diff --git a/flake.lock b/flake.lock index e66669ccb..a633bfa33 100644 --- a/flake.lock +++ b/flake.lock @@ -36,11 +36,11 @@ }, "nixpkgsUnstable": { "locked": { - "lastModified": 1717399147, - "narHash": "sha256-eCWaE/q1VItpFAxxLVt171MdtDcjEnwi6QB/yuF73JU=", + "lastModified": 1725816686, + "narHash": "sha256-0Kq2MkQ/sQX1rhWJ/ySBBQlBJBUK8mPMDcuDhhdBkSU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4a4ecb0ab415c9fccfb005567a215e6a9564cdf5", + "rev": "add0443ee587a0c44f22793b8c8649a0dbc3bb00", "type": "github" }, "original": { @@ -83,11 +83,11 @@ ] }, "locked": { - "lastModified": 1715947971, - "narHash": "sha256-1YpxN5R3lEQnOUg94B2B/Ah2WDABUQTZ6kpyQMPt/xI=", + "lastModified": 1725522308, + "narHash": "sha256-AtsFZ92WkVkH8fd0Xa0D6/PR84/dtOH6gpM4mtn32Hk=", "owner": "edgelesssys", "repo": "uplosi", - "rev": "73b6208ac21603bb69e8079fa8be821e590de286", + "rev": "c8a482de299b5442f558d7381f0cbf898e0de0e1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 657d09f28..ddd1521c7 100644 --- a/flake.nix +++ b/flake.nix 
@@ -21,76 +21,98 @@ }; outputs = - { self - , nixpkgsUnstable - , nixpkgsBazel - , flake-utils - , uplosi - }: - flake-utils.lib.eachDefaultSystem (system: - let - pkgsUnstable = import nixpkgsUnstable { inherit system; }; - - bazelPkgsUnstable = import nixpkgsBazel { inherit system; }; - - callPackage = pkgsUnstable.callPackage; - - mkosiDev = (pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec { - propagatedBuildInputs = oldAttrs.propagatedBuildInputs ++ (with pkgsUnstable; [ - # package management - dnf5 - rpm - createrepo_c - - # filesystem tools - squashfsTools # mksquashfs - dosfstools # mkfs.vfat - mtools # mcopy - cryptsetup # dm-verity - util-linux # flock - kmod # depmod - cpio # cpio - zstd # zstd - xz # xz - - # utils - gnused # sed - gnugrep # grep - ]); - })); - - uplosiDev = uplosi.outputs.packages."${system}".uplosi; - - openssl-static = pkgsUnstable.openssl.override { static = true; }; - - bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix { pkgs = bazelPkgsUnstable; nixpkgs = nixpkgsBazel; }; - - in { - packages.mkosi = mkosiDev; + self, + nixpkgsUnstable, + nixpkgsBazel, + flake-utils, + uplosi, + }: + flake-utils.lib.eachDefaultSystem ( + system: + let + pkgsUnstable = import nixpkgsUnstable { inherit system; }; - packages.uplosi = uplosiDev; + bazelPkgsUnstable = import nixpkgsBazel { inherit system; }; - packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; }; + callPackage = pkgsUnstable.callPackage; - packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; + mkosiDev = ( + pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec { + propagatedBuildInputs = + oldAttrs.propagatedBuildInputs + ++ (with pkgsUnstable; [ + # package management + dnf5 + rpm + createrepo_c - packages.libvirt = callPackage ./nix/cc/libvirt.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; + # filesystem tools 
+ squashfsTools # mksquashfs + dosfstools # mkfs.vfat + mtools # mcopy + cryptsetup # dm-verity + util-linux # flock + kmod # depmod + cpio # cpio + zstd # zstd + xz # xz - packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; + # utils + gnused # sed + gnugrep # grep + ]); + }) + ); - packages.vpn = callPackage ./nix/container/vpn/vpn.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; }; + uplosiDev = uplosi.outputs.packages."${system}".uplosi; - packages.awscli2 = pkgsUnstable.awscli2; + openssl-static = pkgsUnstable.openssl.override { static = true; }; - packages.bazel_7 = bazel_7; + bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix { + pkgs = bazelPkgsUnstable; + nixpkgs = nixpkgsBazel; + }; - packages.createrepo_c = pkgsUnstable.createrepo_c; + in + { + packages.mkosi = mkosiDev; - packages.dnf5 = pkgsUnstable.dnf5; + packages.uplosi = uplosiDev; - devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; }; + packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; }; - formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt; - }); + packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; + }; + + packages.libvirt = callPackage ./nix/cc/libvirt.nix { + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; + }; + + packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; + }; + + packages.vpn = callPackage ./nix/container/vpn/vpn.nix { + pkgs = pkgsUnstable; + pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; + }; + + packages.awscli2 = pkgsUnstable.awscli2; + + packages.bazel_7 = bazel_7; + + 
packages.createrepo_c = pkgsUnstable.createrepo_c; + + packages.dnf5 = pkgsUnstable.dnf5; + + devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; }; + + formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt; + } + ); } diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf index dad6a0e9f..5deab82c8 100644 --- a/image/base/mkosi.conf +++ b/image/base/mkosi.conf @@ -1,6 +1,7 @@ [Distribution] Distribution=fedora Release=40 +RepositoryKeyFetch=yes [Output] Format=tar diff --git a/image/base/mkosi.postinst b/image/base/mkosi.postinst index 62b680654..728e5ad17 100755 --- a/image/base/mkosi.postinst +++ b/image/base/mkosi.postinst @@ -15,3 +15,19 @@ cp "${BUILDROOT}/usr/share/constellation/packagemanifest" "${OUTPUTDIR}/" # copy rpmdb to outputs cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite,.rpm.lock} "${OUTPUTDIR}/" + +# FIXME(msanft): +# Hack to satisfy Bazel's [output expectations](./BUILD.bazel). +# 2 Bazel packages can't share the same output paths, as it seems, and the +# files being copied around here aren't large, so copying them around doesn't +# hurt. +cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/lts-packagemanifest" +cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/lts-.rpm.lock" +cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/lts-rpmdb.sqlite" +cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/lts-rpmdb.sqlite-shm" +cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/lts-rpmdb.sqlite-wal" +cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/mainline-packagemanifest" +cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/mainline-.rpm.lock" +cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/mainline-rpmdb.sqlite" +cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/mainline-rpmdb.sqlite-shm" +cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/mainline-rpmdb.sqlite-wal" diff --git a/image/initrd/mkosi.conf b/image/initrd/mkosi.conf index 18dc92361..bceb53c8a 100644 --- a/image/initrd/mkosi.conf +++ b/image/initrd/mkosi.conf 
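Review bot: `RepositoryKeyFetch=yes` is added under `[Distribution]` in `image/base/mkosi.conf` with no comment saying why it is needed. As far as I know, this setting makes mkosi download the distribution's GPG keys at build time instead of using keys installed on the build host. If so, the trust anchor for RPM signature verification is no longer covered by what `flake.lock` pins, and image builds depend on that fetch succeeding. I would record the reason next to the setting, e.g. `# Fedora signing keys are fetched at build time because <reason>; they are not pinned by flake.lock`. The same line is added in `image/initrd/mkosi.conf` and `image/system/mkosi.conf`; if the keys can be supplied from a pinned package in the build environment, all three could stay at the default.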
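Review bot: The ten added `cp` lines in `image/base/mkosi.postinst` spell out the same five file names by hand for the `lts-` and `mainline-` prefixes, so any file later added to the rpmdb copy above must be kept in step in three places. A nested loop over the two prefixes and the five names would keep them together. Both prefixed sets are byte-for-byte copies of the base image's `packagemanifest` and rpmdb, so anything that later reads them as a per-variant package inventory gets the base data, which the FIXME could state explicitly. Whether a failed `cp` aborts the script depends on shell options set before line 15, outside this hunk.

```shell
# … unchanged: FIXME(msanft) comment explaining the Bazel output workaround …
for variant in lts mainline; do
  for f in packagemanifest .rpm.lock rpmdb.sqlite rpmdb.sqlite-shm rpmdb.sqlite-wal; do
    cp "${OUTPUTDIR}/${f}" "${OUTPUTDIR}/${variant}-${f}"
  done
done
```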
@@ -1,6 +1,7 @@ [Distribution] Distribution=fedora Release=40 +RepositoryKeyFetch=yes [Output] Format=cpio diff --git a/image/system/mkosi.conf b/image/system/mkosi.conf index fc956f06e..d97bbc1bb 100644 --- a/image/system/mkosi.conf +++ b/image/system/mkosi.conf @@ -1,6 +1,7 @@ [Distribution] Distribution=fedora Release=40 +RepositoryKeyFetch=yes [Output] Format=disk