summaryrefslogtreecommitdiffstats
path: root/mkosi.images/system/mkosi.conf.d
diff options
context:
space:
mode:
Diffstat (limited to 'mkosi.images/system/mkosi.conf.d')
-rw-r--r--mkosi.images/system/mkosi.conf.d/05-initrd.conf12
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-arch.conf27
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot93
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf71
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf7
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare29
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf32
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot116
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf75
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf17
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf20
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare65
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf11
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf5
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf5
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf29
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot142
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf93
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf27
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf7
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst29
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare18
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf4
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/arm64.conf (renamed from mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf)2
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/x86-64.conf (renamed from mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf)2
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-fedora.conf10
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf23
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-opensuse.conf23
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-opensuse/initrd/mkosi.postinst7
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot132
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf100
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf22
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare61
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf (renamed from mkosi.images/system/mkosi.conf.d/10-ubuntu.conf)6
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources6
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-images.conf22
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf15
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf6
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf6
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf3
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize6
-rwxr-xr-xmkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot12
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf9
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf9
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf7
-rw-r--r--mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf6
46 files changed, 1279 insertions, 150 deletions
diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
deleted file mode 100644
index 9f21754..0000000
--- a/mkosi.images/system/mkosi.conf.d/05-initrd.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Bootable=!no
-Format=|disk
-Format=|directory
-
-[Config]
-Dependencies=initrd
-
-[Content]
-Initrds=../../mkosi.output/initrd
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
deleted file mode 100644
index e1a511c..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-arch.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=arch
-
-[Content]
-Packages=
- bpf
- btrfs-progs
- compsize
- dhcp
- f2fs-tools
- glib2
- iproute
- linux
- man-db
- openbsd-netcat
- openssh
- pacman
- polkit
- python-pefile
- python-psutil
- python-pytest
- python3
- quota-tools
- shadow
- vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot
new file mode 100755
index 0000000..1f6e0c3
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot
@@ -0,0 +1,93 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. /usr/lib/os-release
+
+if [ ! -f "pkg/$ID/PKGBUILD" ]; then
+ echo "PKGBUILD not found at pkg/$ID/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2
+ exit 1
+fi
+
+# We can't configure the source or build directory so we use symlinks instead to make sure they are in the
+# expected locations.
+ln --symbolic "$SRCDIR" "pkg/$ID/systemd-stable"
+ln --symbolic "$BUILDDIR" "pkg/$ID/build"
+# Because we run with --noextract we are responsible for making sure the source files appear in src/.
+ln --symbolic . "pkg/$ID/src"
+
+MKOSI_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE"
+if ((LLVM)); then
+ # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
+fi
+
+MKOSI_LDFLAGS=""
+if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
+ MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(clang --print-file-name="")lib/linux"
+fi
+
+MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
+if ((WIPE)); then
+ MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
+fi
+
+# Override the default options. We specifically disable "strip", "zipman" and "lto" as they slow down builds
+# significantly. OPTIONS= cannot be overridden on the makepkg command line so we append to /etc/makepkg.conf
+# instead. The rootfs is overlaid with a writable tmpfs during the build script so these changes don't end up
+# in the image itself.
+tee --append /etc/makepkg.conf >/dev/null <<EOF
+export CC="$( ((LLVM)) && echo clang || echo gcc)"
+export CXX="$( ((LLVM)) && echo clang++ || echo g++)"
+export CC_LD="$( ((LLVM)) && echo lld)"
+export CXX_LD="$( ((LLVM)) && echo lld)"
+export CFLAGS="\$CFLAGS $MKOSI_CFLAGS $CFLAGS"
+export CXXFLAGS="\$CXXFLAGS $MKOSI_CFLAGS $CFLAGS"
+export LDFLAGS="\$LDFLAGS $MKOSI_LDFLAGS $LDFLAGS"
+OPTIONS=(
+ docs
+ !libtool
+ !staticlibs
+ emptydirs
+ !zipman
+ purge
+ $( ((WITH_DEBUG)) && echo strip || echo !strip)
+ $( ((WITH_DEBUG)) && echo debug || echo !debug)
+ !lto
+)
+EOF
+
+# Linting the PKGBUILD takes multiple seconds every build so avoid that by nuking all the linting functions.
+rm /usr/share/makepkg/lint_pkgbuild/*
+
+if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then
+ TS="$(git show --no-patch --format=%ct HEAD)"
+else
+ TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
+fi
+
+sed --in-place "pkg/$ID/PKGBUILD" \
+ --expression "s/^_tag=.*/_tag=$(cat meson.version)/" \
+ --expression "s/^pkgrel=.*/pkgrel=$(date "+%Y%m%d%H%M%S" --date "@$TS")/"
+
+# We get around makepkg's root check by setting EUID to something else.
