Diffstat (limited to '')
-rw-r--r-- | sys/boot/archlive_iso.nix | 77 | ||||
-rw-r--r-- | sys/boot/default.nix | 41 | ||||
-rw-r--r-- | sys/boot/signing_key.nix | 18 |
3 files changed, 126 insertions, 10 deletions
diff --git a/sys/boot/archlive_iso.nix b/sys/boot/archlive_iso.nix
new file mode 100644
index 00000000..d19a4a87
--- /dev/null
+++ b/sys/boot/archlive_iso.nix
@@ -0,0 +1,77 @@
+{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let
+ signing_key = import ./signing_key.nix {inherit pkgs;};
+
+ checked_iso = pkgs.stdenv.mkDerivation {
+ pname = "archlinux-iso";
+ version = "2024.05.01";
+
+ srcs = [
+ (pkgs.fetchurl {
+ url = "https://archlinux.org/iso/2024.05.01/archlinux-2024.05.01-x86_64.iso.sig";
+ hash = "sha256-QOGYng6a7zA5EJKGotDccJ7fD2MmPPXQEdVr1kjJvi4=";
+ })
+ (pkgs.fetchurl {
+ url = "https://mirror.informatik.tu-freiberg.de/arch/iso/latest/archlinux-2024.05.01-x86_64.iso";
+ hash = "sha256-G0oE74pzUIUqEwcO5JhEKwh6YHoYhAtN19mYZ+tfakw=";
+ })
+ (pkgs.fetchurl {
+ url = "https://archlinux.org/iso/2024.05.01/b2sums.txt";
+ hash = "sha256-HSMS13hHXFKKQsCA8spa7XtirHCBTmePwhOsStVPbHw=";
+ })
+ ];
+
+ dontUnpack = true;
+
+ nativeBuildInputs = with pkgs; [
+ sequoia-sq
+ ];
+
+ buildPhase =
+ /*
+ bash
+ */
+ ''
+ cp -r "${signing_key}" ./release-key.pgp
+ for src in $srcs; do
+ cp -r "$src" "$(stripHash "$src")"
+ done
+
+ sed '2d;3d;4d' b2sums.txt > b2sums_clean.txt
+
+ # As per the directions from: https://archlinux.org/download/
+
+ # blake hash check
+ b2sum -c ./b2sums_clean.txt
+
+ # pgp signature check
+ sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso
+ '';
+
+ installPhase = ''
+ cp archlinux-2024.05.01-x86_64.iso "$out";
+ '';
+ };
+in
+ pkgs.stdenv.mkDerivation {
+ name = "live_iso_boot_entry";
+
+ src = checked_iso;
+
+ dontUnpack = true;
+
+ nativeBuildInputs = with pkgs; [
+ libarchive # for bsdtar
+ ];
+
+ buildPhase = ''
+ mkdir iso
+ bsdtar -xf "$src" -C iso
+ '';
+
+ installPhase = ''
+ install -D ./iso/arch/boot/x86_64/initramfs-linux.img "$out/live/initramfs-linux.img"
+ install -D ./iso/arch/boot/x86_64/vmlinuz-linux "$out/live/vmlinuz-linux"
+
+ install -D "$src" "$out/archlinux.iso"
+ '';
+ }
diff --git a/sys/boot/default.nix b/sys/boot/default.nix
index 9606c7b3..625394e8 100644
--- a/sys/boot/default.nix
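Review bot: The verification steps are tied to literal filenames and line positions even though `version = "2024.05.01"` already exists: `sed '2d;3d;4d' b2sums.txt` keeps whichever line happens to be first, and the `sq verify` and `cp` lines repeat the version string, so a bump that misses one of them verifies the wrong file or fails late. The mirror URL uses `/arch/iso/latest/`, so the same derivation stops building (hash mismatch, which at least fails closed) as soon as the mirror publishes the next release; pin it to `/arch/iso/2024.05.01/` like the two archlinux.org URLs. In buildPhase, select the checksum line by the ISO's name rather than by position (this assumes b2sums.txt is in the `hash  filename` layout that `b2sum -c` already requires) and derive the names from `$version`, which stdenv exports into the build environment, as below. The `stripHash` loop already places the `.sig` and `b2sums.txt` next to the ISO, so only the path references change.
```nix
      ''
        cp -r "${signing_key}" ./release-key.pgp
        for src in $srcs; do
          cp -r "$src" "$(stripHash "$src")"
        done

        iso="archlinux-$version-x86_64.iso"

        # As per the directions from: https://archlinux.org/download/

        # blake hash check: keep only the b2sums.txt entry for the ISO that was fetched
        grep -E " $iso\$" b2sums.txt > b2sums_clean.txt
        b2sum -c ./b2sums_clean.txt

        # pgp signature check
        sq verify --signer-file release-key.pgp --detached "$iso.sig" "$iso"
      '';

    installPhase = ''
      cp "archlinux-$version-x86_64.iso" "$out"
    '';
```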
+++ b/sys/boot/default.nix
@@ -1,8 +1,4 @@
-{
- pkgs,
- lib,
- ...
-}: {
+{pkgs, ...}: {
 boot = {
 initrd = {
 #compressor = "lz4";
@@ -15,14 +11,39 @@
 lanzaboote = {
 enable = true;
 pkiBundle = "/etc/secureboot";
+
+ settings = {
+ };
 };
 loader = {
- # Lanzaboote currently replaces the systemd-boot module.
- # This setting is usually set to true in configuration.nix
- # generated at installation time. So we force it to false
- # for now.
- systemd-boot.enable = lib.mkForce false;
+ systemd-boot = {
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ enable = false;
+
+ # Disable editing the kernel command line (which could allow someone to become root)
+ editor = false;
+
+ extraEntries = {
+ "live.conf" = ''
+ title Archlinux Live ISO
+ linux /live/vmlinuz-linux
+ initrd /live/initramfs-linux.img
+ options img_loop=/archlinux.iso copytoram
+ '';
+ };
+
+ extraFiles = let
+ iso = import ./archlive_iso.nix {inherit pkgs;};
+ in {
+ "archlinux.iso" = "${iso}/archlinux.iso";
+ "live/initramfs-linux.img" = "${iso}/live/initramfs-linux.img";
+ "live/vmlinuz-linux" = "${iso}/live/vmlinuz-linux";
+ };
+ };
 grub = {
 enable = false;
diff --git a/sys/boot/signing_key.nix b/sys/boot/signing_key.nix
new file mode 100644
index 00000000..788447be
--- /dev/null
+++ b/sys/boot/signing_key.nix
@@ -0,0 +1,18 @@
+{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}:
+pkgs.stdenv.mkDerivation {
+ name = "archlinux_signing_keys";
+
+ outputHash = "sha256-evGWzkxMaZw3rlixKsyWCS/ZvNuZ+OfXQb6sgiHz9XY=";
+ outputHashAlgo = "sha256";
+ NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+
+ nativeBuildInputs = with pkgs; [
+ sequoia-sq
+ ];
+
+ dontUnpack = true;
+
+ buildPhase = ''
+ sq --verbose --no-cert-store --no-key-store network wkd fetch pierre@archlinux.org --output "$out"
+ '';
+}
|
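Review bot: The `live.conf` entry and the `extraFiles` it references put a kernel, initramfs and ISO on the ESP that were verified at build time but carry no Secure Boot signature, so they sit outside the chain lanzaboote enforces through `pkiBundle`. With enforcement on, systemd-boot is expected to refuse the unsigned `/live/vmlinuz-linux` and the entry is dead weight; if enforcement is ever relaxed, the entry boots a root environment without the check that the `editor = false` comment above is there to preserve, and nothing verifies `/archlinux.iso` once it sits on the unencrypted ESP. Either sign the kernel with the same PKI (a Type 1 entry does not verify the initrd on its own, so a signed UKI is the cleaner route) or record the intent next to the entry: `# NOTE: live entry is unsigned; systemd-boot will not load it while Secure Boot is enforced, and archlinux.iso is not integrity-checked at boot.` The empty `settings = { };` added under `lanzaboote` does nothing and should be dropped or filled in. The `loader` attribute set continues outside the hunk.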
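Review bot: The `outputHash` on this fixed-output derivation is the sole trust anchor for the ISO signature check in archlive_iso.nix (it is what `--signer-file release-key.pgp` ends up holding), yet nothing in the file records which certificate it is meant to pin, so the next person who sees a hash mismatch after a WKD refresh (a renewed expiry or an added subkey changes the bytes) cannot tell a legitimate rotation from a substituted key. Record the expected fingerprint next to the hash and where it was cross-checked, e.g. `# Pins the certificate served via WKD for pierre@archlinux.org; fingerprint <EXPECTED_FINGERPRINT> cross-checked against https://archlinux.org/download/ before bumping outputHash.` Consider also asserting that fingerprint in buildPhase so a bump of `outputHash` alone cannot silently switch keys. `--verbose` is noise in a reproducible fetch and can go.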