diff options
author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-05-20 16:10:21 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-05-20 16:14:26 +0200 |
commit | 368cb6b0d25db2ae23be42ad51584de059997e51 (patch) | |
tree | 3282e45d3ebced63c8498a47e83a255c35de620b /modules/system/boot/iso_entry | |
parent | refactor(hm): Rename to `modules/home` (diff) | |
download | nixos-config-368cb6b0d25db2ae23be42ad51584de059997e51.tar.gz nixos-config-368cb6b0d25db2ae23be42ad51584de059997e51.zip |
refactor(sys): Modularize and move to `modules/system` or `pkgs`
Diffstat (limited to 'modules/system/boot/iso_entry')
-rw-r--r-- | modules/system/boot/iso_entry/archlive_iso.nix | 77 | ||||
-rw-r--r-- | modules/system/boot/iso_entry/signing_key.nix | 18 |
2 files changed, 95 insertions, 0 deletions
diff --git a/modules/system/boot/iso_entry/archlive_iso.nix b/modules/system/boot/iso_entry/archlive_iso.nix new file mode 100644 index 00000000..d19a4a87 --- /dev/null +++ b/modules/system/boot/iso_entry/archlive_iso.nix @@ -0,0 +1,77 @@ +{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let + signing_key = import ./signing_key.nix {inherit pkgs;}; + + checked_iso = pkgs.stdenv.mkDerivation { + pname = "archlinux-iso"; + version = "2024.05.01"; + + srcs = [ + (pkgs.fetchurl { + url = "https://archlinux.org/iso/2024.05.01/archlinux-2024.05.01-x86_64.iso.sig"; + hash = "sha256-QOGYng6a7zA5EJKGotDccJ7fD2MmPPXQEdVr1kjJvi4="; + }) + (pkgs.fetchurl { + url = "https://mirror.informatik.tu-freiberg.de/arch/iso/latest/archlinux-2024.05.01-x86_64.iso"; + hash = "sha256-G0oE74pzUIUqEwcO5JhEKwh6YHoYhAtN19mYZ+tfakw="; + }) + (pkgs.fetchurl { + url = "https://archlinux.org/iso/2024.05.01/b2sums.txt"; + hash = "sha256-HSMS13hHXFKKQsCA8spa7XtirHCBTmePwhOsStVPbHw="; + }) + ]; + + dontUnpack = true; + + nativeBuildInputs = with pkgs; [ + sequoia-sq + ]; + + buildPhase = + /* + bash + */ + '' + cp -r "${signing_key}" ./release-key.pgp + for src in $srcs; do + cp -r "$src" "$(stripHash "$src")" + done + + sed '2d;3d;4d' b2sums.txt > b2sums_clean.txt + + # As per the directions from: https://archlinux.org/download/ + + # blake hash check + b2sum -c ./b2sums_clean.txt + + # pgp signature check + sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso + ''; + + installPhase = '' + cp archlinux-2024.05.01-x86_64.iso "$out"; + ''; + }; +in + pkgs.stdenv.mkDerivation { + name = "live_iso_boot_entry"; + + src = checked_iso; + + dontUnpack = true; + + nativeBuildInputs = with pkgs; [ + libarchive # for bsdtar + ]; + + buildPhase = '' + mkdir iso + bsdtar -xf "$src" -C iso + ''; + + installPhase = '' + install -D ./iso/arch/boot/x86_64/initramfs-linux.img "$out/live/initramfs-linux.img" + install -D ./iso/arch/boot/x86_64/vmlinuz-linux "$out/live/vmlinuz-linux" + + install -D "$src" "$out/archlinux.iso" + ''; + } diff --git a/modules/system/boot/iso_entry/signing_key.nix b/modules/system/boot/iso_entry/signing_key.nix new file mode 100644 index 00000000..788447be --- /dev/null +++ b/modules/system/boot/iso_entry/signing_key.nix @@ -0,0 +1,18 @@ +{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: +pkgs.stdenv.mkDerivation { + name = "archlinux_signing_keys"; + + outputHash = "sha256-evGWzkxMaZw3rlixKsyWCS/ZvNuZ+OfXQb6sgiHz9XY="; + outputHashAlgo = "sha256"; + NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + + nativeBuildInputs = with pkgs; [ + sequoia-sq + ]; + + dontUnpack = true; + + buildPhase = '' + sq --verbose --no-cert-store --no-key-store network wkd fetch pierre@archlinux.org --output "$out" + ''; +} |