1 change: 0 additions & 1 deletion .dockerignore

This file was deleted.

29 changes: 9 additions & 20 deletions DEVELOPMENT.md
Expand Up @@ -276,8 +276,8 @@ systemd services are the primary way to run applications in Flashboxes. Here's h
```ini
[Unit]
Description=My Application
After=network.target network-setup.service
Requires=network-setup.service
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
Expand Down Expand Up @@ -354,8 +354,8 @@ Conflicts=apache2.service
```ini
[Unit]
# Network is available
After=network.target network-setup.service
Requires=network-setup.service
After=network-online.target
Wants=network-online.target

# Persistent storage is mounted
After=persistent-mount.service
Expand All @@ -365,24 +365,14 @@ Requires=persistent-mount.service
After=basic.target
```

### Enabling Services
### Enabling Packaged Services

**In `mkosi.postinst` script**:
```bash
#!/bin/bash
set -euxo pipefail
To enable a service installed with a Debian package, add the following to your `mkosi.postinst` script:

# Enable service
mkosi-chroot systemctl enable myapp.service

# Create symlink for minimal.target
mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
ln -sf "/etc/systemd/system/myapp.service" \
"$BUILDROOT/etc/systemd/system/minimal.target.wants/"
```bash
mkosi-chroot systemctl add-wants minimal.target myapp.service
```

For comprehensive systemd options, see: [systemd Service Documentation](https://www.freedesktop.org/software/systemd/man/systemd.service.html)

## Extending Built-in systemd Services

Sometimes you need to modify existing systemd services rather than creating new ones.
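Review bot: the new `### Enabling Packaged Services` text replaces `systemctl enable` plus a manual symlink with `systemctl add-wants minimal.target myapp.service`, but the doc does not say that `add-wants` only creates the `minimal.target.wants/` link and never processes a unit's `[Install]` section, so a `WantedBy=` line in a unit is now inert under this flow (the PR itself drops `[Install]` sections from `minimal.target` and `dropbear.service`, consistent with that). A sentence stating that `[Install]`/`WantedBy=` is not used in Flashbox images and that `add-wants` is the single enable mechanism would save a reader from writing units that are never pulled in. The heading also says "Packaged" while the example unit is the developer's own `myapp.service`; if the command applies to custom units in `mkosi.extra` as well (it does, the unit just has to exist in the image), say so.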
Expand Down Expand Up @@ -543,8 +533,7 @@ chown myapp:myapp /etc/myapp/config.conf
chmod 600 /etc/myapp/config.conf

# Enable systemd service
systemctl enable myapp.service || true
systemctl start myapp.service || true
mkosi-chroot systemctl add-wants minimal.target myapp.service || true

exit 0
```
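Review bot: `|| true` on the `systemctl add-wants` line masks a failed enable (for example a mistyped unit name, which `add-wants` reports as an error when it cannot find the unit file), so with `set -euxo pipefail` the image still builds and ships with the service silently not started; the earlier snippet in this file runs the same command without `|| true`, so drop it here too.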
22 changes: 0 additions & 22 deletions Dockerfile

This file was deleted.

14 changes: 7 additions & 7 deletions base/debloat-systemd.sh
Expand Up @@ -16,6 +16,8 @@ systemd_svc_whitelist=(
"systemd-journald-dev-log.socket"
"systemd-remount-fs.service"
"systemd-sysctl.service"
"systemd-networkd.service"
"systemd-networkd.socket"
"chrony.service"
)
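Review bot: the whitelist gains `systemd-networkd.service` and `systemd-networkd.socket` but not `systemd-networkd-wait-online.service`; unless it is already in the part of the list above the shown context, the loop in the next hunk (which filters the units shipped by the `systemd` package against this list) will remove it. `network-online.target` only delays dependants while a wait-online unit is ordered before it, so without that unit every `After=network-online.target` added in this PR (`searcher-firewall.service`, `ssh-pubkey-server.service`, `lighthouse.service`, `fetch-config.service`, the DEVELOPMENT.md examples) is satisfied immediately, before DHCP has completed, which is the same race the old `network-setup.service` ordering was avoiding. Suggest whitelisting `systemd-networkd-wait-online.service` (and confirming `network-online.target` itself survives the filter) and adding it to the `add-wants` list in the following hunk.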

Expand All @@ -42,10 +44,8 @@ mkosi-chroot dpkg-query -L systemd | grep -E '\.service$|\.socket$|\.timer$|\.ta
fi
done

# Set default target
ln -sf minimal.target "$SYSTEMD_DIR/default.target"

# Enable chrony and link to minimal.target
mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
mkosi-chroot systemctl enable chrony.service
ln -sf /lib/systemd/system/chrony.service "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
# Enable chrony service
mkosi-chroot systemctl add-wants minimal.target \
chrony.service \
systemd-resolved.service \
systemd-networkd.service
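Review bot: the comment `# Enable chrony service` is stale now that the command also enables `systemd-resolved.service` and `systemd-networkd.service`; reword it (for example `# Enable time sync, DNS and networking`) so the comment matches the list.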
2 changes: 0 additions & 2 deletions base/debloat.sh
Expand Up @@ -31,10 +31,8 @@ debloat_paths=(
"/usr/lib/systemd/catalog"
"/usr/lib/systemd/user"
"/usr/lib/systemd/user-generators"
"/usr/lib/systemd/network"
"/usr/lib/pcrlock.d"
"/usr/lib/tmpfiles.d"
"/etc/systemd/network"
"/etc/credstore"
"/nix"
)
6 changes: 3 additions & 3 deletions base/mkosi.conf
Expand Up @@ -17,8 +17,8 @@ Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c

[Content]
SourceDateEpoch=0
KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2
SkeletonTrees=base/mkosi.skeleton
KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2 systemd.unit=minimal.target
ExtraTrees=base/mkosi.extra
BuildScripts=kernel/mkosi.build
PostInstallationScripts=base/debloat-systemd.sh
PostInstallationScripts=base/efi-stub.sh
Expand All @@ -30,14 +30,14 @@ SyncScripts=base/normalize-umask.sh
CleanPackageMetadata=true
Packages=kmod
systemd
systemd-resolved
systemd-boot-efi
busybox
util-linux
procps
ca-certificates
openssl
iproute2
udhcpc
e2fsprogs
chrony
BuildPackages=build-essential
5 changes: 5 additions & 0 deletions base/mkosi.extra/etc/systemd/journald.conf
@@ -0,0 +1,5 @@
[Journal]
SystemMaxFileSize=128M
SystemMaxFiles=2
RuntimeMaxFileSize=512K
RuntimeMaxFiles=2
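Review bot: `RuntimeMaxFileSize=512K` with `RuntimeMaxFiles=2` caps the volatile journal at about 1 MiB, so early-boot records (networkd, the key-wait and firewall units) can be rotated out before `/persistent` is mounted and the system journal becomes writable, which costs exactly the log lines you want when a boot goes wrong. Consider a larger runtime cap, and set `Storage=` explicitly so the intended volatile-vs-persistent behaviour is documented in the file rather than left to the default.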
9 changes: 9 additions & 0 deletions base/mkosi.extra/etc/systemd/network/10-ethernet.network
@@ -0,0 +1,9 @@
[Match]
Name=eth* en*

[Network]
DHCP=yes

[DHCPv4]
UseDNS=no
UseHostname=no
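Review bot: `UseDNS=no` is set only under `[DHCPv4]`, but `DHCP=yes` enables DHCPv6 too and router advertisements are accepted by default, and both of those sources hand out DNS servers that networkd will push to resolved unless `[DHCPv6] UseDNS=no` and `[IPv6AcceptRA] UseDNS=no` are set as well. If the intent (as the pinned `DNS=` in `resolved.conf` suggests) is to ignore network-supplied resolvers entirely, add those two settings or restrict to `DHCP=ipv4`.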
4 changes: 4 additions & 0 deletions base/mkosi.extra/etc/systemd/resolved.conf
@@ -0,0 +1,4 @@
[Resolve]
# GCP: 169.254.169.254, Azure: 168.63.129.16
DNS=169.254.169.254 168.63.129.16
FallbackDNS=1.1.1.1 1.0.0.1
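Review bot: `FallbackDNS=` is only consulted when no DNS server is known from any source, and `DNS=` here is such a source, so the Cloudflare entries are never used while this file is in place; if failover from the metadata resolvers to a public resolver was the intent, that is not what this config does, and if it was not, the line is dead config that suggests a behaviour the image does not have. Either way, the comment should say which of the two listed metadata addresses is expected to answer on a given cloud, since resolved will rotate to the other (unreachable) one on failure.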
Expand Up @@ -4,6 +4,3 @@ Requires=basic.target
Conflicts=rescue.service rescue.target emergency.service emergency.target
After=basic.target rescue.service rescue.target emergency.service emergency.target
AllowIsolate=yes

[Install]
WantedBy=default.target
2 changes: 1 addition & 1 deletion base/mkosi.skeleton/init → base/mkosi.extra/init
Expand Up @@ -14,4 +14,4 @@ exec unshare --mount sh -c '
mkdir /@
mount --rbind / /@
cd /@ && mount --move . /
exec chroot . /lib/systemd/systemd systemd.unit=minimal.target'
exec chroot . /lib/systemd/systemd'
2 changes: 0 additions & 2 deletions base/mkosi.skeleton/etc/resolv.conf

This file was deleted.
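Review bot: with the static `/etc/resolv.conf` gone, name resolution depends on the `systemd-resolved` package install leaving `/etc/resolv.conf` pointing at the resolved stub; please confirm the built image has that symlink (and that the debloat scripts do not strip it), otherwise `chrony`, the key fetch and anything else using libc resolution has no resolver at all.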

16 changes: 0 additions & 16 deletions base/mkosi.skeleton/etc/systemd/system/network-setup.service

This file was deleted.

Expand Up @@ -5,6 +5,3 @@ Requires=wait-for-key.service searcher-firewall.service
[Service]
ExecStartPre=/usr/bin/chown -R searcher:searcher /home/searcher
ExecStartPre=/bin/sh -c 'test -f /etc/dropbear/dropbear_ed25519_host_key || /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key'

[Install]
WantedBy=minimal.target
Expand Up @@ -11,4 +11,4 @@ ExecStart=/bin/bash -c 'until grep -q " /persistent " /proc/mounts; do sleep 1;
RemainAfterExit=yes

[Install]
WantedBy=minimal.target
WantedBy=minimal.target
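Review bot: this hunk is a trailing-newline-only change, yet the `[Install] WantedBy=minimal.target` block it touches is the same construct the PR removes from `dropbear.service` and `minimal.target`; for consistency either drop the `[Install]` section here too (the unit is pulled in via `add-wants`) or leave the file untouched.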
@@ -1,7 +1,7 @@
[Unit]
Description=Searcher Network and Firewall Rules
After=network.target network-setup.service
Requires=network-setup.service
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
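Review bot: ordering the firewall unit `After=network-online.target` means the interface is up and addressed before any rule is loaded, leaving a window with no filtering at all; systemd.special(7) recommends firewall units use `Wants=network-pre.target` and `Before=network-pre.target` (with `DefaultDependencies=no` as appropriate) so the ruleset is in place before networkd configures the link. If the rules genuinely need the DHCP-assigned address, note that in a comment so the ordering is understood as deliberate rather than inherited from the old `network-setup.service` dependency.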
@@ -1,7 +1,7 @@
[Unit]
Description=SSH Public Key Server
After=network.target network-setup.service wait-for-key.service
Requires=network-setup.service
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
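Review bot: the old `After=` line included `wait-for-key.service` and the new `After=network-online.target` drops it, so this unit is no longer ordered after the key is available; if the key server serves material produced by `wait-for-key.service`, it may now start before that unit finishes. If the removal is intentional, say why in the commit message; otherwise keep `wait-for-key.service` in `After=`.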
18 changes: 3 additions & 15 deletions bob-common/mkosi.postinst
Expand Up @@ -18,25 +18,13 @@ mkdir -p "$BUILDROOT/etc/searcher/ssh_hostkey"
rm -r "$BUILDROOT/etc/dropbear"
mkdir "$BUILDROOT/etc/dropbear"

# Enable services
mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
for service in \
network-setup.service \
# Enable packaged services
mkosi-chroot systemctl add-wants minimal.target \
logrotate.timer \
delay-pipe.service \
wait-for-key.service \
searcher-firewall.service \
dropbear.service \
searcher-container.service \
ssh-pubkey-server.service \
cvm-reverse-proxy.service
do
mkosi-chroot systemctl enable "$service"
ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
done
dropbear.service

# Don't reserve port 22
mkosi-chroot systemctl disable ssh.service ssh.socket
mkosi-chroot systemctl mask ssh.service ssh.socket

# Lock the root account
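Review bot: the old loop enabled `searcher-container.service`, `ssh-pubkey-server.service` and `cvm-reverse-proxy.service`, and none of those names appear in the new `add-wants` invocation as rendered (the visible list ends at `dropbear.service`); since `ssh-pubkey-server.service` is edited elsewhere in this PR and so still exists, please confirm these three are enabled somewhere else or add them back to the list. Separately, the heading comment says "packaged services" but `wait-for-key.service`, `searcher-firewall.service` and `delay-pipe.service` are the project's own units, so "# Enable services" was the more accurate comment.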
5 changes: 3 additions & 2 deletions bob-l1/mkosi.extra/etc/systemd/system/lighthouse.service
@@ -1,7 +1,8 @@
[Unit]
Description=Lighthouse Consensus Client
After=network.target network-setup.service persistent-mount.service
Requires=network-setup.service persistent-mount.service
After=network-online.target persistent-mount.service
Wants=network-online.target
Requires=persistent-mount.service

[Service]
Type=exec
12 changes: 1 addition & 11 deletions bob-l1/mkosi.postinst
Expand Up @@ -7,14 +7,4 @@ set -euxo pipefail
mkosi-chroot groupadd -r eth
mkosi-chroot useradd -r -s /bin/false -G eth lighthouse

# Install lighthouse
install -m 755 services/bin/lighthouse-init "$BUILDROOT/usr/bin/"

# Enable services
mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
for service in \
lighthouse.service
do
mkosi-chroot systemctl enable "$service"
ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
done
mkosi-chroot systemctl add-wants minimal.target lighthouse
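Review bot: the `install -m 755 services/bin/lighthouse-init "$BUILDROOT/usr/bin/"` line is removed but `lighthouse.service` is only shown down to its `[Unit]` section in this PR; confirm its `ExecStart`/`ExecStartPre` no longer reference `/usr/bin/lighthouse-init`, otherwise the unit fails at boot. Also use the full `lighthouse.service` name here as every other `add-wants` call in the PR does, rather than relying on systemctl's implicit `.service` suffix.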
6 changes: 3 additions & 3 deletions bob-l1/readme.md
Expand Up @@ -601,9 +601,9 @@ Developer Notes

### Service Order

1. Initialize network (**name:** `network-setup.service`)
2. Get searcher key from LUKS partition or wait for key on port 8080 (**name:** `wait-for-key.service`) (**after:** `network-setup.service`)
3. Setup firewall (**name:** `searcher-firewall.service`) (**after:** `network-setup.service`)
1. Initialize network via `systemd-networkd.service`
2. Get searcher key from LUKS partition or wait for key on port 8080 (**name:** `wait-for-key.service`) (**after:** `network-online.target`)
3. Setup firewall (**name:** `searcher-firewall.service`) (**after:** `network-online.target`)
4. Start dropbear server for `initialize`, `toggle`, etc. (**name:** `dropbear.service`) (**after:** `wait-for-key.service`, `searcher-firewall.service`)
5. Open a log socket and forward text from it to the delayed log file after 300s (**name:** searcher-log-reader.service) (**after:** `/persistent` is mounted)
6. Write new text in `bob.log` to the log socket (**name:** searcher-log-writer.service) (**after:** searcher-log-reader.service)
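Review bot: step 1 now reads "Initialize network via `systemd-networkd.service`" and drops the `(**name:** ...)` form every other step uses; keep the format consistent, e.g. `1. Initialize network (**name:** systemd-networkd.service)`, and consider adding `systemd-networkd-wait-online.service` as the unit the later `network-online.target` orderings actually depend on.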
4 changes: 2 additions & 2 deletions bob-l2/mkosi.extra/etc/systemd/system/fetch-config.service
@@ -1,7 +1,7 @@
[Unit]
Description=Fetch some configuration variables from Vault
After=network.target network-setup.service
Requires=network-setup.service
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
3 changes: 0 additions & 3 deletions buildernet.conf

This file was deleted.

25 changes: 0 additions & 25 deletions buildernet/mkosi.build

This file was deleted.

25 changes: 0 additions & 25 deletions buildernet/mkosi.conf

This file was deleted.