+# shellcheck disable=SC2046
+env --chdir="pkg/$ID" \
+ EUID=123 \
+ makepkg \
+ --noextract \
+ $( ((WITH_TESTS)) || echo --nocheck) \
+ --force \
+ _systemd_UPSTREAM=1 \
+ _systemd_QUIET=$( ((MESON_VERBOSE)); echo $? ) \
+ BUILDDIR="$PWD/pkg/$ID" \
+ PKGDEST="$OUTPUTDIR" \
+ PKGEXT=".pkg.tar" \
+ MESON_EXTRA_CONFIGURE_OPTIONS="$MKOSI_MESON_OPTIONS $MESON_OPTIONS"
+
+cp "$OUTPUTDIR"/*.pkg.tar "$PACKAGEDIR"
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf
new file mode 100644
index 0000000..036b0a3
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf
@@ -0,0 +1,71 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Environment=
+ GIT_URL=https://gitlab.archlinux.org/archlinux/packaging/packages/systemd.git
+ GIT_BRANCH=main
+ GIT_COMMIT=dc6c099e0785753c1c88b4adcbcbfc209a8d12e3
+
+VolatilePackages=
+ systemd
+ systemd-libs
+ systemd-resolvconf
+ systemd-sysvcompat
+ systemd-tests
+ systemd-ukify
+
+Packages=
+ bind
+ bpf
+ btrfs-progs
+ compiler-rt
+ compsize
+ cryptsetup
+ dbus-broker
+ dbus-broker-units
+ debugedit
+ dhcp
+ f2fs-tools
+ fakeroot
+ git
+ gnutls
+ gnutls
+ iproute
+ iputils
+ linux
+ man-db
+ multipath-tools
+ open-iscsi
+ openbsd-netcat
+ openssh
+ openssl
+ pacman
+ pkgconf
+ polkit
+ procps-ng
+ psmisc
+ python-pexpect
+ python-psutil
+ quota-tools
+ sbsigntools
+ shadow
+ softhsm
+ squashfs-tools
+ stress
+ tgt
+ tpm2-tools
+ tpm2-tss
+ vim
+
+InitrdPackages=
+ btrfs-progs
+ compiler-rt
+ tpm2-tools
+
+InitrdVolatilePackages=
+ systemd
+ systemd-libs
+ systemd-sysvcompat
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf
new file mode 100644
index 0000000..4a6d2e9
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf.d/10-debug.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=WITH_DEBUG=1
+
+[Content]
+VolatilePackages=systemd-debug
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare
new file mode 100755
index 0000000..fd78e81
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.prepare
@@ -0,0 +1,29 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ] || ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. "$BUILDROOT/usr/lib/os-release"
+
+if [ ! -f "pkg/$ID/PKGBUILD" ]; then
+ echo "PKGBUILD not found at pkg/$ID/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2
+ exit 1
+fi
+
+# We get depends and optdepends from .SRCINFO as getting them from the PKGBUILD is rather complex.
+sed --expression 's/^[ \t]*//' "pkg/$ID/.SRCINFO" |
+ grep --regexp '^depends =' --regexp '^optdepends =' |
+ sed --expression 's/^depends = //' --expression 's/^optdepends = //' --expression 's/:.*//' --expression 's/=.*//' |
+ xargs --delimiter '\n' mkosi-install
+
+# We get makedepends from the PKGBUILD as .SRCINFO can't encode conditional dependencies depending on
+# whether some environment variable is set or not.
+# shellcheck source=/dev/null
+_systemd_UPSTREAM=1 . "pkg/$ID/PKGBUILD"
+
+# shellcheck disable=SC2154
+mkosi-install "${makedepends[@]}"
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
deleted file mode 100644
index 67d4643..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|centos
-Distribution=|fedora
-
-[Content]
-Packages=
- bpftool
- cryptsetup
- dhcp-server
- dnf
- glib2
- integritysetup
- iproute
- iproute-tc
- kernel-core
- libcap-ng-utils
- netcat
- openssh-server
- p11-kit
- pam
- passwd
- polkit
- procps-ng
- python3
- python3dist(pefile)
- python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason.
- python3dist(psutil)
- python3dist(pytest)
- quota
- vim-common
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot
new file mode 100755
index 0000000..2c05787
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot
@@ -0,0 +1,116 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. /usr/lib/os-release
+
+if [ ! -f "pkg/$ID/systemd.spec" ]; then
+ echo "spec not found at pkg/$ID/systemd.spec, run mkosi once with -ff to make sure the spec is cloned" >&2
+ exit 1
+fi
+
+if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then
+ TS="$(git show --no-patch --format=%ct HEAD)"
+else
+ TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
+fi
+
+if systemd-analyze compare-versions "$(rpm --version | cut -d ' ' -f3)" lt "4.19.91"; then
+ # Fix the %install override so debuginfo packages are generated even when --build-in-place is used.
+ # See https://github.com/rpm-software-management/rpm/issues/3042.
+ tee --append /usr/lib/rpm/redhat/macros <<'EOF'
+%install %{?_enable_debug_packages:%{debug_package}}\
+%%install\
+%{nil}
+EOF
+fi
+
+VERSION="$(cat meson.version)"
+RELEASE="$(date "+%Y%m%d%H%M%S" --date "@$TS")"
+
+DIST="$(rpm --eval %dist)"
+ARCH="$(rpm --eval %_arch)"
+SRCDEST="/usr/src/debug/systemd-$VERSION-${RELEASE}${DIST}.$ARCH"
+
+COMMON_MACRO_OVERRIDES=(
+ --define "toolchain $( ((LLVM)) && echo clang || echo gcc)"
+ --define "_fortify_level 0"
+ --undefine _lto_cflags
+ # TODO: Remove once redhat-rpm-config 292 is available everywhere.
+ --define "_hardening_clang_cflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang.cfg"
+ --define "_hardening_clang_ldflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang-ld.cfg"
+)
+
+# TODO: Drop -U_FORTIFY_SOURCE when we switch to CentOS Stream 10.
+MKOSI_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE"
+if ((WITH_DEBUG)); then
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -fdebug-prefix-map=../src=$SRCDEST"
+fi
+if ((LLVM)); then
+ # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
+fi
+
+MKOSI_LDFLAGS=""
+if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
+ MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(dirname "$(clang --print-file-name=libclang_rt.asan.so)")"
+fi
+
+MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
+if ((WIPE)); then
+ MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
+fi
+
+IFS=
+# TODO: Replace meson_build and meson_install overrides with "--undefine __meson_verbose" once
+# https://github.com/mesonbuild/meson/pull/12835 is available.
