Make portable and sysext work

Proven by recognition through systemd-dissect.

mkosi.conf

@@ -13,10 +13,10 @@ MinimumVersion=20.2
 
 [Validation]
 # Use RSA 2048 keys for wide UEFI compatibility
-SecureBootKey=signing-keys/rafeOS_secureboot.key
-SecureBootCertificate=signing-keys/rafeOS_secureboot.crt
-VerityKey=signing-keys/rafeOS_secureboot.key
-VerityCertificate=signing-keys/rafeOS_secureboot.crt
+SecureBootKey=signing-keys/rafeOS.secure-boot.key
+SecureBootCertificate=signing-keys/rafeOS.secure-boot.crt
+VerityKey=signing-keys/rafeOS.secure-boot.key
+VerityCertificate=signing-keys/rafeOS.secure-boot.crt
 
 [Host]
 Incremental=true

mkosi.images/mkosi/mkosi.build.chroot

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+
+OUTPUT="${IMAGE_ID}_${IMAGE_VERSION}.sysext"
+mkdir -p "$DESTDIR/usr/lib/extension-release.d/"
+cat >"$DESTDIR/usr/lib/extension-release.d/extension-release.$OUTPUT" <<EOF
+SYSEXT_SCOPE=system
+SYSEXT_PRETTY_NAME="mkosi — Build Bespoke OS Images"
+EOF

mkosi.images/mkosi/mkosi.conf

@@ -2,9 +2,11 @@
 Dependencies=base
 
 [Output]
+# See: https://uapi-group.org/specifications/specs/extension_image/
 Format=sysext
 Overlay=yes
-Output=mkosi_%v.sysext
+ImageId=mkosi
+Output=%i_%v.%t
 SectorSize=4096
 # For Reproducible Builds
 Seed=834dd70f55be43cc9934b20fc0b7f7be

mkosi.images/mkosi/mkosi.postinst.chroot

@@ -1,14 +0,0 @@
-#!/bin/bash
-set -eu
-
-mkdir -p /usr/lib/extension-release.d/
-cat >/usr/lib/extension-release.d/extension-release.mkosi <<EOF
-ID=rafeOS
-SYSEXT_ID=mkosi
-SYSEXT_SCOPE=system
-EOF
-
-# The default profiles mount the host's /etc/resolv.conf into our
-# image. For that the file to mount over needs to exist. Let's create
-# it here.
-touch /etc/resolv.conf

mkosi.images/openssh/mkosi.build.chroot

@@ -0,0 +1,21 @@
+#!/bin/sh
+set -eu
+
+DIRS="etc dev proc run sys tmp usr/lib var/tmp"
+
+for dir in $DIRS
+do
+    mkdir -p "$DESTDIR/$dir"
+done
+
+touch "$DESTDIR/etc/machine-id"
+touch "$DESTDIR/etc/resolv.conf"
+
+cat <<EOF >"$DESTDIR/usr/lib/os-release"
+ID=arch
+SYSEXT_ID="$IMAGE_ID"
+SYSEXT_VERSION_ID="$IMAGE_VERSION"
+SYSEXT_SCOPE=portable
+PORTABLE_PRETTY_NAME="OpenSSH SSH daemon"
+PORTABLE_PREFIXES=sshd
+EOF

mkosi.images/openssh/mkosi.conf

@@ -2,9 +2,11 @@
 Dependencies=base
 
 [Output]
+# See: https://systemd.io/PORTABLE_SERVICES/
 Format=portable
 Overlay=yes
-Output=openssh_%v.portable
+ImageId=openssh
+Output=%i_%v.%t
 SectorSize=4096
 # For Reproducible Builds
 Seed=834dd70f55be43cc9934b20fc0b7f7be

mkosi.images/openssh/mkosi.postinst.chroot

@@ -1,15 +0,0 @@
-#!/bin/bash
-set -eu
-
-cat >/usr/lib/os-release <<EOF
-ID=rafeOS
-SYSEXT_ID=openssh
-SYSEXT_SCOPE=portable
-PORTABLE_PREFIXES=sshd
-PORTABLE_PRETTY_NAME="OpenSSH Portable Service"
-EOF
-
-# The default profiles mount the host's /etc/resolv.conf into our
-# image. For that the file to mount over needs to exist. Let's create
-# it here.
-touch /etc/resolv.conf

signing-keys/genkeys.sh

@@ -24,8 +24,8 @@ generate_key_pair() {
     fi
 
     # Default filenames
-    PRIVATE_KEY_FILE="${IMAGE_ID}_${FILENAME_PREFIX}.key"
-    CERTIFICATE_FILE="${IMAGE_ID}_${FILENAME_PREFIX}.crt"
+    PRIVATE_KEY_FILE="${IMAGE_ID}.${FILENAME_PREFIX}.key"
+    CERTIFICATE_FILE="${IMAGE_ID}.${FILENAME_PREFIX}.crt"
 
     # Period of validity (in days) for  the created certificate.
     # Defaults to 3650, i.e. 10 years.
@@ -79,7 +79,7 @@ generate_key_pair() {
 }
 
 generate_secureboot_keys() {
-    generate_key_pair "secureboot" "/CN=$IMAGE_ID UEFI CA $(date +%Y)" "rsa"
+    generate_key_pair "secure-boot" "/CN=$IMAGE_ID UEFI CA $(date +%Y)" "rsa"
 }
 
 generate_verity_keys() {