handle seed_{ca,proxy,servername}

Cargo.lock

@@ -112,28 +112,6 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
-[[package]]
-name = "aws-lc-rs"
-version = "1.16.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f"
-dependencies = [
- "aws-lc-sys",
- "zeroize",
-]
-
-[[package]]
-name = "aws-lc-sys"
-version = "0.40.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7"
-dependencies = [
- "cc",
- "cmake",
- "dunce",
- "fs_extra",
-]
-
 [[package]]
 name = "base32"
 version = "0.5.1"
@@ -193,12 +171,6 @@ dependencies = [
  "shlex",
 ]
 
-[[package]]
-name = "cesu8"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
-
 [[package]]
 name = "cfg-if"
 version = "1.0.4"
@@ -274,31 +246,12 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
 
-[[package]]
-name = "cmake"
-version = "0.1.58"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0f78a02292a74a88ac736019ab962ece0bc380e3f977bf72e376c5d78ff0678"
-dependencies = [
- "cc",
-]
-
 [[package]]
 name = "colorchoice"
 version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
 
-[[package]]
-name = "combine"
-version = "4.6.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
-dependencies = [
- "bytes",
- "memchr",
-]
-
 [[package]]
 name = "compression-codecs"
 version = "0.4.37"
@@ -367,8 +320,8 @@ dependencies = [
 
 [[package]]
 name = "dkl"
-version = "1.2.0"
+version = "1.2.1"
-source = "git+https://novit.tech/direktil/dkl#2e87e4d92f36ad6f5123e3e68c6d4e77d5bf4524"
+source = "git+https://novit.tech/direktil/dkl#5414b1d52992ef53cb03c9c6bf2a9793a501e0f6"
 dependencies = [
  "async-compression",
  "base32",
@@ -391,7 +344,7 @@ dependencies = [
  "nix",
  "openssl",
  "page_size",
- "reqwest",
+ "reqwest 0.13.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "rpassword",
  "rust-argon2",
  "serde",
@@ -399,31 +352,16 @@ dependencies = [
  "serde_yaml",
  "signal-hook",
  "tabled",
- "thiserror 2.0.18",
+ "thiserror",
  "tokio",
 ]
 
-[[package]]
-name = "dunce"
-version = "1.0.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
-
 [[package]]
 name = "either"
 version = "1.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
 
-[[package]]
-name = "encoding_rs"
-version = "0.8.35"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
-dependencies = [
- "cfg-if",
-]
-
 [[package]]
 name = "env_filter"
 version = "1.0.1"
@@ -521,12 +459,6 @@ dependencies = [
  "percent-encoding",
 ]
 
-[[package]]
-name = "fs_extra"
-version = "1.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
-
 [[package]]
 name = "futures"
 version = "0.3.32"
@@ -615,19 +547,6 @@ dependencies = [
  "slab",
 ]
 
-[[package]]
-name = "getrandom"
-version = "0.2.17"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
-dependencies = [
- "cfg-if",
- "js-sys",
- "libc",
- "wasi",
- "wasm-bindgen",
-]
-
 [[package]]
 name = "getrandom"
 version = "0.3.4"
@@ -635,11 +554,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
 dependencies = [
  "cfg-if",
- "js-sys",
  "libc",
  "r-efi 5.3.0",
  "wasip2",
- "wasm-bindgen",
 ]
 
 [[package]]
@@ -661,25 +578,6 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
 
-[[package]]
-name = "h2"
-version = "0.4.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54"
-dependencies = [
- "atomic-waker",
- "bytes",
- "fnv",
- "futures-core",
- "futures-sink",
- "http",
- "indexmap",
- "slab",
- "tokio",
- "tokio-util",
- "tracing",
-]
-
 [[package]]
 name = "hashbrown"
 version = "0.15.5"
@@ -765,7 +663,6 @@ dependencies = [
  "bytes",
  "futures-channel",
  "futures-core",
- "h2",
  "http",
  "http-body",
  "httparse",
@@ -776,21 +673,6 @@ dependencies = [
  "want",
 ]
 
-[[package]]
-name = "hyper-rustls"
-version = "0.27.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33ca68d021ef39cf6463ab54c1d0f5daf03377b70561305bb89a8f83aab66e0f"
-dependencies = [
- "http",
- "hyper",
- "hyper-util",
- "rustls",
- "tokio",
- "tokio-rustls",
- "tower-service",
-]
-
 [[package]]
 name = "hyper-tls"
 version = "0.6.0"
@@ -807,6 +689,20 @@ dependencies = [
  "tower-service",
 ]
 