+# shellcheck disable=SC2046
+env \
+--unset=CFLAGS \
+--unset=CXXFLAGS \
+--unset=LDFLAGS \
+ANNOBIN="no-active-checks" \
+CC_LD="$( ((LLVM)) && echo lld)" \
+CXX_LD="$( ((LLVM)) && echo lld)" \
+ rpmbuild \
+ -bb \
+ --build-in-place \
+ --with upstream \
+ $( ((WITH_TESTS)) || echo "--nocheck") \
+ $( ((WITH_DOCS)) || echo "--without=docs") \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ --define "_rpmdir $OUTPUTDIR" \
+ ${BUILDDIR:+"--define=_vpath_builddir $BUILDDIR"} \
+ --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \
+ --define "_binary_payload w.ufdio" \
+ $( ((WITH_DEBUG)) || echo "--define=debug_package %{nil}") \
+ --define "version_override $VERSION" \
+ --define "release_override $RELEASE" \
+ "${COMMON_MACRO_OVERRIDES[@]}" \
+ --define "build_cflags $(rpm "${COMMON_MACRO_OVERRIDES[@]}" --eval "%{?build_cflags}") $MKOSI_CFLAGS $CFLAGS" \
+ --define "build_cxxflags $(rpm "${COMMON_MACRO_OVERRIDES[@]}" --eval "%{?build_cxxflags}") $MKOSI_CFLAGS $CFLAGS" \
+ --define "build_ldflags $(rpm "${COMMON_MACRO_OVERRIDES[@]}" --eval "%{?build_ldflags}") $MKOSI_LDFLAGS $LDFLAGS" \
+ --define "meson_build %{shrink:%{__meson} compile -C %{_vpath_builddir} -j %{_smp_build_ncpus} $( ((MESON_VERBOSE)) && echo --verbose) %{nil}}" \
+ --define "meson_install %{shrink:DESTDIR=%{buildroot} %{__meson} install -C %{_vpath_builddir} --no-rebuild --quiet %{nil}}" \
+ --define "meson_extra_configure_options $MKOSI_MESON_OPTIONS $MESON_OPTIONS" \
+ $( ((WITH_DEBUG)) || echo "--define=__brp_strip %{nil}") \
+ --define "__brp_compress %{nil}" \
+ --define "__brp_mangle_shebangs %{nil}" \
+ --define "__brp_strip_comment_note %{nil}" \
+ --define "__brp_strip_static_archive %{nil}" \
+ --define "__brp_check_rpaths %{nil}" \
+ --define "__elf_exclude_path ^/usr/lib/systemd/tests/unit-tests/.*$" \
+ --define "__script_requires %{nil}" \
+ --define "_find_debuginfo_dwz_opts %{nil}" \
+ --define "_fixperms true" \
+ --undefine _package_note_flags \
+ --noclean \
+ "pkg/$ID/systemd.spec"
+
+cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR"
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
new file mode 100644
index 0000000..6fbd507
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -0,0 +1,75 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+VolatilePackages=
+ systemd
+ systemd-boot
+ systemd-container
+ systemd-devel
+ systemd-journal-remote
+ systemd-networkd
+ systemd-networkd-defaults
+ systemd-oomd-defaults
+ systemd-pam
+ systemd-resolved
+ systemd-tests
+ systemd-udev
+ systemd-ukify
+
+Packages=
+ bind-utils
+ bpftool
+ compiler-rt
+ cryptsetup
+ device-mapper-event
+ device-mapper-multipath
+ dfuzzer
+ dhcp-server
+ dnf
+ git-core
+ glibc-langpack-de
+ glibc-langpack-en
+ gnutls
+ gnutls-utils
+ integritysetup
+ iproute
+ iproute-tc
+ iputils
+ iscsi-initiator-utils
+ kernel-core
+ libasan
+ libcap-ng-utils
+ libubsan
+ man-db
+ netcat
+ openssh-clients
+ openssh-server
+ pam
+ passwd
+ policycoreutils
+ polkit
+ procps-ng
+ python3-pexpect
+ quota
+ rpm
+ rpm-build
+ rpmautospec
+ sbsigntools
+ softhsm
+ squashfs-tools
+ stress
+ tpm2-tools
+ util-linux
+ veritysetup
+ vim-common
+
+InitrdPackages=
+ tpm2-tools
+
+InitrdVolatilePackages=
+ systemd
+ systemd-udev
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf
new file mode 100644
index 0000000..0c3707b
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-debug.conf
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=WITH_DEBUG=1
+
+[Content]
+VolatilePackages=
+ systemd-container-debuginfo
+ systemd-debuginfo
+ systemd-debugsource
+ systemd-journal-remote-debuginfo
+ systemd-libs-debuginfo
+ systemd-networkd-debuginfo
+ systemd-pam-debuginfo
+ systemd-resolved-debuginfo
+ systemd-tests-debuginfo
+ systemd-udev-debuginfo
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
new file mode 100644
index 0000000..9fe5509
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=!particle
+
+[Content]
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+Packages=
+ selinux-policy
+ selinux-policy-targeted
+ setools-console
+
+# We relabel on first boot instead of at build time because it is only possible to label without root
+# if the labels exist in the host system, and we want to be able to cross-build to other distributions.
+SELinuxRelabel=no
+
+InitrdPackages=
+ selinux-policy
+ selinux-policy-targeted
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare
new file mode 100755
index 0000000..1b86073
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.prepare
@@ -0,0 +1,65 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ] || ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. "$BUILDROOT/usr/lib/os-release"
+
+if [ ! -f "pkg/$ID/systemd.spec" ]; then
+ echo "spec not found at pkg/$ID/systemd.spec, run mkosi with -ff to make sure the spec is cloned" >&2
+ exit 1
+fi
+
+for DEPS in --requires --buildrequires; do
+ mkosi-chroot \
+ rpmspec \
+ --with upstream \
+ --query \
+ "$DEPS" \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ "pkg/$ID/systemd.spec" |
+ grep --invert-match --regexp systemd --regexp /bin/sh --regexp "rpmlib(" --regexp udev --regexp grubby --regexp sdubby |
+ sort --unique |
+ tee /tmp/buildrequires |
+ xargs --delimiter '\n' mkosi-install
+done
+
+# rpmbuild -br tries to build a source package which means all source files have to exist which isn't the
+# case when using --build-in-place so we get rid of the source file that doesn't exist to make it happy.
