host/rootfs: dynamically generate s6-rc services

This way, we don't allow arbitrary code from the ext partition to run
on the host system, which gives us better integrity guarantees when
paired with Secure Boot.  This new scheme also makes it easy to
introspect VMs, since they're defined using a very limited
configuration language.

1 files changed, 29 insertions, 0 deletions

diff --git a/host/start-vm/default.nix b/host/start-vm/default.nix
new file mode 100644
index 0000000..8fd4933
--- /dev/null
+++ b/host/start-vm/default.nix
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
+
+{ pkgs ? import <nixpkgs> {} }: pkgs.callPackage (
+{ pkgsBuildHost, lib, stdenv, fetchpatch, rust, ninja, rustc }:
+
+let
+  inherit (lib) cleanSource;
+
+  meson' = pkgsBuildHost.meson_0_60.overrideAttrs ({ patches ? [], ... }: {
+    patches = patches ++ [
+      (fetchpatch {
+        url = "https://github.com/alyssais/meson/commit/e8464d47fa8971098d626744b14db5d066ebf753.patch";
+        sha256 = "0naxj0s16w6ffk6d7xg1m6kkx2a7zd0hz8mbvn70xy1k12a0c5gy";
+      })
+    ];
+  });
+in
+
+stdenv.mkDerivation {
+  name = "start-vm";
+
+  src = cleanSource ./.;
+
+  nativeBuildInputs = [ meson' ninja rustc ];
+
+  dontStrip = true;
+}
+) { }