Bob

base/base.conf

@@ -2,11 +2,15 @@
 Distribution=debian
 Release=trixie
 
+[Build]
+PackageCacheDirectory=mkosi.cache
+Environment=KERNEL_IMAGE KERNEL_VERSION
+
 [Output]
 Format=uki
+ManifestFormat=json
 ImageId=tdx-debian
 OutputDirectory=build
-PackageCacheDirectory=mkosi.cache
 Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c
 
 [Host]
@@ -15,19 +19,20 @@ Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c
 [Content]
 SourceDateEpoch=0
 KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2
-Environment=KERNEL_IMAGE KERNEL_VERSION
 SkeletonTrees=base/mkosi.skeleton
 FinalizeScripts=base/debloat.sh
 PostInstallationScripts=base/debloat-systemd.sh
 BuildScripts=base/mkosi.build
-PrepareScripts=base/export-packages.sh
 
 CleanPackageMetadata=true
 Packages=kmod
          systemd
          systemd-boot-efi
          busybox
          util-linux
+         procps
+         ca-certificates
+         openssl
          iproute2
          udhcpc
          e2fsprogs
@@ -37,4 +42,4 @@ BuildPackages=build-essential
               cmake
               pkg-config
               clang
-              cargo
+              cargo

base/debloat-systemd.sh

@@ -22,6 +22,7 @@ systemd_bin_whitelist=(
     "systemctl"
     "journalctl"
     "systemd"
+    "systemd-tty-ask-password-agent"
 )
 
 mkosi-chroot dpkg-query -L systemd | grep -E '^/usr/bin/' | while read -r bin_path; do

base/debloat.sh

@@ -27,6 +27,7 @@ debloat_paths=(
     "/usr/share/mime"
     "/usr/lib/modules"
     "/usr/lib/udev/hwdb.d"
+    "/usr/lib/udev/hwdb.bin"
     "/usr/lib/systemd/catalog"
     "/usr/lib/systemd/user"
     "/usr/lib/systemd/user-generators"
@@ -35,7 +36,6 @@ debloat_paths=(
     "/usr/lib/tmpfiles.d"
     "/etc/systemd/network"
     "/etc/credstore"
-    "/usr/lib/x86_64-linux-gnu/security"
 )
 
 for p in "${debloat_paths[@]}"; do rm -rf "$BUILDROOT$p"; done

base/mkosi.skeleton/etc/systemd/system/persistent-mount.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Wait for Persistent Directory Mount
+DefaultDependencies=no
+Conflicts=shutdown.target
+Before=minimal.target
+After=local-fs-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash -c 'until grep -q " /persistent " /proc/mounts; do sleep 1; done'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=minimal.target

base/mkosi.skeleton/init

@@ -8,5 +8,10 @@ mount -t devtmpfs none /dev
 mount -t tmpfs none /run
 mount -t configfs none /sys/kernel/config
 
-# Execute systemd
-exec /lib/systemd/systemd systemd.unit=minimal.target
+# Workaround to make pivot_root work
+# https://aconz2.github.io/2024/07/29/container-from-initramfs.html
+exec unshare --mount sh -c '
+    mkdir /@
+    mount --rbind / /@
+    cd /@ && mount --move . /
+    exec chroot . /lib/systemd/systemd systemd.unit=minimal.target'

base/mkosi.skeleton/usr/bin/azure-complete-provisioning

@@ -0,0 +1,73 @@
+#!/bin/sh
+# Report VM is ready to Azure API in the absence of the Azure VM Agent
+# Adapted from https://learn.microsoft.com/en-us/azure/virtual-machines/linux/no-agent#bash-script
+
+set -e
+
+attempts=1
+retrieved_goal_state=false
+until [ "$attempts" -gt 5 ]
+do
+    echo "obtaining goal state - attempt $attempts"
+    goalstate=$(curl --fail -v -X 'GET' -H "x-ms-agent-name: azure-vm-register" \
+                                        -H "Content-Type: text/xml;charset=utf-8" \
+                                        -H "x-ms-version: 2012-11-30" \
+                                          "http://168.63.129.16/machine/?comp=goalstate")
+    if [ $? -eq 0 ]
+    then
+      echo "successfully retrieved goal state"
+      retrieved_goal_state=true
+      break
+    fi
+    sleep 5
+    attempts=$((attempts+1))
+done
+
+if [ "$retrieved_goal_state" != "true" ]
+then
+    echo "failed to obtain goal state - cannot register this VM"
+    exit 1
+fi
+
+container_id=$(echo "$goalstate" | grep ContainerId | sed 's/\s*<\/*ContainerId>//g' | sed 's/\r$//')
+instance_id=$(echo "$goalstate" | grep InstanceId | sed 's/\s*<\/*InstanceId>//g' | sed 's/\r$//')
+
+ready_doc=$(cat << EOF
+<?xml version="1.0" encoding="utf-8"?>
+<Health xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <GoalStateIncarnation>1</GoalStateIncarnation>
+  <Container>
+    <ContainerId>$container_id</ContainerId>
+    <RoleInstanceList>
+      <Role>
+        <InstanceId>$instance_id</InstanceId>
+        <Health>
+          <State>Ready</State>
+        </Health>
+      </Role>
+    </RoleInstanceList>
+  </Container>
+</Health>
+EOF
+)
+
+attempts=1
+until [ "$attempts" -gt 5 ]
+do
+    echo "registering with Azure - attempt $attempts"
+    curl --fail -v -X 'POST' -H "x-ms-agent-name: azure-vm-register" \
+                            -H "Content-Type: text/xml;charset=utf-8" \
+                            -H "x-ms-version: 2012-11-30" \
+                            -d "$ready_doc" \
+                            "http://168.63.129.16/machine?comp=health"
+    if [ $? -eq 0 ]
+    then
+      echo "successfully register with Azure"
+      exit 0
+    fi
+    sleep 5 # sleep to prevent throttling from wire server
+    attempts=$((attempts+1))
+done
+
+echo "failed to register with Azure after $attempts attempts"
+exit 1

