Add hardened kernel source (#47)

* fmt: run ruff and isort on kernel-cachyos/update.py

* Add separate hardened source
sempiternal-aurora 2026-03-14 10:48:53 +11:00 committed by GitHub
parent 86a4ac1656
commit fc5803132d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 23 additions and 9 deletions


@ -204,13 +204,13 @@ builtins.listToAttrs (
}) })
(mkCachyKernel { (mkCachyKernel {
pname = "linux-cachyos-hardened"; pname = "linux-cachyos-hardened";
inherit (linuxSources.latest) version src; inherit (linuxSources.hardened) version src;
configVariant = "linux-cachyos-hardened"; configVariant = "linux-cachyos-hardened";
hardened = true; hardened = true;
}) })
(mkCachyKernel { (mkCachyKernel {
pname = "linux-cachyos-hardened-lto"; pname = "linux-cachyos-hardened-lto";
inherit (linuxSources.latest) version src; inherit (linuxSources.hardened) version src;
configVariant = "linux-cachyos-hardened"; configVariant = "linux-cachyos-hardened";
hardened = true; hardened = true;
lto = "thin"; lto = "thin";
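Review bot: Nothing at the two `inherit (linuxSources.hardened) version src;` lines says why the hardened variants no longer follow `latest`, and both entries will fail to evaluate if `linuxSources` has no `hardened` attribute. A one-line comment above the first entry would record the intent, e.g. `# hardened tracks its own upstream release (version.json "hardened"), not latest`. How version.json maps onto `linuxSources` is not visible in this hunk, so check the wording against that code. The enclosing `builtins.listToAttrs (` list starts and ends outside the hunk.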


@ -1,16 +1,19 @@
import json import json
from pathlib import Path
import subprocess import subprocess
import tempfile import tempfile
from pathlib import Path
def get_srctag(variant: str = "latest") -> str: def get_srctag(variant: str = "latest") -> str:
with tempfile.TemporaryDirectory(ignore_cleanup_errors=True) as dir: with tempfile.TemporaryDirectory(ignore_cleanup_errors=True) as dir:
subprocess.run( subprocess.run(
["nix", "build", ".#cachyos-kernel-input-path", "-o", f"{dir}/result"], check=True ["nix", "build", ".#cachyos-kernel-input-path", "-o", f"{dir}/result"],
check=True,
) )
pkgbuild_path = f"linux-cachyos-{variant}" if variant != "latest" else "linux-cachyos" pkgbuild_path = (
f"linux-cachyos-{variant}" if variant != "latest" else "linux-cachyos"
)
with open(f"{dir}/result/{pkgbuild_path}/PKGBUILD") as f: with open(f"{dir}/result/{pkgbuild_path}/PKGBUILD") as f:
pkgbuild = f.read() pkgbuild = f.read()
@ -33,7 +36,9 @@ def nix_sha256_to_sri(hash: str) -> str:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300) result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode != 0: if result.returncode != 0:
raise RuntimeError(f"nix hash command failed with return code: {result.returncode}") raise RuntimeError(
f"nix hash command failed with return code: {result.returncode}"
)
output = result.stdout.strip() output = result.stdout.strip()
if not output: if not output:
@ -49,7 +54,9 @@ def run_nix_prefetch_url(url: str) -> str:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300) result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode != 0: if result.returncode != 0:
raise RuntimeError(f"nix-prefetch-url command failed with return code: {result.returncode}") raise RuntimeError(
f"nix-prefetch-url command failed with return code: {result.returncode}"
)
output = result.stdout.strip() output = result.stdout.strip()
if not output: if not output:
@ -60,7 +67,7 @@ def run_nix_prefetch_url(url: str) -> str:
if __name__ == "__main__": if __name__ == "__main__":
versions = {} versions = {}
for variant in ["latest", "lts", "rc"]: for variant in ["latest", "lts", "rc", "hardened"]:
print(f"{variant=}") print(f"{variant=}")
srctag = get_srctag(variant) srctag = get_srctag(variant)
real_version = "-".join(srctag.split("-")[1:-1]) real_version = "-".join(srctag.split("-")[1:-1])
@ -80,7 +87,9 @@ if __name__ == "__main__":
current = Path.cwd() current = Path.cwd()
while not (current / "flake.lock").exists(): while not (current / "flake.lock").exists():
if current == current.parent: if current == current.parent:
raise RuntimeError("Could not find flake.lock in any parent directory, exiting") raise RuntimeError(
"Could not find flake.lock in any parent directory, exiting"
)
current = current.parent current = current.parent
output_file = current / "kernel-cachyos" / "version.json" output_file = current / "kernel-cachyos" / "version.json"
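Review bot: The `subprocess.run` call that runs `nix build` in `get_srctag` (first hunk) has no `timeout`, while the `nix hash` and `nix-prefetch-url` calls in the later hunks pass `timeout=300`; with `"hardened"` added to the loop under `__main__`, that build now runs four times per update, and a stalled fetch would hang the updater without raising. Bound it like the others, e.g. `check=True, timeout=300,`, choosing a value that still fits a cold build. The build target `.#cachyos-kernel-input-path` does not depend on `variant`, so the build could probably run once before the loop, but `get_srctag` continues outside the hunk, so confirm against the full body.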


@ -13,5 +13,10 @@
"version": "7.0-rc3", "version": "7.0-rc3",
"url": "https://github.com/CachyOS/linux/releases/download/cachyos-7.0-rc3-1/cachyos-7.0-rc3-1.tar.gz", "url": "https://github.com/CachyOS/linux/releases/download/cachyos-7.0-rc3-1/cachyos-7.0-rc3-1.tar.gz",
"hash": "sha256-+oWnfrNyTioD00QqvV5mbDoz/h/bjIVe0f+uWekjnFI=" "hash": "sha256-+oWnfrNyTioD00QqvV5mbDoz/h/bjIVe0f+uWekjnFI="
},
"hardened": {
"version": "6.18.17",
"url": "https://github.com/CachyOS/linux/releases/download/cachyos-6.18.17-1/cachyos-6.18.17-1.tar.gz",
"hash": "sha256-qpTxo8Q+4Bn3vXl7VHOc4vS4WswrlqNDCr9TQZHdC2Y="
} }
} }