Working config

.gitignore

@@ -1,3 +1,16 @@
-mkosi.cache/
-mkosi.output/
-mkosi.builddir/
+!mkosi.cache/.gitkeep
+mkosi.cache/*
+!mkosi.output/.gitkeep
+mkosi.output/*
+!mkosi.builddir/.gitkeep
+mkosi.builddir/*
+
+# Build version of the image
+/mkosi.version
+
+# Root password for the image
+/mkosi.rootpw
+
+# SecureBoot keys for the image
+/mkosi.key
+/mkosi.crt

mkosi.conf

@@ -5,22 +5,74 @@ CacheOnly=true
 
 [Output]
 Format=disk
-ManifestFormat=json
-OutputDirectory=mkosi.output
-BuildDirectory=mkosi.builddir
-CacheDirectory=mkosi.cache
+SplitArtifacts=true
+ManifestFormat=json,changelog
+ImageId=rafeOS
+SectorSize=4096
+#CompressOutput=xz
+# For Reproducible Builds
+Seed=834dd70f55be43cc9934b20fc0b7f7be
 
 [Content]
 Bootable=yes
+SourceDateEpoch=0
 Packages=
-	linux
+	# Minimal package set to define a basic Arch Linux installation
+	base
+	# system and service manager
 	systemd
-	openssh
-	# squashfs-tools
-	# libfido2
-	# tpm2-tss
-RootPassword=password
-KernelCommandLine=rd.shell=0 rd.emergency=reboot loglevel=8
+	# systemd: show QR codes
+	qrencode
+	# systemd: unlocking LUKS2 volumes with FIDO2 token
+	libfido2
+	# systemd: unlocking LUKS2 volumes with TPM2
+	tpm2-tss
+	# The Linux kernel and modules
+	linux
+	# linux: firmware images needed for some devices
+	linux-firmware
+	# linux: to set the correct wireless channels of your country
+	wireless-regdb
+	# Microcode update image for AMD CPUs
+	amd-ucode
+	# Microcode update image for Intel CPUs
+	intel-ucode
+	# Userspace utilities for linux-erofs file system
+	#erofs-utils
+	# Btrfs filesystem utilities
+	btrfs-progs
+	# Ext2/3/4 filesystem utilities
+	e2fsprogs
+
+RemoveFiles=
+    /usr/include
+    /usr/local
+    /usr/src
+    /usr/lib/cmake
+    /usr/lib/pkgconfig
+
+KernelCommandLine=
+	# prevents access to a shell if boot fails
+	rd.shell=0
+	# prevents access to a shell if the root is corrupt
+	rd.emergency=reboot
+	# reboots system 30 seconds after a kernel panic
+	panic=30
+#	loglevel=8
 
 [Validation]
-Checksum=yes
+SecureBoot=true
+SecureBootKey=mkosi.key
+SecureBootCertificate=mkosi.crt
+#SecureBootKey=/usr/share/secureboot/keys/db/db.key
+#SecureBootCertificate=/usr/share/secureboot/keys/db/db.pem
+SignExpectedPcr=true
+VerityKey=mkosi.key
+VerityCertificate=mkosi.crt
+#VerityKey=/usr/share/secureboot/keys/db/db.key
+#VerityCertificate=/usr/share/secureboot/keys/db/db.pem
+Checksum=true
+
+[Host]
+Incremental=true
+ToolsTree=default

mkosi.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuzCCAaMCFEjGk1dAn3d720+09bprtDG+mRgWMA0GCSqGSIb3DQEBCwUAMBox
+GDAWBgNVBAMMD21rb3NpIG9mIHRvYmlhczAeFw0yMzEyMDkyMjQ4NDVaFw0yNTEy
+MDgyMjQ4NDVaMBoxGDAWBgNVBAMMD21rb3NpIG9mIHRvYmlhczCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKCve5Z3mAM0GHV1JYJ8In7OW4p0xx+UfNpA
+hya+V0FrbeoFYJZK4+xL90hiFkfbS5YvQQ+92JZDdYYEKJOEn0IaXied5UlfMys/
+7YvZzJMcXGVR4Tux/IDoPp7xrmUqfQfQqmJykyV+XpCY9neG2fS48aWu7Jc2Ztim
+tQvG65A9FK3byBAFbNNqrn1dtpOFKLuYzDTSla0t7F+MNzCabOf1n6fIJpVef/2x
+K0T09l/0sv89a+WSOKdZuUg97kvCBjXzKtufIzjTaWWQl8Io6FmMGU8Dl9GyWfMw
+gCfehwmysJ128G4R+b4rBvVUT60lXXZvJGIRGC1rH+/Mn9uXOIcCAwEAATANBgkq
+hkiG9w0BAQsFAAOCAQEAjPJIAQ90/MbDC9REWUaAf5eowBELKx5PHg/DFxflskyi
+E9+6w+P3wdUBVGgsJF3dsdIat2oEadgzLRne5YBTfRJcbP2ObeV8uynG1Ay1m53b
+TgjN1vGyTJoVa2+wFx9lsnF5jGFAEHVp1X3DWEcirq3HHUDxJLvNi6Ub0RvSVY9M
+Fw0RyZqmLfjvePVtXYFSbFZbgE0xH+kmXc+cZMiza9LxFNXLdRJikXslJEfl14ni
+XsbDQ77ePyViIpU8oB8WUjtnxNAg10618W0CLgSR62gtnhoz2sniDeRJ6ipxTpJq
+u3ItsPcBD8jFpTlUQrAmTehleZ1vD5dmY3txHFVzcQ==
+-----END CERTIFICATE-----