+[[package]]
+name = "hyper-tls"
+version = "0.6.0"
+source = "git+https://github.com/mcluseau/rs-hyper-tls#41d524b45de124b17b10f30d80665fcc9276b856"
+dependencies = [
+ "bytes",
+ "hyper",
+ "hyper-util",
+ "native-tls",
+ "tokio",
+ "tokio-native-tls",
+ "tower-service",
+]
+
 [[package]]
 name = "hyper-util"
 version = "0.1.20"
@@ -991,13 +887,14 @@ dependencies = [
  "env_logger",
  "eyre",
  "glob",
+ "hex",
  "itertools",
  "libc",
  "log",
  "nix",
  "openssl",
  "regex",
- "reqwest",
+ "reqwest 0.13.2 (git+https://github.com/mcluseau/rs-reqwest)",
  "serde",
  "serde_json",
  "serde_yaml",
@@ -1078,50 +975,6 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "jni"
-version = "0.21.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97"
-dependencies = [
- "cesu8",
- "cfg-if",
- "combine",
- "jni-sys 0.3.1",
- "log",
- "thiserror 1.0.69",
- "walkdir",
- "windows-sys 0.45.0",
-]
-
-[[package]]
-name = "jni-sys"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41a652e1f9b6e0275df1f15b32661cf0d4b78d4d87ddec5e0c3c20f097433258"
-dependencies = [
- "jni-sys 0.4.1",
-]
-
-[[package]]
-name = "jni-sys"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c6377a88cb3910bee9b0fa88d4f42e1d2da8e79915598f65fb0c7ee14c878af2"
-dependencies = [
- "jni-sys-macros",
-]
-
-[[package]]
-name = "jni-sys-macros"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38c0b942f458fe50cdac086d2f946512305e5631e720728f2a61aabcd47a6264"
-dependencies = [
- "quote",
- "syn",
-]
-
 [[package]]
 name = "jobserver"
 version = "0.1.34"
@@ -1174,12 +1027,6 @@ version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
-[[package]]
-name = "lru-slab"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
-
 [[package]]
 name = "lz4"
 version = "1.28.1"
@@ -1205,12 +1052,6 @@ version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
-[[package]]
-name = "mime"
-version = "0.3.17"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
-
 [[package]]
 name = "mio"
 version = "1.2.0"
@@ -1274,9 +1115,9 @@ checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
 [[package]]
 name = "openssl"
-version = "0.10.77"
+version = "0.10.78"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfe4646e360ec77dff7dde40ed3d6c5fee52d156ef4a62f53973d38294dad87f"
+checksum = "f38c4372413cdaaf3cc79dd92d29d7d9f5ab09b51b10dded508fb90bb70b9222"
 dependencies = [
  "bitflags",
  "cfg-if",
@@ -1306,9 +1147,9 @@ checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.113"
+version = "0.9.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ad2f2c0eba47118757e4c6d2bff2838f3e0523380021356e7875e858372ce644"
+checksum = "13ce1245cd07fcc4cfdb438f7507b0c7e4f3849a69fd84d52374c66d83741bb6"
 dependencies = [
  "cc",
  "libc",
@@ -1385,15 +1226,6 @@ dependencies = [
  "zerovec",
 ]
 
-[[package]]
-name = "ppv-lite86"
-version = "0.2.21"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
-dependencies = [
- "zerocopy",
-]
-
 [[package]]
 name = "prettyplease"
 version = "0.2.37"
@@ -1435,62 +1267,6 @@ dependencies = [
  "unicode-ident",
 ]
 
-[[package]]
-name = "quinn"
-version = "0.11.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
-dependencies = [
- "bytes",
- "cfg_aliases",
- "pin-project-lite",
- "quinn-proto",
- "quinn-udp",
- "rustc-hash",
- "rustls",
- "socket2",
- "thiserror 2.0.18",
- "tokio",
- "tracing",
- "web-time",
-]
-
-[[package]]
-name = "quinn-proto"
-version = "0.11.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
-dependencies = [
- "aws-lc-rs",
- "bytes",
- "getrandom 0.3.4",
- "lru-slab",
- "rand",
- "ring",
- "rustc-hash",
- "rustls",
- "rustls-pki-types",
- "slab",
- "thiserror 2.0.18",
- "tinyvec",
- "tracing",
- "web-time",
-]
-
-[[package]]
-name = "quinn-udp"
-version = "0.5.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
-dependencies = [
- "cfg_aliases",
- "libc",
- "once_cell",
- "socket2",
- "tracing",
- "windows-sys 0.60.2",
-]
-
 [[package]]
 name = "quote"
 version = "1.0.45"
@@ -1512,35 +1288,6 @@ version = "6.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
 
-[[package]]
-name = "rand"
-version = "0.9.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
-dependencies = [
- "rand_chacha",
- "rand_core",
-]
-
-[[package]]
-name = "rand_chacha"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
-dependencies = [
- "ppv-lite86",
- "rand_core",
-]
-
-[[package]]
-name = "rand_core"
-version = "0.9.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
-dependencies = [
- "getrandom 0.3.4",
-]
-
 [[package]]
 name = "regex"
 version = "1.12.3"
@@ -1578,33 +1325,25 @@ checksum = "ab3f43e3283ab1488b624b44b0e988d0acea0b3214e694730a055cb6b2efa801"
 dependencies = [
  "base64",
  "bytes",
- "encoding_rs",
  "futures-core",
  "futures-util",
- "h2",
  "http",
  "http-body",
  "http-body-util",
  "hyper",
- "hyper-rustls",
+ "hyper-tls 0.6.0 (registry+https://github.com/rust-lang/crates.io-index)",
- "hyper-tls",
  "hyper-util",
  "js-sys",
  "log",
- "mime",
  "native-tls",
  "percent-encoding",
  "pin-project-lite",
- "quinn",
- "rustls",
  "rustls-pki-types",
- "rustls-platform-verifier",
  "serde",
  "serde_json",
  "sync_wrapper",
  "tokio",
  "tokio-native-tls",
- "tokio-rustls",
  "tokio-util",
  "tower",
  "tower-http",
@@ -1617,17 +1356,35 @@ dependencies = [
 ]
 
 [[package]]
-name = "ring"
+name = "reqwest"
-version = "0.17.14"
+version = "0.13.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
+source = "git+https://github.com/mcluseau/rs-reqwest#f82d6ca9bc05b80bf0b4fb84271afef5026a1d8a"
-checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
 dependencies = [
- "cc",
+ "base64",
- "cfg-if",
+ "bytes",
- "getrandom 0.2.17",
+ "futures-core",
- "libc",
+ "http",
- "untrusted",
+ "http-body",
- "windows-sys 0.52.0",
+ "http-body-util",
+ "hyper",
+ "hyper-tls 0.6.0 (git+https://github.com/mcluseau/rs-hyper-tls)",
+ "hyper-util",
+ "js-sys",
+ "log",
+ "native-tls",
+ "percent-encoding",
+ "pin-project-lite",
+ "rustls-pki-types",
+ "sync_wrapper",
+ "tokio",
+ "tokio-native-tls",
+ "tower",
+ "tower-http",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
 ]
 
