ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
46cad549ef
heads/flake.nix
Thierry Laurion 46cad549ef
WiP flake.nix: make docker image usable for testing as well, target: qemu-coreboot-whiptail-tpm2 with swtpm and canokey for smartcard 
- include nix tools inside of the docker to be able to call the garbage collector prior of creating docker.
- protect roots from garbage collection (WiP)
  - Requires external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes
   - Could probably be improved. Works as of now and created a 4Gb vs 3.02Gb docker image I'm uploading now.
- CircleCI bumped to use v0.0.9 version including this
- CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again

So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now.
That feels nice. No need of USB security dongle to have TPM based TPMTOTP nor detach sign? Not tested but feature is there

TODO:
- make docker creating nicer in the Nix way.
- Add canokey support under targets/qemu.mk
- add canokey board version

At least we have reproducible stack and testing stack being in same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9)
- And I tried to clean binaries of symbols here! Seems like I do not know enough of the Nix way here.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 20:51:18 -04:00

162 lines
5.5 KiB
Nix
Raw Blame History

{
description = "Optimized heads flake for Docker image with garbage collection protection";
# Inputs define external dependencies and their sources.
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # Using the unstable channel for the latest packages, while flake.lock fixates the commit reused until changed.
flake-utils.url = "github:numtide/flake-utils"; # Utilities for flake functionality.
};
# Outputs are the result of the flake, including the development environment and Docker image.
outputs = { self, nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (system: let
pkgs = nixpkgs.legacyPackages.${system}; # Accessing the legacy package set.
lib = pkgs.lib; # The standard Nix packages library.
# Dependencies are the packages required for the Heads project.
# Organized into subsets for clarity and maintainability.
deps = with pkgs; [
# Core build utilities
autoconf
automake
bashInteractive
coreutils
bc
bison
bzip2
cacert
ccache
cmake
cpio
curl
diffutils
dtc
e2fsprogs
elfutils
findutils
flex
gawk
git
gnat
gnugrep
gnumake
gnused
gnutar
gzip
imagemagick # For bootsplash manipulation.
innoextract # ROM extraction for dGPU.
libtool
m4
ncurses5
openssl
parted
patch
perl
pkg-config
python3 # me_cleaner, coreboot.
rsync # coreboot.
sharutils
texinfo
unzip
wget
which
xz
zip
zlib
zlib.dev
] ++ [
# Packages for qemu support with Canokey integration.
qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement (RTFM).
canokey-qemu # Canokey lib for qemu build-time compilation.
(qemu.override {
canokeySupport = true; # This override enables Canokey support in QEMU, resulting in -device canokey being available.
})
] ++ [
# Additional tools for editing and testing.
vim # Mostly used amongst us, sorry if you'd like something else, open issue.
swtpm # QEMU requirement to emulate tpm1/tpm2.
dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support).
] ++ [
# Tools for handling binary blobs and compression.
bundler
p7zip
ruby
sudo
upx
];
# Stripping binaries to reduce size, while ensuring functionality is not affected.
stripBinaries = map (pkg: if pkg?isDerivation then pkg.overrideAttrs (oldAttrs: {
postInstall = oldAttrs.postInstall or "" + ''
strip $out/bin/* || true
'';
}) else pkg) deps;
in {
# The development shell includes all the dependencies.
devShell = pkgs.mkShellNoCC {
buildInputs = stripBinaries ++ [ pkgs.nix ]; # Include the Nix package to provide nix-collect-garbage.
shellHook = ''
# Create a garbage collection root for the Nix profile
mkdir -p /nix/var/nix/gcroots/per-user/$(whoami)
echo $(readlink -f $HOME/.nix-profile) > /nix/var/nix/gcroots/per-user/$(whoami)/profile
# Perform garbage collection to clean up any unnecessary files.
nix-collect-garbage -d
'';
};
# myDevShell outputs environment variables necessary for development.
packages.myDevShell =
pkgs.runCommand "my-dev-shell" {}
#bash
''
grep \
-e CMAKE_PREFIX_PATH \
-e NIX_CC_WRAPPER_TARGET_TARGET \
-e NIX_CFLAGS_COMPILE_FOR_TARGET \
-e NIX_LDFLAGS_FOR_TARGET \
-e PKG_CONFIG_PATH_FOR_TARGET \
-e ACLOCAL_PATH \
${self.devShell.${system}} >$out
'';
# Docker image configuration for the Heads project.
packages.dockerImage = pkgs.dockerTools.buildLayeredImage {
name = "linuxboot/heads"; # Image name.
tag = "dev-env"; # Image tag.
config.Entrypoint = ["bash" "-c" ''source /devenv.sh; if (( $# == 0 )); then exec bash; else exec "$@"; fi'']; # Entrypoint configuration.
# Contents of the Docker image, including stripped binaries for size optimization.
contents = stripBinaries ++ [
pkgs.dockerTools.binSh
pkgs.dockerTools.caCertificates
pkgs.dockerTools.usrBinEnv
];
enableFakechroot = true; # Enable fakechroot for compatibility.
# Fake root commands to set up the environment inside the Docker image.
fakeRootCommands =
#bash
''
set -e
# Environment setup for the development shell.
grep \
-e NIX_CC_WRAPPER_TARGET_TARGET \
-e NIX_CFLAGS_COMPILE_FOR_TARGET \
-e NIX_LDFLAGS_FOR_TARGET \
-e NIX_PKG_CONFIG_WRAPPER_TARGET \
-e PKG_CONFIG_PATH_FOR_TARGET \
-e ACLOCAL_PATH \
${self.devShell.${system}} >/devenv.sh
# Git configuration for safe directory access.
printf '[safe]\n\tdirectory = *\n' >/.gitconfig
mkdir /tmp; # Temporary directory for various operations.
'';
};
});
}
Reference in New Issue View Git Blame Copy Permalink