+# TODO: Use -bd instead of -br and get rid of this once we don't need to build on CentOS Stream 9 anymore.
+sed '/Source0/d' --in-place "pkg/$ID/systemd.spec"
+
+until mkosi-chroot \
+ rpmbuild \
+ -br \
+ --build-in-place \
+ --with upstream \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \
+ "pkg/$ID/systemd.spec"
+do
+ EXIT_STATUS=$?
+ if [ $EXIT_STATUS -ne 11 ]; then
+ exit $EXIT_STATUS
+ fi
+
+ mkosi-chroot \
+ rpm \
+ --query \
+ --package \
+ --requires \
+ /var/tmp/SRPMS/systemd-*.buildreqs.nosrc.rpm |
+ grep --invert-match '^rpmlib(' |
+ sort --unique >/tmp/dynamic-buildrequires
+
+ sort /tmp/buildrequires /tmp/dynamic-buildrequires |
+ uniq --unique |
+ tee --append /tmp/buildrequires |
+ xargs --delimiter '\n' mkosi-install
+done
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
index 146e03a..25059c2 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -4,5 +4,14 @@
Distribution=centos
[Content]
+Environment=
+ # The kernel versions in CentOS Stream 9 doesn't support orphan_file, but later versions of
+ # mkfs.ext4 enabled it by default, so we disable it explicitly.
+ Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
+ GIT_URL=https://git.centos.org/rpms/systemd.git
+ GIT_BRANCH=c9s-sig-hyperscale
+ GIT_COMMIT=8cf2aed0181920611421384f7374720db269d6c7
+
Packages=
- kernel-modules # For squashfs support
+ kernel-modules # For squashfs
+ rpmautospec-rpm-macros
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
deleted file mode 100644
index 99b846d..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support btrfs so we use xfs instead.
-[Partition]
-Format=xfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
deleted file mode 100644
index 393d5f0..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support erofs so we use squashfs instead.
-[Partition]
-Format=squashfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
deleted file mode 100644
index 588f833..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=|debian
-Distribution=|ubuntu
-
-[Content]
-Packages=
- apt
- btrfs-progs
- cryptsetup-bin
- dbus-broker
- default-dbus-session-bus
- f2fs-tools
- fdisk
- iproute2
- isc-dhcp-server
- libcap-ng-utils
- netcat-openbsd
- openssh-server
- passwd
- policykit-1
- procps
- python3
- python3-pefile
- python3-psutil
- python3-pytest
- quota
- xxd
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot
new file mode 100755
index 0000000..7e4eab9
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot
@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. /usr/lib/os-release
+
+if [ ! -d "pkg/$ID/debian" ]; then
+ echo "deb rules not found at pkg/$ID/debian, run mkosi once with -ff to make sure the rules are cloned" >&2
+ exit 1
+fi
+
+# We transplant the debian/ folder from the deb package sources into the upstream sources.
+mount --mkdir --bind "$SRCDIR/pkg/$ID/debian" "$SRCDIR"/debian
+
+# We remove the patches so they don't get applied.
+rm -rf "$SRCDIR"/debian/patches/*
+
+# While the build directory can be specified through DH_OPTIONS, the default one is hardcoded everywhere so
+# we have to use that. Because it is architecture dependent, we query it using dpkg-architecture first.
+DEB_HOST_GNU_TYPE="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"
+mount --mkdir --bind "$BUILDDIR" "$SRCDIR/obj-$DEB_HOST_GNU_TYPE"
+
+if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then
+ TS="$(git show --no-patch --format=%ct HEAD)"
+else
+ TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
+fi
+
+# Add a new changelog entry to update the version. We use a fixed date since a dynamic one causes a full
+# rebuild every time.
+cat >debian/changelog.new <<EOF
+systemd ($(cat meson.version)-$(date "+%Y%m%d%H%M%S" --date "@$TS")) UNRELEASED; urgency=low
+
+ * Automatic build from mkosi
+
+ -- systemd test <systemd-devel@lists.freedesktop.org> $(date --rfc-email --date "@$TS")
+
+EOF
+cat debian/changelog >>debian/changelog.new
+mv debian/changelog.new debian/changelog
+
+MKOSI_CFLAGS="-O0"
+if ((LLVM)); then
+ # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
+fi
+
+MKOSI_LDFLAGS=""
+if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
+ MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(clang --print-file-name="")lib/linux"
+fi
+
+MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
+if ((WIPE)); then
+ MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
+fi
+
+# TODO: Drop GENSYMBOLS_LEVEL once https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986746 is fixed.
