* flake: format
* image: update mkosi to 24.3
This updates mkosi to a next-version of v24.3, which is now available in nixpkgs. This removes the non-hermetic `uidmap` dependency, which is a great advantage. It will also be less of an effort to upgrade to v25 going forward.
Changes required are keeping `/var/cache` around (which is reproducible for our images, so no problem), as mkosi needs files from it in the build process. mkosi now additionally requires an explicit option to fetch the signing keys for the package repositories from the internet. A hack was required to satisfy the Bazel package, which should probably be solved properly at some point.
* vpn: ship our own container image
The container image used in the VPN chart should be reproducible and
stable. We're sticking close to the original nixery.dev version by
building the image with nix ourselves, and then publishing the single
layer from the result with Bazel OCI rules. The resulting image should
be handled similar to s3proxy: it's built as a part of the Constellation
release process and then consumed from a Helm chart in our registry.
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
Cryptsetup and libvirt are new.
OpenSSL was moved with the rest.
The dynamic libaries cryptsetup and libvirt also ship a file called closure.tar,
that contains the transitive closure for all of their dependencies.
This tar file can be used as a container image layer or added to a bootable OS image
to provide the runtime dependencies required for dynamic linking.
Additionally, they ship a `rpath` file. This can be used together with patchelf to
fix the RPATH of binaries produced by Bazel.
