author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-07-08 12:59:52 +0200 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-07-09 08:07:09 +0200 |
commit | 20345a86b7157e229c1c7e3976005548bad159a4 (patch) | |
tree | 02021dbcdd2e85a6b62cdbc691d9d51a0ffa179a /mkosi.postinst.chroot | |
parent | mkosi: policykit-1 was renamed to polkitd (diff) | |
mkosi: Adapt configuration to take into account configuration rework
In https://github.com/systemd/mkosi/pull/2847, the '@' specifier is
removed, CLI arguments take priority over configuration files again
and the "main" image is defined at the top level instead of in
mkosi.images/. Additionally, not every setting from the top level
configuration is inherited by the images in mkosi.images/ anymore,
only settings which make sense to be inherited are inherited.
This commit gets rid of all the usages of '@', moves the "main" image
configuration from mkosi.images/system to the top level and gets rid
of various hacks we had in place to deal with quirks of the old
configuration parsing logic.
We also remove usages of Images= and --append as these options are
removed by the mentioned PR.
Diffstat (limited to 'mkosi.postinst.chroot')
-rwxr-xr-x | mkosi.postinst.chroot | 172 |
1 files changed, 172 insertions, 0 deletions
diff --git a/mkosi.postinst.chroot b/mkosi.postinst.chroot
new file mode 100755
index 0000000000..46868020f6
--- /dev/null
+++ b/mkosi.postinst.chroot
@@ -0,0 +1,172 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+set -o nounset
+
+useradd --uid 4711 --create-home --user-group testuser
+
+if command -v authselect >/dev/null; then
+ # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
+ # let's use the new name if it exists.
+ if [ -d /usr/share/authselect/default/local ]; then
+ PROFILE=local
+ else
+ PROFILE=minimal
+ fi
+
+ authselect select "$PROFILE"
+
+ if authselect list-features "$PROFILE" | grep -q "with-homed"; then
+ authselect enable-feature with-homed
+ fi
+fi
+
+# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
+# if that's the case.
+mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
+rm -f /etc/resolv.conf
+
+for f in "$BUILDROOT"/usr/share/*.verity.sig; do
+ jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
+done
+
+# We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by
+# systemd-journald.
+rm -r "$BUILDROOT/var/log/journal"
+
+rm -f /etc/nsswitch.conf
+cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
+
+# Remove to make TEST-73-LOCALE pass on Ubuntu.
+rm -f /etc/default/keyboard
+
+# This is executed inside the chroot so no need to disable any features as the default features will match
+# the kernel's supported features.
+SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" \
+ systemd-repart \
+ --empty=create \
+ --dry-run=no \
+ --size=auto \
+ --offline=true \
+ --root test/TEST-24-CRYPTSETUP \
+ --definitions test/TEST-24-CRYPTSETUP/keydev.repart \
+ "$OUTPUTDIR/keydev.raw"
+
+can_test_pkcs11() {
+ if ! command -v "softhsm2-util" >/dev/null; then
+ echo "softhsm2-util not available, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! command -v "pkcs11-tool" >/dev/null; then
+ echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! command -v "certtool" >/dev/null; then
+ echo "certtool not available, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+P11KIT"; then
+ echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+OPENSSL"; then
+ echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then
+ echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
+ echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+
+ return 0
+}
+
+setup_pkcs11_token() {
+ echo "Setup PKCS#11 token" >&2
+ local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
+
+ export SOFTHSM2_CONF="/tmp/softhsm2.conf"
+ mkdir -p /usr/lib/softhsm/tokens/
+ cat >$SOFTHSM2_CONF <<EOF
+directories.tokendir = /usr/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+EOF
+ export GNUTLS_PIN="1234"
+ export GNUTLS_SO_PIN="12345678"
+ softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"
+
+ if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
+ echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
+ P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
+ fi
+
+ if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
+ echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
+ P11_MODULE_DIR="/usr/lib/pkcs11"
+ fi
+
+ SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
+ if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
+ SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
+ fi
+
+ # RSA #####################################################
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
+
+ certtool --generate-self-signed \
+ --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
+ --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
+ --template "test/TEST-24-CRYPTSETUP/template.cfg" \
+ --outder --outfile "/tmp/rsa_test.crt"
+
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
+ rm "/tmp/rsa_test.crt"
+
+ # prime256v1 ##############################################
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
+
+ certtool --generate-self-signed \
+ --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
+ --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
+ --template "test/TEST-24-CRYPTSETUP/template.cfg" \
+ --outder --outfile "/tmp/ec_test.crt"
+
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
+ rm "/tmp/ec_test.crt"
+
+ ###########################################################
+ rm "$SOFTHSM2_CONF"
+ unset SOFTHSM2_CONF
+
+ cat >/etc/softhsm2.conf <<EOF
+directories.tokendir = /usr/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+log.level = INFO
+EOF
+
+ mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d
+ cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF
+[Unit]
+# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
+StartLimitBurst=10
+
+[Service]
+Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
+Environment="PIN=$GNUTLS_PIN"
+EOF
+
+ unset GNUTLS_PIN
+ unset GNUTLS_SO_PIN
+}
+
+if can_test_pkcs11; then
+ setup_pkcs11_token
+fi
|
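Review bot: `setup_pkcs11_token` stages its SoftHSM config and both certificates under fixed names in /tmp (`/tmp/softhsm2.conf`, `/tmp/rsa_test.crt`, `/tmp/ec_test.crt`) and expands the path unquoted in `cat >$SOFTHSM2_CONF <<EOF`; predictable /tmp names are the usual pre-creation/symlink hazard, even though exposure inside a build chroot is presumably small. I would allocate them with mktemp and quote the redirect, e.g. `SOFTHSM2_CONF="$(mktemp)"; export SOFTHSM2_CONF` and `cat >"$SOFTHSM2_CONF" <<EOF`. The fixed PIN `1234` is also persisted into the image through `Environment="PIN=$GNUTLS_PIN"` in the `PKCS11.conf` drop-in, so a comment above the two exports such as `# Fixed test-only PINs; the user PIN ends up in a unit drop-in inside the image, never reuse outside the test suite` would make the intent explicit. Separately, with `set -e` and no nullglob the `for f in "$BUILDROOT"/usr/share/*.verity.sig` loop hands the literal pattern to jq when nothing matches, which would abort the script; `[ -e "$f" ] || continue` as the first line of the loop body avoids that.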