Fix efi stub for measured boot + other misc tweaks for azure build

Author: alexhulbert

Dockerfile

@@ -0,0 +1,23 @@
+FROM ubuntu:25.04
+
+RUN apt-get update && apt-get install -y \
+    curl git sudo qemu-system-x86 qemu-utils \
+    debian-archive-keyring systemd-boot reprepro xz-utils
+
+RUN adduser --disabled-password --gecos '' nix && \
+    echo "nix ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nix && \
+    chmod 0440 /etc/sudoers.d/nix
+
+COPY --chown=nix:nix . /home/nix/mkosi
+RUN mkdir -p /home/nix/mkosi/mkosi.packages /home/nix/mkosi/mkosi.cache \
+        /home/nix/mkosi/mkosi.builddir /home/nix/mkosi/build /nix && \
+    chown -R nix:nix /home/nix/mkosi /nix
+
+USER nix
+RUN curl -L https://nixos.org/nix/install | sh -s -- --no-daemon && \
+    mkdir -p ~/.config/nix ~/.cache/mkosi/ && \
+    echo 'experimental-features = nix-command flakes' > ~/.config/nix/nix.conf
+RUN /home/nix/.nix-profile/bin/nix develop -c /bin/true
+
+WORKDIR /home/nix/mkosi
+ENTRYPOINT ["/home/nix/.nix-profile/bin/nix", "develop", "-c", "/bin/bash"]

base/base.conf

@@ -22,6 +22,7 @@ KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spe
 SkeletonTrees=base/mkosi.skeleton
 FinalizeScripts=base/debloat.sh
 PostInstallationScripts=base/debloat-systemd.sh
+PostInstallationScripts=base/efi-stub.sh
 BuildScripts=base/mkosi.build
 
 CleanPackageMetadata=true

base/efi-stub.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+
+# Use a version of systemd-boot that is compatible with measured-boot script
+SYSTEMD_BOOT_URL="https://snapshot.debian.org/archive/debian/20240314T094714Z/pool/main/s/systemd/systemd-boot-efi_255.4-1_amd64.deb"
+TEMP_DEB="$BUILDROOT/systemd-boot.deb"
+curl -L -o "$TEMP_DEB" "$SYSTEMD_BOOT_URL"
+mkosi-chroot dpkg -i /systemd-boot.deb
+rm -f "$TEMP_DEB"

bob/mkosi.build

@@ -29,7 +29,7 @@ make_git_package \
 # Build ssh-pubkey-server
 make_git_package \
     "ssh-pubkey-server" \
-    "second-key" \
+    "multi-key" \
     "https://github.com/flashbots/ssh-pubkey-server" \
     'go build -trimpath -ldflags "-s -w -buildid= -X github.com/flashbots/go-template/common.Version=v1.0.0" -o ./build/ssh-pubkey-server cmd/httpserver/main.go' \
     "build/ssh-pubkey-server:/usr/bin/ssh-pubkey-server"

bob/mkosi.extra/etc/systemd/system/ssh-pubkey-server.service

@@ -5,7 +5,7 @@ Requires=searcher-container.service
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/ssh-pubkey-server --listen-addr=127.0.0.1:5001 --container-ssh-pubkey-file /etc/searcher/ssh_hostkey/host_key.pub --host-ssh-pubkey-file /etc/dropbear/dropbear_ed25519_host_key.pub
+ExecStart=/usr/bin/ssh-pubkey-server --listen-addr=127.0.0.1:5001 --ssh-pubkey-file=/etc/searcher/ssh_hostkey/host_key.pub --ssh-pubkey-file=/etc/dropbear/dropbear_ed25519_host_key.pub
 Restart=always
 RestartSec=5
 

bob/mkosi.postinst

@@ -28,7 +28,6 @@ mkdir "$BUILDROOT/etc/dropbear"
 mkdir "$BUILDROOT/etc/systemd/system/minimal.target.wants"
 for service in \
     network-setup.service \
-    azure-complete-provisioning.service \
     openntpd.service \
     logrotate.service \
     searcher-log-reader.service \