From f7c2392be2ec56ce06a2535753cbd539102dae44 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Mon, 9 Sep 2024 11:18:51 +0200
Subject: [PATCH] image: update mkosi to 24.3 (#3342)
* flake: format
* image: update mkosi to 24.3 This updates mkosi to a next-version of v24.3, which is now available in nixpkgs. This removes the non-hermetic `uidmap` dependency, which is a great advantage. It will also be less of an effort to upgrade to v25 going forward. Changes required are keeping `/var/cache` around (which is reproducible for our images, so no problem), as mkosi needs files from it in the build process. mkosi now additionally requires an explicit option to fetch the signing keys for the package repositories from the internet. A hack was required to satisfy the Bazel package, which should probably be solved properly at some point.
---
 flake.lock | 12 ++--
 flake.nix | 140 ++++++++++++++++++++++----------------
 image/base/mkosi.conf | 1 +
 image/base/mkosi.postinst | 16 +++++
 image/initrd/mkosi.conf | 1 +
 image/system/mkosi.conf | 1 +
 6 files changed, 106 insertions(+), 65 deletions(-)
diff --git a/flake.lock b/flake.lock
index e66669ccb..a633bfa33 100644
--- a/flake.lock
+++ b/flake.lock
@@ -36,11 +36,11 @@
 },
 "nixpkgsUnstable": {
 "locked": {
- "lastModified": 1717399147,
- "narHash": "sha256-eCWaE/q1VItpFAxxLVt171MdtDcjEnwi6QB/yuF73JU=",
+ "lastModified": 1725816686,
+ "narHash": "sha256-0Kq2MkQ/sQX1rhWJ/ySBBQlBJBUK8mPMDcuDhhdBkSU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "4a4ecb0ab415c9fccfb005567a215e6a9564cdf5",
+ "rev": "add0443ee587a0c44f22793b8c8649a0dbc3bb00",
 "type": "github"
 },
 "original": {
@@ -83,11 +83,11 @@
 ]
 },
 "locked": {
- "lastModified": 1715947971,
- "narHash": "sha256-1YpxN5R3lEQnOUg94B2B/Ah2WDABUQTZ6kpyQMPt/xI=",
+ "lastModified": 1725522308,
+ "narHash": "sha256-AtsFZ92WkVkH8fd0Xa0D6/PR84/dtOH6gpM4mtn32Hk=",
 "owner": "edgelesssys",
 "repo": "uplosi",
- "rev": "73b6208ac21603bb69e8079fa8be821e590de286",
+ "rev": "c8a482de299b5442f558d7381f0cbf898e0de0e1",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 657d09f28..ddd1521c7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,76 +21,98 @@
 };
 outputs =
- { self
- , nixpkgsUnstable
- , nixpkgsBazel
- , flake-utils
- , uplosi
- }:
- flake-utils.lib.eachDefaultSystem (system:
- let
- pkgsUnstable = import nixpkgsUnstable { inherit system; };
-
- bazelPkgsUnstable = import nixpkgsBazel { inherit system; };
-
- callPackage = pkgsUnstable.callPackage;
-
- mkosiDev = (pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec {
- propagatedBuildInputs = oldAttrs.propagatedBuildInputs ++ (with pkgsUnstable; [
- # package management
- dnf5
- rpm
- createrepo_c
-
- # filesystem tools
- squashfsTools # mksquashfs
- dosfstools # mkfs.vfat
- mtools # mcopy
- cryptsetup # dm-verity
- util-linux # flock
- kmod # depmod
- cpio # cpio
- zstd # zstd
- xz # xz
-
- # utils
- gnused # sed
- gnugrep # grep
- ]);
- }));
-
- uplosiDev = uplosi.outputs.packages."${system}".uplosi;
-
- openssl-static = pkgsUnstable.openssl.override { static = true; };
-
- bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix { pkgs = bazelPkgsUnstable; nixpkgs = nixpkgsBazel; };
-
- in {
- packages.mkosi = mkosiDev;
+ self,
+ nixpkgsUnstable,
+ nixpkgsBazel,
+ flake-utils,
+ uplosi,
+ }:
+ flake-utils.lib.eachDefaultSystem (
+ system:
+ let
+ pkgsUnstable = import nixpkgsUnstable { inherit system; };
- packages.uplosi = uplosiDev;
+ bazelPkgsUnstable = import nixpkgsBazel { inherit system; };
- packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; };
+ callPackage = pkgsUnstable.callPackage;
- packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+ mkosiDev = (
+ pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec {
+ propagatedBuildInputs =
+ oldAttrs.propagatedBuildInputs
+ ++ (with pkgsUnstable; [
+ # package management
+ dnf5
+ rpm
+ createrepo_c
- packages.libvirt = callPackage ./nix/cc/libvirt.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+ # filesystem tools
+ squashfsTools # mksquashfs
+ dosfstools # mkfs.vfat
+ mtools # mcopy
+ cryptsetup # dm-verity
+ util-linux # flock
+ kmod # depmod
+ cpio # cpio
+ zstd # zstd
+ xz # xz
- packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+ # utils
+ gnused # sed
+ gnugrep # grep
+ ]);
+ })
+ );
- packages.vpn = callPackage ./nix/container/vpn/vpn.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+ uplosiDev = uplosi.outputs.packages."${system}".uplosi;
- packages.awscli2 = pkgsUnstable.awscli2;
+ openssl-static = pkgsUnstable.openssl.override { static = true; };
- packages.bazel_7 = bazel_7;
+ bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix {
+ pkgs = bazelPkgsUnstable;
+ nixpkgs = nixpkgsBazel;
+ };
- packages.createrepo_c = pkgsUnstable.createrepo_c;
+ in
+ {
+ packages.mkosi = mkosiDev;
- packages.dnf5 = pkgsUnstable.dnf5;
+ packages.uplosi = uplosiDev;
- devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; };
+ packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; };
- formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
- });
+ packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix {
+ pkgs = pkgsUnstable;
+ pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+ };
+
+ packages.libvirt = callPackage ./nix/cc/libvirt.nix {
+ pkgs = pkgsUnstable;
+ pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+ };
+
+ packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix {
+ pkgs = pkgsUnstable;
+ pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+ };
+
+ packages.vpn = callPackage ./nix/container/vpn/vpn.nix {
+ pkgs = pkgsUnstable;
+ pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+ };
+
+ packages.awscli2 = pkgsUnstable.awscli2;
+
+ packages.bazel_7 = bazel_7;
+
+ packages.createrepo_c = pkgsUnstable.createrepo_c;
+
+ packages.dnf5 = pkgsUnstable.dnf5;
+
+ devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; };
+
+ formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
+ }
+ );
 }
diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf
index dad6a0e9f..5deab82c8 100644
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@@ -1,6 +1,7 @@
 [Distribution]
 Distribution=fedora
 Release=40
+RepositoryKeyFetch=yes
 [Output]
 Format=tar
diff --git a/image/base/mkosi.postinst b/image/base/mkosi.postinst
index 62b680654..728e5ad17 100755
--- a/image/base/mkosi.postinst
+++ b/image/base/mkosi.postinst
@@ -15,3 +15,19 @@ cp "${BUILDROOT}/usr/share/constellation/packagemanifest" "${OUTPUTDIR}/"
 # copy rpmdb to outputs
 cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite,.rpm.lock} "${OUTPUTDIR}/"
+
+ # FIXME(msanft):
+ # Hack to satisfy Bazel's [output expectations](./BUILD.bazel).
+ # 2 Bazel packages can't share the same output paths, as it seems, and the
+ # files being copied around here aren't large, so copying them around doesn't
+ # hurt.
+ cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/lts-packagemanifest"
+ cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/lts-.rpm.lock"
+ cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/lts-rpmdb.sqlite"
+ cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/lts-rpmdb.sqlite-shm"
+ cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/lts-rpmdb.sqlite-wal"
+ cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/mainline-packagemanifest"
+ cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/mainline-.rpm.lock"
+ cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/mainline-rpmdb.sqlite"
+ cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/mainline-rpmdb.sqlite-shm"
+ cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/mainline-rpmdb.sqlite-wal"
diff --git a/image/initrd/mkosi.conf b/image/initrd/mkosi.conf
index 18dc92361..bceb53c8a 100644
--- a/image/initrd/mkosi.conf
+++ b/image/initrd/mkosi.conf
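Review bot: `RepositoryKeyFetch=yes` in image/base/mkosi.conf makes mkosi download the Fedora repository signing keys during the build, so the key that validates every package going into the image is itself obtained over the network at build time rather than from a source pinned in the repository, and nothing in the config records that or why it was needed. A one-line comment above it would save the next reader a trip to the commit message, e.g. `# mkosi 24.3 no longer ships distro keys; fetch them at build time (package trust then rests on the fetched key)`. The same uncommented line is added to image/initrd/mkosi.conf and image/system/mkosi.conf. If the build setup allows pinning the key fingerprint or pointing at a vendored key instead, that would be the stronger option; I cannot tell from this diff whether that is available.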
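Review bot: The ten `cp` lines at the end of the image/base/mkosi.postinst hunk repeat the same five-file list once per prefix, so the next file added to the rpmdb copy above has to be added in three places. A nested loop over the prefixes and the file names keeps a single list and makes the duplication the FIXME describes obvious at a glance. Whether a failed copy aborts the script depends on the shebang and `set` options at the top of the file, which are outside this hunk.
```shell
# … unchanged: FIXME(msanft) comment …
for prefix in lts mainline; do
  for f in packagemanifest .rpm.lock rpmdb.sqlite rpmdb.sqlite-shm rpmdb.sqlite-wal; do
    cp "${OUTPUTDIR}/${f}" "${OUTPUTDIR}/${prefix}-${f}"
  done
done
```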
@@ -1,6 +1,7 @@
 [Distribution]
 Distribution=fedora
 Release=40
+RepositoryKeyFetch=yes
 [Output]
 Format=cpio
diff --git a/image/system/mkosi.conf b/image/system/mkosi.conf
index fc956f06e..d97bbc1bb 100644
--- a/image/system/mkosi.conf
+++ b/image/system/mkosi.conf
@@ -1,6 +1,7 @@
 [Distribution]
 Distribution=fedora
 Release=40
+RepositoryKeyFetch=yes
 [Output]
 Format=disk