summaryrefslogtreecommitdiffstats
path: root/mkosi.images
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xmkosi.images/base/mkosi.build.chroot230
-rw-r--r--mkosi.images/base/mkosi.conf34
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-arch.conf32
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf75
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf69
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-debian.conf11
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-fedora.conf9
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-opensuse.conf91
-rw-r--r--mkosi.images/base/mkosi.conf.d/10-ubuntu.conf12
-rw-r--r--mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset30
-rw-r--r--mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset4
-rw-r--r--mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf1
-rw-r--r--mkosi.images/initrd/mkosi.conf30
-rw-r--r--mkosi.images/initrd/mkosi.conf.d/10-centos.conf12
-rw-r--r--mkosi.images/initrd/mkosi.conf.d/10-default.conf12
-rw-r--r--mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf11
-rwxr-xr-xmkosi.images/initrd/mkosi.postinst7
-rw-r--r--mkosi.images/system/mkosi.conf48
-rw-r--r--mkosi.images/system/mkosi.conf.d/05-initrd.conf12
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-arch.conf27
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf32
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf8
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf5
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf5
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf10
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf10
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf29
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-fedora.conf10
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-opensuse.conf23
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-ubuntu.conf11
-rw-r--r--mkosi.images/system/mkosi.extra/etc/issue2
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf6
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf8
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf8
-rwxr-xr-xmkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh19
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service15
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf3
-rw-r--r--mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb3
-rwxr-xr-xmkosi.images/system/mkosi.finalize4
-rwxr-xr-xmkosi.images/system/mkosi.postinst.chroot93
-rw-r--r--mkosi.images/system/mkosi.repart/00-esp.conf9
-rw-r--r--mkosi.images/system/mkosi.repart/10-usr.conf9
-rw-r--r--mkosi.images/system/mkosi.repart/11-usr-verity.conf7
-rw-r--r--mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf6
44 files changed, 1092 insertions, 0 deletions
diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
new file mode 100755
index 0000000..f26098c
--- /dev/null
+++ b/mkosi.images/base/mkosi.build.chroot
@@ -0,0 +1,230 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
+# Simply invoke "mkosi" in the project directory to build an OS image.
+
+# We don't want to install our build of systemd in the base image, but use it as an extra tree for the
+# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
+# an extra tree in the initrd and system image builds.
+DESTDIR="$OUTPUTDIR/systemd"
+
+# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
+# as out-of-tree build dir. Otherwise, let's make up our own builddir.
+[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build
+
+# Let's make sure we're using stuff from the build directory first if available there.
+PATH="$BUILDDIR:$PATH"
+export PATH
+
+# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and
+# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override
+# the ubuntu script with a symlink to the first bpftool program we can find.
+for bpftool in /usr/lib/linux-tools/*/bpftool; do
+ [ -x "$bpftool" ] || continue
+ ln -sf "$bpftool" "$BUILDDIR"/bpftool
+ break
+done
+
+# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the
+# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports
+# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well.
