diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 9028b83761..2928787f16 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@@ -30,6 +30,7 @@ copy_to_directory(
 mkosi_image(
 name = "base_" + kernel_variant,
 srcs = [
+ "mkosi.finalize",
 "mkosi.postinst",
 "mkosi.prepare",
 ] + glob([
diff --git a/image/base/mkosi.finalize b/image/base/mkosi.finalize
new file mode 100755
index 0000000000..561db202f9
--- /dev/null
+++ b/image/base/mkosi.finalize
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+# For some reason yet unknown, SourceDateEpoch is not applied correctly to the
+# users added by systemd-sysusers. This has only been observed in our mkosi
+# flake so far, not in an upstream mkosi configuration.
+# TODO(burgerdev): wait for a couple of Nix package upgrades and try again?
+
+# Strategy: unset the "last password change" date without leaving a trace in
+# /etc/shadow-.
+tmp=$(mktemp)
+cp -a "${BUILDROOT}/etc/shadow-" "${tmp}"
+mkosi-chroot chage -d "" etcd
+cp -a "${tmp}" "${BUILDROOT}/etc/shadow-"
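Review bot: The temporary copy of `${BUILDROOT}/etc/shadow-` in mkosi.finalize is never deleted, so a copy of the image's backup shadow file stays in the build host's temp directory after the script exits. Adding `trap 'rm -f "${tmp}"' EXIT` directly after `tmp=$(mktemp)` would remove it on success and when `set -e` aborts the script. The header comment speaks of users added by systemd-sysusers in general, yet only `etcd` is reset; it may be worth stating in the comment why only that account is affected, or checking after the `chage` call that the last-change field is empty for every sysusers-created account, so a later-added user does not silently reintroduce a build-time date. An empty last-change field also disables password aging for the account per shadow(5), which is presumably acceptable for a service account but deserves a line in the comment.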