# nixos-config - My current NixOS configuration
#
# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de>
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This file is part of my nixos-config.
#
# You should have received a copy of the License along with this program.
# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>.
# Entry point. Callers may pass their own `pkgs`; otherwise the x86_64-linux
# package set of the `nixpkgs` flake is used.
# NOTE(review): the default is looked up by flake name rather than by a locked
# revision, so the verification and extraction tools come from whatever that
# name resolves to at evaluation time. Pass a pinned `pkgs` where that matters.
{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let
  # The Tails image, emitted only after `sq verify` has accepted its detached
  # OpenPGP signature. The build has two independent integrity layers:
  #   1. every download below is pinned by a sha256 `hash`, and
  #   2. the image must carry a signature made by a certificate contained in
  #      the (equally pinned) signing-key file.
  # The hash of `tails-signing.key` is therefore the trust anchor of this file:
  # when it is changed, check the new key's fingerprint against a source that
  # is independent of the download before committing the new value.
  checked_iso = pkgs.stdenv.mkDerivation (finalAttrs: let
    # File name shared by the image URL, the signature URL and the build steps.
    isoName = "tails-${finalAttrs.version}.iso";
  in {
    pname = "tails-iso";
    version = "amd64-7.8";

    srcs = [
      # Detached signature over the image.
      (pkgs.fetchurl {
        url = "https://tails.net/torrents/files/${isoName}.sig";
        hash = "sha256-58vDQdXQYYqeVUHzupmDPtVVpSrxtT25+gwHe2OfvkA=";
      })
      # The image itself.
      (pkgs.fetchurl {
        url = "https://download.tails.net/tails/stable/tails-${finalAttrs.version}/${isoName}";
        hash = "sha256-ewLHQ+3iI3aHgvKdBgysQ9QAudQ7AM83WP+VdYFmxt0=";
      })
      # Certificate the signature is checked against (see the trust-anchor note
      # above).
      (pkgs.fetchurl {
        url = "https://tails.net/tails-signing.key";
        hash = "sha256-OwdqyM7o7K6F5Km0U1RU3hzsnaT+Yw0sjQk/thMeq1k=";
      })
    ];

    # The sources are plain files, not archives; nothing to unpack.
    dontUnpack = true;

    nativeBuildInputs = [
      pkgs.sequoia-sq
    ];

    # Copy each source into the build directory under its name without the
    # store-hash prefix, then verify the image. A failing `sq verify` is
    # expected to fail the build, so `installPhase` is reached only for an
    # image that passed the check.
    buildPhase =
      /*
      bash
      */
      ''
        for src in $srcs; do
          cp --recursive "$src" "$(stripHash "$src")"
        done
        sq verify \
          --signer-file=tails-signing.key \
          --signature-file=${isoName}.sig \
          ${isoName}
      '';

    # The output of this derivation is the verified image file itself.
    installPhase = ''
      cp ${isoName} "$out";
    '';
  });
in
  # Boot-entry payload built from `checked_iso`: the kernel and initrd taken
  # out of the image, plus the image itself, laid out under `$out`.
  # Everything installed here comes from `checked_iso`; nothing is fetched in
  # this derivation.
  pkgs.stdenv.mkDerivation {
    name = "live_iso_boot_entry";
    src = checked_iso;

    # `src` is an ISO image; it is extracted by hand with bsdtar below.
    dontUnpack = true;

    nativeBuildInputs = [
      pkgs.libarchive # for bsdtar
    ];

    # NOTE(review): the whole image is extracted although only two of its files
    # are installed. bsdtar can be given member names to limit extraction;
    # confirm the member paths inside the image before narrowing this.
    buildPhase = ''
      mkdir iso
      bsdtar -xf "$src" -C iso
    '';

    # Kernel and initrd are renamed to `vmlinuz-linux` and
    # `initramfs-linux.img`; the complete image is installed next to them as
    # `tails.iso`.
    installPhase = ''
      install -D ./iso/live/initrd.img "$out/live/initramfs-linux.img"
      install -D ./iso/live/vmlinuz "$out/live/vmlinuz-linux"
      install -D "$src" "$out/tails.iso"
    '';
  }