heads/flake.nix

{
  description = "Optimized heads flake for Docker image with garbage collection protection";

  # Inputs define external dependencies and their sources.
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # Using the unstable channel for the latest packages, while flake.lock fixates the commit reused until changed.
    flake-utils.url = "github:numtide/flake-utils"; # Utilities for flake functionality.
  };
  # Outputs are the result of the flake, including the development environment and Docker image.
  outputs = {
    self,
    flake-utils,
    nixpkgs,
    ...
  }:
    flake-utils.lib.eachDefaultSystem (system: let
      pkgs = nixpkgs.legacyPackages.${system}; # Accessing the legacy package set.
      lib = pkgs.lib; # The standard Nix packages library.

      # Dependencies are the packages required for the Heads project.
      # Organized into subsets for clarity and maintainability.
      deps = with pkgs; [
        # Core build utilities
        autoconf
        automake
        bashInteractive
        coreutils
        bc
        bison # Generate flashmap descriptor parser
        bzip2
        cacert
        ccache
        cmake
        cpio
        curl
        diffutils
        dtc
        e2fsprogs
        elfutils
        findutils
        flex
        gawk
        git
        gnat # required for libgfxinit under coreboot, hacked around for kgpe-d16
        gnugrep
        gnumake
        gnused
        gnutar
        gzip
        imagemagick # For bootsplash manipulation
        innoextract # ROM extraction for dGPU
        libtool
        m4
        ncurses5 # make menuconfig and slang
        nss
        openssl # needed for talos-2 kernel build
        parted
        patch
        perl
        pkg-config
        python3 # me_cleaner, coreboot
        rsync # coreboot
        sharutils
        texinfo
        unzip
        wget
        which
        xz
        zip
        zlib
        zlib.dev
      ] ++ [
        qemu_full #Heavier then qemu + qemu_kvm, but contains qemu-img + kvm and everything else needed to do development/testing cycles under docker
      ] ++ [
        # Additional tools for debugging/editing/testing
        vim # Mostly used amongst us, sorry if you'd like something else, open issue
        swtpm # QEMU requirement to emulate tpm1/tpm2
        dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support).
        diffoscopeMinimal # Not sure exactly what is packed here, let's try. Might need diffoscope if something is missing
        gnupg #to inject public key inside of qemu create rom through inject_gpg target of targets/qemu.mk TODO: remove when pflash supported by flashrom + modify code
        less # so 'git log' is usable
        moreutils # so that 'make 2>&1 | ts' can give timestamps
      ] ++ [
        # Tools for handling binary blobs in their compressed state. (blobs/xx30/vbios_[tw]530.sh)
        bundler
        p7zip
        ruby
        sudo # ( °-° )
        upx
        binwalk # Extract all components of a binary
        uefi-firmware-parser #Parse and extract further hidden UEFI blobs from binaries
      ];
    in {
      # The development shell includes all the dependencies.
      devShell = pkgs.mkShellNoCC {
        buildInputs = deps;
      };

      # myDevShell outputs environment variables necessary for development.
      packages.myDevShell =
        pkgs.runCommand "my-dev-shell" {}
        #bash
        ''
          grep \
            -e CMAKE_PREFIX_PATH \
            -e NIX_CC_WRAPPER_TARGET_TARGET \
            -e NIX_CFLAGS_COMPILE_FOR_TARGET \
            -e NIX_LDFLAGS_FOR_TARGET \
            -e PKG_CONFIG_PATH_FOR_TARGET \
            -e ACLOCAL_PATH \
            ${self.devShell.${system}} >$out
        '';

      # Docker image configuration for the Heads project.
      packages.dockerImage = pkgs.dockerTools.buildLayeredImage {
        name = "linuxboot/heads";
        tag = "dev-env";
        config.Entrypoint = ["bash" "-c" ''source /devenv.sh; if (( $# == 0 )); then exec bash; else exec "$0" "$@"; fi''];
        contents =
          deps
          ++ [
          pkgs.dockerTools.binSh
          pkgs.dockerTools.caCertificates
          pkgs.dockerTools.usrBinEnv
        ];
        enableFakechroot = true;
        fakeRootCommands =
          #bash
          ''
          set -e

          # Environment setup for the development shell.
          grep \
            -e NIX_CC_WRAPPER_TARGET_TARGET \
            -e NIX_CFLAGS_COMPILE_FOR_TARGET \
            -e NIX_LDFLAGS_FOR_TARGET \
            -e NIX_PKG_CONFIG_WRAPPER_TARGET \
            -e PKG_CONFIG_PATH_FOR_TARGET \
            -e ACLOCAL_PATH \
            ${self.devShell.${system}} >/devenv.sh

          mkdir /tmp; # Temporary directory for various operations.
          chmod 1777 /tmp

          # Ensure /etc/passwd and /etc/group exist with root entries
          echo "root:x:0:0:root:/root:/bin/bash" > /etc/passwd
          echo "root:x:0:" > /etc/group
          mkdir -p /root
          chmod 700 /root

          # Git configuration for safe directory access.
          echo -e '[safe]\n\tdirectory = *\n' > /root/.gitconfig
        '';
      };
    });
}