+build() {
+ env \
+ CC="$( ((LLVM)) && echo clang || echo gcc)" \
+ CXX="$( ((LLVM)) && echo clang++ || echo g++)" \
+ CC_LD="$( ((LLVM)) && echo lld)" \
+ CXX_LD="$( ((LLVM)) && echo lld)" \
+ DEB_BUILD_OPTIONS="$(awk '$1=$1' <<<"\
+ $( ((WITH_TESTS)) || echo nocheck) \
+ $( ((WITH_DOCS)) || echo nodoc) \
+ $( ((WITH_DEBUG)) && echo debug || echo nostrip) \
+ $( ! ((MESON_VERBOSE)) && echo terse) \
+ optimize=-lto \
+ hardening=-fortify \
+ ")" \
+ DEB_BUILD_PROFILES="$(awk '$1=$1' <<<"\
+ $( ((WITH_TESTS)) || echo nocheck) \
+ $( ((WITH_DOCS)) || echo nodoc) \
+ pkg.systemd.upstream \
+ ")" \
+ DEB_CFLAGS_APPEND="$MKOSI_CFLAGS $CFLAGS" \
+ DEB_CXXFLAGS_APPEND="$MKOSI_CFLAGS $CFLAGS" \
+ DEB_LDFLAGS_APPEND="$MKOSI_LDFLAGS $LDFLAGS" \
+ DPKG_FORCE="unsafe-io" \
+ DPKG_DEB_COMPRESSOR_TYPE="none" \
+ DH_MISSING="--fail-missing" \
+ CONFFLAGS_UPSTREAM="$MKOSI_MESON_OPTIONS $MESON_OPTIONS" \
+ GENSYMBOLS_LEVEL="$( ((LLVM)) && echo 0 || echo 1)" \
+ dpkg-buildpackage \
+ --no-pre-clean \
+ --unsigned-changes \
+ --build=binary
+
+ EXIT_STATUS=$?
+
+ # Make sure we don't reconfigure twice.
+ MKOSI_MESON_OPTIONS="${MKOSI_MESON_OPTIONS//"--wipe"/}"
+
+ return $EXIT_STATUS
+}
+
+if ! build; then
+ # debhelper installs files for each package to debian/<package> so we figure out which files were
+ # packaged by querying all the package names from debian/control and running find on each of the
+ # corresponding package directory in debian/.
+ grep "Package:" debian/control |
+ sed "s/Package: //" |
+ xargs -d '\n' -I {} sh -c "[ -d debian/{} ] && (cd debian/{} && find . ! -type d ! -path "*dh-exec*" -printf '%P\n')" |
+ # Remove compression suffix from compressed manpages as the manpages in debian/tmp will be uncompressed.
+ sed --regexp-extended 's/([0-9])\.gz$/\1/' |
+ sort --unique >/tmp/packaged-files
+
+ # We figure out the installed files by running find on debian/tmp/ which contains the files installed
+ # by meson install.
+ (cd debian/tmp/ && find . ! -type d ! -path "*dh-exec*" -printf '%P\n') >/tmp/installed-files
+
+ if [ -f debian/not-installed ]; then
+ grep --invert-match "^#" debian/not-installed >>/tmp/installed-files
+ fi
+
+ sort --unique --output /tmp/installed-files /tmp/installed-files
+
+ # We get all the installed files that were not packaged by finding entries in the installed file that are
+ # not in the packaged file.
+ comm -23 /tmp/installed-files /tmp/packaged-files > /tmp/unpackaged-files
+ # If there are no unpackaged files something else went wrong.
+ if [ ! -s /tmp/unpackaged-files ]; then
+ exit 1
+ fi
+
+ # Otherwise, we append the unpackaged files to the filelist for the systemd package and retry the build.
+ cat /tmp/unpackaged-files >>debian/systemd.install
+ build
+fi
+
+(
+ shopt -s nullglob
+ cp ../*.deb ../*.ddeb "$PACKAGEDIR"
+ cp ../*.deb ../*.ddeb "$OUTPUTDIR"
+)
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
new file mode 100644
index 0000000..ae014fa
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
@@ -0,0 +1,93 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Environment=
+ GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
+ GIT_SUBDIR=debian
+ GIT_BRANCH=debian/master
+ GIT_COMMIT=596a70511736d78c1d8a5a27dca3989806cfa733
+
+VolatilePackages=
+ libnss-myhostname
+ libnss-mymachines
+ libnss-resolve
+ libnss-systemd
+ libpam-systemd
+ libsystemd-dev
+ libudev-dev
+ systemd
+ systemd-boot
+ systemd-boot-efi
+ systemd-container
+ systemd-coredump
+ systemd-dev
+ systemd-homed
+ systemd-journal-remote
+ systemd-oomd
+ systemd-resolved
+ systemd-sysv
+ systemd-tests
+ systemd-timesyncd
+ systemd-ukify
+ systemd-userdbd
+ udev
+
+Packages=
+ ^libasan[0-9]+$
+ ^libtss2-esys-[0-9.]+-0$
+ ^libtss2-mu-[0-9.]+-0$
+ ^libubsan[0-9]+$
+ apt
+ bind9-dnsutils
+ btrfs-progs
+ cryptsetup-bin
+ dbus-broker
+ dbus-user-session
+ dmsetup
+ dpkg-dev
+ f2fs-tools
+ fdisk
+ git-core
+ gnutls-bin
+ iproute2
+ iputils-ping
+ isc-dhcp-server
+ libcap-ng-utils
+ libclang-rt-dev
+ libtss2-rc0
+ libtss2-tcti-device0
+ locales
+ man-db
+ multipath-tools
+ netcat-openbsd
+ open-iscsi
+ openssh-client
+ openssh-server
+ passwd
+ policykit-1
+ procps
+ psmisc
+ python3-pexpect
+ python3-psutil
+ quota
+ sbsigntool
+ softhsm2
+ squashfs-tools
+ stress
+ tgt
+ tpm2-tools
+ tzdata
+ xxd
+
+InitrdPackages=
+ btrfs-progs
+ libclang-rt-dev
+ tpm2-tools
+
+InitrdVolatilePackages=
+ systemd
+ udev
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf
new file mode 100644
index 0000000..b53b3dc
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/10-debug.conf
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=WITH_DEBUG=1
+
+[Content]
+VolatilePackages=
+ libnss-myhostname-dbgsym
+ libnss-mymachines-dbgsym
+ libnss-resolve-dbgsym
+ libnss-systemd-dbgsym
+ libpam-systemd-dbgsym
+ libsystemd-shared-dbgsym
+ libsystemd0-dbgsym
+ libudev1-dbgsym
+ systemd-boot-dbgsym
+ systemd-container-dbgsym
+ systemd-coredump-dbgsym
+ systemd-dbgsym
+ systemd-homed-dbgsym
+ systemd-journal-remote-dbgsym
+ systemd-oomd-dbgsym
+ systemd-resolved-dbgsym
+ systemd-tests-dbgsym
+ systemd-timesyncd-dbgsym
+ systemd-userdbd-dbgsym
+ udev-dbgsym
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf
new file mode 100644
index 0000000..4fb4f46
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/network.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=NO_BUILD=1
+
+[Content]
+WithNetwork=yes
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst
new file mode 100755
index 0000000..314f235
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.postinst
@@ -0,0 +1,29 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# By default Suggests are not installed (and often Recommends are disabled too), which means we will miss
+# the dlopen optional dependencies, but the tests need them, so parse them from the package metadata and
+# install them. This is not an issue when building locally, as the build and runtime images are the same,
+# so they would get installed as build dependencies anyway.