+. /usr/lib/os-release
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ cat >"$BUILDDIR"/bpftool <<EOF
+#!/bin/sh
+if [ "\$1" = --version ]; then
+ echo 5.6.0
+else
+ exec /usr/sbin/bpftool \$@
+fi
+EOF
+ chmod +x "$BUILDDIR"/bpftool
+fi
+
+if [ ! -f "$BUILDDIR"/build.ninja ]; then
+ sysvinit_path=$(realpath /etc/init.d)
+
+ if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ UKIFY="disabled"
+ else
+ UKIFY="enabled"
+ fi
+
+ # On Debian 'loadkeys us' fails
+ if [ "$ID" = "debian" ] || [ "$ID_LIKE" = "debian" ]; then
+ DEFAULT_KEYMAP=""
+ else
+ DEFAULT_KEYMAP="us"
+ fi
+
+ CONFIGURE_OPTS=(
+ -D sysvinit-path="$sysvinit_path"
+ -D man=disabled
+ -D translations=false
+ -D version-tag="${VERSION_TAG}"
+ -D mode=developer
+ -D b_sanitize="${SANITIZERS:-none}"
+ -D install-tests=true
+ -D tests=unsafe
+ -D slow-tests="${SLOW_TESTS:-false}"
+ -D create-log-dirs=false
+ -D pamconfdir=no
+ -D utmp=true
+ -D hibernate=true
+ -D ldconfig=true
+ -D resolve=true
+ -D efi=true
+ -D tpm=true
+ -D environment-d=true
+ -D binfmt=true
+ -D repart=enabled
+ -D sysupdate=enabled
+ -D coredump=true
+ -D pstore=true
+ -D oomd=true
+ -D logind=true
+ -D hostnamed=true
+ -D localed=true
+ -D machined=true
+ -D portabled=true
+ -D sysext=true
+ -D userdb=true
+ -D homed=enabled
+ -D networkd=true
+ -D timedated=true
+ -D timesyncd=true
+ -D remote=enabled
+ -D nss-myhostname=true
+ -D nss-mymachines=enabled
+ -D nss-resolve=enabled
+ -D nss-systemd=true
+ -D firstboot=true
+ -D randomseed=true
+ -D backlight=true
+ -D vconsole=true
+ -D quotacheck=true
+ -D sysusers=true
+ -D tmpfiles=true
+ -D importd=enabled
+ -D hwdb=true
+ -D rfkill=true
+ -D xdg-autostart=true
+ -D translations=true
+ -D polkit=enabled
+ -D acl=enabled
+ -D audit=enabled
+ -D blkid=enabled
+ -D fdisk=enabled
+ -D kmod=enabled
+ -D pam=enabled
+ -D pwquality=enabled
+ -D microhttpd=enabled
+ -D libcryptsetup=enabled
+ -D libcurl=enabled
+ -D idn=true
+ -D libidn2=enabled
+ -D qrencode=enabled
+ -D gcrypt=enabled
+ -D gnutls=enabled
+ -D openssl=enabled
+ -D cryptolib=openssl
+ -D p11kit=enabled
+ -D libfido2=enabled
+ -D tpm2=enabled
+ -D elfutils=enabled
+ -D zstd=enabled
+ -D xkbcommon=enabled
+ -D pcre2=enabled
+ -D glib=enabled
+ -D dbus=enabled
+ -D bootloader=enabled
+ -D kernel-install=true
+ -D analyze=true
+ -D bpf-framework=enabled
+ -D ukify="$UKIFY"
+ -D seccomp=enabled
+ -D selinux=auto
+ -D apparmor=auto
+ -D smack=true
+ -D ima=true
+ -D first-boot-full-preset=true
+ -D initrd=true
+ -D fexecve=true
+ -D default-keymap="$DEFAULT_KEYMAP"
+ )
+
+ # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
+ # It is important to use the right one especially for cryptsetup plugins, otherwise they will be
+ # installed in the wrong directory and not be found by cryptsetup. Assume native build.
+ if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then
+ CONFIGURE_OPTS+=(
+ -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
+ -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security"
+ )
+ fi
+
+ # Set various uids and gids for which Fedora has "soft static" allocations.
+ # Without this, we would get warning about mismatched sysusers.d entries
+ # between the files that we and Fedora's setup package install.
