# nixos-config - My current NixOS configuration
#
# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de>
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This file is part of my nixos-config.
#
# You should have received a copy of the License along with this program.
# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>.
{
  stdenv,
  fetchurl,
  sequoia-sq,
  libarchive, # for bsdtar
}: let
  # Pinned release metadata read from files.json next to this file: the Tails
  # version plus the hashes of the ISO and of its detached signature.
  files = builtins.fromJSON (builtins.readFile (./files.json));

  # Downloads the ISO, its detached OpenPGP signature and the Tails signing
  # certificate, and only produces an output once `sq verify` accepts the
  # signature. All three downloads are fixed-output (hash-pinned), so the
  # certificate hash recorded below is what anchors the verification; a key
  # rotation upstream needs that hash updated here as well.
  verifiedIso = stdenv.mkDerivation (finalAttrs: let
    isoName = "tails-${finalAttrs.version}.iso";
    signingKeyName = "tails-signing.key";
  in {
    pname = "tails-iso";
    version = "amd64-${files.version}";

    srcs = [
      (fetchurl {
        url = "https://tails.net/torrents/files/${isoName}.sig";
        hash = files.files."iso.sig";
      })
      (fetchurl {
        url = "https://download.tails.net/tails/stable/tails-${finalAttrs.version}/${isoName}";
        hash = files.files."iso";
      })
      (fetchurl {
        url = "https://tails.net/${signingKeyName}";
        hash = "sha256-OwdqyM7o7K6F5Km0U1RU3hzsnaT+Yw0sjQk/thMeq1k=";
      })
    ];

    # The inputs are plain files (ISO, signature, certificate): nothing to unpack.
    dontUnpack = true;

    nativeBuildInputs = [sequoia-sq];

    buildPhase =
      /*
      bash
      */
      ''
        # Give each fetched store path back its plain file name so the
        # verification command below can refer to the files directly.
        for fetched in $srcs; do
          cp --recursive "$fetched" "$(stripHash "$fetched")"
        done

        # A signature that does not match the ISO under the pinned
        # certificate makes sq exit non-zero, which fails the build.
        sq verify \
          --signer-file=${signingKeyName} \
          --signature-file=${isoName}.sig \
          ${isoName}
      '';

    # The output is the verified ISO itself, as a single file.
    installPhase = ''
      cp ${isoName} "$out"
    '';
  });
in
  stdenv.mkDerivation {
    name = "live_iso_boot_entry";

    # Only the signature-checked ISO is ever unpacked.
    src = verifiedIso;

    dontUnpack = true;

    nativeBuildInputs = [libarchive]; # provides bsdtar, which reads ISO images

    buildPhase = ''
      mkdir iso
      bsdtar -xf "$src" -C iso
    '';

    # Expose the bare Tails version (without the "amd64-" prefix) to consumers.
    passthru.version = files.version;

    # Copy the kernel, initrd and root filesystem out of the ISO's live/ dir,
    # keeping the live/ layout under $out.
    installPhase = let
      liveFiles = ["initrd.img" "vmlinuz" "filesystem.squashfs"];
      installLine = f: ''install -D ./iso/live/${f} "$out/live/${f}"'';
    in
      builtins.concatStringsSep "\n" (map installLine liveFiles);
  }