+
+if [ "$1" = "build" ] || ! ((NO_BUILD)); then
+ exit 0
+fi
+
+# Query the Recommends and Suggests of all systemd packages, by matching on the version
+systemd_version="$(dpkg-query --showformat '${Version}' --show systemd)"
+mapfile -t systemd_packages < <( dpkg --list | grep '^ii' | grep "$systemd_version" | awk '{print $2}' | tr '\n' ' ' )
+extra_packages=()
+# shellcheck disable=SC2068
+for package in ${systemd_packages[@]}; do
+ # We are looking for dlopens, so filter for libraries
+ mapfile -t -O "${#extra_packages[@]}" extra_packages < <(dpkg-query --showformat '${Suggests}' --show "$package" | sed -e "s/, /\n/g" -e "s/|.*//" | grep "lib")
+ mapfile -t -O "${#extra_packages[@]}" extra_packages < <(dpkg-query --showformat '${Recommends}' --show "$package" | sed -e "s/, /\n/g" -e "s/|.*//" | grep "lib")
+done
+
+if [ "${#extra_packages[@]}" -eq 0 ]; then
+ exit 0
+fi
+
+apt install "${extra_packages[@]}"
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare
new file mode 100755
index 0000000..645671a
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.prepare
@@ -0,0 +1,18 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ] || ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. "$BUILDROOT/usr/lib/os-release"
+
+if [ ! -d "pkg/$ID/debian" ]; then
+ echo "deb rules not found at pkg/$ID/debian, run mkosi once with -ff to make sure the rules are cloned" >&2
+ exit 1
+fi
+
+cd "pkg/$ID"
+DEB_BUILD_PROFILES="pkg.systemd.upstream" apt-get build-dep .
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf
new file mode 100644
index 0000000..c6b6155
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/arm64.conf
index 76a6898..af923fa 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/arm64.conf
@@ -1,10 +1,8 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
-Distribution=debian
Architecture=arm64
[Content]
Packages=
- bpftool
linux-image-cloud-arm64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/x86-64.conf
index d3c89f3..615de52 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian/mkosi.conf.d/x86-64.conf
@@ -1,10 +1,8 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
-Distribution=debian
Architecture=x86-64
[Content]
Packages=
- bpftool
linux-image-cloud-amd64
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
deleted file mode 100644
index 42d0093..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-fedora.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=fedora
-
-[Content]
-Packages=
- btrfs-progs
- compsize
- f2fs-tools
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf
new file mode 100644
index 0000000..689fe7d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-fedora/mkosi.conf
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Environment=
+ GIT_URL=https://src.fedoraproject.org/rpms/systemd.git
+ GIT_BRANCH=rawhide
+ GIT_COMMIT=1f94b56cee818068f57debfd78f035edd29f0e61
+
+Packages=
+ btrfs-progs
+ compsize
+ dnf5
+ f2fs-tools
+ scsi-target-utils
+ # Required for systemd-networkd-tests.py (netdevsim and sch_xxx modules)
+ kernel-modules-extra
+ kernel-modules-internal
+
+InitrdPackages=
+ btrfs-progs
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
deleted file mode 100644
index 60a2b6d..0000000
--- a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Match]
-Distribution=opensuse
-
-[Content]
-Packages=
- bpftool
- btrfs-progs
- cryptsetup
- dbus-broker
- f2fs-tools
- glibc-locale-base
- kernel-kvmsmall
- libcap-ng-utils
- openssh-server
- python3
- python3-pefile
- python3-psutil
- python3-pytest
- quota
- shadow
- vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/initrd/mkosi.postinst b/mkosi.images/system/mkosi.conf.d/10-opensuse/initrd/mkosi.postinst
new file mode 100755
index 0000000..417132f
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/initrd/mkosi.postinst
@@ -0,0 +1,7 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
+# See https://github.com/openSUSE/suse-module-tools/pull/71
+rm -f "$BUILDROOT/usr/lib/modprobe.d/60-blacklist_fs-erofs.conf"
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot
new file mode 100755
index 0000000..3d6cc58
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot
@@ -0,0 +1,132 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. /usr/lib/os-release
+ID="${ID%-*}"
+
+if [ ! -f "pkg/$ID/systemd.spec" ]; then
+ echo "spec not found at pkg/$ID/systemd.spec, run mkosi once with -ff to make sure the spec is cloned" >&2
+ exit 1
+fi
+
+if [ -d .git/ ] && [ -z "$(git status --porcelain)" ]; then
+ TS="$(git show --no-patch --format=%ct HEAD)"
+else
+ TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
+fi
+
+# The openSUSE filelists hardcode the manpage compression extension. This causes rpmbuild errors since we
+# disable manpage compression as the files cannot be found. Fix the issue by removing the compression
+# extension.