+ if grep -q '^ID=fedora' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -Dadm-gid=4
+ -Daudio-gid=63
+ -Dcdrom-gid=11
+ -Ddialout-gid=18
+ -Ddisk-gid=6
+ -Dinput-gid=104
+ -Dkmem-gid=9
+ -Dkvm-gid=36
+ -Dlp-gid=7
+ -Drender-gid=105
+ -Dsgx-gid=106
+ -Dtape-gid=33
+ -Dtty-gid=5
+ -Dusers-gid=100
+ -Dutmp-gid=22
+ -Dvideo-gid=39
+ -Dwheel-gid=10
+ -Dsystemd-journal-gid=190
+ -Dsystemd-network-uid=192
+ -Dsystemd-resolve-uid=193
+ )
+ fi
+
+ if grep -q '^ID="opensuse' /usr/lib/os-release; then
+ CONFIGURE_OPTS+=(
+ -Dbpf-compiler=gcc
+ )
+ fi
+
+ ( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" )
+fi
+
+( set -x; ninja -C "$BUILDDIR" "$@" )
+if [ "$WITH_TESTS" = 1 ]; then
+ if [ -n "$SANITIZERS" ]; then
+ export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS"
+ export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS"
+ TIMEOUT_MULTIPLIER=3
+ else
+ TIMEOUT_MULTIPLIER=1
+ fi
+
+ ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER )
+fi
+
+( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
+
+# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+if [ -d "${DESTDIR}/boot/loader" ]; then
+ addons_dir="${DESTDIR}/boot/loader/addons"
+elif [ -d "${DESTDIR}/efi/loader" ]; then
+ addons_dir="${DESTDIR}/efi/loader/addons"
+fi
+if [ -n "${addons_dir}" ]; then
+ mkdir -p "${addons_dir}"
+ ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
+ ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
+fi
diff --git a/mkosi.images/base/mkosi.conf b/mkosi.images/base/mkosi.conf
new file mode 100644
index 0000000..6c6d045
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+CleanPackageMetadata=no
+
+Packages=
+Packages=
+ kmod
+ less
+ util-linux
+
+BuildPackages=
+ acl
+ diffutils
+ gawk
+ binutils
+ clang
+ gettext
+ git
+ gperf
+ grep
+ lld
+ llvm
+ make
+ meson
+ pkgconf
+ rsync
+ sed
+ tar
+ zstd
diff --git a/mkosi.images/base/mkosi.conf.d/10-arch.conf b/mkosi.images/base/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000..7ab0c71
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ cryptsetup
+ dbus
+ gnutls
+ libbpf
+ libfido2
+ libmicrohttpd
+ libnftnl
+ libpwquality
+ libseccomp
+ libxkbcommon
+ openssl
+ qrencode
+ tpm2-tss
+
+BuildPackages=
+ bpf
+ docbook-xsl
+ glib2
+ libxslt
+ linux-api-headers
+ python
+ python-jinja
+ python-lxml
+ python-pefile
+ python-pyelftools
diff --git a/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000..8ada9b0
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,75 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ audit-libs
+ cryptsetup-libs
+ gnutls
+ libasan
+ libbpf
+ libfido2
+ libgcrypt
+ libmicrohttpd
+ libnftnl
+ libubsan
+ libxcrypt
+ libxkbcommon
+ openssl-libs
+ qrencode-libs
+ tpm2-tss
+ util-linux
+
+BuildPackages=
+ pkgconf
+ bpftool
+ docbook-xsl
+ findutils
+ libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file.