bob.conf

@@ -0,0 +1,9 @@
+[Include]
+Include=base/base.conf
+Include=bob/bob.conf
+
+[Distribution]
+Mirror=https://snapshot.debian.org/archive/debian/20250526T142542Z/
+
+[Build]
+ToolsTreeMirror=https://snapshot.debian.org/archive/debian/20250526T142542Z/

bob/bob.conf

@@ -0,0 +1,41 @@
+[Build]
+Environment=LIGHTHOUSE_BINARY
+WithNetwork=true
+
+[Content]
+ExtraTrees=bob/mkosi.extra
+PostInstallationScripts=bob/mkosi.postinst
+BuildScripts=bob/mkosi.build
+
+Packages=podman
+         runc
+         dropbear
+         socat
+         iptables
+         iproute2
+         conntrack
+         netfilter-persistent
+         openntpd
+         curl
+         jq
+         ncat
+         logrotate
+         sudo
+         uidmap
+         passt
+         fuse-overlayfs
+         cryptsetup
+         openssh-sftp-server
+         udev
+         libsnappy1v5
+
+BuildPackages=build-essential
+              git
+              gcc
+              zlib1g-dev
+              libzstd-dev
+              libleveldb-dev
+              libsnappy-dev
+              libpq-dev
+              libssl-dev
+              golang

bob/mkosi.build

@@ -0,0 +1,42 @@
+#!/bin/bash
+set -euxo pipefail
+
+source scripts/build_rust_package.sh
+source scripts/make_git_package.sh
+
+# Compile searchersh
+mkdir -p "$DESTDIR/usr/bin"
+mkosi-chroot gcc -o "$DESTDIR/usr/bin/searchersh" "$SRCDIR/bob/searchersh.c"
+chmod 755 "$DESTDIR/usr/bin/searchersh"
+
+# Compile lighthouse
+build_rust_package \
+    "lighthouse" \
+    "v7.0.1" \
+    "https://github.com/sigp/lighthouse.git" \
+    "$LIGHTHOUSE_BINARY" \
+    "modern" \
+    "-l z -l zstd -l snappy"
+
+# Build tdx-init
+make_git_package \
+    "tdx-init" \
+    "v0.1.1" \
+    "https://github.com/flashbots/tdx-init" \
+    'go build -trimpath -ldflags "-s -w -buildid=" -o ./build/tdx-init' \
+    "build/tdx-init:/usr/bin/tdx-init"
+
+# Build ssh-pubkey-server
+make_git_package \
+    "ssh-pubkey-server" \
+    "second-key" \
+    "https://github.com/flashbots/ssh-pubkey-server" \
+    'go build -trimpath -ldflags "-s -w -buildid= -X github.com/flashbots/go-template/common.Version=v1.0.0" -o ./build/ssh-pubkey-server cmd/httpserver/main.go' \
+    "build/ssh-pubkey-server:/usr/bin/ssh-pubkey-server"
+
+make_git_package \
+    "cvm-reverse-proxy" \
+    "v0.1.7" \
+    "https://github.com/flashbots/cvm-reverse-proxy" \
+    "make build-proxy-server" \
+    "build/proxy-server:/usr/bin/cvm-reverse-proxy"

bob/mkosi.extra/etc/containers/containers.conf

@@ -0,0 +1,14 @@
+[engine]
+cgroup_manager = "cgroupfs"
+events_logger = "file"
+runtime = "runc"
+lock_type = "file"
+seccomp_profile = "/etc/containers/seccomp.json"
+
+[storage]
+driver = "vfs"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+
+[network]
+firewall_driver = "iptables"