 [[package]]
@@ -1663,12 +1420,6 @@ dependencies = [
  "crossbeam-utils",
 ]
 
-[[package]]
-name = "rustc-hash"
-version = "2.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe"
-
 [[package]]
 name = "rustix"
 version = "1.1.4"
@@ -1682,81 +1433,15 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "rustls"
-version = "0.23.38"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69f9466fb2c14ea04357e91413efb882e2a6d4a406e625449bc0a5d360d53a21"
-dependencies = [
- "aws-lc-rs",
- "once_cell",
- "rustls-pki-types",
- "rustls-webpki",
- "subtle",
- "zeroize",
-]
-
-[[package]]
-name = "rustls-native-certs"
-version = "0.8.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
-dependencies = [
- "openssl-probe",
- "rustls-pki-types",
- "schannel",
- "security-framework",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
 dependencies = [
- "web-time",
  "zeroize",
 ]
 
-[[package]]
-name = "rustls-platform-verifier"
-version = "0.6.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784"
-dependencies = [
- "core-foundation 0.10.1",
- "core-foundation-sys",
- "jni",
- "log",
- "once_cell",
- "rustls",
- "rustls-native-certs",
- "rustls-platform-verifier-android",
- "rustls-webpki",
- "security-framework",
- "security-framework-sys",
- "webpki-root-certs",
- "windows-sys 0.61.2",
-]
-
-[[package]]
-name = "rustls-platform-verifier-android"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
-
-[[package]]
-name = "rustls-webpki"
-version = "0.103.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06"
-dependencies = [
- "aws-lc-rs",
- "ring",
- "rustls-pki-types",
- "untrusted",
-]
-
 [[package]]
 name = "rustversion"
 version = "1.0.22"
@@ -1769,15 +1454,6 @@ version = "1.0.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
 
-[[package]]
-name = "same-file"
-version = "1.0.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
-dependencies = [
- "winapi-util",
-]
-
 [[package]]
 name = "schannel"
 version = "0.1.29"
@@ -1938,12 +1614,6 @@ version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
 
-[[package]]
-name = "subtle"
-version = "2.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
-
 [[package]]
 name = "syn"
 version = "2.0.117"
@@ -2061,33 +1731,13 @@ dependencies = [
  "unicode-width",
 ]
 
-[[package]]
-name = "thiserror"
-version = "1.0.69"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
-dependencies = [
- "thiserror-impl 1.0.69",
-]
-
 [[package]]
 name = "thiserror"
 version = "2.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
 dependencies = [
- "thiserror-impl 2.0.18",
+ "thiserror-impl",
-]
-
-[[package]]
-name = "thiserror-impl"
-version = "1.0.69"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
 ]
 
 [[package]]
@@ -2111,21 +1761,6 @@ dependencies = [
  "zerovec",
 ]
 
-[[package]]
-name = "tinyvec"
-version = "1.11.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3"
-dependencies = [
- "tinyvec_macros",
-]
-
-[[package]]
-name = "tinyvec_macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
-
 [[package]]
 name = "tokio"
 version = "1.52.1"
@@ -2163,16 +1798,6 @@ dependencies = [
  "tokio",
 ]
 
-[[package]]
-name = "tokio-rustls"
-version = "0.26.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
-dependencies = [
- "rustls",
- "tokio",
-]
-
 [[package]]
 name = "tokio-util"
 version = "0.7.18"
@@ -2286,12 +1911,6 @@ version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
 
-[[package]]
-name = "untrusted"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
-
 [[package]]
 name = "url"
 version = "2.5.8"
@@ -2322,16 +1941,6 @@ version = "0.2.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
 
-[[package]]
-name = "walkdir"
-version = "2.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
-dependencies = [
- "same-file",
- "winapi-util",
-]
-
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -2477,25 +2086,6 @@ dependencies = [
  "wasm-bindgen",
 ]
 
-[[package]]
-name = "web-time"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
-dependencies = [
- "js-sys",
- "wasm-bindgen",
-]
-
-[[package]]
-name = "webpki-root-certs"
-version = "1.0.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f31141ce3fc3e300ae89b78c0dd67f9708061d1d2eda54b8209346fd6be9a92c"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "winapi"
 version = "0.3.9"
@@ -2512,15 +2102,6 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 
-[[package]]
-name = "winapi-util"
-version = "0.1.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
-dependencies = [
- "windows-sys 0.61.2",
-]
-
 [[package]]
 name = "winapi-x86_64-pc-windows-gnu"
 version = "0.4.0"
@@ -2597,24 +2178,6 @@ dependencies = [
  "windows-link",
 ]
 
-[[package]]
-name = "windows-sys"
-version = "0.45.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
-dependencies = [
- "windows-targets 0.42.2",
-]
-
-[[package]]
-name = "windows-sys"
-version = "0.52.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
-dependencies = [
- "windows-targets 0.52.6",
-]
-
 [[package]]
 name = "windows-sys"
 version = "0.59.0"
@@ -2642,21 +2205,6 @@ dependencies = [
  "windows-link",
 ]
 
-[[package]]
-name = "windows-targets"
-version = "0.42.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
-dependencies = [
- "windows_aarch64_gnullvm 0.42.2",
- "windows_aarch64_msvc 0.42.2",
- "windows_i686_gnu 0.42.2",
- "windows_i686_msvc 0.42.2",
- "windows_x86_64_gnu 0.42.2",
- "windows_x86_64_gnullvm 0.42.2",
- "windows_x86_64_msvc 0.42.2",
-]
-
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -2690,12 +2238,6 @@ dependencies = [
  "windows_x86_64_msvc 0.53.1",
 ]
 