+ libxslt
+ pam-devel
+ pkgconfig(audit)
+ pkgconfig(blkid)
+ pkgconfig(bzip2)
+ pkgconfig(dbus-1)
+ pkgconfig(fdisk)
+ pkgconfig(glib-2.0)
+ pkgconfig(gnutls)
+ pkgconfig(libacl)
+ pkgconfig(libbpf)
+ pkgconfig(libcap)
+ pkgconfig(libcryptsetup)
+ pkgconfig(libcurl)
+ pkgconfig(libdw)
+ pkgconfig(libfido2)
+ pkgconfig(libidn2)
+ pkgconfig(libkmod)
+ pkgconfig(libmicrohttpd)
+ pkgconfig(libnftnl)
+ pkgconfig(libpcre2-8)
+ pkgconfig(libqrencode)
+ pkgconfig(libseccomp)
+ pkgconfig(libselinux)
+ pkgconfig(libzstd)
+ pkgconfig(mount)
+ pkgconfig(numa)
+ pkgconfig(openssl)
+ pkgconfig(openssl)
+ pkgconfig(p11-kit-1)
+ pkgconfig(pwquality)
+ pkgconfig(tss2-esys)
+ pkgconfig(tss2-mu)
+ pkgconfig(tss2-rc)
+ pkgconfig(tss2-tcti-device)
+ pkgconfig(valgrind)
+ pkgconfig(xkbcommon)
+ python3
+ python3dist(jinja2)
+ python3dist(lxml)
+ python3dist(pefile)
+ python3dist(pyelftools)
+ python3dist(pytest)
+ rpm
diff --git a/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
new file mode 100644
index 0000000..c529e0b
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-debian-ubuntu.conf
@@ -0,0 +1,69 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ dmsetup
+ libapparmor1
+ libfdisk1
+ libfido2-1
+ libglib2.0-0
+ libgnutls30
+ libidn2-0
+ libmicrohttpd12
+ libnftnl11
+ libp11-kit0
+ libpam0g
+ libpwquality1
+ libqrencode4
+ libssl3
+ libip4tc2
+ libtss2-dev # Use the -dev package to avoid churn in updating version numbers
+ tzdata
+
+BuildPackages=
+ docbook-xsl
+ dpkg-dev
+ g++
+ libacl1-dev
+ libapparmor-dev
+ libaudit-dev
+ libblkid-dev
+ libbpf-dev
+ libbz2-dev
+ libcap-dev
+ libcryptsetup-dev
+ libcurl4-openssl-dev
+ libdbus-1-dev
+ libdw-dev
+ libfdisk-dev
+ libfido2-dev
+ libgcrypt20-dev
+ libglib2.0-dev
+ libgnutls28-dev
+ libidn2-dev
+ libiptc-dev
+ libkmod-dev
+ libmicrohttpd-dev
+ libmount-dev
+ libnftnl-dev
+ libp11-kit-dev
+ libpam0g-dev
+ libpwquality-dev
+ libqrencode-dev
+ libseccomp-dev
+ libsmartcols-dev
+ libssl-dev
+ libxen-dev
+ libxkbcommon-dev
+ libzstd-dev
+ python3
+ python3-jinja2
+ python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
+ xsltproc
diff --git a/mkosi.images/base/mkosi.conf.d/10-debian.conf b/mkosi.images/base/mkosi.conf.d/10-debian.conf
new file mode 100644
index 0000000..020b02b
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-debian.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Content]
+Packages=
+ libbpf1
+
+BuildPackages=
+ bpftool
diff --git a/mkosi.images/base/mkosi.conf.d/10-fedora.conf b/mkosi.images/base/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000..a8fbce4
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+BuildPackages=
+ python3dist(pytest-flakes)
+ pkgconfig(xencontrol)
diff --git a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000..ec91b49
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,91 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
+# versions don't get installed instead.
+Packages=
+ device-mapper
+ distribution-release
+ docbook-xsl-stylesheets
+ gawk
+ grep
+ gzip
+ libbpf1
+ libcrypt1
+ libcryptsetup12
+ libdw1
+ libelf1
+ libfido2
+ libgcrypt20
+ libglib-2_0-0
+ libkmod2
+ libmount1
+ libnftnl11
+ libopenssl3
+ libp11-kit0
+ libqrencode4
+ libseccomp2
+ libtss2-esys0
+ libtss2-mu0
+ libtss2-rc0
+ libtss2-tcti-device0
+ libxkbcommon0
+ libzstd1
+ pam
+ rsync
+ sed
+ shadow
+ tpm2-0-tss
+ xz
+
+BuildPackages=
+ audit-devel
+ bpftool
+ cross-bpf-gcc13
+ dbus-1-devel
+ fdupes
+ gcc-c++
+ glib2-devel
+ glibc-locale
+ intltool
+ libacl-devel
+ libapparmor-devel
+ libblkid-devel
+ libbpf-devel
+ libcap-devel
+ libcryptsetup-devel
+ libcurl-devel
+ libdw-devel
+ libelf-devel
+ libfdisk-devel
+ libfido2-devel
+ libgcrypt-devel
+ libgnutls-devel
+ libkmod-devel
+ libmicrohttpd-devel
+ libmount-devel
+ libnftnl-devel
+ libpwquality-devel
+ libseccomp-devel
+ libselinux-devel
+ libxkbcommon-devel
+ libxslt-tools
+ libzstd-devel
+ openssl-devel
+ pam-devel
+ pciutils-devel
+ python3
+ python3-Jinja2
+ python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
+ python3-pytest-flakes
+ qrencode-devel
+ shadow
+ timezone
+ tpm2-0-tss-devel
+ xen-devel
diff --git a/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000..717809f
--- /dev/null
+++ b/mkosi.images/base/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ libbpf0
+
+BuildPackages=
+ linux-tools-common
+ linux-tools-generic
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
new file mode 100644
index 0000000..070af4c
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# mkosi adds its own ssh units via the --ssh switch so disable the default ones.
