Include a new 'update' command to update the system. This works as follows: 1. Take a global, system-wide lock. 2. Create a BTRFS subvolume for the sys.updates VM to write the updates. 3. Bind-mount this subvolume into the VM's shared directory. 4. Start sys.updates to get the updates. 5. Wait for the VM to shut down. 6. Take a BTRFS snapshot of the subvolume. 7. Call syncfs() to flush all of the data on the subvolume. 8. Inspect the contents of the subvolume. Check that everything is a regular file and that the names are reasonable. Check that SHA256SUMS and SHA256SUMS.gpg are present. 9. Call systemd-sysupdate to run the actual update. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 8 ++- host/rootfs/default.nix | 17 ++++--- host/rootfs/file-list.mk | 5 ++ host/rootfs/image/etc/fstab | 1 + .../image/etc/sysupdate.d/50-verity.transfer | 21 ++++++++ host/rootfs/image/etc/sysupdate.d/60-root.transfer | 21 ++++++++ .../image/etc/sysupdate.d/70-kernel.transfer | 25 ++++++++++ host/rootfs/image/usr/bin/run-update | 54 ++++++++++++++++++++ host/rootfs/image/usr/bin/update | 56 +++++++++++++++++++++ host/rootfs/image/usr/bin/vm-start | 25 +++++++++- host/rootfs/os-release.in | 13 +++++ host/rootfs/os-release.in.license | 2 + host/rootfs/shell.nix | 2 +- update-signing-keys.gpg | 1 + update-signing-keys.gpg.license | 2 + update-url | 1 + update-url.license | 2 + vm/app/sysupdate.d/50-verity.transfer | 18 +++++++ vm/app/sysupdate.d/60-root.transfer | 18 +++++++ vm/app/sysupdate.d/70-kernel.transfer | 18 +++++++ vm/app/updates.nix | 57 ++++++++++++++++++++++ 21 files changed, 356 insertions(+), 11 deletions(-) diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 4712d9063e9f2e3c9b8b7b4fb2a7e54d119c6840..2faa1e46c1a3bbbdf31baf1e972d9b4ecb389ae5 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -10,6 +10,7 @@ include file-list.mk dest = build/rootfs.erofs DIRS = \ + boot \ dev \ etc/s6-linux-init/env \ etc/s6-linux-init/run-image/configs \ @@ -47,11 +48,13 @@ DIRS = \ FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo -BUILD_FILES = build/etc/s6-rc +BUILD_FILES = build/etc/s6-rc build/etc/os-release $(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) build/empty build/fifo file-list.mk + set -euo pipefail; \ { \ cat $(PACKAGES_FILE) ;\ + printf '%s\n%s\n' ../../update-signing-keys.gpg /etc/systemd/import-pubring.gpg; \ for file in $(FILES) $(LINKS); do printf '%s\n%s\n' $$file "$${file#image/}"; done ;\ for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\ printf 'build/empty\n%s\n' $(DIRS) ;\ @@ -99,6 +102,9 @@ debug: $(VMLINUX) .PHONY: debug +build/etc/os-release: os-release.in build/etc + sed 's#@VERSION@#$(VERSION)#g' < os-release.in > $@ + run: build/live.img $(EXT_FS) build/rootfs.verity.roothash ../../lib/kcmdline-utils.mk @set -x && \ ext="$$(mktemp build/spectrum-rootfs-extfs.XXXXXXXXXX.img)" && \ diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index cb39f0d77b6640198da3ab840a2c8ca7cc1c91a1..c412fe17f45bde79f1efa42cadb29cfd5fbc3991 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -8,10 +8,10 @@ import ../../lib/call-package.nix ( }: pkgsStatic.callPackage ( -{ busybox, cloud-hypervisor, cryptsetup, dbus, erofs-utils, execline -, inkscape, inotify-tools, iproute2, jq, lib, mdevd, nixos -, runCommand, s6, s6-linux-init, s6-rc, socat, spectrum-host-tools -, stdenvNoCC, util-linux, virtiofsd, writeClosure +{ btrfs-progs, bash, busybox, cloud-hypervisor, cryptsetup, dbus +, erofs-utils, execline, inkscape, inotify-tools, iproute2, jq, lib +, mdevd, nixos, runCommand, s6, s6-linux-init, s6-rc, socat +, spectrum-host-tools, stdenvNoCC, util-linux, virtiofsd, writeClosure , xdg-desktop-portal-spectrum-host, xorg }: let @@ -40,8 +40,8 @@ let no_pgo_foot = foot.override { allowPgo = false; }; packages = [ - cloud-hypervisor crosvm cryptsetup dbus execline inotify-tools - iproute2 jq mdevd s6 s6-linux-init s6-rc socat + btrfs-progs cloud-hypervisor crosvm cryptsetup dbus execline + inotify-tools iproute2 jq mdevd s6 s6-linux-init s6-rc socat spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host (busybox.override { @@ -90,6 +90,7 @@ let appvm-firefox = callSpectrumPackage ../../vm/app/firefox.nix {}; appvm-foot = callSpectrumPackage ../../vm/app/foot.nix {}; appvm-gnome-text-editor = callSpectrumPackage ../../vm/app/gnome-text-editor.nix {}; + appvm-updates = callSpectrumPackage ../../vm/app/updates.nix {}; }; packagesSysroot = runCommand "packages-sysroot" { @@ -135,13 +136,15 @@ stdenvNoCC.mkDerivation { ../../lib/common.mk ../../lib/kcmdline-utils.mk ../../lib/verity.mk + ../../lib/kcmdline-utils.mk ../../scripts/make-erofs.sh ../../version + ../../update-signing-keys.gpg ]); }; sourceRoot = "source/host/rootfs"; - nativeBuildInputs = [ erofs-utils spectrum-build-tools s6-rc ]; + nativeBuildInputs = [ erofs-utils spectrum-build-tools s6-rc bash btrfs-progs ]; env = { PACKAGES = runCommand "packages" {} '' diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk index 9acaa1d90bed674814775becf89c1c847d0ce3e3..905422ebda0f70ce32def788e0c093527af293fc 100644 --- a/host/rootfs/file-list.mk +++ b/host/rootfs/file-list.mk @@ -42,13 +42,18 @@ FILES = \ image/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd \ image/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/run \ image/etc/s6-linux-init/scripts/rc.init \ + image/etc/sysupdate.d/50-verity.transfer \ + image/etc/sysupdate.d/60-root.transfer \ + image/etc/sysupdate.d/70-kernel.transfer \ image/etc/udev/rules.d/99-spectrum.rules \ image/etc/xdg/weston/autolaunch \ image/etc/xdg/weston/weston.ini \ image/usr/bin/assign-devices \ image/usr/bin/create-vm-dependencies \ image/usr/bin/run-appimage \ + image/usr/bin/run-update \ image/usr/bin/run-vmm \ + image/usr/bin/update \ image/usr/bin/vm-console \ image/usr/bin/vm-import \ image/usr/bin/vm-start \ diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab index 6a82ecc85090a37b13603b29f74ca6e554a28c33..78cec99f29dda993ad97048771097121a0e42622 100644 --- a/host/rootfs/image/etc/fstab +++ b/host/rootfs/image/etc/fstab @@ -4,3 +4,4 @@ proc /proc proc defaults 0 0 devpts /dev/pts devpts defaults,gid=4,mode=620 0 0 tmpfs /dev/shm tmpfs defaults 0 0 sysfs /sys sysfs defaults 0 0 +tmpfs /tmp tmpfs defaults,mode=0700 0 0 diff --git a/host/rootfs/image/etc/sysupdate.d/50-verity.transfer b/host/rootfs/image/etc/sysupdate.d/50-verity.transfer new file mode 100644 index 0000000000000000000000000000000000000000..07a698f3956e19f9f55efff52db51128c16a5b56 --- /dev/null +++ b/host/rootfs/image/etc/sysupdate.d/50-verity.transfer @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +# Uses example