-[[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.42.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
-
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -2708,12 +2250,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
 
-[[package]]
-name = "windows_aarch64_msvc"
-version = "0.42.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
-
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
@@ -2726,12 +2262,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
 
-[[package]]
-name = "windows_i686_gnu"
-version = "0.42.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
-
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -2756,12 +2286,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
 
-[[package]]
-name = "windows_i686_msvc"
-version = "0.42.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
-
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
@@ -2774,12 +2298,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
 
-[[package]]
-name = "windows_x86_64_gnu"
-version = "0.42.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
-
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
@@ -2792,12 +2310,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
 
-[[package]]
-name = "windows_x86_64_gnullvm"
-version = "0.42.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
-
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
@@ -2810,12 +2322,6 @@ version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
 
-[[package]]
-name = "windows_x86_64_msvc"
-version = "0.42.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
-
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -2951,26 +2457,6 @@ dependencies = [
  "synstructure",
 ]
 
-[[package]]
-name = "zerocopy"
-version = "0.8.48"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eed437bf9d6692032087e337407a86f04cd8d6a16a37199ed57949d415bd68e9"
-dependencies = [
- "zerocopy-derive",
-]
-
-[[package]]
-name = "zerocopy-derive"
-version = "0.8.48"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70e3cd084b1788766f53af483dd21f93881ff30d7320490ec3ef7526d203bad4"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "zerofrom"
 version = "0.1.7"

Cargo.toml

@@ -28,5 +28,7 @@ unix_mode = "0.1.4"
 sys-info = "0.9.1"
 dkl = { git = "https://novit.tech/direktil/dkl", version = "1.0.0" }
 openssl = "0.10.73"
-reqwest = { version = "0.13.1", features = ["native-tls"] }
+#reqwest = { version = "0.13.1", features = ["native-tls", "system-proxy"], default-features = false }
+reqwest = { git = "https://github.com/mcluseau/rs-reqwest", version = "0.13.1", features = ["native-tls", "system-proxy", "socks"], default-features = false }
 glob = "0.3.3"
+hex = "0.4.3"

Dockerfile

@@ -1,4 +1,4 @@
-from rust:1.93.0-alpine as rust
+from rust:1.95.0-alpine as rust
 
 run apk add --no-cache git musl-dev libudev-zero-dev openssl-dev cryptsetup-dev lvm2-dev clang-libs clang-dev
 
@@ -9,8 +9,7 @@ run --mount=type=cache,id=novit-rs,target=/usr/local/cargo/registry \
     RUSTFLAGS="-C target-feature=-crt-static" cargo install --path . --root /dist
 
 # ------------------------------------------------------------------------
-from alpine:3.23.3 as initrd
+from alpine:3.23.4 as system
-run apk add zstd lz4
 
 workdir /system
 
@@ -31,9 +30,26 @@ run mkdir -p bin run var/log; cd bin && for cmd in init-version init-connect boo
 # check viability
 run chroot . init-version
 
-run find * |cpio -H newc -oF /initrd
+# ------------------------------------------------------------------------
+from alpine:3.23.4 as initrd
+
+copy --from=system /system /system
+run cd /system && find * |cpio -H newc -oF /initrd
 
 # ------------------------------------------------------------------------
-from alpine:3.23.2
+from debian:stable-backports as initramfs
-copy --from=initrd /initrd /
+run apt update && apt install -y erofs-utils
+
+copy --from=system /system /system
+run mkfs.erofs \
+  -z lzma -C131072 -Efragments,ztailpacking \
+  -T0 --all-time --ignore-mtime \
+  /initramfs /system
+
+# ------------------------------------------------------------------------
+from alpine:3.23.4
+copy --from=initrd /initrd /initrd
 entrypoint ["base64","/initrd"]
+
+#copy --from=initramfs /initramfs /
+#entrypoint ["base64","/initramfs"]

src/cmd/init.rs

@@ -54,10 +54,10 @@ pub async fn run() {
     info!("Linux version {kernel_version}");
 
     // mount basic filesystems
-    mount(None, "/proc", "proc", None).await;
+    mount(None::<&str>, "/proc", "proc", None).await;
-    mount(None, "/sys", "sysfs", None).await;
+    mount(None::<&str>, "/sys", "sysfs", None).await;
-    mount(None, "/dev", "devtmpfs", None).await;
+    mount(None::<&str>, "/dev", "devtmpfs", None).await;
-    mount(None, "/dev/pts", "devpts", Some("gid=5,mode=620")).await;
+    mount(None::<&str>, "/dev/pts", "devpts", Some("gid=5,mode=620")).await;
 
     if utils::bool_param("debug") {
         log::set_max_level(log::LevelFilter::Debug);
@@ -144,6 +144,9 @@ pub async fn run() {
         warn!("failed to copy {INIT_LOG} to system: {e}");
     }
 
+    if let Err(e) = nix::mount::umount2("/modules", nix::mount::MntFlags::MNT_DETACH) {
+        warn!("failed to umount /modules: {e}");
+    }
     retry(async || switch_root("/system").await).await;
 }
 
@@ -174,15 +177,27 @@ async fn chmod(path: impl AsRef<Path>, mode: u32) -> std::io::Result<()> {
     fs::set_permissions(path, perms).await
 }
 