+disable ssh.service
+disable sshd.service
+
+# These are started manually in integration tests so don't start them by default.
+disable dnsmasq.service
+disable isc-dhcp-server.service
+disable isc-dhcp-server6.service
+
+# Pulled in via dracut-network by kexec-tools on Fedora.
+disable NetworkManager*
+
+# Make sure dbus-broker is started by default on Debian/Ubuntu.
+enable dbus-broker.service
+
+# systemd-networkd is disabled by default on Fedora so make sure it is enabled.
+enable systemd-networkd.service
+enable systemd-networkd-wait-online.service
+
+# We install dnf in some images but it's only going to be used rarely,
+# so let's not have dnf create its cache.
+disable dnf-makecache.*
+
+# We have journald to receive audit data so let's make sure we're not running auditd as well
+disable auditd.service
+
+# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
+enable systemd-timesyncd.service
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
new file mode 100644
index 0000000..710ee7c
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Make sure that services are disabled by default (primarily for Debian/Ubuntu).
+disable *
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
new file mode 100644
index 0000000..e1a8e81
--- /dev/null
+++ b/mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
@@ -0,0 +1 @@
+L /etc/default/locale - - - - ../locale.conf
diff --git a/mkosi.images/initrd/mkosi.conf b/mkosi.images/initrd/mkosi.conf
new file mode 100644
index 0000000..8e38dc1
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.conf
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=base
+
+[Output]
+Format=cpio
+
+[Content]
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+MakeInitrd=yes
+Bootable=no
+BuildPackages=
+
+Packages=
+Packages=
+ gzip
+ systemd
+ udev
+
+# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it
+# doesn't end up in the initrd.
+RemoveFiles=
+ /usr/lib/libgfortran.so*
+ /usr/lib/libgo.so*
+ /usr/lib/libgomp.so*
+ /usr/lib/libgphobos.so*
+ /usr/lib/libobjc.so*
+ /usr/lib/libstdc++.so*
diff --git a/mkosi.images/initrd/mkosi.conf.d/10-centos.conf b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf
new file mode 100644
index 0000000..3f92e52
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.conf.d/10-centos.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Output]
+# TODO: Switch to zstd once we stop building CentOS Stream 8.