mkosi.extra/usr/lib/repart.d/00-esp.conf

@@ -1,6 +1,5 @@
 [Partition]
 Type=esp
-Format=vfat
-CopyFiles=/efi:/
+CopyBlocks=auto
 SizeMinBytes=1G
 SizeMaxBytes=1G

mkosi.extra/usr/lib/repart.d/10-usr.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=usr
+CopyBlocks=auto
+SizeMinBytes=3G
+SizeMaxBytes=3G

mkosi.extra/usr/lib/repart.d/11-usr-verity.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=usr-verity
+CopyBlocks=auto
+SizeMinBytes=256M
+SizeMaxBytes=256M

mkosi.extra/usr/lib/repart.d/12-usr-verity-sig.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=usr-verity-sig
+CopyBlocks=auto
+SizeMinBytes=16K
+SizeMaxBytes=16K

mkosi.extra/usr/lib/repart.d/20-usr.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=usr
+Label=_empty
+SizeMinBytes=3G
+SizeMaxBytes=3G

mkosi.extra/usr/lib/repart.d/21-usr-verity.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=usr-verity
+Label=_empty
+SizeMinBytes=256M
+SizeMaxBytes=256M

mkosi.extra/usr/lib/repart.d/22-usr-verity-sig.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=usr-verity-sig
+Label=_empty
+SizeMinBytes=16K
+SizeMaxBytes=16K

mkosi.extra/usr/lib/repart.d/50-root.conf

@@ -1,10 +1,16 @@
 [Partition]
 Type=root
-Format=squashfs
-Verity=data
-VerityMatchKey=root
-CopyFiles=/
-ExcludeFiles=/efi
-#SizeMinBytes=1536M
-#SizeMaxBytes=1536M
-Minimize=best
+Format=btrfs
+FactoryReset=true
+Label=%M-root
+Encrypt=key-file+tpm2
+MakeDirectories=/etc
+MakeDirectories=/var
+MakeDirectories=/var/log
+MakeDirectories=/var/tmp
+MakeDirectories=/srv
+Subvolumes=/etc
+Subvolumes=/var
+Subvolumes=/var/log
+Subvolumes=/var/tmp
+Subvolumes=/srv

mkosi.extra/usr/lib/repart.d/60-home.conf

@@ -1,2 +1,4 @@
 [Partition]
-Type=home
+Type=home
+Format=ext4
+FactoryReset=false

mkosi.extra/usr/lib/repart.d/60-root-verity.conf

@@ -1,6 +0,0 @@
-[Partition]
-Type=root-verity
-SizeMinBytes=64M
-SizeMaxBytes=256M
-Verity=hash
-VerityMatchKey=root

mkosi.extra/usr/lib/repart.d/70-root-b.conf

@@ -1 +0,0 @@
-50-root.conf

mkosi.extra/usr/lib/repart.d/70-swap.conf

@@ -0,0 +1,9 @@
+[Partition]
+Type=swap
+Format=swap
+FactoryReset=true
+Encrypt=key-file+tpm2
+SizeMinBytes=64M
+SizeMaxBytes=48G
+Weight=333
+Priority=1