-async fn mount(src: Option<&str>, dst: &str, fstype: &str, opts: Option<&str>) {
+async fn mount<S: AsRef<Path>>(
+    src: Option<S>,
+    dst: impl AsRef<Path>,
+    fstype: &str,
+    opts: Option<&str>,
+) {
+    let src = src.as_ref().map(|s| s.as_ref());
+    let src_str = src.map(|s| s.display().to_string());
+    let src_str = src_str.as_deref();
+
+    let dst = dst.as_ref();
+    let dst_str = &dst.display().to_string();
+
     if let Err(e) = fs::create_dir_all(dst).await {
-        error!("failed to create dir {dst}: {e}");
+        error!("failed to create dir {dst_str}: {e}");
     }
 
     retry_or_ignore(async || {
         let mut is_file = false;
 
-        if let Some(src) = src {
+        if let Some(src) = src_str {
             is_file = (fs::metadata(src).await)
                 .map_err(|e| format_err!("stat {src} failed: {e}"))?
                 .is_file();
@@ -194,7 +209,7 @@ async fn mount(src: Option<&str>, dst: &str, fstype: &str, opts: Option<&str>) {
             }
         }
 
-        let mut args = vec![src.unwrap_or("none"), dst, "-t", fstype];
+        let mut args = vec![src_str.unwrap_or("none"), dst_str, "-t", fstype];
         if let Some(opts) = opts {
             args.extend(["-o", opts]);
         }
@@ -206,11 +221,17 @@ async fn mount(src: Option<&str>, dst: &str, fstype: &str, opts: Option<&str>) {
         }
 
         let (cmd_str, _) = cmd_str("mount", &args);
-        let flags = nix::mount::MsFlags::empty();
 
         info!("# {cmd_str}",);
-        nix::mount::mount(src, dst, Some(fstype), flags, opts)
+
-            .map_err(|e| format_err!("mount {dst} failed: {e}"))
+        let mount = |flags| nix::mount::mount(src, dst, Some(fstype), flags, opts);
+
+        use nix::{errno::Errno, mount::MsFlags};
+        match mount(MsFlags::empty()) {
+            Err(Errno::EACCES) => mount(MsFlags::MS_RDONLY),
+            r => r,
+        }
+        .map_err(|e| format_err!("mount {dst_str} failed: {e}"))
     })
     .await
 }
@@ -225,6 +246,25 @@ async fn start_daemon(prog: &str, args: &[&str]) {
     .await;
 }
 
+async fn try_exec_cmd(mut cmd: tokio::process::Command) -> Result<()> {
+    info!(
+        "# {} {}",
+        cmd.as_std().get_program().to_string_lossy(),
+        cmd.as_std()
+            .get_args()
+            .map(|a| a.to_string_lossy())
+            .collect::<Vec<_>>()
+            .join(" ")
+    );
+
+    let s = cmd.status().await?;
+    if s.success() {
+        Ok(())
+    } else {
+        Err(format_err!("command failed: {s}"))
+    }
+}
+
 async fn try_exec(prog: &str, args: &[&str]) -> Result<()> {
     let (cmd_str, mut cmd) = cmd_str(prog, args);
     info!("# {cmd_str}");

src/cmd/init/bootstrap.rs

@@ -1,8 +1,9 @@
 use eyre::{format_err, Result};
-use log::{info, warn};
+use log::{debug, info, warn};
+use std::path::{Path, PathBuf};
 use tokio::{
     fs,
-    io::{AsyncBufReadExt, AsyncWriteExt, BufReader},
+    io::{AsyncBufReadExt, AsyncReadExt, AsyncWrite, AsyncWriteExt, BufReader},
 };
 
 use dkl::{
@@ -12,12 +13,12 @@ use dkl::{
     bootstrap::Config,
 };
 
-use super::{exec, mount, retry, retry_or_ignore, try_exec};
+use super::{exec, mount, retry, retry_or_ignore, try_exec, try_exec_cmd};
 use crate::{fs::walk_dir, utils};
 
 pub async fn bootstrap(cfg: Config) {
     let verifier = retry(async || Verifier::from_config(&cfg)).await;
-    let bs = cfg.bootstrap;
+    let bs = &cfg.bootstrap;
 
     mount(Some(&bs.dev), "/bootstrap", "ext4", None).await;
 
@@ -48,12 +49,12 @@ pub async fn bootstrap(cfg: Config) {
     .await;
 
     let sys_cfg: dkl::Config = retry(async || {
-        let sys_cfg_bytes = seed_config(base_dir, &bs.seed, &verifier).await?;
+        let sys_cfg_bytes = seed_config(base_dir, &bs, &verifier).await?;
         Ok(serde_yaml::from_slice(&sys_cfg_bytes)?)
     })
     .await;
 
-    mount_system(&sys_cfg, base_dir, &verifier).await;
+    mount_system(&sys_cfg, &cfg, base_dir, &verifier).await;
 
     retry_or_ignore(async || {
         let path = "/etc/resolv.conf";
@@ -96,17 +97,21 @@ impl Verifier {
         return Ok(Self { pubkey });
     }
 
-    async fn verify_path(&self, path: &str) -> Result<Vec<u8>> {
+    async fn verify_path(&self, path: impl AsRef<Path>) -> Result<Vec<u8>> {
-        let data = (fs::read(path).await).map_err(|e| format_err!("failed to read {path}: {e}"))?;
+        let path = path.as_ref();
+        let p = path.display();
+
+        let data = (fs::read(path).await).map_err(|e| format_err!("failed to read {p}: {e}"))?;
 
         let Some(ref pubkey) = self.pubkey else {
             return Ok(data);
         };
 
-        info!("verifying {path}");
+        info!("verifying {p}");
 