code from systemd man pages which is under MIT-0 +# (no attribution required). +[Transfer] +ProtectVersion=%A +Verify=yes + +[Source] +Type=url-file +Path=file:///run/updater +MatchPattern=Spectrum_OS_@v.verity + +[Target] +Type=partition +Path=auto +MatchPattern=Spectrum_OS_@v.verity +MatchPartitionType=root-verity +PartitionFlags=0 +ReadOnly=1 diff --git a/host/rootfs/image/etc/sysupdate.d/60-root.transfer b/host/rootfs/image/etc/sysupdate.d/60-root.transfer new file mode 100644 index 0000000000000000000000000000000000000000..ebc102d1d7f4341565cd452f1bd89ffe9640b361 --- /dev/null +++ b/host/rootfs/image/etc/sysupdate.d/60-root.transfer @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +# Uses example code from systemd man pages which is under MIT-0 +# (no attribution required). +[Transfer] +ProtectVersion=%A +Verify=yes + +[Source] +Type=url-file +Path=file:///run/updater +MatchPattern=Spectrum_OS_@v.root + +[Target] +Type=partition +Path=auto +MatchPattern=Spectrum_OS_@v +MatchPartitionType=root +PartitionFlags=0 +ReadOnly=1 diff --git a/host/rootfs/image/etc/sysupdate.d/70-kernel.transfer b/host/rootfs/image/etc/sysupdate.d/70-kernel.transfer new file mode 100644 index 0000000000000000000000000000000000000000..6f75dfb04abf5ae911be3ae95318685321a86f5f --- /dev/null +++ b/host/rootfs/image/etc/sysupdate.d/70-kernel.transfer @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +# Uses example code from systemd man pages which is under MIT-0 +# (no attribution required). +[Transfer] +ProtectVersion=%A +Verify=yes + +[Source] +Type=url-file +Path=file:///run/updater +MatchPattern=Spectrum_OS_@v.efi + +[Target] +Type=regular-file +Path=/EFI/Linux +PathRelativeTo=boot +MatchPattern=Spectrum_OS_@v+@l-@d.efi \ + Spectrum_OS_@v+@l.efi \ + Spectrum_OS_@v.efi +Mode=0644 +TriesLeft=3 +TriesDone=0 +InstancesLeft=2 diff --git a/host/rootfs/image/usr/bin/run-update b/host/rootfs/image/usr/bin/run-update new file mode 100644 index 0000000000000000000000000000000000000000..c1938df01189c26f6c7ffd4c0010fabdc5fb3405 --- /dev/null +++ b/host/rootfs/image/usr/bin/run-update @@ -0,0 +1,54 @@ +#!/bin/execlineb -S1 +# SPDX-License-Identifier: EUPL-1.2+ +# SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is> + +backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX } +backtick -E id { basename -- $dir } + +if { mkdir -p /run/configs/${id}/fs } +if { redirfd -w 1 /run/configs/${id}/fs/type echo appimage } +if { touch /run/configs/${id}/fs/run } +if { mount --rbind $1 /run/configs/${id}/fs/run } +if { + ln -s /usr/lib/spectrum/img/appvm/blk /usr/lib/spectrum/img/appvm/vmlinux + /run/configs/${id} +} + +if { ln -s /run/configs/${id} ${dir}/config } + +if { create-vm-dependencies $id } + +piperw 4 3 +background { + fdclose 3 + fdmove 0 4 + + # Wait for the VMM to be up, then start the VM. + if { redirfd -w 1 /dev/null head -1 } + vm-start $id +} +fdclose 4 + +foreground { run-vmm $id } +fdclose 3 + +if { + forx -pE service { + dbus + vhost-user-fs + vhost-user-gpu + xdg-desktop-portal-spectrum-host + } + s6-instance-delete /run/service/${service} $id +} + +if { + forx -E mount { + /run/configs/${id}/fs/run + ${dir}/fs/config + ${dir}/fs/doc + } + umount $mount +} + +rm -r $dir /run/configs/${id} diff --git a/host/rootfs/image/usr/bin/update b/host/rootfs/image/usr/bin/update new file mode 100755 index 0000000000000000000000000000000000000000..8e147929cecbef5873cd02c946adf1355da444c6 --- /dev/null +++ b/host/rootfs/image/usr/bin/update @@ -0,0 +1,56 @@ +#!/bin/execlineb -WS1 +# SPDX-License-Identifier: EUPL-1.2+ +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +# Steps: +# +# 1. Take a global, system-wide lock. +# 2. Create a BTRFS subvolume for the sys.updates VM to write the updates. +# 3. Bind-mount this subvolume into the VM's shared directory. +# 4. Start sys.updates to get the updates. +# 5. Wait for the VM to shut down. +# 6. Take a BTRFS snapshot of the subvolume. +# 7. Call syncfs() to flush all of the data on the subvolume. +# 8. Inspect the contents of the subvolume. +# Check that everything is a regular file and that the names are reasonable. +# Check that SHA256SUMS and SHA256SUMS.gpg are present. +# 9. Call systemd-sysupdate to run the actual update. + +if { mkdir -p -m 0700 /run/updater } +if { + case $1 { + /[0-9A-Za-z._/-]+ { true } + } + foreground { fdmove -c 1 2 echo 'Update directory path has forbidden characters or is not absolute' } + exit 1 +} +execline-cd $1 +s6-setlock /run/update-lock +foreground { + # This might fail with a "File exists" error, but that is fine. + foreground { redirfd -w 2 /dev/null btrfs subvolume create -- shared } + if { umask 0022 mkdir -p shared/etc/systemd shared/update-destination } + # TODO: use a safe copy program that is not vulnerable to symlink attacks. + # This should be okay as the directory has not been shared yet, but better + # safe than sorry. Also nosymfollow should be a mitigation, but still, + # better safe than sorry. + if { cp /etc/systemd/import-pubring.gpg shared/etc/systemd } + if { + if { + backtick -E update_vm_id { + backtick -E id_path { readlink /run/vm/by-name/sys.appvm-updates } + basename -- $id_path + } + vm-start $update_vm_id shared + } + if { btrfs subvolume snapshot -- shared private } + if { sync -- private } + if { updates-dir-check private/update-destination } + unshare --mount + if { mount --bind -o ro -- private/update-destination /run/updater } + /usr/lib/systemd/systemd-sysupdate update + } +} +importas -i sysupdate_exit_status "?" +foreground { btrfs subvolume delete -- shared private } +exit $sysupdate_exit_status diff --git a/host/rootfs/image/usr/bin/vm-start b/host/rootfs/image/usr/bin/vm-start index 67480e5215d8a8260ce3f03c67f71ba8f210c291..8ae8d94203345c4f3e8b6e46de0d139fda6c11d6 100755 --- a/host/rootfs/image/usr/bin/vm-start +++ b/host/rootfs/image/usr/bin/vm-start @@ -1,6 +1,24 @@ -#!/bin/execlineb -S1 +#!/bin/execlineb -Ws0 # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2022-2023, 2025 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +if { + case "${#}" { + 1 { true } + 2 { + multisubstitute { + define sourcedir ${2} + define fsdir /run/vm/by-id/${1}/fs/user + } + if { mkdir -p ${fsdir} } + foreground { redirfd -w 2 /dev/null umount ${fsdir} } + mount --bind -- ${sourcedir} ${fsdir} + } + } + foreground { fdmove -c 1 2 echo "Bad number of arguments ${#} (expected 1 or 3)" } + exit 100 +} foreground { s6-rc -bu change vm-env } @@ -20,4 +38,7 @@ foreground { redirfd -w 2 /dev/null s6-svwait -U /run/service/vmm/instance/${1} } -ch-remote --api-socket /run/vm/by-id/${1}/vmm boot +if { ch-remote --api-socket /run/vm/by-id/${1}/vmm boot } +case "${#}" { + 2 { s6-svwait -D /run/service/vmm/instance/${1} } +} diff --git a/host/rootfs/os-release.in b/host/rootfs/os-release.in new file mode 100644 index 0000000000000000000000000000000000000000..8a167a39366dedc6ff9024efdb98383ec84618ec --- /dev/null +++ b/host/rootfs/os-release.in @@ -0,0 +1,13 @@ +NAME="Spectrum OS" +ID="spectrum" +PRETTY_NAME="Spectrum OS @VERSION@" +VERSION=@VERSION@ +VERSION_ID=@VERSION@ +IMAGE_ID=spectrum_os_@VERSION@ +IMAGE_VERSION=@VERSION@ +RELEASE_TYPE=development +HOME_URL="https://www.spectrum-os.org" +BUG_REPORT_URL="mailto:discuss@spectrum-os.org" +ANSI_COLOR="1;34" +VENDOR_NAME="Spectrum" +VENDOR_URL="https://www.spectrum-os.org" diff --git a/host/rootfs/os-release.in.license b/host/rootfs/os-release.in.license new file mode 100644 index 0000000000000000000000000000000000000000..c4a0586a407fe14c3e0855749a7524ac3871dda4 --- /dev/null +++ b/host/rootfs/os-release.in.license @@ -0,0 +1,2 @@ +SPDX-License-Identifier: CC0-1.0 +SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix index bd234e90ee19bdfa6591d29c518cb0dc393b01c8..b5ed566062da03944567dd610c88e1a58523e303 100644 --- a/host/rootfs/shell.nix +++ b/host/rootfs/shell.nix @@ -3,7 +3,7 @@ # SPDX-FileCopyrightText: 2022 Unikie import ../../lib/call-package.nix ( -{ callSpectrumPackage, rootfs, pkgsStatic, srcOnly, stdenv +{ callSpectrumPackage, rootfs, srcOnly, stdenv , btrfs-progs, cryptsetup, jq, netcat, qemu_kvm, reuse, util-linux }: diff --git a/update-signing-keys.gpg b/update-signing-keys.gpg new file mode 100644 index 0000000000000000000000000000000000000000..b4c15467614ee15deef02af05f4c6554a1f7a013 --- /dev/null +++ b/update-signing-keys.gpg @@ -0,0 +1 @@ +NOT A VALID KEY - UPDATES WILL NOT WORK diff --git a/update-signing-keys.gpg.license b/update-signing-keys.gpg.license new file mode 100644 index 0000000000000000000000000000000000000000..c4a0586a407fe14c3e0855749a7524ac3871dda4 --- /dev/null +++ b/update-signing-keys.gpg.license @@ -0,0 +1,2 @@ +SPDX-License-Identifier: CC0-1.0 +SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> diff --git a/update-url b/update-url new file mode 100644 index 0000000000000000000000000000000000000000..a5b28fe9b3bbeb5e823c9e17c4765a074a83b350 --- /dev/null +++ b/update-url @@ -0,0 +1 @@ +https://your-spectrum-os-update-server.invalid/download-directory/ diff --git a/update-url.license b/update-url.license new file mode 100644 index 0000000000000000000000000000000000000000..c4a0586a407fe14c3e0855749a7524ac3871dda4 --- /dev/null +++ b/update-url.license @@ -0,0 +1,2 @@ +SPDX-License-Identifier: CC0-1.0 +SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> diff --git a/vm/app/sysupdate.d/50-verity.transfer b/vm/app/sysupdate.d/50-verity.transfer new file mode 100644 index 0000000000000000000000000000000000000000..e437860426b8a651ca20ee7bddff1a9b3cf39507 --- /dev/null +++ b/vm/app/sysupdate.d/50-verity.transfer @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +# Uses example code from systemd man pages which is under MIT-0 +# (no attribution required). +[Transfer] +Verify=yes + +[Source] +Type=url-file +Path=@UPDATE_URL@ +MatchPattern=Spectrum_OS_@v.verity + +[Target] +Type=regular-file +Path=/run/virtiofs/virtiofs0/user/update-destination +MatchPattern=Spectrum_OS_@v.verity +Mode=0644 diff --git a/vm/app/sysupdate.d/60-root.transfer b/vm/app/sysupdate.d/60-root.transfer new file mode 100644 index 0000000000000000000000000000000000000000..84ab4cd693342bb1118aa9525c797080c5b356dc --- /dev/null +++ b/vm/app/sysupdate.d/60-root.transfer @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +# Uses example code from systemd man pages which is under MIT-0 +# (no attribution required). +[Transfer] +Verify=yes + +[Source] +Type=url-file +Path=@UPDATE_URL@ +MatchPattern=Spectrum_OS_@v.root + +[Target] +Type=regular-file +Path=/run/virtiofs/virtiofs0/user/update-destination +MatchPattern=Spectrum_OS_@v.root +Mode=0644 diff --git a/vm/app/sysupdate.d/70-kernel.transfer b/vm/app/sysupdate.d/70-kernel.transfer new file mode 100644 index 0000000000000000000000000000000000000000..931944ac68483d864600748e469de9cd4829ff4a --- /dev/null +++ b/vm/app/sysupdate.d/70-kernel.transfer @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +# Uses example code from systemd man pages which is under MIT-0 +# (no attribution required). +[Transfer] +Verify=yes + +[Source] +Type=url-file +Path=@UPDATE_URL@ +MatchPattern=Spectrum_OS_@v.efi + +[Target] +Type=regular-file +Path=/run/virtiofs/virtiofs0/user/update-destination +MatchPattern=Spectrum_OS_@v.efi +Mode=0644 diff --git a/vm/app/updates.nix b/vm/app/updates.nix new file mode 100644 index 0000000000000000000000000000000000000000..30beca30e578b5c869eaedf2fd7e8913bf616a0c --- /dev/null +++ b/vm/app/updates.nix @@ -0,0 +1,57 @@ +# SPDX-License-Identifier: MIT +# SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is> + +import ../../lib/call-package.nix ( +{ callSpectrumPackage, lib, pkgsMusl, pkgsStatic, src, writeScript, systemd }: + +pkgsMusl.callPackage ( +{ stdenvNoCC, curl }: + +pkgsStatic.callPackage ( +{ execline, runCommand }: + +let + raw_update_url = builtins.readFile ../../update-url; + update-url = + if builtins.match "^https?://([[:alnum:]:./?=~-]|%[[:xdigit:]]{2})+/\n$" raw_update_url == null then + builtins.abort "Bad update URL" + else + builtins.substring 0 (builtins.stringLength raw_update_url - 1) raw_update_url; + sysupdate-d = stdenvNoCC.mkDerivation { + name = "spectrum-systemd-transfer-files"; + src = ./.; + installPhase = + '' + mkdir -- "$out" + ( + cd -- "$src" && + for i in sysupdate.d/*.transfer; do + s=''${i#sysupdate.d/} && + sed 's,@UPDATE_URL@,${update-url},g' < "$i" > "$out/$s" || exit + done + printf %s\\n '${update-url}' > "$out/update-url" + ) || exit + ''; + }; + l = lib.escapeShellArgs; + mountpoint = "/run/virtiofs/virtiofs0/user"; + sysupdate-path = "${systemd}/lib/systemd/systemd-sysupdate"; + runner = writeScript "update-run-script" ( + "#!/bin/sh --\n" + + builtins.concatStringsSep " && \\\n" [ + (l ["mount" "-toverlay" "-olowerdir=${mountpoint}/etc:/etc" "--" "overlay" "/etc"]) + (l [sysupdate-path "--definitions=${sysupdate-d}" "update"]) + (l ["${curl}/bin/curl" "-L" "--proto" "=http,https" + "-o" "${mountpoint}/update-destination/SHA256SUMS.gpg" + "--" "${update-url}SHA256SUMS.gpg"]) + (l ["${curl}/bin/curl" "-L" "--proto" "=http,https" + "-o" "${mountpoint}/update-destination/SHA256SUMS" + "--" "${update-url}/SHA256SUMS"]) + ]); +in + +callSpectrumPackage ../make-vm.nix {} { + providers.net = [ "sys.netvm" ]; + type = "nix"; + run = "${runner}"; +}) {}) {}) (_: {}) -- 2.51.2