mkNixosConfig: add config builder abstraction

Signed-off-by: Paul Meyer <[email protected]>

packages/by-name/image-podvm/package.nix

@@ -3,62 +3,26 @@
 
 {
  lib,
- nixos,
- pkgs,
  jq,
+ mkNixosConfig,
 
  withDebug ? true,
  withGPU ? false,
  withCSP ? "azure",
 }:
 
 let
- # We write this placeholder into the command line and replace it with the real root hash
- # after the image is built.
  roothashPlaceholder = "61fe0f0c98eff2a595dd2f63a5e481a0a25387261fa9e34c37e3a4910edf32b8";
-
- # 'nixos' uses 'pkgs' from the point in time where nixpkgs function is evaluated. According
- # to the documentation, we should be able to overwrite 'pkgs' by setting nixpkgs.pkgs in
- # the config, but that doesn't seem to work. We use an overlay for now instead.
- # TODO(katexochen): Investigate why the config option doesn't work.
- outerPkgs = pkgs;
 in
 
-(nixos (
- { modulesPath, ... }:
-
- {
- imports = [
- "${modulesPath}/image/repart.nix"
- "${modulesPath}/system/boot/uki.nix"
- ./azure.nix
- ./debug.nix
- ./gpu.nix
- ./image.nix
- ./kata.nix
- ./system.nix
- ];
-
- contrast.debug.enable = withDebug;
- contrast.gpu.enable = withGPU;
- contrast.azure.enable = withCSP == "azure";
+(mkNixosConfig {
+ inherit roothashPlaceholder;
 
- # TODO(katexochen): imporve, see comment above.
- nixpkgs.overlays = [
- (_self: _super: {
- inherit (outerPkgs)
- azure-no-agent
- cloud-api-adaptor
- kernel-podvm-azure
- pause-bundle
- ;
- inherit (outerPkgs.kata) kata-agent;
- })
- ];
+ contrast.debug.enable = withDebug;
+ contrast.gpu.enable = withGPU;
+ contrast.azure.enable = withCSP == "azure";
 
- boot.kernelParams = [ "roothash=${roothashPlaceholder}" ];
- }
-)).image.overrideAttrs
+}).image.overrideAttrs
  (oldAttrs: {
  nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ jq ];
  # Replace the placeholder with the real root hash.

packages/by-name/mkNixosConfig/package.nix

@@ -0,0 +1,57 @@
+{
+ lib,
+ nixos,
+ pkgs,
+}:
+
+{
+ # If set, placeholder is written into the command line roothash parameter.
+ # Used for building verity protected images.
+ roothashPlaceholder ? "",
+
+ ...
+}@args:
+
+let
+ # 'nixos' uses 'pkgs' from the point in time where nixpkgs function is evaluated. According
+ # to the documentation, we should be able to overwrite 'pkgs' by setting nixpkgs.pkgs in
+ # the config, but that doesn't seem to work. We use an overlay for now instead.
+ # TODO(katexochen): Investigate why the config option doesn't work.
+ outerPkgs = pkgs;
+
+ readModulesDir =
+ dir:
+ lib.pipe (builtins.readDir dir) [
+ (lib.filterAttrs (filename: type: type == "regular"))
+ (lib.mapAttrsToList (filename: type: "${dir}/${filename}"))
+ ];
+
+ args' = lib.removeAttrs args [ "roothashPlaceholder" ];
+in
+
+(nixos (
+ { modulesPath, ... }:
+
+ {
+ imports = [
+ "${modulesPath}/image/repart.nix"
+ "${modulesPath}/system/boot/uki.nix"
+ ] ++ readModulesDir ../../nixos;
+
+ # TODO(katexochen): imporve, see comment above.
+ nixpkgs.overlays = [
+ (_self: _super: {
+ inherit (outerPkgs)
+ azure-no-agent
+ cloud-api-adaptor
+ kernel-podvm-azure
+ pause-bundle
+ ;
+ inherit (outerPkgs.kata) kata-agent;
+ })
+ ];
+
+ boot.kernelParams = lib.optional (roothashPlaceholder != "") "roothash=${roothashPlaceholder}";
+ }
+ // args'
+))

packages/default.nix

@@ -15,7 +15,7 @@ let
  containers = callPackages ./containers.nix { pkgs = pkgs'; };
  scripts = callPackages ./scripts.nix { pkgs = pkgs'; };
  contrast-releases = callPackages ./contrast-releases.nix { };
- image-podvm = callPackage ./by-name/image-podvm/package.nix { pkgs = pkgs'; };
+ mkNixosConfig = callPackage ./by-name/mkNixosConfig/package.nix { pkgs = pkgs'; };
  microsoft = self'.microsoft // {
  genpolicy = pkgs.pkgsStatic.callPackage ./by-name/microsoft/genpolicy/package.nix { };
  cloud-hypervisor = pkgs.pkgsStatic.callPackage ./by-name/microsoft/cloud-hypervisor/package.nix { };