-        let sig = &format!("{path}.sig");
+        let sig = path.with_added_extension("sig");
-        let sig = (fs::read(sig).await).map_err(|e| format_err!("failed to read {sig}: {e}"))?;
+        let sig = (fs::read(&sig).await)
+            .map_err(|e| format_err!("failed to read {}: {e}", sig.display()))?;
 
         use openssl::{hash::MessageDigest, pkey::PKey, sign::Verifier};
         let pubkey = PKey::public_key_from_der(pubkey)?;
@@ -118,14 +123,14 @@ impl Verifier {
         if sig_ok {
             Ok(data)
         } else {
-            Err(format_err!("signature verification failed for {path}"))
+            Err(format_err!("signature verification failed for {p}"))
         }
     }
 }
 
 async fn seed_config(
     base_dir: &str,
-    seed_url: &Option<String>,
+    bs: &dkl::bootstrap::Bootstrap,
     verifier: &Verifier,
 ) -> Result<Vec<u8>> {
     let cfg_path = &format!("{base_dir}/config.yaml");
@@ -136,13 +141,12 @@ async fn seed_config(
 
     let bs_tar = "/bootstrap.tar";
     if !fs::try_exists(bs_tar).await? {
-        if let Some(seed_url) = seed_url.as_ref() {
+        if bs.seed.is_none() {
-            fetch_bootstrap(seed_url, bs_tar).await?;
-        } else {
             return Err(format_err!(
-                "no {cfg_path}, no {bs_tar} and no seed, can't bootstrap"
+                "no {cfg_path}, no {bs_tar} and no seed URL, can't bootstrap"
             ));
         }
+        fetch_bootstrap(bs, bs_tar).await?;
     }
 
     try_exec("tar", &["xf", bs_tar, "-C", base_dir]).await?;
@@ -154,15 +158,41 @@ async fn seed_config(
     verifier.verify_path(&cfg_path).await
 }
 
-async fn fetch_bootstrap(seed_url: &str, output_file: &str) -> Result<()> {
+async fn fetch_bootstrap(bs: &dkl::bootstrap::Bootstrap, output_file: &str) -> Result<()> {
-    let seed_url: reqwest::Url = seed_url.parse()?;
+    let seed_url: reqwest::Url = (bs.seed.as_ref())
+        .ok_or(format_err!("no seed URL"))?
+        .parse()
+        .map_err(|e| format_err!("invalid seed URL: {e}"))?;
 
     info!(
         "fetching {output_file} from {}",
         seed_url.host_str().unwrap_or("<no host>")
     );
 
-    let resp = reqwest::get(seed_url).await?;
+    let mut builder = reqwest::Client::builder();
+
+    if let Some(ref proxy) = bs.seed_proxy {
+        debug!("using proxy {proxy}");
+        let proxy = reqwest::Proxy::all(proxy) //
+            .map_err(|e| format_err!("seed proxy setup failed: {e}"))?;
+        builder = builder.proxy(proxy);
+    }
+
+    if let Some(ref ca) = bs.seed_ca {
+        debug!("using custom CA certificate");
+        let ca = base64_decode(ca).map_err(|e| format_err!("invalid seed CA: decode: {e}"))?;
+        let ca = reqwest::Certificate::from_der(&ca)
+            .map_err(|e| format_err!("invalid seed CA: parse: {e}"))?;
+        builder = builder.tls_certs_only([ca]);
+    }
+
+    if let Some(ref sn) = bs.seed_servername {
+        debug!("tls server name: {sn}");
+        builder = builder.tls_server_name(bs.seed_servername.clone());
+    }
+
+    let req = builder.build()?.get(seed_url);
+    let resp = req.send().await?;
 
     if !resp.status().is_success() {
         return Err(format_err!("HTTP request failed: {}", resp.status()));
@@ -187,53 +217,135 @@ fn default_root_tmpfs_opts() -> Option<String> {
     Some(format!("size={fs_size}m"))
 }
 
-async fn mount_system(cfg: &dkl::Config, bs_dir: &str, verifier: &Verifier) {
+struct LayerMounter<'t> {
+    bs_dir: &'t str,
+    layers_dir: &'t str,
+    verifier: &'t Verifier,
+    lower_dir: String,
+}
+
+impl LayerMounter<'_> {
+    fn src_path(&self, name: &str) -> PathBuf {
+        let mut p = PathBuf::from(self.bs_dir);
+        p.push(name);
+        if name != "merged" {
+            p.add_extension("fs");
+        }
+        p
+    }
+
+    async fn exists(&self, name: &str) -> bool {
+        retry(async || Ok(fs::try_exists(self.src_path(name)).await?)).await
+    }
+
+    async fn mount(&mut self, name: &str) {
+        self.mount_path(self.src_path(name), name, true).await
+    }
+
+    async fn mount_path(&mut self, src: impl AsRef<Path>, name: &str, verify: bool) {
+        let src = src.as_ref();
+        let tgt_dir = PathBuf::from(self.layers_dir).join(name);
+        let tgt = tgt_dir.with_added_extension("fs");
+
+        if let Err(e) = fs::create_dir_all(&tgt_dir).await {
+            warn!("mkdir -p {}: {e}", tgt_dir.display());
+        }
+
+        let mount_src = if name == "merged" {
+            retry(async || {
+                let data = self.verifier.verify_path(src).await?;
+                let data = MergedLayer::from_bytes(&data)
+                    .ok_or(format_err!("{}: invalid data", src.display()))?;
+
+                data.create(&tgt)
+                    .await
+                    .map_err(|e| format_err!("write {}: {e}", tgt.display()))?;
+
+                let dm_name = &format!("system");
+
+                let mut cmd = tokio::process::Command::new("veritysetup");
+                cmd.arg("open")
+                    .arg(format!("--hash-offset={}", data.hash_offset()))
+                    .arg(&tgt)
+                    .arg(dm_name)
+                    .arg(&tgt)
+                    .arg(data.root_hash_hex());
+
+                try_exec_cmd(cmd).await?;
+
+                Ok(PathBuf::from("/dev/mapper").join(dm_name))
+            })
+            .await
+        } else {
+            retry(async || {
+                let src = if verify {
+                    self.verifier.verify_path(src).await?
+                } else {
+                    fs::read(src).await?
+                };
+                fs::write(&tgt, &src).await?;
+
+                Ok(tgt.clone())
+            })
+            .await
+        };
+
+        retry(async || {
+            let mut buf = [0u8; 1028];
+            fs::File::open(&mount_src)
+                .await
+                .map_err(|e| format_err!("open {}: {e}", mount_src.display()))?
+                .read_exact(&mut buf)
+                .await
+                .map_err(|e| format_err!("read {}: {e}", mount_src.display()))?;
+
+            let fstype = if buf[1024..1028] == 0xE0F5E1E2u32.to_le_bytes() {
+                "erofs"
+            } else {
+                "squashfs"
+            };
+
+            mount(Some(&mount_src), &tgt_dir, fstype, None).await;
+            Ok(())
+        })
+        .await;
+
+        if !self.lower_dir.is_empty() {
+            self.lower_dir.push(':');
+        }
+        self.lower_dir.push_str(&tgt_dir.to_string_lossy());
+    }
+}
+
+async fn mount_system(cfg: &dkl::Config, bs_cfg: &Config, bs_dir: &str, verifier: &Verifier) {
     let opts = match utils::param("root-opts") {
         Some(s) => Some(s.to_string()),
         None => default_root_tmpfs_opts(),
     };
 
