authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-05-20 16:10:21 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-05-20 16:14:26 +0200
commit368cb6b0d25db2ae23be42ad51584de059997e51 (patch)
tree3282e45d3ebced63c8498a47e83a255c35de620b /modules/system/boot/iso_entry
parentrefactor(hm): Rename to `modules/home` (diff)
downloadnixos-config-368cb6b0d25db2ae23be42ad51584de059997e51.tar.gz
nixos-config-368cb6b0d25db2ae23be42ad51584de059997e51.zip
refactor(sys): Modularize and move to `modules/system` or `pkgs`
Diffstat (limited to 'modules/system/boot/iso_entry')
-rw-r--r--modules/system/boot/iso_entry/archlive_iso.nix77
-rw-r--r--modules/system/boot/iso_entry/signing_key.nix18
2 files changed, 95 insertions, 0 deletions
diff --git a/modules/system/boot/iso_entry/archlive_iso.nix b/modules/system/boot/iso_entry/archlive_iso.nix
new file mode 100644
index 00000000..d19a4a87
--- /dev/null
+++ b/modules/system/boot/iso_entry/archlive_iso.nix
@@ -0,0 +1,77 @@
+{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let
+  signing_key = import ./signing_key.nix {inherit pkgs;};
+
+  checked_iso = pkgs.stdenv.mkDerivation {
+    pname = "archlinux-iso";
+    version = "2024.05.01";
+
+    srcs = [
+      (pkgs.fetchurl {
+        url = "https://archlinux.org/iso/2024.05.01/archlinux-2024.05.01-x86_64.iso.sig";
+        hash = "sha256-QOGYng6a7zA5EJKGotDccJ7fD2MmPPXQEdVr1kjJvi4=";
+      })
+      (pkgs.fetchurl {
+        url = "https://mirror.informatik.tu-freiberg.de/arch/iso/latest/archlinux-2024.05.01-x86_64.iso";
+        hash = "sha256-G0oE74pzUIUqEwcO5JhEKwh6YHoYhAtN19mYZ+tfakw=";
+      })
+      (pkgs.fetchurl {
+        url = "https://archlinux.org/iso/2024.05.01/b2sums.txt";
+        hash = "sha256-HSMS13hHXFKKQsCA8spa7XtirHCBTmePwhOsStVPbHw=";
+      })
+    ];
+
+    dontUnpack = true;
+
+    nativeBuildInputs = with pkgs; [
+      sequoia-sq
+    ];
+
+    buildPhase =
+      /*
+      bash
+      */
+      ''
+        cp -r "${signing_key}" ./release-key.pgp
+        for src in $srcs; do
+          cp -r  "$src" "$(stripHash "$src")"
+        done
+
+        sed '2d;3d;4d' b2sums.txt > b2sums_clean.txt
+
+        # As per the directions from: https://archlinux.org/download/
+
+        # blake hash check
+        b2sum -c ./b2sums_clean.txt
+
+        # pgp signature check
+        sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso
+      '';
+
+    installPhase = ''
+      cp archlinux-2024.05.01-x86_64.iso "$out";
+    '';
+  };
+in
+  pkgs.stdenv.mkDerivation {
+    name = "live_iso_boot_entry";
+
+    src = checked_iso;
+
+    dontUnpack = true;
+
+    nativeBuildInputs = with pkgs; [
+      libarchive # for bsdtar
+    ];
+
+    buildPhase = ''
+      mkdir iso
+      bsdtar -xf "$src" -C iso
+    '';
+
+    installPhase = ''
+      install -D ./iso/arch/boot/x86_64/initramfs-linux.img "$out/live/initramfs-linux.img"
+      install -D ./iso/arch/boot/x86_64/vmlinuz-linux "$out/live/vmlinuz-linux"
+
+      install -D "$src" "$out/archlinux.iso"
+    '';
+  }
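Review bot: The `sed '2d;3d;4d' b2sums.txt` line in the first buildPhase picks the surviving checksum entries by line position, so it depends on the layout of the upstream list rather than on the name of the image being checked. Selecting the entry by file name states the intent and survives a reordered list at the next version bump, e.g. `grep ' archlinux-2024.05.01-x86_64.iso$' b2sums.txt > b2sums_clean.txt`. Separately, the ISO is fetched from a mirror's `/iso/latest/` path while the signature and checksum list use the dated `/iso/2024.05.01/` path. The pinned `hash` makes any mismatch fail the build, but the `latest` URL presumably stops resolving to this image once a newer release is published, so a dated path would be more stable.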
diff --git a/modules/system/boot/iso_entry/signing_key.nix b/modules/system/boot/iso_entry/signing_key.nix
new file mode 100644
index 00000000..788447be
--- /dev/null
+++ b/modules/system/boot/iso_entry/signing_key.nix
@@ -0,0 +1,18 @@
+{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}:
+pkgs.stdenv.mkDerivation {
+  name = "archlinux_signing_keys";
+
+  outputHash = "sha256-evGWzkxMaZw3rlixKsyWCS/ZvNuZ+OfXQb6sgiHz9XY=";
+  outputHashAlgo = "sha256";
+  NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+
+  nativeBuildInputs = with pkgs; [
+    sequoia-sq
+  ];
+
+  dontUnpack = true;
+
+  buildPhase = ''
+    sq --verbose --no-cert-store --no-key-store network wkd fetch pierre@archlinux.org --output "$out"
+  '';
+}
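Review bot: The certificate written to `$out` in buildPhase is accepted only because it matches `outputHash`, and nothing in the file records which key that hash stands for. This output is the trust anchor that archlive_iso.nix passes to `sq verify --signer-file`. Whoever has to refresh the hash later (the WKD response presumably changes when the key is extended or re-certified) has nothing to compare the new download against. A comment above `outputHash` would close that gap, for example `# Arch Linux release signing key, fingerprint <EXPECTED-FINGERPRINT>; check the fetched cert against an independent source before updating this hash`. Ideally the build would also fail when the fetched certificate does not carry that fingerprint.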