fixup not actually mounting the dm-verity device

Signed-off-by: Arthur Gautier <baloo@superbaloo.net>

image-builder/modules/dm-verity.nix

@@ -0,0 +1,13 @@
+{ ...
+}:
+
+{ ...
+}: {
+ config = {
+   boot.initrd.kernelModules = [
+      "dm_verity"
+   ];
+ };
+}
+
+

image-builder/modules/fs-config.nix

@@ -1,4 +1,4 @@
-{ volumeLabel
+{ integrityLabel
 }:
 
 { ...
@@ -8,16 +8,10 @@
 
    fileSystems = {
      "/" = {
-       device = "/dev/disk/by-label/${volumeLabel}";
+       device = "/dev/disk/by-id/dm-name-${integrityLabel}";
        fsType = "ext4";
        options = [ "ro" ];
      };
    };
-
-   # todo: move that
-   boot.initrd.kernelModules = [
-      "dm_verity"
-   ];
-   nix.readOnlyStore = true;
  };
 }

image-builder/modules/key-config.nix

@@ -1,6 +1,7 @@
 { key
 , volumeLabel
 , merkleTreeLabel
+, integrityLabel
 }:
 
 { pkgs
@@ -12,7 +13,7 @@
    '';
 
    boot.initrd.preLVMCommands = ''
-     veritysetup --root-hash-file=${key} create vroot /dev/disk/by-partlabel/${volumeLabel} /dev/disk/by-partlabel/${merkleTreeLabel}
+     veritysetup --root-hash-file=${key} create "${integrityLabel}" /dev/disk/by-partlabel/${volumeLabel} /dev/disk/by-partlabel/${merkleTreeLabel}
    '';
    boot.initrd.postMountCommands = ''
      mount -t tmpfs none /mnt-root/etc
@@ -21,6 +22,8 @@
      mount -t tmpfs none /mnt-root/usr/bin
      mount -t tmpfs none /mnt-root/bin
      mount -t tmpfs none /mnt-root/tmp
+
+     mkdir -p /mnt-root/nix/var/nix/gcroots/
    '';
  };
 }

image-builder/modules/readonly.nix

@@ -0,0 +1,13 @@
+{ ...
+}:
+
+{ lib
+, ...
+}: {
+ config = {
+   system.activationScripts.nix = lib.mkForce "";
+
+   nix.readOnlyStore = true;
+ };
+}
+

image-builder/verity-firmware.nix

@@ -3,21 +3,38 @@
 with lib;
 
 let
-  volumeLabel = "firmware";
-  merkleTreeLabel = "merkle-tree";
-  eval = { key ? null}: (import <nixpkgs/nixos/lib/eval-config.nix> {
+  integrityLabel = "firmware";
+  eval = { key ? null
+         , volumeLabel ? "dummy"
+         , merkleTreeLabel ? "dummy"
+  }: (import <nixpkgs/nixos/lib/eval-config.nix> {
     modules = [ configuration ];
     extraModules = [
       (import ./modules/fs-config.nix {
-        inherit volumeLabel;
+        inherit integrityLabel;
+      })
+      (import ./modules/readonly.nix {
+      })
+      (import ./modules/dm-verity.nix {
       })
     ] ++ optionals (key != null) [
       (import ./modules/key-config.nix {
-        inherit key volumeLabel merkleTreeLabel;
+        inherit key volumeLabel merkleTreeLabel integrityLabel;
       })
     ];
   });
-  config = (eval {}).config;
+
+  # Compute a unique name from the configuration itself
+  configName = (eval {}).config.system.build.toplevel.drvPath;
+  # this goes in partition labels, partition labels are 36 chars max.
+  # sha1 hexencoded would give us 40, we're using md5 instead, which yield 32chars.
+  volumeLabel = builtins.hashString "md5" (configName + "volume");
+  merkleTreeLabel = builtins.hashString "md5" (configName + "merkle-tree");
+
+  config = (eval {
+    inherit volumeLabel merkleTreeLabel;
+  }).config;
+
   rootfsImage = pkgs.callPackage <nixpkgs/nixos/lib/make-ext4-fs.nix> {
     compressImage = false;
     storePaths = [ config.system.build.toplevel ];
@@ -80,6 +97,7 @@ let
     '';
   };
   configWithKey = (eval {
+    inherit volumeLabel merkleTreeLabel;
     key = diskImage.key;
   }).config;
 in {