     let mem_dir = "/mem";
-    mount(None, mem_dir, "tmpfs", opts.as_deref()).await;
+    mount(None::<&str>, mem_dir, "tmpfs", opts.as_deref()).await;
 
-    let layers_dir = &format!("{mem_dir}/layers");
+    let mut mounter = LayerMounter {
-    let mut lower_dir = String::new();
+        bs_dir,
-
+        layers_dir: &format!("{mem_dir}/layers"),
-    for layer in &cfg.layers {
+        verifier,
-        let src = retry(async || {
+        lower_dir: String::new(),
-            if layer == "modules" {
-                let src = "/modules.sqfs";
-                (fs::read(src).await).map_err(|e| format_err!("read {src} failed: {e}"))
-            } else {
-                verifier.verify_path(&format!("{bs_dir}/{layer}.fs")).await
-            }
-        })
-        .await;
-
-        let fstype = if src.get(1024..1028) == Some(&0xE0F5E1E2u32.to_le_bytes()) {
-            "erofs"
-        } else {
-            "squashfs"
     };
 
-        let tgt = &format!("{mem_dir}/{layer}.fs");
+    if mounter.exists("merged").await {
-        retry(async || {
+        mounter.mount("merged").await;
-            info!("copying layer {layer}");
+    } else {
-
+        for layer in &cfg.layers {
-            let mut out = (fs::File::create(tgt).await)
+            if layer == "modules" && bs_cfg.modules.is_some() {
-                .map_err(|e| format_err!("create {tgt} failed: {e}"))?;
+                continue; // take modules from initrd
-            (out.write_all(&src).await).map_err(|e| format_err!("write failed: {e}"))?;
-            (out.flush().await).map_err(|e| format_err!("write failed: {e}"))
-        })
-        .await;
-
-        let layer_dir = &format!("{layers_dir}/{layer}");
-        mount(Some(tgt), layer_dir, fstype, None).await;
-
-        if !lower_dir.is_empty() {
-            lower_dir.push(':');
             }
-        lower_dir.push_str(&layer_dir);
+            mounter.mount(layer).await;
+        }
+    }
+
+    if let Some(ref modules) = bs_cfg.modules {
+        mounter.mount_path(modules, "modules", false).await;
     }
 
     let upper_dir = &format!("{mem_dir}/upper");
@@ -246,8 +358,9 @@ async fn mount_system(cfg: &dkl::Config, bs_dir: &str, verifier: &Verifier) {
     })
     .await;
 
+    let lower_dir = &mounter.lower_dir;
     let opts = format!("lowerdir={lower_dir},upperdir={upper_dir},workdir={work_dir}");
-    mount(None, "/system", "overlay", Some(&opts)).await;
+    mount(None::<&str>, "/system", "overlay", Some(&opts)).await;
 
     // make root rshared (default in systemd, required by Kubernetes 1.10+)
     // equivalent to "mount --make-rshared /"
@@ -261,6 +374,53 @@ async fn mount_system(cfg: &dkl::Config, bs_dir: &str, verifier: &Verifier) {
     .await;
 }
 
+struct MergedLayer<'t> {
+    #[allow(unused)]
+    root_hash_sig: &'t [u8],
+    root_hash: &'t [u8],
+    data: &'t [u8],
+    hash: &'t [u8],
+}
+
+impl<'t> MergedLayer<'t> {
+    fn from_bytes(mut src: &'t [u8]) -> Option<Self> {
+        let mut next = || {
+            let (len, rem) = src.split_at_checked(8)?;
+            let len = u64::from_be_bytes(len.try_into().ok()?);
+            let (data, rem) = rem.split_at_checked(len as usize)?;
+            src = rem;
+            Some(data)
+        };
+
+        Some(Self {
+            root_hash_sig: next()?,
+            root_hash: next()?,
+            data: next()?,
+            hash: next()?,
+        })
+    }
+
+    async fn create(&self, path: impl AsRef<Path>) -> std::io::Result<()> {
+        let mut out = fs::File::create(path).await?;
+        self.write_to(&mut out).await?;
+        out.shutdown().await
+    }
+
+    async fn write_to(&self, mut out: impl AsyncWrite + Unpin) -> std::io::Result<()> {
+        out.write_all(self.data).await?;
+        out.write_all(self.hash).await?;
+        Ok(())
+    }
+
+    fn hash_offset(&self) -> usize {
+        self.data.len()
+    }
+
+    fn root_hash_hex(&self) -> String {
+        hex::encode(self.root_hash)
+    }
+}
+
 async fn apply_groups(groups: &[dkl::Group], root: &str) {
     for group in groups {
         let mut args = vec![root, "groupadd", "-r"];

test-initrd/config.yaml

@@ -21,8 +21,6 @@ auths:
     sshKey:   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkpbU6sf4t0f6XAv9DuW3XH5iLM0AI5rc8PT2jwea1N
     password: bXlzZWVk:HMSxrg1cYphaPuUYUbtbl/htep/tVYYIQAuvkNMVpw0 # mypass
 
