerprint
      # should be compared against an independent source first.
      signingKey = fetchurl {
        url = "https://tails.net/tails-signing.key";
        hash = "sha256-OwdqyM7o7K6F5Km0U1RU3hzsnaT+Yw0sjQk/thMeq1k=";
      };
    in
    {
      pname = "tails-iso";
      version = "amd64-${manifest.version}";

      # Order is kept as signature, image, key; buildPhase iterates $srcs.
      srcs = [
        signature
        image
        signingKey
      ];

      # The sources are plain files, not archives.
      dontUnpack = true;

      nativeBuildInputs = [ sequoia-sq ];

      # Copy every source into the build directory under its hash-stripped
      # name, then verify the detached signature over the ISO against the
      # certificate(s) in tails-signing.key. stdenv runs phases with errexit,
      # so a failing `sq verify` aborts the build before installPhase runs and
      # an unverified image never reaches $out.
      buildPhase =
        /* bash */
        ''
          for src in $srcs; do
            cp --recursive "$src" "$(stripHash "$src")"
          done

          sq verify \
            --signer-file=tails-signing.key \
            --signature-file=tails-${finalAttrs.version}.iso.sig \
            tails-${finalAttrs.version}.iso
        '';

      # The output of this derivation is the ISO file itself.
      installPhase = ''
        cp tails-${finalAttrs.version}.iso "$out";
      '';
    }
  );
in
stdenv.mkDerivation {
  name = "live_iso_boot_entry";

  # Only the signature-checked image is ever extracted.
  src = verifiedIso;
  dontUnpack = true;

  nativeBuildInputs = [ libarchive ];

  # bsdtar reads the ISO directly; its contents are unpacked into ./iso.
  buildPhase = ''
    mkdir iso
    bsdtar -xf "$src" -C iso
  '';

  # Expose the Tails version from files.json to consumers of this package.
  passthru.version = manifest.version;

  # Install the three live-boot artefacts under $out/live.
  installPhase = ''
    install -D ./iso/live/initrd.img "$out/live/initrd.img"
    install -D ./iso/live/vmlinuz "$out/live/vmlinuz"
    install -D ./iso/live/filesystem.squashfs "$out/live/filesystem.squashfs"
  '';
}