+find "pkg/$ID" -name "files.*" -exec sed --in-place 's/\.gz$//' {} \;
+
+if systemd-analyze compare-versions "$(rpm --version | cut -d ' ' -f3)" lt "4.20"; then
+ # Fix the %install override so debuginfo packages are generated.
+ tee --append /usr/lib/rpm/suse/macros <<'EOF'
+%install %{debug_package}\
+%%install\
+%{nil}
+EOF
+fi
+
+VERSION="$(cat meson.version)"
+RELEASE="$(date "+%Y%m%d%H%M%S" --date "@$TS")"
+
+DIST="$(rpm --eval %dist)"
+ARCH="$(rpm --eval %_arch)"
+SRCDEST="/usr/src/debug/systemd-$VERSION-${RELEASE}${DIST}.$ARCH"
+
+MKOSI_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE"
+if ((WITH_DEBUG)); then
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -fdebug-prefix-map=../src=$SRCDEST"
+fi
+if ((LLVM)); then
+ # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
+ MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
+fi
+
+MKOSI_LDFLAGS="$(rpm --eval "%{?build_ldflags}")"
+if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
+ MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(clang --print-file-name="")lib/linux"
+fi
+
+# A macro can't have an empty body and currently opensuse does not specify any of its own linker flags so
+# set LDFLAGS to %{nil} if there are no linker flags.
+if [[ -z "${MKOSI_LDFLAGS// }" ]]; then
+ MKOSI_LDFLAGS="%{nil}"
+fi
+
+MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
+if ((WIPE)); then
+ MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
+fi
+
+build() {
+ IFS=
+ # shellcheck disable=SC2046
+ env \
+ --unset CFLAGS \
+ --unset CXXFLAGS \
+ --unset LDFLAGS \
+ CC="$( ((LLVM)) && echo clang || echo gcc)" \
+ CXX="$( ((LLVM)) && echo clang++ || echo g++)" \
+ CC_LD="$( ((LLVM)) && echo lld)" \
+ CXX_LD="$( ((LLVM)) && echo lld)" \
+ rpmbuild \
+ -bb \
+ --build-in-place \
+ --with upstream \
+ $( ((WITH_TESTS)) || echo "--nocheck") \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ --define "_rpmdir $OUTPUTDIR" \
+ ${BUILDDIR:+"--define=_vpath_builddir $BUILDDIR"} \
+ --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \
+ --define "_binary_payload w.ufdio" \
+ $( ((WITH_DEBUG)) || echo "--define=debug_package %{nil}") \
+ --define "vendor openSUSE" \
+ --define "version_override $VERSION" \
+ --define "release_override $RELEASE" \
+ --define "__check_files sh -c '$(rpm --define "_topdir /var/tmp" --eval %__check_files) | tee /tmp/unpackaged-files'" \
+ --define "build_cflags $(rpm --eval "%{?build_cflags}") $MKOSI_CFLAGS $CFLAGS" \
+ --define "build_cxxflags $(rpm --eval "%{?build_cxxflags}") $MKOSI_CFLAGS $CFLAGS" \
+ --define "build_ldflags $MKOSI_LDFLAGS $LDFLAGS" \
+ $( ((MESON_VERBOSE)) || echo "--undefine=__meson_verbose") \
+ --define "meson_extra_configure_options $MKOSI_MESON_OPTIONS $MESON_OPTIONS" \
+ --define "__os_install_post /usr/lib/rpm/brp-suse %{nil}" \
+ --define "__elf_exclude_path ^/usr/lib/systemd/tests/unit-tests/.*$" \
+ --define "__script_requires %{nil}" \
+ --define "_find_debuginfo_dwz_opts %{nil}" \
+ --define "_fixperms true" \
+ --noclean \
+ "$@" \
+ "pkg/$ID/systemd.spec"
+
+ EXIT_STATUS=$?
+
+ # Make sure we don't reconfigure twice.
+ MKOSI_MESON_OPTIONS="${MKOSI_MESON_OPTIONS//"--wipe"/}"
+
+ return $EXIT_STATUS
+}
+
+if ! build; then
+ if [ ! -s /tmp/unpackaged-files ]; then
+ exit 1
+ fi
+
+ # rpm will append to any existing systemd.lang so delete it explicitly so we don't get duplicate file
+ # warnings.
+ rm systemd.lang
+
+ grep -v ".debug" /tmp/unpackaged-files >>"pkg/$ID/files.systemd"
+ build --noprep --nocheck
+fi
+
+cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR"
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf
new file mode 100644
index 0000000..38ae052
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf
@@ -0,0 +1,100 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Config]
+InitrdInclude=initrd/
+
+[Content]
+Environment=
+ GIT_URL=https://src.opensuse.org/rpm/systemd
+ GIT_BRANCH=factory
+ GIT_COMMIT=973534fe1a0a5746ead5bbb6dff8b9ccb9e010982997ed56eba8e44a41c5895d
+
+VolatilePackages=
+ systemd
+ systemd-boot
+ systemd-container
+ systemd-devel
+ systemd-doc
+ systemd-experimental
+ systemd-homed
+ systemd-lang
+ systemd-network
+ systemd-portable
+ systemd-sysvcompat
+ systemd-testsuite
+ udev
+
+# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
+# versions don't get installed instead.
