New systemd prototype

Author: alexhulbert

.gitignore

@@ -6,4 +6,5 @@ mkosi.cache/
 mkosi.builddir/
 *.qcow2
 .claudesync/
-.claudeignore
+.claudeignore
+tmp/

base/base.conf

@@ -0,0 +1,40 @@
+[Distribution]
+Distribution=debian
+Release=trixie
+
+[Output]
+Format=uki
+ImageId=tdx-debian
+OutputDirectory=build
+PackageCacheDirectory=mkosi.cache
+Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c
+
+[Host]
+# Incremental=true
+
+[Content]
+SourceDateEpoch=0
+KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2
+Environment=KERNEL_IMAGE KERNEL_VERSION
+SkeletonTrees=base/mkosi.skeleton
+FinalizeScripts=base/debloat.sh
+PostInstallationScripts=base/debloat-systemd.sh
+BuildScripts=base/mkosi.build
+PrepareScripts=base/export-packages.sh
+
+CleanPackageMetadata=true
+Packages=kmod
+         systemd
+         systemd-boot-efi
+         busybox
+         util-linux
+         iproute2
+         udhcpc
+         e2fsprogs
+BuildPackages=build-essential
+              git
+              curl
+              cmake
+              pkg-config
+              clang
+              cargo

base/debloat-systemd.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+set -euo pipefail
+
+# Core systemd units to keep
+systemd_svc_whitelist=(
+    "minimal.target"
+    "basic.target"
+    "sysinit.target"
+    "sockets.target" 
+    "local-fs.target"
+    "local-fs-pre.target"
+    "slices.target"
+    "systemd-journald.service"
+    "systemd-journald.socket"
+    "systemd-journald-dev-log.socket"
+    "systemd-remount-fs.service"
+    "systemd-sysctl.service"
+)
+
+# Keep only essential systemd binaries
+systemd_bin_whitelist=(
+    "systemctl"
+    "journalctl"
+    "systemd"
+)
+
+mkosi-chroot dpkg-query -L systemd | grep -E '^/usr/bin/' | while read -r bin_path; do
+    bin_name=$(basename "$bin_path")
+    if ! printf '%s\n' "${systemd_bin_whitelist[@]}" | grep -qx "$bin_name"; then
+        rm -f "$BUILDROOT$bin_path"
+    fi
+done
+
+# Get all systemd units and mask those not in service whitelist
+SYSTEMD_DIR="$BUILDROOT/etc/systemd/system"
+mkosi-chroot dpkg-query -L systemd | grep -E '\.service$|\.socket$|\.timer$|\.target$|\.mount$' | sed 's|.*/||' | while read -r unit; do
+    if ! printf '%s\n' "${systemd_svc_whitelist[@]}" | grep -qx "$unit"; then
+        ln -sf /dev/null "$SYSTEMD_DIR/$unit"
+    fi
+done
+
+# Set default target
+ln -sf minimal.target "$SYSTEMD_DIR/default.target"

base/debloat.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+set -euo pipefail
+
+# Remove all logs and cache, but keep directory structure intact
+find "$BUILDROOT/var/log" -type f -delete
+find "$BUILDROOT/var/cache" -type f -delete
+
+debloat_paths=(
+    "/etc/machine-id"
+    "/etc/*-"
+    "/usr/share/doc"
+    "/usr/share/man"
+    "/usr/share/info"
+    "/usr/share/locale"
+    "/usr/share/gcc"
+    "/usr/share/gdb"
+    "/usr/share/lintian"
+    "/usr/share/perl5/debconf"
+    "/usr/share/debconf"
+    "/usr/share/initramfs-tools"
+    "/usr/share/polkit-1"
+    "/usr/share/bug"
+    "/usr/share/menu"
+    "/usr/share/systemd"
+    "/usr/share/bash-completion"
+    "/usr/share/zsh"
+    "/usr/share/mime"
+    "/usr/lib/modules"
+    "/usr/lib/udev/hwdb.d"
+    "/usr/lib/systemd/catalog"
+    "/usr/lib/systemd/user"
+    "/usr/lib/systemd/user-generators"
+    "/usr/lib/systemd/network"
+    "/usr/lib/pcrlock.d"
+    "/usr/lib/tmpfiles.d"
+    "/etc/systemd/network"
+    "/etc/credstore"
+    "/usr/lib/x86_64-linux-gnu/security"
+)
+
+for p in "${debloat_paths[@]}"; do rm -rf "$BUILDROOT$p"; done

base/export-packages.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ "$1" == "final" ]; then
+    dpkg-query -W -f='${Package},${Architecture},${Version}\n' > $SRCDIR/build/packages.csv
+fi

mkosi.prepare renamed to base/mkosi.build

@@ -7,6 +7,5 @@ if [ -z "$KERNEL_IMAGE" ] || [ -z "$KERNEL_VERSION" ]; then
 fi
 
 # Copy kernel and config to a place where mkosi can find it
-mkdir -p "$BUILDROOT/usr/lib/modules/$KERNEL_VERSION"
-cp "$KERNEL_IMAGE" "$BUILDROOT/usr/lib/modules/$KERNEL_VERSION/vmlinuz"
-cp ./kernel-yocto.config "$BUILDROOT/boot/config-$KERNEL_VERSION"
+mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_VERSION"
+cp "$KERNEL_IMAGE" "$DESTDIR/usr/lib/modules/$KERNEL_VERSION/vmlinuz"

base/mkosi.skeleton/etc/resolv.conf

@@ -0,0 +1,2 @@
+nameserver 8.8.8.8
+nameserver 8.8.4.4

base/mkosi.skeleton/etc/systemd/system/minimal.target

@@ -0,0 +1,9 @@
+[Unit]
+Description=Minimal System
+Requires=basic.target
+Conflicts=rescue.service rescue.target
+After=basic.target rescue.service rescue.target
+AllowIsolate=yes
+
+[Install]
+WantedBy=default.target

base/mkosi.skeleton/etc/systemd/system/network-setup.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Basic Network Setup
+DefaultDependencies=no
+Before=network.target
+Wants=network.target
+
+[Service]
+Type=oneshot
+ExecStart=ip link set lo up
+ExecStart=ip link set eth0 up
+ExecStart=chattr +i /etc/resolv.conf
+ExecStart=/usr/sbin/udhcpc -i eth0 -n
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

base/mkosi.skeleton/etc/systemd/system/persistence-setup.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Setup Persistent Storage
+DefaultDependencies=no
+After=local-fs-pre.target
+Before=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "if [ -e /dev/vda ] && ! blkid /dev/vda | grep -q 'TYPE=\"ext4\"'; then mkfs.ext4 -F /dev/vda; fi"
+ExecStart=/bin/sh -c "mkdir -p /persistent"
+ExecStart=/bin/sh -c "mount /dev/vda /persistent || echo 'Failed to mount persistent storage'"
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target