From 52dfbaeec5e46062ba3f8624d8c88ee4ec74175c Mon Sep 17 00:00:00 2001
From: Florian Agbuya
Date: Thu, 9 Jan 2025 16:01:29 +0800
Subject: [PATCH] mount SD read-only and use overlay ramfs
---
flake.nix | 2 ++
not-os-patches/pr-28.patch | 32 +++++++++++++++++++++++---------
2 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/flake.nix b/flake.nix
index aa669d5..4a0028b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -410,6 +410,8 @@
linien-server
(pkgs.python3.withPackages(ps: [ pyfastservo ]))
];
+ # Set to false to have the SD/rootfs mounted RW
+ not-os.readOnly = true;
boot.postBootCommands = lib.mkAfter ''
# Program the FPGA
diff --git a/not-os-patches/pr-28.patch b/not-os-patches/pr-28.patch
index d122e5a..450972e 100644
--- a/not-os-patches/pr-28.patch
+++ b/not-os-patches/pr-28.patch
@@ -1,8 +1,8 @@
 diff --git a/base.nix b/base.nix
-index 7eaee32..9aa338e 100644
+index 7eaee32..ad2c168 100644
 --- a/base.nix
 +++ b/base.nix
-@@ -27,6 +27,11 @@ with lib;
+@@ -27,6 +27,16 @@ with lib;
description = "enable rngd";
default = false;
};
@@ -10,11 +10,16 @@ index 7eaee32..9aa338e 100644
+ type = types.bool;
+ default = false;
+ description = "enable sd image support";
++ };
++ not-os.readOnly = mkOption {
++ type = types.bool;
++ default = true;
++ description = "Mount root filesystem as read-only with overlay for writes";
+ };
not-os.simpleStaticIp = mkOption {
type = types.bool;
default = false;
-@@ -84,17 +89,25 @@ with lib;
+@@ -84,17 +94,25 @@ with lib;
};
environment.etc = {
"nix/nix.conf".source = pkgs.runCommand "nix.conf" {} ''
@@ -59,7 +64,7 @@ index d7b0bf3..70353a1 100644
'';
}
 diff --git a/stage-1.nix b/stage-1.nix
-index 331fecd..aa5148e 100644
+index 331fecd..f580f7a 100644
 --- a/stage-1.nix
 +++ b/stage-1.nix
 @@ -117,11 +117,6 @@ let
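Review bot: The comment above the new `not-os.readOnly = true;` line in flake.nix only documents the opt-out and not what the chosen setting costs: with it on, every write to the root filesystem lands in a RAM overlay and is discarded at reboot, and per the pr-28.patch hunk in this same commit `true` is already the option's default, so the assignment is documentary. Suggest `# Root is mounted read-only with a tmpfs overlay (the not-os default); all runtime writes are lost on reboot. Set to false for a persistent, writable SD.`. The enclosing attribute set starts and ends outside the hunk.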
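Review bot: The description of the new `not-os.readOnly` option omits the two facts an operator needs before relying on it: writes go to a tmpfs overlay and are discarded on reboot, and, judging by the stage-1.nix hunk later in this patch, the option is only consulted when `not-os.sd` is also set. Suggest `description = "Mount the SD root filesystem read-only and redirect writes to a tmpfs overlay; all changes are lost on reboot. Only takes effect when not-os.sd is set.";`. Because the default is `true`, any other consumer of pr-28.patch with `not-os.sd = true` silently switches to a volatile root on update, which the commit message should call out. The enclosing options set continues outside the hunk.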
@@ -74,18 +79,27 @@ index 331fecd..aa5148e 100644
root=/dev/vda
realroot=tmpfs
for o in $(cat /proc/cmdline); do
-@@ -164,7 +159,9 @@ let
+@@ -164,7 +159,18 @@ let
mkdir -p /mnt/nix/store/
- ${if config.not-os.nix then ''
-+ ${if config.not-os.sd && config.not-os.nix then ''
-+ mount $root /mnt
++ ${if config.not-os.sd && config.not-os.nix then
++ if config.not-os.readOnly then ''
++ mkdir -p /mnt.ro /mnt.overlay
++ mount -o ro $root /mnt.ro
++ mount -t tmpfs -o size=1G tmpfs /mnt.overlay
++ mkdir -p /mnt.overlay/upper /mnt.overlay/work
++
++ mount -t overlay overlay -o lowerdir=/mnt.ro,upperdir=/mnt.overlay/upper,workdir=/mnt.overlay/work /mnt
++ '' else ''
++ # Read-write mount for development
++ mount $root /mnt
+ '' else if config.not-os.nix then ''
# make the store writeable
mkdir -p /mnt/nix/.ro-store /mnt/nix/.overlay-store /mnt/nix/store
mount $root /mnt/nix/.ro-store -t squashfs
-@@ -190,6 +187,11 @@ let
+@@ -190,6 +196,11 @@ let
initialRamdisk = pkgs.makeInitrd {
contents = [ { object = bootStage1; symlink = "/init"; } ];
};
@@ -97,7 +111,7 @@ index 331fecd..aa5148e 100644
in
{
options = {
-@@ -205,6 +207,7 @@ in
+@@ -205,6 +216,7 @@ in
config = {
system.build.bootStage1 = bootStage1;
system.build.initialRamdisk = initialRamdisk;
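Review bot: None of the four mounts in the new `readOnly` branch of stage-1.nix checks its result, so if overlayfs is missing from the kernel or `$root` cannot be mounted read-only the script carries on with an empty `/mnt` and fails later in a less obvious place; each mount should hit whatever failure path stage-1 already has, e.g. `mount -t overlay overlay -o lowerdir=/mnt.ro,upperdir=/mnt.overlay/upper,workdir=/mnt.overlay/work /mnt || fail "overlay mount failed"` (assuming such a helper exists, which is outside the hunk). The upper tmpfs is created with `size=1G` and default options: if the board has less than 1 GiB of RAM that cap never bounds how much memory a runaway log or a compromised process can consume by writing to the root, so a fraction like `size=50%` ties it to physical memory, and since overlayfs reports the upper directory's attributes for the merged root, `mkdir -p -m 0755 /mnt.overlay/upper /mnt.overlay/work` keeps the root's mode independent of the initramfs umask. A comment should also state that `-o ro` protects the SD from wear and from persistence of anything written at runtime, but a root process can still `mount -o remount,rw` the lower mount or write the block device directly, so this alone is not tamper resistance. What becomes of `/mnt.ro` and `/mnt.overlay` after the switch to the new root, and the rest of the enclosing stage-1 script, lie outside the hunk.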