+CompressOutput=xz
+
+[Content]
+Packages=xfsprogs
+ tpm2-tools
diff --git a/mkosi.images/initrd/mkosi.conf.d/10-default.conf b/mkosi.images/initrd/mkosi.conf.d/10-default.conf
new file mode 100644
index 0000000..9224b92
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.conf.d/10-default.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=!centos
+Distribution=!opensuse
+
+[Output]
+CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
+ tpm2-tools
diff --git a/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf b/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000..5cf2df3
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Output]
+CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
+ tpm2.0-tools
diff --git a/mkosi.images/initrd/mkosi.postinst b/mkosi.images/initrd/mkosi.postinst
new file mode 100755
index 0000000..de610df
--- /dev/null
+++ b/mkosi.images/initrd/mkosi.postinst
@@ -0,0 +1,7 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
+# See https://github.com/openSUSE/suse-module-tools/pull/71
+rm -f "$BUILDROOT/usr/lib/modprobe.d/60-blacklist_fs-erofs.conf"
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
new file mode 100644
index 0000000..7612f22
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf
@@ -0,0 +1,48 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=base
+
+[Content]
+Autologin=yes
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+Packages=
+ acl
+ bash-completion
+ coreutils
+ diffutils
+ dnsmasq
+ dosfstools
+ e2fsprogs
+ findutils
+ gcc # Sanitizer libraries
+ gdb
+ grep
+ gzip
+ kbd
+ kexec-tools
+ less
+ mtools
+ nano
+ nftables
+ openssl
+ qrencode
+ sed
+ socat
+ strace
+ systemd
+ tmux
+ tree
+ udev
+ util-linux
+ valgrind
+ wireguard-tools
+ xfsprogs
+ zsh
+
+BuildPackages=
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
new file mode 100644
index 0000000..9f21754
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Bootable=!no
+Format=|disk
+Format=|directory
+
+[Config]
+Dependencies=initrd
+
+[Content]
+Initrds=../../mkosi.output/initrd
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000..e1a511c
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ bpf
+ btrfs-progs
+ compsize
+ dhcp
+ f2fs-tools
+ glib2
+ iproute
+ linux
+ man-db
+ openbsd-netcat
+ openssh
+ pacman
+ polkit
+ python-pefile
+ python-psutil
+ python-pytest
+ python3
+ quota-tools
+ shadow
+ vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000..67d4643
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ bpftool
+ cryptsetup
+ dhcp-server
+ dnf
+ glib2
+ integritysetup
+ iproute
+ iproute-tc
+ kernel-core
+ libcap-ng-utils
+ netcat
+ openssh-server
+ p11-kit
+ pam
+ passwd
+ polkit
+ procps-ng
+ python3
+ python3dist(pefile)
+ python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason.
+ python3dist(psutil)
+ python3dist(pytest)
+ quota
+ vim-common
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
new file mode 100644
index 0000000..146e03a
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Content]
+Packages=
+ kernel-modules # For squashfs support
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
new file mode 100644
index 0000000..99b846d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support btrfs so we use xfs instead.
+[Partition]
+Format=xfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
new file mode 100644
index 0000000..393d5f0
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support erofs so we use squashfs instead.
+[Partition]
+Format=squashfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
new file mode 100644
index 0000000..d3c89f3
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+Architecture=x86-64
+
+[Content]
+Packages=
+ bpftool
+ linux-image-cloud-amd64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
new file mode 100644
index 0000000..76a6898
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+Architecture=arm64
+
+[Content]
+Packages=
+ bpftool
+ linux-image-cloud-arm64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
new file mode 100644
index 0000000..588f833
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ apt
+ btrfs-progs
+ cryptsetup-bin
+ dbus-broker
+ default-dbus-session-bus
+ f2fs-tools
+ fdisk
+ iproute2
+ isc-dhcp-server
+ libcap-ng-utils
+ netcat-openbsd
+ openssh-server
+ passwd
+ policykit-1
+ procps
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ xxd
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000..42d0093
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Packages=
+ btrfs-progs
+ compsize
+ f2fs-tools
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000..60a2b6d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+ bpftool
+ btrfs-progs
+ cryptsetup
+ dbus-broker
+ f2fs-tools
+ glibc-locale-base
+ kernel-kvmsmall
+ libcap-ng-utils
+ openssh-server
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ shadow
+ vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000..f58ee7e
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials.
+ linux-image-generic
+ linux-tools-common
+ linux-tools-generic
diff --git a/mkosi.images/system/mkosi.extra/etc/issue b/mkosi.images/system/mkosi.extra/etc/issue
new file mode 100644
index 0000000..6aa6fc0
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/etc/issue
@@ -0,0 +1,2 @@
+\S (built from systemd tree)
+Kernel \r on an \m (\l)
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
new file mode 100644
index 0000000..3755278
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=swap
+SizeMinBytes=100M
+SizeMaxBytes=100M
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
new file mode 100644
index 0000000..71eb9e3
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
+Subvolumes=/home /var
+MakeDirectories=/home /var
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
new file mode 100644
index 0000000..2f95329
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
+# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
+# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
+# Storage= to persistent to have systemd-journald create /var/log/journal itself.