+Packages=
+ bind-utils
+ bpftool
+ btrfs-progs
+ cryptsetup
+ device-mapper
+ dhcp-server
+ docbook-xsl-stylesheets
+ f2fs-tools
+ gawk
+ gcc-c++
+ git-core
+ glibc-locale-base
+ gnutls
+ grep
+ group(bin)
+ group(daemon)
+ group(games)
+ group(nobody)
+ group(root)
+ gzip
+ iputils
+ kernel-default
+ kmod
+ libasan8
+ libkmod2
+ libubsan1
+ multipath-tools
+ open-iscsi
+ openssh-clients
+ openssh-server
+ pam
+ patterns-base-minimal_base
+ procps4
+ psmisc
+ python3-pefile
+ python3-pexpect
+ python3-psutil
+ quota
+ rpm-build
+ rsync
+ sbsigntools
+ sed
+ shadow
+ softhsm
+ squashfs
+ tgt
+ timezone
+ tpm2.0-tools
+ user(bin)
+ user(daemon)
+ user(games)
+ user(nobody)
+ user(root)
+ veritysetup
+ vim
+ xz
+
+InitrdPackages=
+ btrfs-progs
+ clang
+ kmod
+ libkmod2
+ tpm2.0-tools
+
+InitrdVolatilePackages=
+ systemd
+ udev
+ systemd-experimental
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf
new file mode 100644
index 0000000..2262eae
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf.d/10-debug.conf
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Environment=WITH_DEBUG=1
+
+[Content]
+VolatilePackages=
+ libsystemd0-debuginfo
+ libudev1-debuginfo
+ systemd-boot-debuginfo
+ systemd-container-debuginfo
+ systemd-coredump-debuginfo
+ systemd-debuginfo
+ systemd-debugsource
+ systemd-experimental-debuginfo
+ systemd-homed-debuginfo
+ systemd-journal-remote-debuginfo
+ systemd-network-debuginfo
+ systemd-portable-debuginfo
+ systemd-sysvcompat-debuginfo
+ systemd-testsuite-debuginfo
+ udev-debuginfo
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare
new file mode 100755
index 0000000..282a360
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.prepare
@@ -0,0 +1,61 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ] || ((NO_BUILD)); then
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+. "$BUILDROOT/usr/lib/os-release"
+ID="${ID%-*}"
+
+if [ ! -f "pkg/$ID/systemd.spec" ]; then
+ echo "spec not found at pkg/$ID/systemd.spec, run mkosi once with -ff to make sure the spec is cloned" >&2
+ exit 1
+fi
+
+for DEPS in --requires --buildrequires; do
+ mkosi-chroot \
+ rpmspec \
+ --with upstream \
+ --query \
+ "$DEPS" \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ "pkg/$ID/systemd.spec" |
+ grep --invert-match --regexp systemd --regexp /bin/sh --regexp "rpmlib(" --regexp udev |
+ sort --unique |
+ tee /tmp/buildrequires |
+ xargs --delimiter '\n' mkosi-install
+done
+
+until mkosi-chroot \
+ rpmbuild \
+ -bd \
+ --build-in-place \
+ --with upstream \
+ --define "_topdir /var/tmp" \
+ --define "_sourcedir pkg/$ID" \
+ --define "_build_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \
+ "pkg/$ID/systemd.spec"
+do
+ EXIT_STATUS=$?
+ if [ $EXIT_STATUS -ne 11 ]; then
+ exit $EXIT_STATUS
+ fi
+
+ mkosi-chroot \
+ rpm \
+ --query \
+ --package \
+ --requires \
+ /var/tmp/SRPMS/systemd-*.buildreqs.nosrc.rpm |
+ grep --invert-match '^rpmlib(' |
+ sort --unique >/tmp/dynamic-buildrequires
+
+ sort /tmp/buildrequires /tmp/dynamic-buildrequires |
+ uniq --unique |
+ tee --append /tmp/buildrequires |
+ xargs --delimiter '\n' mkosi-install
+done
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
index f58ee7e..25957b1 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
@@ -3,9 +3,11 @@
[Match]
Distribution=ubuntu
+[Distribution]
+PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
+
[Content]
Packages=
- # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials.
linux-image-generic
linux-tools-common
- linux-tools-generic
+ linux-tools-virtual
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources
new file mode 100644
index 0000000..d10c1e8
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports.sources
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+Types: deb
+URIs: http://archive.ubuntu.com/ubuntu
+Suites: noble-backports
+Components: main universe
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
diff --git a/mkosi.images/system/mkosi.conf.d/20-images.conf b/mkosi.images/system/mkosi.conf.d/20-images.conf
new file mode 100644
index 0000000..8641984
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-images.conf
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Format=!none
+
+[Config]
+Dependencies=
+ exitrd
+ minimal-base
+ minimal-0
+ minimal-1
+
+[Content]
+ExtraTrees=
+ %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
+ %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
+ %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
+ %O/minimal-1.root-%a.raw:/usr/share/minimal_1.raw
+ %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
+ %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
+ %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
+ %O/exitrd:/exitrd
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
new file mode 100644
index 0000000..8c1920b
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=particle
+
+[Output]
+RepartDirectories=
+RepartDirectories=mkosi.repart
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
+
+[Host]
+@RuntimeSize=8G
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
new file mode 100644
index 0000000..3755278
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=swap
+SizeMinBytes=100M
+SizeMaxBytes=100M
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
new file mode 100644
index 0000000..2f92af2
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
new file mode 100644
index 0000000..dac79ba
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
new file mode 100755
index 0000000..69f9554
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
@@ -0,0 +1,6 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot
new file mode 100755
index 0000000..95e0552
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot
@@ -0,0 +1,12 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# sbsign is not available on CentOS Stream
+if command -v sbsign &>/dev/null; then
+ # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+ addons_dir=/efi/loader/addons
+ mkdir -p "$addons_dir"
+ ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+ ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
new file mode 100644
index 0000000..391543d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=1G
+SizeMaxBytes=1G
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
new file mode 100644
index 0000000..343761d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
new file mode 100644
index 0000000..b4d45dd
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
new file mode 100644
index 0000000..1841d0a
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr