This is the accompanying repository for my All Systems Go 2024 talk with the same name.
Important
This repository is not meant for direct consumption via this Flake. Outputs may and will be unstable. It is rather meant as a reference for how such images may look and be built like.
As of now, only images to be booted with QEMU are built, but I'm happy to take contributions for other platforms.
It should be a reference for how immutable NixOS configurations can be built, and how they can be packed into OS images reproducibly. It is very unlikely that the exact configuration presented here can be used in any real-world scenario as is. It should rather be considered a one-size-fits-most approach, and tweaked per use-case.
# Build the GPT disk image
nix build .#qemu-image
# Verify reproducibility
nix build .#qemu-image --keep-failed --rebuild
# Boot it in QEMU
nix run .#boot-uefi-qemu -- ./result/image_0.0.1.raw- Measured boot with UKI
- Read-only root partition, integrity-protected by dm-verity
- Filesystem integrity is embedded into PCR values through kernel command line (
roothash=) - System integrity is verifiable through TPM remote attestation
- Filesystem integrity is embedded into PCR values through kernel command line (
- Bootable image built with systemd-repart
- nix-store-veritysetup-generator by @nikstur
- nixlet by @petm5
- server-optimised-nixos by @arianvp