diff --git a/.dockerignore b/.dockerignore
deleted file mode 120000
index 3e4e48b0..00000000
--- a/.dockerignore
+++ /dev/null
@@ -1 +0,0 @@
-.gitignore
\ No newline at end of file
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 82a8f514..9217d529 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -276,8 +276,8 @@ systemd services are the primary way to run applications in Flashboxes. Here's h
 ```ini
 [Unit]
 Description=My Application
-After=network.target network-setup.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 [Service]
 Type=simple
@@ -354,8 +354,8 @@ Conflicts=apache2.service
 ```ini
 [Unit]
 # Network is available
-After=network.target network-setup.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 # Persistent storage is mounted
 After=persistent-mount.service
@@ -365,24 +365,14 @@ Requires=persistent-mount.service
 After=basic.target
 ```
-### Enabling Services
+### Enabling Packaged Services
-**In `mkosi.postinst` script**:
-```bash
-#!/bin/bash
-set -euxo pipefail
+To enable a service installed with a Debian package, add the following to your `mkosi.postinst` script:
-# Enable service
-mkosi-chroot systemctl enable myapp.service
-
-# Create symlink for minimal.target
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-ln -sf "/etc/systemd/system/myapp.service" \
- "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
+```bash
+mkosi-chroot systemctl add-wants minimal.target myapp.service
 ```
-For comprehensive systemd options, see: [systemd Service Documentation](https://www.freedesktop.org/software/systemd/man/systemd.service.html)
 ## Extending Built-in systemd Services
 Sometimes you need to modify existing systemd services rather than creating new ones.
@@ -543,8 +533,7 @@ chown myapp:myapp /etc/myapp/config.conf
 chmod 600 /etc/myapp/config.conf
 # Enable systemd service
-systemctl enable myapp.service || true
-systemctl start myapp.service || true
+mkosi-chroot systemctl add-wants minimal.target myapp.service || true
 exit 0
 ```
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 57739de9..00000000
--- a/Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM ubuntu:25.04
-
-RUN apt-get update && apt-get install -y \
- curl git sudo qemu-system-x86 qemu-utils \
- debian-archive-keyring systemd-boot reprepro xz-utils
-
-RUN echo "ubuntu ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu && \
- chmod 0440 /etc/sudoers.d/ubuntu
-
-COPY --chown=ubuntu:ubuntu . /home/ubuntu/mkosi
-RUN mkdir -p /home/ubuntu/mkosi/mkosi.packages /home/ubuntu/mkosi/mkosi.cache \
- /home/ubuntu/mkosi/mkosi.builddir /home/ubuntu/mkosi/build /nix && \
- chown -R ubuntu:ubuntu /home/ubuntu/mkosi /nix
-
-USER ubuntu
-RUN curl -L https://nixos.org/nix/install | sh -s -- --no-daemon && \
- mkdir -p ~/.config/nix ~/.cache/mkosi/ && \
- echo 'experimental-features = nix-command flakes' > ~/.config/nix/nix.conf
-
-WORKDIR /home/ubuntu/mkosi
-RUN /home/ubuntu/.nix-profile/bin/nix develop -c /bin/true
-ENTRYPOINT ["/home/ubuntu/.nix-profile/bin/nix", "develop", "-c", "/bin/bash"]
\ No newline at end of file
diff --git a/base/mkosi.conf b/base/mkosi.conf
index 6eeb3214..7666342f 100644
--- a/base/mkosi.conf
+++ b/base/mkosi.conf
@@ -17,19 +17,17 @@ Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c
 [Content]
 SourceDateEpoch=0
-KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2
-SkeletonTrees=base/mkosi.skeleton
+KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2 systemd.unit=minimal.target
+ExtraTrees=base/mkosi.extra
 BuildScripts=kernel/mkosi.build
-PostInstallationScripts=base/debloat-systemd.sh
-PostInstallationScripts=base/efi-stub.sh
-SyncScripts=base/add-backports.sh
-FinalizeScripts=base/debloat.sh
-FinalizeScripts=base/remove-image-version.sh
-SyncScripts=base/normalize-umask.sh
+SyncScripts=base/mkosi.sync.d/*
+PostInstallationScripts=base/mkosi.postinst.d/*
+FinalizeScripts=base/mkosi.finalize.d/*
 CleanPackageMetadata=true
 Packages=kmod
 systemd
+ systemd-resolved
 systemd-boot-efi
 busybox
 util-linux
@@ -37,7 +35,6 @@ Packages=kmod
 ca-certificates
 openssl
 iproute2
- udhcpc
 e2fsprogs
 chrony
 BuildPackages=build-essential
diff --git a/base/mkosi.skeleton/etc/chrony/chrony.conf b/base/mkosi.extra/etc/chrony/chrony.conf
similarity index 100%
rename from base/mkosi.skeleton/etc/chrony/chrony.conf
rename to base/mkosi.extra/etc/chrony/chrony.conf
diff --git a/base/mkosi.extra/etc/systemd/journald.conf b/base/mkosi.extra/etc/systemd/journald.conf
new file mode 100644
index 00000000..44e635ca
--- /dev/null
+++ b/base/mkosi.extra/etc/systemd/journald.conf
@@ -0,0 +1,5 @@
+[Journal]
+SystemMaxFileSize=128M
+SystemMaxFiles=2
+RuntimeMaxFileSize=512K
+RuntimeMaxFiles=2
diff --git a/base/mkosi.extra/etc/systemd/network/10-ethernet.network b/base/mkosi.extra/etc/systemd/network/10-ethernet.network
new file mode 100644
index 00000000..560dbd99
--- /dev/null
+++ b/base/mkosi.extra/etc/systemd/network/10-ethernet.network
@@ -0,0 +1,9 @@
+[Match]
+Name=eth* en*
+
+[Network]
+DHCP=yes
+
+[DHCPv4]
+UseDNS=no
+UseHostname=no
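Review bot: With `systemd.unit=minimal.target` now carried only on the kernel command line, and the `ln -sf minimal.target "$SYSTEMD_DIR/default.target"` line dropped in the 90-debloat-systemd.sh hunk together with the `[Install]` section of minimal.target and the explicit unit argument in `init`, nothing inside the image itself selects the boot target any more. If the image is ever booted without that parameter (a bootloader cmdline edit, a differently assembled UKI, a test harness passing its own cmdline), systemd falls back to its stock default.target and the gating of what runs under minimal.target is silently lost. Keeping the default.target symlink in 90-debloat-systemd.sh as an in-image fallback costs one line, and the cmdline entry can remain as the explicit override. A comment on the KernelCommandLine line such as `# systemd.unit= selects minimal.target; default.target in the image is the fallback` would record the intent.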
diff --git a/base/mkosi.extra/etc/systemd/resolved.conf b/base/mkosi.extra/etc/systemd/resolved.conf
new file mode 100644
index 00000000..479b4103
--- /dev/null
+++ b/base/mkosi.extra/etc/systemd/resolved.conf
@@ -0,0 +1,3 @@
+[Resolve]
+FallbackDNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
+DNSOverTLS=yes
diff --git a/base/mkosi.skeleton/etc/systemd/system/minimal.target b/base/mkosi.extra/etc/systemd/system/minimal.target
similarity index 87%
rename from base/mkosi.skeleton/etc/systemd/system/minimal.target
rename to base/mkosi.extra/etc/systemd/system/minimal.target
index a8464ca2..dbc9a780 100644
--- a/base/mkosi.skeleton/etc/systemd/system/minimal.target
+++ b/base/mkosi.extra/etc/systemd/system/minimal.target
@@ -4,6 +4,3 @@ Requires=basic.target
 Conflicts=rescue.service rescue.target emergency.service emergency.target
 After=basic.target rescue.service rescue.target emergency.service emergency.target
 AllowIsolate=yes
-
-[Install]
-WantedBy=default.target
\ No newline at end of file
diff --git a/base/mkosi.skeleton/init b/base/mkosi.extra/init
similarity index 85%
rename from base/mkosi.skeleton/init
rename to base/mkosi.extra/init
index b6f12563..78b382c2 100755
--- a/base/mkosi.skeleton/init
+++ b/base/mkosi.extra/init
@@ -14,4 +14,4 @@ exec unshare --mount sh -c '
 mkdir /@
 mount --rbind / /@
 cd /@ && mount --move . /
- exec chroot . /lib/systemd/systemd systemd.unit=minimal.target'
+ exec chroot . /lib/systemd/systemd'
diff --git a/base/remove-image-version.sh b/base/mkosi.finalize.d/10-remove-image-version.sh
similarity index 100%
rename from base/remove-image-version.sh
rename to base/mkosi.finalize.d/10-remove-image-version.sh
diff --git a/base/debloat.sh b/base/mkosi.finalize.d/90-debloat.sh
similarity index 95%
rename from base/debloat.sh
rename to base/mkosi.finalize.d/90-debloat.sh
index 1906010d..ffe0416a 100755
--- a/base/debloat.sh
+++ b/base/mkosi.finalize.d/90-debloat.sh
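Review bot: `FallbackDNS=` is consulted by resolved only when no other DNS server is known, so the Cloudflare DoT resolvers act as the primary servers here solely because 10-ethernet.network sets `UseDNS=no`; the moment any link supplies a `DNS=` (the Azure profile adds one) or an /etc/resolv.conf with servers appears, the fallback list stops being used for all lookups, not just the Azure routing domain. If these are meant to be the resolvers for everything not explicitly routed to a link, `DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com` states that; `FallbackDNS=` reads as best-effort. A one-line comment saying which of the two semantics is intended would help either way, and note that `DNSOverTLS=yes` is the strict mode, so a resolver that cannot be reached on tcp/853 means no name resolution rather than a plaintext downgrade — that is the right choice for this image, but worth stating next to the setting.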
@@ -31,10 +31,8 @@ debloat_paths=(
 "/usr/lib/systemd/catalog"
 "/usr/lib/systemd/user"
 "/usr/lib/systemd/user-generators"
- "/usr/lib/systemd/network"
 "/usr/lib/pcrlock.d"
 "/usr/lib/tmpfiles.d"
- "/etc/systemd/network"
 "/etc/credstore"
 "/nix"
 )
diff --git a/base/efi-stub.sh b/base/mkosi.postinst.d/10-efi-stub.sh
similarity index 100%
rename from base/efi-stub.sh
rename to base/mkosi.postinst.d/10-efi-stub.sh
diff --git a/base/debloat-systemd.sh b/base/mkosi.postinst.d/90-debloat-systemd.sh
similarity index 79%
rename from base/debloat-systemd.sh
rename to base/mkosi.postinst.d/90-debloat-systemd.sh
index 81efba20..2cb8f4bb 100755
--- a/base/debloat-systemd.sh
+++ b/base/mkosi.postinst.d/90-debloat-systemd.sh
@@ -16,6 +16,9 @@ systemd_svc_whitelist=(
 "systemd-journald-dev-log.socket"
 "systemd-remount-fs.service"
 "systemd-sysctl.service"
+ "systemd-networkd.service"
+ "systemd-networkd.socket"
+ "systemd-networkd-wait-online.service"
 "chrony.service"
 )
@@ -42,10 +45,9 @@ mkosi-chroot dpkg-query -L systemd | grep -E '\.service$|\.socket$|\.timer$|\.ta
 fi
 done
-# Set default target
-ln -sf minimal.target "$SYSTEMD_DIR/default.target"
-
-# Enable chrony and link to minimal.target
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-mkosi-chroot systemctl enable chrony.service
-ln -sf /lib/systemd/system/chrony.service "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
+# Enable chrony service
+mkosi-chroot systemctl add-wants minimal.target \
+ chrony.service \
+ systemd-resolved.service \
+ systemd-networkd.service \
+ systemd-networkd-wait-online.service
diff --git a/base/mkosi.skeleton/etc/resolv.conf b/base/mkosi.skeleton/etc/resolv.conf
deleted file mode 100644
index 0bb99396..00000000
--- a/base/mkosi.skeleton/etc/resolv.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-nameserver 8.8.8.8
-nameserver 8.8.4.4
\ No newline at end of file
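Review bot: Deleting base/mkosi.skeleton/etc/resolv.conf leaves the image with no resolver file unless the systemd-resolved package installs the usual /etc/resolv.conf → /run/systemd/resolve/stub-resolv.conf symlink during package installation; that is not visible in this diff, and it should be confirmed in the built image, because chrony and any libc-based client go through /etc/resolv.conf rather than talking to resolved directly. The old network-setup.service also pinned that file with `chattr +i`; if the goal was to stop anything rewriting resolver config at runtime, the replacement now relies on no other component writing /etc/resolv.conf. Separately, the comment `# Enable chrony service` in 90-debloat-systemd.sh now sits above four units; `# Wire time sync, DNS resolution and networking into minimal.target` describes what the add-wants call does.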
diff --git a/base/mkosi.skeleton/etc/systemd/system/network-setup.service b/base/mkosi.skeleton/etc/systemd/system/network-setup.service
deleted file mode 100644
index d980087b..00000000
--- a/base/mkosi.skeleton/etc/systemd/system/network-setup.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Basic Network Setup
-DefaultDependencies=no
-Before=network.target
-Wants=network.target
-
-[Service]
-Type=oneshot
-ExecStart=ip link set lo up
-ExecStart=ip link set eth0 up
-ExecStart=chattr +i /etc/resolv.conf
-ExecStart=/usr/sbin/udhcpc -i eth0 -n
-RemainAfterExit=yes
-
-[Install]
-WantedBy=sysinit.target
\ No newline at end of file
diff --git a/base/add-backports.sh b/base/mkosi.sync.d/10-add-backports.sh
similarity index 100%
rename from base/add-backports.sh
rename to base/mkosi.sync.d/10-add-backports.sh
diff --git a/base/normalize-umask.sh b/base/mkosi.sync.d/20-normalize-umask.sh
similarity index 100%
rename from base/normalize-umask.sh
rename to base/mkosi.sync.d/20-normalize-umask.sh
diff --git a/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf b/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf
index deb3611c..cdfcf563 100644
--- a/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf
+++ b/bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf
@@ -5,6 +5,3 @@ Requires=wait-for-key.service searcher-firewall.service
 [Service]
 ExecStartPre=/usr/bin/chown -R searcher:searcher /home/searcher
 ExecStartPre=/bin/sh -c 'test -f /etc/dropbear/dropbear_ed25519_host_key || /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key'
-
-[Install]
-WantedBy=minimal.target
diff --git a/base/mkosi.skeleton/etc/systemd/system/persistent-mount.service b/bob-common/mkosi.extra/etc/systemd/system/persistent-mount.service
similarity index 92%
rename from base/mkosi.skeleton/etc/systemd/system/persistent-mount.service
rename to bob-common/mkosi.extra/etc/systemd/system/persistent-mount.service
index 1c630ea5..f3cc2c85 100644
--- a/base/mkosi.skeleton/etc/systemd/system/persistent-mount.service
+++ b/bob-common/mkosi.extra/etc/systemd/system/persistent-mount.service
@@ -11,4 +11,4 @@ ExecStart=/bin/bash -c 'until grep -q " /persistent " /proc/mounts; do sleep 1;
 RemainAfterExit=yes
 [Install]
-WantedBy=minimal.target
+WantedBy=minimal.target
\ No newline at end of file
diff --git a/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service b/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service
index 3812c1eb..84b5dd77 100644
--- a/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service
+++ b/bob-common/mkosi.extra/etc/systemd/system/searcher-firewall.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Searcher Network and Firewall Rules
-After=network.target network-setup.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 [Service]
 Type=oneshot
diff --git a/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service b/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service
index 5a4c1eae..e575f806 100644
--- a/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service
+++ b/bob-common/mkosi.extra/etc/systemd/system/wait-for-key.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=SSH Public Key Server
-After=network.target network-setup.service wait-for-key.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 [Service]
 Type=oneshot
diff --git a/bob-common/mkosi.postinst b/bob-common/mkosi.postinst
index 227beea5..ab3b4b1c 100755
--- a/bob-common/mkosi.postinst
+++ b/bob-common/mkosi.postinst
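Review bot: searcher-firewall.service is ordered `After=network-online.target`, so the link is up with an address, and reachable, before any rule is applied; the previous `After=network-setup.service` had the same window, but the move to networkd is the moment to close it. If the rules do not depend on the DHCP-assigned address, `Before=network-pre.target` together with `Wants=network-pre.target` (replacing the network-online ordering) installs them before systemd-networkd brings links up; if they do need the address, then every service that must not run unfiltered should carry `After=searcher-firewall.service` rather than relying only on dropbear's `Requires=`. The rest of the unit is outside the hunk, so I cannot see whether such ordering against the application services is already declared elsewhere.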
@@ -18,25 +18,13 @@ mkdir -p "$BUILDROOT/etc/searcher/ssh_hostkey"
 rm -r "$BUILDROOT/etc/dropbear"
 mkdir "$BUILDROOT/etc/dropbear"
-# Enable services
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-for service in \
- network-setup.service \
+# Enable packaged services
+mkosi-chroot systemctl add-wants minimal.target \
 logrotate.timer \
 delay-pipe.service \
- wait-for-key.service \
- searcher-firewall.service \
- dropbear.service \
- searcher-container.service \
- ssh-pubkey-server.service \
- cvm-reverse-proxy.service
-do
- mkosi-chroot systemctl enable "$service"
- ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
-done
+ dropbear.service
 # Don't reserve port 22
-mkosi-chroot systemctl disable ssh.service ssh.socket
 mkosi-chroot systemctl mask ssh.service ssh.socket
 # Lock the root account
diff --git a/bob-l1.conf b/bob-l1.conf
index 207015fb..0f26cd46 100644
--- a/bob-l1.conf
+++ b/bob-l1.conf
@@ -7,7 +7,7 @@ Include=bob-l1/mkosi.conf
 Profiles=azure,gcp
 [Distribution]
-Mirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/
+Snapshot=20251113T083151Z
 [Build]
 ToolsTreeMirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/
diff --git a/bob-l1/mkosi.extra/etc/bob/firewall-config b/bob-l1/mkosi.extra/etc/bob/firewall-config
index 6355d153..7f856645 100644
--- a/bob-l1/mkosi.extra/etc/bob/firewall-config
+++ b/bob-l1/mkosi.extra/etc/bob/firewall-config
@@ -11,6 +11,7 @@ SEARCHER_INPUT_TCP_PORT=27018
 # Well-known ports
 DNS_PORT=53
+DNS_OVER_TLS_PORT=853
 HTTP_PORT=80
 HTTPS_PORT=443
 NTP_PORT=123
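Review bot: The explicit enable list shrinks to logrotate.timer, delay-pipe.service and dropbear.service, yet wait-for-key.service, searcher-firewall.service, searcher-container.service, ssh-pubkey-server.service and cvm-reverse-proxy.service were wired into minimal.target here before and nothing in this hunk shows how they are pulled in now. dropbear's drop-in still carries `Requires=wait-for-key.service searcher-firewall.service`, which covers two of them; for the other three the mechanism (an `[Install] WantedBy=minimal.target` in their own unit files honoured by a preset, or a Requires= chain) is not visible in the diff and should be confirmed in the built image. Whatever it is, the comment should name it, e.g. `# Enable packaged services; units shipped in mkosi.extra are pulled in via their own [Install]/Requires= wiring`, so the next reader does not assume the list is complete. Dropping `systemctl disable` ahead of `mask` is fine, since masking supersedes it.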
@@ -90,6 +91,7 @@ drop_dst_ip $CHAIN_MAINTENANCE_OUT $FLASHBOTS_TX_STREAM_1,$FLASHBOTS_TX_STREAM_2
 accept_dst_port $CHAIN_MAINTENANCE_OUT udp $DNS_PORT "DNS (UDP)"
 accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_PORT "DNS (TCP)"
+accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_OVER_TLS_PORT "DNS-over-TLS"
 accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTP_PORT "HTTP"
 accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTPS_PORT "HTTPS"
diff --git a/bob-l1/mkosi.extra/etc/bob/toggle-config b/bob-l1/mkosi.extra/etc/bob/toggle-config
index 9be10caa..086e17c8 100644
--- a/bob-l1/mkosi.extra/etc/bob/toggle-config
+++ b/bob-l1/mkosi.extra/etc/bob/toggle-config
@@ -17,6 +17,7 @@ MAINTENANCE_ENDPOINTS=(
 "tcp:10022:SSH data port"
 "tcp:53:DNS"
 "udp:53:DNS"
+ "tcp:853:DNS-over-TLS"
 "tcp:80:HTTP"
 "tcp:443:HTTPS"
 "tcp:30303:EL P2P"
diff --git a/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service b/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service
index e0f79633..df8422ed 100644
--- a/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service
+++ b/bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service
@@ -1,7 +1,8 @@
 [Unit]
 Description=Lighthouse Consensus Client
-After=network.target network-setup.service persistent-mount.service
-Requires=network-setup.service persistent-mount.service
+After=network-online.target persistent-mount.service
+Wants=network-online.target
+Requires=persistent-mount.service
 [Service]
 Type=exec
diff --git a/services/bin/lighthouse-init b/bob-l1/mkosi.extra/usr/bin/lighthouse-init
similarity index 100%
rename from services/bin/lighthouse-init
rename to bob-l1/mkosi.extra/usr/bin/lighthouse-init
diff --git a/bob-l1/mkosi.postinst b/bob-l1/mkosi.postinst
index 7a447d03..626ab872 100755
--- a/bob-l1/mkosi.postinst
+++ b/bob-l1/mkosi.postinst
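Review bot: `accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_OVER_TLS_PORT "DNS-over-TLS"` opens tcp/853 to any destination, while the only DoT peers this image configures are the two addresses in base/mkosi.extra/etc/systemd/resolved.conf (the Azure profile turns DoT off on its link). Scoping the rule to those resolver addresses keeps the egress allow-list as tight as the rest of the chain; the helpers visible here are `drop_dst_ip` and `accept_dst_port`, so this may need an address-scoped accept helper or an explicit rule rather than a one-word change. The same applies to the bob-l2 firewall-config hunk and to both toggle-config entries, which advertise 853 without naming the resolvers.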
@@ -7,14 +7,4 @@ set -euxo pipefail
 mkosi-chroot groupadd -r eth
 mkosi-chroot useradd -r -s /bin/false -G eth lighthouse
-# Install lighthouse
-install -m 755 services/bin/lighthouse-init "$BUILDROOT/usr/bin/"
-
-# Enable services
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-for service in \
- lighthouse.service
-do
- mkosi-chroot systemctl enable "$service"
- ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
-done
+mkosi-chroot systemctl add-wants minimal.target lighthouse
diff --git a/bob-l1/readme.md b/bob-l1/readme.md
index edb9bba2..e24f1a42 100644
--- a/bob-l1/readme.md
+++ b/bob-l1/readme.md
@@ -601,9 +601,9 @@ Developer Notes
 ### Service Order
-1. Initialize network (**name:** `network-setup.service`)
-2. Get searcher key from LUKS partition or wait for key on port 8080 (**name:** `wait-for-key.service`) (**after:** `network-setup.service`)
-3. Setup firewall (**name:** `searcher-firewall.service`) (**after:** `network-setup.service`)
+1. Initialize network via `systemd-networkd.service`
+2. Get searcher key from LUKS partition or wait for key on port 8080 (**name:** `wait-for-key.service`) (**after:** `network-online.target`)
+3. Setup firewall (**name:** `searcher-firewall.service`) (**after:** `network-online.target`)
 4. Start dropbear server for `initialize`, `toggle`, etc. (**name:** `dropbear.service`) (**after:** `wait-for-key.service`, `searcher-firewall.service`)
 5. Open a log socket and forward text from it to the delayed log file after 300s (**name:** searcher-log-reader.service) (**after:** `/persistent` is mounted)
 6. Write new text in `bob.log` to the log socket (**name:** searcher-log-writer.service) (**after:** searcher-log-reader.service)
diff --git a/bob-l2.conf b/bob-l2.conf
index 80690614..1900d3dc 100644
--- a/bob-l2.conf
+++ b/bob-l2.conf
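Review bot: `mkosi-chroot systemctl add-wants minimal.target lighthouse` drops the `.service` suffix that every other add-wants call in this change spells out (bob-common/mkosi.postinst, 90-debloat-systemd.sh); systemctl appends it, but the bare name reads like a typo, and `mkosi-chroot systemctl add-wants minimal.target lighthouse.service` keeps the call sites uniform. Also, lighthouse-init is now delivered through mkosi.extra instead of `install -m 755`, so its execute bit comes from the git file mode of the renamed file; the 100% rename entry does not show a mode, so confirm it is executable in the tree, otherwise the unit that runs it fails at start.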
@@ -7,7 +7,7 @@ Include=bob-l2/mkosi.conf
 Profiles=gcp
 [Distribution]
-Mirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/
+Snapshot=20251113T083151Z
 [Build]
 ToolsTreeMirror=https://snapshot.debian.org/archive/debian/20251113T083151Z/
diff --git a/bob-l2/mkosi.extra/etc/bob/firewall-config b/bob-l2/mkosi.extra/etc/bob/firewall-config
index 85e7925f..30e1aebb 100644
--- a/bob-l2/mkosi.extra/etc/bob/firewall-config
+++ b/bob-l2/mkosi.extra/etc/bob/firewall-config
@@ -11,6 +11,7 @@ SEARCHER_INPUT_TCP_PORT=27018
 # Well-known ports
 DNS_PORT=53
+DNS_OVER_TLS_PORT=853
 HTTP_PORT=80
 HTTPS_PORT=443
 NTP_PORT=123
@@ -67,6 +68,7 @@ drop_dst_ip $CHAIN_MAINTENANCE_OUT "$CONFIG_SIMULATOR_IP" "Simulator (blocked in
 accept_dst_port $CHAIN_MAINTENANCE_OUT udp $DNS_PORT "DNS (UDP)"
 accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_PORT "DNS (TCP)"
+accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_OVER_TLS_PORT "DNS-over-TLS"
 accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTP_PORT "HTTP"
 accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTPS_PORT "HTTPS"
diff --git a/bob-l2/mkosi.extra/etc/bob/toggle-config b/bob-l2/mkosi.extra/etc/bob/toggle-config
index a75e9b30..1359d2f3 100644
--- a/bob-l2/mkosi.extra/etc/bob/toggle-config
+++ b/bob-l2/mkosi.extra/etc/bob/toggle-config
@@ -21,6 +21,7 @@ MAINTENANCE_ENDPOINTS=(
 "tcp:10022:SSH data port"
 "tcp:53:DNS"
 "udp:53:DNS"
+ "tcp:853:DNS-over-TLS"
 "tcp:80:HTTP"
 "tcp:443:HTTPS"
 "tcp:40404:OP-Geth P2P"
diff --git a/bob-l2/mkosi.extra/etc/systemd/system/fetch-config.service b/bob-l2/mkosi.extra/etc/systemd/system/fetch-config.service
index 258aeda0..28779a07 100644
--- a/bob-l2/mkosi.extra/etc/systemd/system/fetch-config.service
+++ b/bob-l2/mkosi.extra/etc/systemd/system/fetch-config.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Fetch some configuration variables from Vault
-After=network.target network-setup.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 [Service]
 Type=oneshot
diff --git a/buildernet.conf b/buildernet.conf
deleted file mode 100644
index 41897e36..00000000
--- a/buildernet.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Include]
-Include=base/mkosi.conf
-Include=buildernet/mkosi.conf
diff --git a/buildernet/mkosi.build b/buildernet/mkosi.build
deleted file mode 100755
index 664e5043..00000000
--- a/buildernet/mkosi.build
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-
-source scripts/build_rust_package.sh
-
-build_rust_package \
- "lighthouse" \
- "v7.1.0" \
- "https://github.com/sigp/lighthouse.git" \
- "$LIGHTHOUSE_BINARY" \
- "" \
- "-l z -l zstd -l snappy"
-
-build_rust_package \
- "reth" \
- "v1.0.8" \
- "https://github.com/paradigmxyz/reth.git" \
- "$RETH_BINARY" \
- "jemalloc"
-
-build_rust_package \
- "rbuilder" \
- "v0.1.2" \
- "https://github.com/flashbots/rbuilder-operator.git" \
- "$RBUILDER_BINARY"
diff --git a/buildernet/mkosi.conf b/buildernet/mkosi.conf
deleted file mode 100644
index 8c840493..00000000
--- a/buildernet/mkosi.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-[Build]
-Environment=LIGHTHOUSE_BINARY RETH_BINARY RBUILDER_BINARY
-WithNetwork=true
-
-[Content]
-SkeletonTrees=buildernet/mkosi.skeleton
-PostInstallationScripts=buildernet/mkosi.postinst
-PostInstallationScripts=buildernet/render-config.sh
-BuildScripts=buildernet/mkosi.build
-
-Packages=prometheus
- prometheus-node-exporter
- prometheus-process-exporter
- rclone
- openntpd
- libsnappy1v5
- netcat-openbsd
- bubblewrap
-BuildPackages=cargo
- libleveldb-dev
- libsnappy-dev
- zlib1g-dev
- libzstd-dev
- libpq-dev
- protobuf-compiler
diff --git a/buildernet/mkosi.postinst b/buildernet/mkosi.postinst
deleted file mode 100755
index 3804cd99..00000000
--- a/buildernet/mkosi.postinst
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-
-# Create groups/users
-mkosi-chroot groupadd -r eth
-mkosi-chroot useradd -r -s /bin/false -G eth reth
-mkosi-chroot useradd -r -s /bin/false -G eth lighthouse
-mkosi-chroot useradd -r -s /bin/false -G eth rbuilder
-
-# Install scripts
-install -m 755 services/bin/reth-sync "$BUILDROOT/usr/bin/"
-install -m 755 services/bin/lighthouse-init "$BUILDROOT/usr/bin/"
-install -m 755 services/bin/rbuilder-init "$BUILDROOT/usr/bin/"
-
-# Install systemd service units
-SERVICE_DIR="$BUILDROOT/etc/systemd/system"
-mkdir -p "$SERVICE_DIR"
-
-# Copy systemd service files for buildernet
-for service in \
- persistence-setup # reth reth-sync \
- # rbuilder-bidding rbuilder
-do
- install -m 644 "services/systemd/$service.service" "$SERVICE_DIR/"
-done
\ No newline at end of file
diff --git a/buildernet/mkosi.skeleton/etc/bidding.toml.mustache b/buildernet/mkosi.skeleton/etc/bidding.toml.mustache
deleted file mode 100644
index 32d242fd..00000000
--- a/buildernet/mkosi.skeleton/etc/bidding.toml.mustache
+++ /dev/null
@@ -1,7 +0,0 @@
-ipc_path = "/var/run/rbuilder/rpc_bidding_server.sock"
-
-log_color = false
-log_json = true
-log_level = "info"
-
-{{{bidding_service.config}}}
\ No newline at end of file
diff --git a/buildernet/mkosi.skeleton/etc/rbuilder.config.mustache b/buildernet/mkosi.skeleton/etc/rbuilder.config.mustache
deleted file mode 100644
index af8bd131..00000000
--- a/buildernet/mkosi.skeleton/etc/rbuilder.config.mustache
+++ /dev/null
@@ -1,74 +0,0 @@
-bidding_service_ipc_path = "/var/run/rbuilder/rpc_bidding_server.sock"
-blocklist_file_path = "/persistent/rbuilder/rbuilder.blocklist.json"
-blocks_processor_url = "https://orderflow-archive.flashbots.net/api"
-chain = "mainnet"
-cl_node_url = ["http://127.0.0.1:3500"]
-coinbase_secret_key = "{{rbuilder.coinbase_secret_key}}"
-dry_run = {{rbuilder.dry_run}}
-dry_run_validation_url = "http://127.0.0.1:9999"
-el_node_ipc_path = "/tmp/reth.ipc"
-error_storage_path = "/tmp/rbuilder_errors.sqlite"
-extra_data = "{{rbuilder.extra_data}}"
-full_telemetry_server_ip = "127.0.0.1"
-full_telemetry_server_port = 6060
-ignore_blobs = false
-ignore_cancellable_orders = false
-jsonrpc_server_ip = "127.0.0.1"
-jsonrpc_server_port = 8645
-live_builders = ["mgp-ordering", "mp-ordering", "mp-ordering-cb", "mp-ordering-deadline"]
-log_color = false
-log_json = true
-log_level = "info,rbuilder=debug"
-max_concurrent_seals = 1
-optimistic_enabled = false
-relay_secret_key = "{{rbuilder.relay_secret_key}}"
-reth_db_path = "/persistent/reth/db"
-reth_static_files_path = "/persistent/reth/static_files"
-root_hash_task_pool_threads = 6
-root_hash_use_sparse_trie = true
-sbundle_mergeabe_signers = ["0xFC171C46A32DC7fF09fBDDD4884a65b2aD596517"]
-simulation_threads = 4
-top_bid_ws_basic_auth = "{{rbuilder.top_bid_ws_basic_auth}}"
-top_bid_ws_url = "{{rbuilder.top_bid_ws_url}}"
-watchdog_timeout_sec = 45
-
-[[builders]]
-algo = "ordering-builder"
-discard_txs = true
-drop_failed_orders = true
-failed_order_retries = 1
-name = "mgp-ordering"
-sorting = "mev-gas-price"
-
-[[builders]]
-algo = "ordering-builder"
-discard_txs = true
-drop_failed_orders = true
-failed_order_retries = 1
-name = "mp-ordering"
-sorting = "max-profit"
-
-[[builders]]
-algo = "ordering-builder"
-build_duration_deadline_ms = 30
-discard_txs = true
-drop_failed_orders = true
-failed_order_retries = 1
-name = "mp-ordering-deadline"
-sorting = "max-profit"
-
-[[builders]]
-algo = "ordering-builder"
-coinbase_payment = true
-discard_txs = true
-drop_failed_orders = true
-failed_order_retries = 1
-name = "mp-ordering-cb"
-sorting = "max-profit"
-
-[[builders]]
-algo = "merging-builder"
-discard_txs = true
-merge_wait_time_ms = 300
-name = "merging"
-num_threads = 3
diff --git a/buildernet/mkosi.skeleton/etc/rclone.conf.mustache b/buildernet/mkosi.skeleton/etc/rclone.conf.mustache
deleted file mode 100644
index 1713cd67..00000000
--- a/buildernet/mkosi.skeleton/etc/rclone.conf.mustache
+++ /dev/null
@@ -1,9 +0,0 @@
-[r2]
-type = s3
-provider = Cloudflare
-endpoint = {{rclone.bucket_endpoint}}
-region = auto
-acl = private
-no_check_bucket = true
-access_key_id = {{rclone.access_key_id}}
-secret_access_key = {{rclone.secret_access_key}}
diff --git a/buildernet/mkosi.skeleton/etc/systemd/system/lighthouse.service b/buildernet/mkosi.skeleton/etc/systemd/system/lighthouse.service
deleted file mode 100644
index dd64addc..00000000
--- a/buildernet/mkosi.skeleton/etc/systemd/system/lighthouse.service
+++ /dev/null
@@ -1,34 +0,0 @@
-[Unit]
-Description=Lighthouse Consensus Client
-After=network.target network-setup.service persistent-mount.service
-Requires=network-setup.service persistent-mount.service
-
-[Service]
-Type=exec
-User=lighthouse
-Group=eth
-ExecStartPre=+/usr/bin/lighthouse-init
-ExecStart=/usr/bin/lighthouse bn \
- --eth1 \
- --checkpoint-sync-url https://mainnet.checkpoint.sigp.io \
- --execution-endpoint http://localhost:8551 \
- --execution-jwt /tmp/jwt.hex \
- --suggested-fee-recipient 0x000000000000000000000000000000000000dead \
- --http-allow-sync-stalled \
- --always-prepare-payload \
- --prepare-payload-lookahead 8000 \
- --disable-deposit-contract-sync \
- --http \
- --port 9000 \
- --http-port 3500 \
- --metrics \
- --metrics-address 127.0.0.1 \
- --metrics-port 5054 \
- --datadir /persistent/lighthouse
-Restart=on-failure
-RestartSec=10
-StandardOutput=journal
-StandardError=journal
-
-[Install]
-WantedBy=minimal.target
\ No newline at end of file
diff --git a/buildernet/render-config.sh b/buildernet/render-config.sh
deleted file mode 100755
index 8102fa82..00000000
--- a/buildernet/render-config.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-
-# TODO: Convert this file into a service that pulls from buildernet
-
-ENV_FILE="env.json"
-if [ ! -f "$ENV_FILE" ]; then
- echo "Error: env.json not found"
- exit 1
-fi
-
-# Find and process all mustache templates in skeleton directory
-find buildernet/mkosi.skeleton -type f -name "*.mustache" | while read -r template; do
- rel_path="${template#buildernet/mkosi.skeleton/}"
- output_path="$BUILDROOT/${rel_path%.mustache}"
- mustache "$ENV_FILE" "$template" > "$output_path"
- rm "$BUILDROOT/$rel_path"
-done
-
-# Download rbuilder-bidding binary
-export rbuilder_version="v0.4.2"
-export github_token="$(jq -j ".bidding_service.github_token" env.json)"
-export rbuilder_url="https://api.github.com/repos/flashbots/rbuilder-bidding-service/releases/tags/$rbuilder_version"
-export headers="Authorization: token $github_token"
-export asset_url=$(curl -s -H "$headers" "$rbuilder_url" | jq -j '.assets[] | select(.name == "bidding-service") | .url')
-curl -s -H "$headers" -H "Accept: application/octet-stream" -L "$asset_url" -o "$BUILDROOT/usr/bin/bidding-service"
-chmod +x "$BUILDROOT/usr/bin/bidding-service"
-
-# Set permissions of templated files
-chmod 640 "$BUILDROOT/etc/rbuilder.config"
-chmod 600 "$BUILDROOT/etc/rclone.conf"
diff --git a/env.json.example b/env.json.example
deleted file mode 100644
index 41278556..00000000
--- a/env.json.example
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "bidding_service_download": {
- "github_token": "",
- "config": ""
- },
- "fluentbit": {
- "aws_access_key_id": "",
- "aws_secret_access_key": ""
- },
- "rbuilder": {
- "coinbase_secret_key": "",
- "dry_run": "true",
- "optimistic_relay_secret_key": "",
- "relay_secret_key": "",
- "top_bid_ws_basic_auth": "",
- "top_bid_ws_url": ""
- },
- "rclone": {
- "access_key_id": "",
- "bucket_endpoint": "",
- "secret_access_key": ""
- }
-}
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index 7dcb42b7..0c6ae986 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1746904237,
- "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
+ "lastModified": 1769170682,
+ "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
+ "rev": "c5296fdd05cfa2c187990dd909864da9658df755",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 7e423ba3..3a9a9f04 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,14 +44,14 @@
 src = pkgs.fetchFromGitHub {
 owner = "flashbots";
 repo = "dstack-mr-gcp";
- rev = "ee95d36c8f18d159f6ada31474555e4a253b3897";
- sha256 = "sha256-vAYN4zFXHSxd86KP+Toqh1ZDa4+KGLNsQoOuTr45pGg=";
+ rev = "503e7c506f89f9d81be04025c90921778b26f0a4";
+ sha256 = "sha256-z6STTgcOXatiqA2rlpzwRyvAwnXrK30oNDCJqtIp7/8=";
 };
 vendorHash = "sha256-glOyRTrIF/zP78XGV+v58a1Bec6C3Fvc5c8G3PglzPM=";
 };
 mkosi = system: let
 pkgsForSystem = import nixpkgs {inherit system;};
- mkosi-unwrapped = pkgsForSystem.mkosi.override {
+ mkosi-unwrapped = (pkgsForSystem.mkosi.override {
 extraDeps = with pkgsForSystem; [
 apt
@@ -74,7 +74,39 @@ jq ] ++ [reprepro]; - }; + }).overrideAttrs (old: { + src = pkgsForSystem.fetchFromGitHub { + owner = "alexhulbert"; + repo = "mkosi"; + rev = "1c15276e3bdb379bd62629420a55eae4a4091b24"; + hash = "sha256-N7P39o2FyGvbnVU7SQadF19WFTTNzSf2iLprYIUwYY8="; + }; + patches = let + # TODO: remove the hunk from nixpkgs and remove this hack + # Newest mkosi adds nix store paths to PATH dynamically + # so this patch hunk in nixpkgs is no longer needed + patchWithoutFinalizePath = pkgsForSystem.runCommandLocal "mkosi-patch-fixed" {} '' + ${pkgsForSystem.gawk}/bin/awk ' + /^@@ .* finalize_path\(/ { skip=1; next } + skip && /^(@@|diff )/ { skip=0 } + !skip + ' ${builtins.elemAt old.patches 0} > $out + ''; + in [patchWithoutFinalizePath] ++ builtins.tail old.patches; + postFixup = (old.postFixup or "") + '' + # Fix mkosi-sandbox: Nix wraps console_scripts entry points via + # "from mkosi.sandbox import main", so __name__ in sandbox.py is + # "mkosi.sandbox" not "__main__", breaking is_main() checks. + # Use runpy to run the module as __main__ instead. + substituteInPlace $out/bin/.mkosi-sandbox-wrapped \ + --replace-fail \ + 'from mkosi.sandbox import main' \ + 'import runpy' \ + --replace-fail \ + $'sys.argv[0] = re.sub(r"(-script\\.pyw|\\.exe)?$", "", sys.argv[0])\n sys.exit(main())' \ + 'runpy.run_module("mkosi.sandbox", run_name="__main__", alter_sys=True)' + ''; + }); in # Create a wrapper script that runs mkosi with unshare # Unshare is needed to create files owned by multiple uids/gids @@ -90,11 +122,7 @@ devShells = builtins.listToAttrs (map (system: { name = system; value.default = pkgs.mkShell { - nativeBuildInputs = [ - (mkosi system) - measured-boot - measured-boot-gcp - ]; + nativeBuildInputs = [(mkosi system) measured-boot measured-boot-gcp]; shellHook = '' mkdir -p mkosi.packages mkosi.cache mkosi.builddir ~/.cache/mkosi touch mkosi.builddir/debian-backports.sources 
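Review bot: The image builder is now pinned to a personal fork (`owner = "alexhulbert"; repo = "mkosi";`) instead of the nixpkgs package, and nothing in the hunk records what the fork carries or when it can be dropped; for a toolchain that produces attestable images that provenance belongs next to the `src` override, e.g. `# Fork of upstream mkosi at <UPSTREAM-REV placeholder>; carries <FORK-CHANGES placeholder>. Drop once nixpkgs ships a release containing them.` The `rev`/`hash` pin keeps the fetch reproducible, so this is a documentation gap rather than a build defect. `builtins.elemAt old.patches 0` and `builtins.tail old.patches` also hard-code the position of the nixpkgs patch being filtered; if nixpkgs reorders its patch list the awk filter would presumably pass the wrong file through untouched and the build would fail at patch time with no hint why, so selecting the patch by `baseNameOf` or asserting on its name would make the TODO safer to carry. The enclosing `mkosi = system: let … in` expression starts in the previous hunk.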
diff --git a/mkosi.profiles/azure/mkosi.conf b/mkosi.profiles/azure/mkosi.conf index b28c483a..9c28b6da 100644 --- a/mkosi.profiles/azure/mkosi.conf +++ b/mkosi.profiles/azure/mkosi.conf @@ -1,4 +1,2 @@ [Content] -SkeletonTrees=azure-complete-provisioning.service:/etc/systemd/system/azure-complete-provisioning.service -SkeletonTrees=azure-complete-provisioning:/usr/bin/azure-complete-provisioning Packages=dmidecode diff --git a/mkosi.profiles/azure/mkosi.extra/etc/systemd/network/99-azure-dns.network b/mkosi.profiles/azure/mkosi.extra/etc/systemd/network/99-azure-dns.network new file mode 100644 index 00000000..eae5e182 --- /dev/null +++ b/mkosi.profiles/azure/mkosi.extra/etc/systemd/network/99-azure-dns.network @@ -0,0 +1,8 @@ +[Match] +Name=eth* en* + +[Network] +# Azure internal DNS +DNS=168.63.129.16 +Domains=~internal.cloudapp.net +DNSOverTLS=no diff --git a/mkosi.profiles/azure/azure-complete-provisioning.service b/mkosi.profiles/azure/mkosi.extra/etc/systemd/system/azure-complete-provisioning.service similarity index 74% rename from mkosi.profiles/azure/azure-complete-provisioning.service rename to mkosi.profiles/azure/mkosi.extra/etc/systemd/system/azure-complete-provisioning.service index 4d8866dd..bb35fe7e 100644 --- a/mkosi.profiles/azure/azure-complete-provisioning.service +++ b/mkosi.profiles/azure/mkosi.extra/etc/systemd/system/azure-complete-provisioning.service @@ -1,7 +1,7 @@ [Unit] Description=Report VM is ready to Azure API -After=network.target network-setup.service -Requires=network-setup.service +After=network-online.target +Wants=network-online.target [Service] Type=oneshot diff --git a/mkosi.profiles/azure/azure-complete-provisioning b/mkosi.profiles/azure/mkosi.extra/usr/bin/azure-complete-provisioning similarity index 100% rename from mkosi.profiles/azure/azure-complete-provisioning rename to mkosi.profiles/azure/mkosi.extra/usr/bin/azure-complete-provisioning 
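Review bot: A `.network` file is not a drop-in: systemd-networkd applies only the first `.network` whose `[Match]` section matches an interface, so if the base image already ships a file matching `eth*`/`en*` with a lower sort prefix, `99-azure-dns.network` is never consulted and its `DNS=`/`Domains=` settings silently do nothing. I cannot see the base profile from here, so please confirm; if such a file exists, these settings belong in a drop-in under `<existing>.network.d/` so they merge instead of competing. `DNSOverTLS=no` is an explicit opt-out with no rationale; a comment such as `# DoT disabled: <REASON placeholder, e.g. the cloud-internal resolver at this address does not offer it>` would keep a later hardening pass from flipping it blindly. The same two points apply to `99-gcp-dns.network` further down.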
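Review bot: `After=network-online.target` only delays this unit past network setup if a wait-online service (`systemd-networkd-wait-online.service` for a networkd image) is enabled; otherwise the target is reached immediately and the provisioning report can race the interface coming up, which the previous `Requires=network-setup.service` presumably prevented. I cannot see whether the base profile enables a wait-online service, so please confirm, and add a comment such as `# network-online.target is only meaningful with a wait-online service enabled (see base profile)` so the dependency is not weakened unknowingly. The same swap is made in set-hostname.service and dummy-tdx-dcap.service below.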
diff --git a/mkosi.profiles/azure/mkosi.postinst b/mkosi.profiles/azure/mkosi.postinst deleted file mode 100755 index c1b3474f..00000000 --- a/mkosi.profiles/azure/mkosi.postinst +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash - -set -euxo pipefail - -mkosi-chroot systemctl enable "azure-complete-provisioning.service" -ln -sf "/etc/systemd/system/azure-complete-provisioning.service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/" diff --git a/mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service b/mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service index 04352634..bfcfdd63 100644 --- a/mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service +++ b/mkosi.profiles/devtools/mkosi.extra/etc/systemd/system/serial-console.service @@ -13,5 +13,3 @@ Restart=always [Install] WantedBy=minimal.target -WantedBy=rescue.target -WantedBy=emergency.target diff --git a/mkosi.profiles/devtools/mkosi.postinst b/mkosi.profiles/devtools/mkosi.postinst index 5eca88d7..98af4442 100755 --- a/mkosi.profiles/devtools/mkosi.postinst +++ b/mkosi.profiles/devtools/mkosi.postinst @@ -13,6 +13,6 @@ if [ -f "$BUILDROOT/etc/default/dropbear" ]; then else echo "PermitRootLogin yes" >> "$BUILDROOT/etc/ssh/sshd_config" echo "PasswordAuthentication yes" >> "$BUILDROOT/etc/ssh/sshd_config" - mkosi-chroot systemctl enable ssh.service mkosi-chroot systemctl unmask ssh.service ssh.socket + mkosi-chroot systemctl add-wants minimal.target ssh.service fi diff --git a/mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf b/mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf deleted file mode 100644 index 6c6486e6..00000000 --- a/mkosi.profiles/gcp/mkosi.extra/etc/resolv.conf +++ /dev/null @@ -1,2 +0,0 @@ -nameserver 169.254.169.254 -options edns0 trust-ad 
diff --git a/mkosi.profiles/gcp/mkosi.extra/etc/systemd/network/99-gcp-dns.network b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/network/99-gcp-dns.network new file mode 100644 index 00000000..5bf197c1 --- /dev/null +++ b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/network/99-gcp-dns.network @@ -0,0 +1,8 @@ +[Match] +Name=eth* en* + +[Network] +# GCP internal DNS +DNS=169.254.169.254 +Domains=~internal ~google.internal +DNSOverTLS=no diff --git a/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service index 209cd01f..eb16abf9 100644 --- a/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service +++ b/mkosi.profiles/gcp/mkosi.extra/etc/systemd/system/set-hostname.service @@ -1,8 +1,8 @@ [Unit] Description=Set hostname ConditionFirstBoot=yes -After=network.target network-setup.service -Wants=network-setup.service +After=network-online.target +Wants=network-online.target [Service] User=root @@ -11,4 +11,4 @@ Type=oneshot ExecStart=/usr/bin/set-hostname.sh [Install] -WantedBy=default.target +WantedBy=minimal.target diff --git a/mkosi.profiles/gcp/mkosi.postinst b/mkosi.profiles/gcp/mkosi.postinst index c1ad20cc..bd8a5155 100755 --- a/mkosi.profiles/gcp/mkosi.postinst +++ b/mkosi.profiles/gcp/mkosi.postinst @@ -9,14 +9,9 @@ echo "/dev/disk/by-id/google-data" >> "$BUILDROOT/etc/tdx-init/disk-glob" # Enable systemd services mkdir "$BUILDROOT/etc/systemd/system/minimal.target.wants" || true + mkosi-chroot systemctl unmask sys-kernel-config.mount -for service in \ - sys-kernel-config.mount \ - set-hostname.service -do - mkosi-chroot systemctl enable "$service" - ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/" -done +mkosi-chroot systemctl add-wants minimal.target sys-kernel-config.mount if [ -f /etc/rsyslog.d/50-default.conf ]; then sed -i 's/^.*\/var\/log\/syslog.*$/# &/' /etc/rsyslog.d/50-default.conf 
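Review bot: `set-hostname.service` was dropped from the enable loop but nothing in the new code replaces it; the hunk appears to rely on the unit's `[Install] WantedBy=minimal.target` (changed in the set-hostname.service hunk above) being applied by a preset step elsewhere in the mkosi run, which I cannot confirm from here — if it is not, the GCP hostname is never set on first boot. A one-line comment stating which mechanism enables it, e.g. `# set-hostname.service is enabled via its [Install] section by <MECHANISM placeholder>`, would make the omission deliberate rather than suspicious. `systemctl add-wants` creates the `.wants` directory as needed, so the preceding `mkdir … || true` context line is now redundant, and its `|| true` masks a pre-existing non-directory at that path. The `if [ -f /etc/rsyslog.d/50-default.conf ]` block continues outside the hunk.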
diff --git a/mkosi.profiles/gcp/mkosi.postoutput b/mkosi.profiles/gcp/mkosi.postoutput
index 83228a42..2d4dbe66 100755
--- a/mkosi.profiles/gcp/mkosi.postoutput
+++ b/mkosi.profiles/gcp/mkosi.postoutput
@@ -1,53 +1,30 @@ #!/bin/bash -set -euxo pipefail -EFI="${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.efi" -TAR="${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.tar.gz" -TMP="${OUTPUTDIR}/gcp-tmp" - -[ ! -f "$EFI" ] && echo "Error: $EFI not found" && exit 1 - -mkdir -p "$TMP" - -# Fixed GUIDs and IDs -DISK_GUID="12345678-1234-5678-1234-567812345678" -PARTITION_GUID="87654321-4321-8765-4321-876543218765" -FAT_SERIAL="12345678" - -# Create 500MB ESP -dd if=/dev/zero of="$TMP/esp.img" bs=1M count=500 - -# Format with fixed volume serial number and label -mformat -i "$TMP/esp.img" -F -v "ESP" -N "$FAT_SERIAL" :: - -# Create directory structure -mmd -i "$TMP/esp.img" ::EFI ::EFI/BOOT - -# Copy files with deterministic timestamps -# -D o sets file times to 1980-01-01 (DOS epoch) -mcopy -D o -i "$TMP/esp.img" "$EFI" ::EFI/BOOT/BOOTX64.EFI - -# Create 1GB disk with GPT -dd if=/dev/zero of="$TMP/disk.raw" bs=1M count=1024 -sgdisk --disk-guid="$DISK_GUID" "$TMP/disk.raw" - -# Create ESP partition -# -n creates partition (number:start:end) -# -t sets type (1:ef00 for ESP) -# -u sets partition GUID -# -c sets partition name -sgdisk -n 1:2048:1026047 \ - -t 1:ef00 \ - -u 1:"$PARTITION_GUID" \ - -c 1:"ESP" \ - -A 1:set:0 \ - "$TMP/disk.raw" - -# Write ESP image to partition area -dd if="$TMP/esp.img" of="$TMP/disk.raw" bs=512 seek=2048 conv=notrunc -touch -d "2024-01-01 00:00:00 UTC" "$TMP/disk.raw" 2>/dev/null || true - -# Create GCP tar.gz -tar --format=oldgnu -Sczf "$TAR" -C "$TMP" disk.raw - -rm -rf "$TMP" +set -eu -o pipefail + +export SOURCE_DATE_EPOCH=0 # not propagated from the main config, needed for mkfs.vfat +export SYSTEMD_REPART_MKFS_OPTIONS_VFAT="-i 12345678 --invariant" +mkdir -p ${OUTPUTDIR}/esp/EFI/BOOT +cp ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.efi ${OUTPUTDIR}/esp/EFI/BOOT/BOOTX64.EFI +# Set fixed timestamps for reproducibility (FAT uses file mtime for directory entries) +find ${OUTPUTDIR}/esp -exec touch -d "@${SOURCE_DATE_EPOCH}" {} + +rm -f 
${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.raw + +# Hack to use the newer systemd-repart from nix instead of mkosi.tools one +# TODO: remove after updating mkosi +PATH="${PATH#/usr/bin:/usr/sbin:}" systemd-repart --empty=create \ + --size=1G \ + --definitions=mkosi.profiles/gcp/repart.d \ + --copy-source=${OUTPUTDIR} \ + --seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c \ + --dry-run=no \ + ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.raw +sgdisk --disk-guid "12345678-1234-5678-1234-567812345678" ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.raw + +rm -rf ${OUTPUTDIR}/esp + +cd ${OUTPUTDIR} +ln -sf ${IMAGE_ID}_${IMAGE_VERSION}.raw disk.raw +tar --mtime="@${SOURCE_DATE_EPOCH}" --dereference --format=oldgnu -Sczf ${IMAGE_ID}_${IMAGE_VERSION}.tar.gz disk.raw +unlink disk.raw +rm -f ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.raw diff --git a/mkosi.profiles/gcp/repart.d/00-uki.conf b/mkosi.profiles/gcp/repart.d/00-uki.conf new file mode 100644 index 00000000..b161a108 --- /dev/null +++ b/mkosi.profiles/gcp/repart.d/00-uki.conf @@ -0,0 +1,8 @@ +[Partition] +Type=esp +Format=vfat +CopyFiles=/esp:/ +Minimize=off +UUID=87654321-4321-8765-4321-876543218765 +SizeMinBytes=524288000 +SizeMaxBytes=524288000 diff --git a/services/bin/rbuilder-init b/services/bin/rbuilder-init deleted file mode 100755 index 94e4ff29..00000000 --- a/services/bin/rbuilder-init +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -set -e - -# Create necessary directories -mkdir -p /var/run/rbuilder /persistent/rbuilder -chown -R rbuilder:eth /var/run/rbuilder /persistent/rbuilder /etc/rbuilder.config -chmod 640 /etc/rbuilder.config -chmod 770 /var/run/rbuilder - -# Create initial blocklist file -if [ ! -f /persistent/rbuilder/rbuilder.blocklist.json ]; then - echo '{}' > /persistent/rbuilder/rbuilder.blocklist.json - chmod 640 /persistent/rbuilder/rbuilder.blocklist.json - chown rbuilder:eth /persistent/rbuilder/rbuilder.blocklist.json -fi \ No newline at end of file 
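Review bot: Every `${OUTPUTDIR}`/`${IMAGE_ID}`/`${IMAGE_VERSION}` expansion in the rewritten script is unquoted (`mkdir -p ${OUTPUTDIR}/esp/EFI/BOOT`, the `find … -exec touch`, `rm -rf ${OUTPUTDIR}/esp`, `cd ${OUTPUTDIR}`), a regression from the old script which quoted them; `set -u` catches an unset variable but not a path containing whitespace or glob characters, and with `rm -rf` in the mix that is worth fixing: `rm -rf "${OUTPUTDIR}/esp"` and likewise throughout. The `PATH="${PATH#/usr/bin:/usr/sbin:}" systemd-repart …` hack strips only that exact prefix; if PATH is ordered differently the mkosi.tools `systemd-repart` is picked silently and the `SYSTEMD_REPART_MKFS_OPTIONS_VFAT` reproducibility assumption may not hold, so a guard that fails loudly, e.g. `command -v systemd-repart` echoed before the call or a minimum-version check, would make the TODO safe to carry. The fixed `--seed`, disk GUID and `SOURCE_DATE_EPOCH=0` are the reproducibility knobs; a comment such as `# Constant seed/GUIDs/epoch on purpose: the output image must hash identically across builds` would stop a later reader from treating them as weak randomness.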
diff --git a/services/bin/reth-sync b/services/bin/reth-sync deleted file mode 100755 index f7dbe8c9..00000000 --- a/services/bin/reth-sync +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -set -e - -# Set up directories -mkdir -p /persistent/reth -chown reth:eth /persistent/reth - -# Get latest version and sync -LATEST_META=$(rclone --config /etc/rclone.conf cat r2:chain-db-snapshots/reth-mainnet-full/latest_version.meta.txt) - -rclone sync --config /etc/rclone.conf -v -P \ - --transfers=20 --multi-thread-streams 30 \ - --contimeout=10m --retries 10 --retries-sleep 60s \ - --error-on-no-transfer --update --fast-list \ - --delete-during --disable-http2 --no-gzip-encoding \ - --exclude 'files.txt' \ - r2:chain-db-snapshots/reth-mainnet-full/$LATEST_META/ /persistent/reth \ No newline at end of file diff --git a/services/systemd/persistence-setup.service b/services/systemd/persistence-setup.service deleted file mode 100644 index d03b6a1f..00000000 --- a/services/systemd/persistence-setup.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=Setup Persistent Storage -DefaultDependencies=no -After=local-fs-pre.target -Before=local-fs.target - -[Service] -Type=oneshot -ExecStart=/bin/sh -c "if [ -e /dev/vda ] && ! blkid /dev/vda | grep -q 'TYPE=\"ext4\"'; then mkfs.ext4 -F /dev/vda; fi" -ExecStart=/bin/sh -c "mkdir -p /persistent" -ExecStart=/bin/sh -c "mount /dev/vda /persistent || echo 'Failed to mount persistent storage'" -RemainAfterExit=yes - -[Install] -WantedBy=sysinit.target \ No newline at end of file diff --git a/services/systemd/rbuilder-bidding.service b/services/systemd/rbuilder-bidding.service deleted file mode 100644 index 8d039242..00000000 --- a/services/systemd/rbuilder-bidding.service +++ /dev/null 
@@ -1,30 +0,0 @@ -[Unit] -Description=RBuilder Bidding Service -After=network.target network-setup.service persistent-mount.service rbuilder.service -Requires=network-setup.service persistent-mount.service rbuilder.service - -[Service] -Type=exec -User=rbuilder -Group=eth -WorkingDirectory=/var/run/rbuilder -ExecStart=/usr/bin/bwrap \ - --ro-bind /usr /usr \ - --ro-bind /lib /lib \ - --ro-bind /lib64 /lib64 \ - --ro-bind /bin /bin \ - --ro-bind /sbin /sbin \ - --ro-bind /etc/bidding.toml /config.toml \ - --bind /var/run/rbuilder /var/run/rbuilder \ - --proc /proc \ - --dev /dev \ - --clearenv \ - --unshare-pid \ - bidding-service /config.toml -Restart=on-failure -RestartSec=10 -StandardOutput=journal -StandardError=journal - -[Install] -WantedBy=minimal.target \ No newline at end of file diff --git a/services/systemd/rbuilder.service b/services/systemd/rbuilder.service deleted file mode 100644 index 764d82b7..00000000 --- a/services/systemd/rbuilder.service +++ /dev/null @@ -1,30 +0,0 @@ -[Unit] -Description=RBuilder Bidding Service -After=network.target network-setup.service persistent-mount.service -Requires=network-setup.service persistent-mount.service - -[Service] -Type=exec -User=rbuilder -Group=eth -ExecStartPre=+/usr/bin/rbuilder-init -ExecStart=/usr/bin/bwrap \ - --ro-bind /usr /usr \ - --ro-bind /lib /lib \ - --ro-bind /lib64 /lib64 \ - --ro-bind /bin /bin \ - --ro-bind /sbin /sbin \ - --ro-bind /etc/bidding.toml /config.toml \ - --bind /var/run/rbuilder /var/run/rbuilder \ - --proc /proc \ - --dev /dev \ - --clearenv \ - --unshare-pid \ - bidding-service /config.toml -Restart=on-failure -RestartSec=10 -StandardOutput=journal -StandardError=journal - -[Install] -WantedBy=minimal.target \ No newline at end of file diff --git a/services/systemd/reth-sync.service b/services/systemd/reth-sync.service deleted file mode 100644 index e47c9c85..00000000 --- a/services/systemd/reth-sync.service +++ /dev/null 
@@ -1,16 +0,0 @@ -[Unit] -Description=Reth Chain Data Sync -After=network.target network-setup.service persistent-mount.service -Requires=network-setup.service persistent-mount.service - -[Service] -User=reth -Group=eth -Type=oneshot -ExecStart=/usr/bin/reth-sync -RemainAfterExit=yes -StandardOutput=journal -StandardError=journal - -[Install] -WantedBy=minimal.target \ No newline at end of file diff --git a/services/systemd/reth.service b/services/systemd/reth.service deleted file mode 100644 index 9d41f010..00000000 --- a/services/systemd/reth.service +++ /dev/null @@ -1,32 +0,0 @@ -[Unit] -Description=Reth Execution Client -After=network-setup.service reth-sync.service persistent-mount.service -Requires=network-setup.service reth-sync.service persistent-mount.service - -[Service] -User=reth -Group=eth -ExecStart=/usr/bin/reth node \ - --full \ - --datadir "/persistent/reth" \ - --authrpc.addr 127.0.0.1 \ - --authrpc.jwtsecret "/tmp/jwt.hex" \ - --authrpc.port 8551 \ - --http \ - --http.addr 127.0.0.1 \ - --http.port 8545 \ - --http.api "eth,net,web3,trace,rpc,debug,txpool" \ - --ws \ - --ws.addr 127.0.0.1 \ - --ws.port 8546 \ - --ws.api "eth,net,trace,web3,rpc,debug,txpool" \ - --log.stdout.format json \ - --log.file.max-files 0 \ - --metrics "127.0.0.1:9001" -Restart=on-failure -RestartSec=10 -StandardOutput=journal -StandardError=journal - -[Install] -WantedBy=minimal.target \ No newline at end of file diff --git a/tdx-dummy/dummy-tdx-dcap.service b/tdx-dummy/dummy-tdx-dcap.service index f3feae45..b71ab38b 100644 --- a/tdx-dummy/dummy-tdx-dcap.service +++ b/tdx-dummy/dummy-tdx-dcap.service @@ -1,7 +1,7 @@ [Unit] Description=Dummy TDX DCAP server -After=network-setup.service -Wants=network-setup.service +After=network-online.target +Wants=network-online.target [Service] Type=exec