image: update mkosi to 24.3 (#3342)

* flake: format * image: update mkosi to 24.3 This updates mkosi to a next-version of v24.3, which is now available in nixpkgs. This removes the non-hermetic `uidmap` dependency, which is a great advantage. It will also be less of an effort to upgrade to v25 going forward. Changes required are keeping `/var/cache` around (which is reproducible for our images, so no problem), as mkosi needs files from it in the build process. mkosi now additionally requires an explicit option to fetch the signing keys for the package repositories from the internet. A hack was required to satisfy the Bazel package, which should probably be solved properly at some point.
2024-10-01 01:36:09 -04:00 · 2024-09-09 11:18:51 +02:00 · 2024-09-09 11:18:51 +02:00 · f7c2392be2
commit f7c2392be2
parent 5720fcc330
6 changed files with 106 additions and 65 deletions
--- a/flake.lock
+++ b/flake.lock
@ -36,11 +36,11 @@
    },
    "nixpkgsUnstable": {
      "locked": {
-        "lastModified": 1717399147,
-        "narHash": "sha256-eCWaE/q1VItpFAxxLVt171MdtDcjEnwi6QB/yuF73JU=",
+        "lastModified": 1725816686,
+        "narHash": "sha256-0Kq2MkQ/sQX1rhWJ/ySBBQlBJBUK8mPMDcuDhhdBkSU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4a4ecb0ab415c9fccfb005567a215e6a9564cdf5",
+        "rev": "add0443ee587a0c44f22793b8c8649a0dbc3bb00",
        "type": "github"
      },
      "original": {
@ -83,11 +83,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715947971,
-        "narHash": "sha256-1YpxN5R3lEQnOUg94B2B/Ah2WDABUQTZ6kpyQMPt/xI=",
+        "lastModified": 1725522308,
+        "narHash": "sha256-AtsFZ92WkVkH8fd0Xa0D6/PR84/dtOH6gpM4mtn32Hk=",
        "owner": "edgelesssys",
        "repo": "uplosi",
-        "rev": "73b6208ac21603bb69e8079fa8be821e590de286",
+        "rev": "c8a482de299b5442f558d7381f0cbf898e0de0e1",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -21,13 +21,15 @@
  };

  outputs =
-    { self
-    , nixpkgsUnstable
-    , nixpkgsBazel
-    , flake-utils
-    , uplosi
+    {
+      self,
+      nixpkgsUnstable,
+      nixpkgsBazel,
+      flake-utils,
+      uplosi,
    }:
-    flake-utils.lib.eachDefaultSystem (system:
+    flake-utils.lib.eachDefaultSystem (
+      system:
      let
        pkgsUnstable = import nixpkgsUnstable { inherit system; };

@ -35,8 +37,11 @@

        callPackage = pkgsUnstable.callPackage;

-      mkosiDev = (pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec {
-        propagatedBuildInputs = oldAttrs.propagatedBuildInputs ++ (with pkgsUnstable;  [
+        mkosiDev = (
+          pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec {
+            propagatedBuildInputs =
+              oldAttrs.propagatedBuildInputs
+              ++ (with pkgsUnstable; [
                # package management
                dnf5
                rpm
@ -57,13 +62,17 @@
                gnused # sed
                gnugrep # grep
              ]);
-      }));
+          })
+        );

        uplosiDev = uplosi.outputs.packages."${system}".uplosi;

        openssl-static = pkgsUnstable.openssl.override { static = true; };

-      bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix { pkgs = bazelPkgsUnstable; nixpkgs = nixpkgsBazel; };
+        bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix {
+          pkgs = bazelPkgsUnstable;
+          nixpkgs = nixpkgsBazel;
+        };

      in
      {
@ -73,13 +82,25 @@

        packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; };

-      packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+        packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix {
+          pkgs = pkgsUnstable;
+          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+        };

-      packages.libvirt = callPackage ./nix/cc/libvirt.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+        packages.libvirt = callPackage ./nix/cc/libvirt.nix {
+          pkgs = pkgsUnstable;
+          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+        };

-      packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+        packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix {
+          pkgs = pkgsUnstable;
+          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+        };

-      packages.vpn = callPackage ./nix/container/vpn/vpn.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
+        packages.vpn = callPackage ./nix/container/vpn/vpn.nix {
+          pkgs = pkgsUnstable;
+          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+        };

        packages.awscli2 = pkgsUnstable.awscli2;

@ -92,5 +113,6 @@
        devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; };

        formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
-    });
+      }
+    );
 }
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@ -1,6 +1,7 @@
 [Distribution]
 Distribution=fedora
 Release=40
+RepositoryKeyFetch=yes

 [Output]
 Format=tar
--- a/image/base/mkosi.postinst
+++ b/image/base/mkosi.postinst
@ -15,3 +15,19 @@ cp "${BUILDROOT}/usr/share/constellation/packagemanifest" "${OUTPUTDIR}/"

 # copy rpmdb to outputs
 cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite,.rpm.lock} "${OUTPUTDIR}/"
+
+# FIXME(msanft):
+# Hack to satisfy Bazel's [output expectations](./BUILD.bazel).
+# 2 Bazel packages can't share the same output paths, as it seems, and the
+# files being copied around here aren't large, so copying them around doesn't
+# hurt.
+cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/lts-packagemanifest"
+cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/lts-.rpm.lock"
+cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/lts-rpmdb.sqlite"
+cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/lts-rpmdb.sqlite-shm"
+cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/lts-rpmdb.sqlite-wal"
+cp "${OUTPUTDIR}/packagemanifest" "${OUTPUTDIR}/mainline-packagemanifest"
+cp "${OUTPUTDIR}/.rpm.lock" "${OUTPUTDIR}/mainline-.rpm.lock"
+cp "${OUTPUTDIR}/rpmdb.sqlite" "${OUTPUTDIR}/mainline-rpmdb.sqlite"
+cp "${OUTPUTDIR}/rpmdb.sqlite-shm" "${OUTPUTDIR}/mainline-rpmdb.sqlite-shm"
+cp "${OUTPUTDIR}/rpmdb.sqlite-wal" "${OUTPUTDIR}/mainline-rpmdb.sqlite-wal"
--- a/image/initrd/mkosi.conf
+++ b/image/initrd/mkosi.conf
@ -1,6 +1,7 @@
 [Distribution]
 Distribution=fedora
 Release=40
+RepositoryKeyFetch=yes

 [Output]
 Format=cpio
--- a/image/system/mkosi.conf
+++ b/image/system/mkosi.conf
@ -1,6 +1,7 @@
 [Distribution]
 Distribution=fedora
 Release=40
+RepositoryKeyFetch=yes

 [Output]
 Format=disk