Merge pull request #34 from nix-community/configuration-limit

Lanzatool: respect configuration limit
nix-community · Jan 1, 2023 · f431622 · f431622
2 parents e439cf4 + d3a96b1
commit f431622
Show file tree

Hide file tree

Showing 14 changed files with 778 additions and 44 deletions.
diff --git a/flake.nix b/flake.nix
@@ -50,14 +50,14 @@
         { src
         , target ? null
         , doCheck ? true
+        , extraArgs ? { }
         }:
         let
-          cleanedSrc = craneLib.cleanCargoSource src;
           commonArgs = {
-            src = cleanedSrc;
+            inherit src;
             CARGO_BUILD_TARGET = target;
             inherit doCheck;
-          };
+          } // extraArgs;
 
           cargoArtifacts = craneLib.buildDepsOnly commonArgs;
         in
@@ -73,7 +73,7 @@
         };
 
       lanzabooteCrane = buildRustApp {
-        src = ./rust/lanzaboote;
+        src = craneLib.cleanCargoSource ./rust/lanzaboote;
         target = "x86_64-unknown-uefi";
         doCheck = false;
       };
@@ -82,6 +82,13 @@
 
       lanzatoolCrane = buildRustApp {
         src = ./rust/lanzatool;
+        extraArgs = {
+          TEST_SYSTEMD = pkgs.systemd;
+          checkInputs = with pkgs; [
+            binutils-unwrapped
+            sbsigntool
+          ];
+        };
       };
 
       lanzatool-unwrapped = lanzatoolCrane.package;
@@ -134,6 +141,8 @@
           lanzaboote
           lanzatool
         ];
+
+        TEST_SYSTEMD = pkgs.systemd;
       };
 
       checks.x86_64-linux = {

diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
@@ -5,11 +5,24 @@ let
   sbctlWithPki = pkgs.sbctl.override {
     databasePath = "/tmp/pki";
   };
+
+  configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;
 in
 {
   options.boot.lanzaboote = {
     enable = mkEnableOption "Enable the LANZABOOTE";
     enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
+    configurationLimit = mkOption {
+      default = null;
+      example = 120;
+      type = types.nullOr types.int;
+      description = lib.mdDoc ''
+        Maximum number of latest generations in the boot menu.
+        Useful to prevent boot partition running out of disk space.
+        `null` means no limit i.e. all generations
+        that were not garbage collected yet.
+      '';
+    };
     pkiBundle = mkOption {
       type = types.nullOr types.path;
       description = "PKI bundle containg db, PK, KEK";
@@ -49,6 +62,7 @@ in
         ${cfg.package}/bin/lanzatool install \
           --public-key ${cfg.publicKeyFile} \
           --private-key ${cfg.privateKeyFile} \
+          --configuration-limit ${toString configurationLimit} \
           ${config.boot.loader.efi.efiSysMountPoint} \
           /nix/var/nix/profiles/system-*-link
       '';

diff --git a/rust/lanzatool/Cargo.lock b/rust/lanzatool/Cargo.lock
diff --git a/rust/lanzatool/Cargo.toml b/rust/lanzatool/Cargo.toml
@@ -16,3 +16,8 @@ tempfile = "3.3.0"
 blake3 = "1.3.3"
 # TODO: wait for a upstream release and pin it.
 bootspec = { git = "https://github.com/DeterminateSystems/bootspec" }
+walkdir = "2.3.2"
+
+[dev-dependencies]
+assert_cmd = "2.0.7"
+rand = "0.8.5"