mkosi.extra/usr/lib/repart.d/80-root-verity-b.conf

@@ -1 +0,0 @@
-60-root-verity.conf

mkosi.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgr3uWd5gDNBh1
+dSWCfCJ+zluKdMcflHzaQIcmvldBa23qBWCWSuPsS/dIYhZH20uWL0EPvdiWQ3WG
+BCiThJ9CGl4nneVJXzMrP+2L2cyTHFxlUeE7sfyA6D6e8a5lKn0H0KpicpMlfl6Q
+mPZ3htn0uPGlruyXNmbYprULxuuQPRSt28gQBWzTaq59XbaThSi7mMw00pWtLexf
+jDcwmmzn9Z+nyCaVXn/9sStE9PZf9LL/PWvlkjinWblIPe5LwgY18yrbnyM402ll
+kJfCKOhZjBlPA5fRslnzMIAn3ocJsrCddvBuEfm+Kwb1VE+tJV12byRiERgtax/v
+zJ/blziHAgMBAAECggEAOWkpb4PQWMiquoC+A6aFjqf9NfVuVb6wcyxd/X5BX7rZ
+/SSps1kToVAtDHwbONZF5eWBSfYLJfj5SwY+VyKp4izYmjAEhZgRiLDhFzgcqy0V
+aA/+uNzpekdAZHq2VCf/nySzU9Ra9aj2cZRtbxxL0G+pywg6OPazfVHm2svaS2Cu
+iyNX15uNhzE3PW1Z40r30ucG7+KpNKp/h2uP0vLLQEJnHNCHNr5BPb0lzD4supN1
+FWXTYXf+LBzq1w9yZu7M33dBf4VJxVQSePyRESZcvmy8hQdUdHslX61BLN6BDuE1
+pnlBVddB86Rl7a0ckwNm163wipUZEycefl5mFd2RXQKBgQDNTjBh2pl10Yc/4/Yh
+NkFlZPepCD+nwFThhiMaEXwYHYVUDO7zlmqpieCcy1DJpyhhLey0E5lsRlj1jmIB
+4mGG9/dkhd8tmTZjMi/gcngC6PnQSOEvx3Jac0EaH3ZSH4oNwNEMXu14CekTzYm7
+RlwnlOsDR3B4rwPR0tob8eU3VQKBgQDIXMSgkFBUlclRyLBEgLdfPOfocueHA/Jm
+MHaKzPNlOlR9I7z0I7hj2+W6TnTfqfGWlPYIJYzOiuAIKTJnQsPc82iYlqwCV7nC
+FRqldf7LZlrVg8Fh3tb2JghC/GljZE82cvBFCH6O2LtELE/IpKUOjeXjn1igwl2w
+IePjNPS4awKBgQCMjaH77A8xpN+mMue3NxCwXN5cf4Qs0TSLLSzs1NmTHOrBbxVL
++EdPiFAYp+zIEUNIvIsXgW+Au+x9OBwK1DQWlb5tuGThL8oXQS2byGI3A8669JoN
+/spf+BWyz6VOdb8qyT2U7Yw/qPFDmGxZpMLEamQ2W3s5c//2bxbZGNLm/QKBgCB2
+Nz00ZG9v3TAs7bILkKoTehdFFpHfZ9R6oZoXXo/WBX5I3gJID0XOiMfIklLye7vD
+4qCrRMbp5SYtVoc4X/daUGX4c2HlyKjTNn/8QA3ARZM2R4yNyBIVU11W+9QomlTe
+BmOI3shSAPUooLyHQF69SrO4S2mwU/GHbB6Ro9yFAoGAYL0gbjGDsDIDkS4GEfFf
++2LiWgFEj9rJ61q1HqlyCexmvq4cFVqiU0qqQYepT6LsI2u7U9tyJm6x7neFkCJV
+Whq+L+w88PKg99U3nCK4q0ZlYzUolapz3qAqs65nMKTmtQx5doUUijwRdwQxmfF3
+JGsX7imrsv154qC2E244mdU=
+-----END PRIVATE KEY-----

mkosi.repart/00-esp.conf

@@ -0,0 +1,8 @@
+[Partition]
+Type=esp
+SizeMinBytes=1G
+SizeMaxBytes=1G
+Format=vfat
+CopyFiles=/efi:/
+ExcludeFilesTarget=/efi/EFI/systemd/systemd-bootia32.efi
+ExcludeFilesTarget=/efi/EFI/BOOT/BOOTIA32.EFI

mkosi.repart/10-usr.conf

@@ -0,0 +1,10 @@
+[Partition]
+Type=usr
+Label=%M_%A
+SizeMinBytes=3G
+SizeMaxBytes=3G
+Minimize=best
+Verity=data
+VerityMatchKey=usr
+Format=erofs
+CopyFiles=/usr:/

mkosi.repart/11-usr-verity.conf

@@ -0,0 +1,10 @@
+[Partition]
+Type=usr-verity
+Label=%M_%A
+SizeMinBytes=256M
+SizeMaxBytes=256M
+Minimize=best
+Verity=hash
+VerityMatchKey=usr
+VerityDataBlockSizeBytes=4096
+VerityHashBlockSizeBytes=4096

mkosi.repart/12-usr-verity-sig.conf

@@ -0,0 +1,5 @@
+[Partition]
+Type=usr-verity-sig
+Label=%M_%A
+Verity=signature
+VerityMatchKey=usr

mkosi.repart/50-root.conf

@@ -1 +0,0 @@
-../mkosi.extra/usr/lib/repart.d/50-root.conf

mkosi.repart/60-root-verity.conf

@@ -1 +0,0 @@
-../mkosi.extra/usr/lib/repart.d/60-root-verity.conf

mkosi.rootpw

@@ -0,0 +1 @@
+password

mkosi.version

@@ -0,0 +1 @@
+0.0.0