+[Journal]
+Storage=persistent
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
new file mode 100755
index 0000000..9bb2462
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eux
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# TODO: Figure out why this is failing
+systemctl reset-failed systemd-vconsole-setup.service
+
+systemctl --failed --no-legend | tee /failed-services
+
+# Check that secure boot keys were properly enrolled.
+if ! systemd-detect-virt --container; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+ # TODO: Figure out why this is failing
+ # grep -q this_should_be_here /proc/cmdline
+ # grep -q this_should_not_be_here /proc/cmdline && exit 1
+fi
+
+# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
+[[ ! -s /failed-services ]]
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
new file mode 100644
index 0000000..7942cbf
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Check if any service failed and then shutdown the machine
+After=multi-user.target network-online.target
+Requires=multi-user.target
+Wants=systemd-resolved.service systemd-networkd.service network-online.target
+SuccessAction=exit
+FailureAction=exit
+# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
+# host.
+SuccessActionExitStatus=123
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
new file mode 100644
index 0000000..dac79ba
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
new file mode 100644
index 0000000..26f882b
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
@@ -0,0 +1,3 @@
+set debuginfod enabled off
+set build-id-verbose 0
+set substitute-path ../src /root/src/systemd
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize
new file mode 100755
index 0000000..74b810c
--- /dev/null
+++ b/mkosi.images/system/mkosi.finalize
@@ -0,0 +1,4 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
new file mode 100755
index 0000000..0cb9b9c
--- /dev/null
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -0,0 +1,93 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ]; then
+ exit 0
+fi
+
+if [ -n "$SANITIZERS" ]; then
+ LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
+
+ mkdir -p /etc/systemd/system.conf.d
+
+ cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
+[Manager]
+ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+EOF
+
+ # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+ # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
+ # sanitizer failures appear directly on the user's console.
+ mkdir -p /etc/systemd/system/systemd-journald.service.d
+ cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=tty
+EOF
+
+ # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
+ # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
+ # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
+ # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
+
+ mkdir -p /etc/systemd/system/console-getty.service.d
+ cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
+[Service]
+TTYVHangup=no
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+EOF
+ # ASAN and syscall filters aren't compatible with each other.
+ find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
+
+ # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
+ systemctl mask systemd-hwdb-update.service
+fi
+
+if [ -n "$IMAGE_ID" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_ID=/!p' \
+ -e "\$aIMAGE_ID=$IMAGE_ID" \
+ /usr/lib/os-release
+fi
+
+if [ -n "$IMAGE_VERSION" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_VERSION=/!p' \
+ -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
+ /usr/lib/os-release
+fi
+
+if command -v authselect >/dev/null; then
+ # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
+ # let's use the new name if it exists.
+ if [ -d /usr/share/authselect/default/local ]; then
+ PROFILE=local
+ else
+ PROFILE=minimal
+ fi
+
+ authselect select "$PROFILE"
+
+ if authselect list-features "$PROFILE" | grep -q "with-homed"; then
+ authselect enable-feature with-homed
+ fi
+fi
+
+# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
+# if that's the case.
+mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
+rm -f /etc/resolv.conf
+
+. /usr/lib/os-release
+
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
+ alternatives --set python3 /usr/bin/python3.9
+fi
diff --git a/mkosi.images/system/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.repart/00-esp.conf
new file mode 100644
index 0000000..4be0466
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M
diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.repart/10-usr.conf
new file mode 100644
index 0000000..343761d
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/10-usr.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.repart/11-usr-verity.conf
new file mode 100644
index 0000000..b4d45dd
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/11-usr-verity.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
new file mode 100644
index 0000000..1841d0a
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr