1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
| | # SPDX-License-Identifier: MIT
# SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is>
# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
import ../../lib/call-package.nix (
{ callSpectrumPackage, config, curl, lib, src
, runCommand, systemd, writeScript
}:
let
update-url = config.update-url;
mountpoint = "/run/virtiofs/virtiofs0";
sysupdate-path = "${systemd}/lib/systemd/systemd-sysupdate";
runner = writeScript "update-run-script"
''
#!/usr/bin/execlineb -P
if { mount -toverlay -olowerdir=${mountpoint}/etc:/etc -- overlay /etc }
envfile ${mountpoint}/etc/url-env
importas -i update_url UPDATE_URL
if { ${sysupdate-path} update }
if { ${curl}/bin/curl -L --proto =http,https
-o ${mountpoint}/updates/SHA256SUMS.gpg ''${update_url}/SHA256SUMS.gpg }
# systemd-sysupdate recently went from needing SHA256SUMS.gpg to SHA256SUMS.sha256.asc.
# I (Demi) have no need if this is intentional or a bug. I also have no idea if this
# behavior will stay unchanged in the future. Therefore, create both files and let
# systemd-sysupdate ignore the one it isn't interested in.
if { ln -f ${mountpoint}/updates/SHA256SUMS.gpg ${mountpoint}/updates/SHA256SUMS.sha256.asc }
${curl}/bin/curl -L --proto =http,https
-o ${mountpoint}/updates/SHA256SUMS ''${update_url}/SHA256SUMS
'';
in
callSpectrumPackage ../make-vm.nix {} {
providers.net = [ "sys.netvm" ];
type = "nix";
run = "${runner}";
}) (_: {})
|