-signer_public_key: MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA29glSqk7MqoUIjD+UQG+b4v59pTFkn8rYtNhOftTe7uiLUvGFsjNdzP3tW64t/c6YD2p6dtI3oQXGOVQO1vIWPEBc6Sq++BRpQ0FVna+dgNQx8/kLXN9Na0ZYbK7q0haCI7/EHWOX79JFFxJE9HJ67AOMmXwGJ2jrfa1CUnWvfCmT+E=
-
 ssh:
   listen: "[::]:22"
   user_ca: /user_ca.pub
@@ -41,22 +39,24 @@ networks:
     udev: !has ID_NET_NAME_MAC
   script: |
     ip li set $iface up
-    udhcpc -i $iface -b -t1 -T1 -A5 ||
+    ip a add 192.168.12.42/24 dev $iface
-    ip a add 2001:41d0:306:168f::1337:2eed/64 dev $iface
+    ip a add fd12:6e76:7474::1337:2eed/64 dev $iface
+    ip route add default via 192.168.12.254
+    ip route add default via fd12:6e76:7474::1 dev $iface
 
-pre_lvm_crypt:
+#pre_lvm_crypt:
-- name: sys-${name}
+#- name: sys-${name}
-  udev: !glob [ DEVNAME, /dev/vd* ]
+#  udev: !glob [ DEVNAME, /dev/vd* ]
 
 lvm:
 - vg: storage
   pvs:
     n: 2
     regexps:
-    - ^/dev/mapper/sys-
+    #- ^/dev/mapper/sys-
     # to match full disks
     #- /dev/nvme[0-9]+n[0-9]+
-    #- /dev/vd[a-z]+
+    - /dev/vd[a-z]+
     #- /dev/sd[a-z]+
     #- /dev/hd[a-z]+
     # to match partitions:
@@ -72,11 +72,16 @@ lvm:
 
   lvs:
   - name: bootstrap
-    size: 2g
+    size: 1g
 
   - name: varlog
-    extents: 10%FREE
+    size: 256m
-    # size: 10g
+  - name: kubelet
+    size: 256m
+  - name: containerd
+    size: 1g
+  - name: etcd
+    size: 256m
 
   - name: podman
     extents: 10%FREE
@@ -90,11 +95,11 @@ lvm:
 #- dev: /dev/storage/bootstrap
 #- dev: /dev/storage/dls
 
+signer_public_key: 'MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBe6Y3zGQUIHvVXoS5GI8irY8yoB0ozFpzn/cUykA46TkHdJ8xCEaaM1MpqMrfWgDtP/rA2KeE9HjVerLnEFD01uUAUh4/OYgCBDYJPhridVDoC78KOJpkWBj7Shl0Rp0AtETvatNPa1RRe15V7nDF/Nm75Y6O3IL29lYPQ6jqEGhR810='
 bootstrap:
-  #dev: /dev/mapper/bootstrap
   dev: /dev/storage/bootstrap
-  # TODO seed: https://direktil.novit.io/bootstraps/dls-crypt
+  seed_proxy: "http://[fd6e:7674:6f70::1]:8888"
-  seed: http://192.168.10.254:7606/hosts/m1/bootstrap.tar
+  seed_ca: 'MIIBhTCCASugAwIBAgIRAMiu/MXPMl/6vjR2HZHwflQwCgYIKoZIzj0EAwIwIjEgMB4GA1UEAxMXbm92aXQtaW50ZXJuYWwtY2EtZWNkc2EwHhcNMjYwNDIxMDkzMTEyWhcNMjYwNzIwMDkzMTEyWjAiMSAwHgYDVQQDExdub3ZpdC1pbnRlcm5hbC1jYS1lY2RzYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC87aJX1WltmkZQ2Am4kCIQTFLqkLE4zTAznP5K9k3RH4kxuB2IjkQyyii6zk/9bus0q76UmennubDxtH5Y7ZgGjQjBAMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSlmVUj3CIWL1CW7K1BgOXjR6j6kjAKBggqhkjOPQQDAgNIADBFAiEAhIvi4eGFjC4xu80yKKYFeZ5X3f2RPfnOg4hK3GqZgc0CIF97A9An2Pt4TkKkC/W+TX/tEXGxcDyJHBpB3BdpN7QW'
-  # TODO seed_sign_key: "..."
+  seed: https://dls.edicia-prod.nv/public/downloads/V6VWZWQEGX7T7Q524Z4HLL2ZAG42YRXHVGXSTVAL4WEC2VIG4GWQ/bootstrap.tar
-  # TODO load_and_close: true
+  #seed: https://192.168.12.254:7606/public/download-set/host/m1/bootstrap.tar?set=IDZTK4AUNCYCTKF3GIEGSNZF3I7XCINCTJSOWL2JPHCJ2IAZWDECY2XCGQ5MCTJBNFIKBNCLIA3PJSN7IOH7URGXYRYZRCGF4VSW4RIAAQRE2GDEOC4RWAAAQA3DSZJZMU4TGOL4NA5G2MJ2MJXW65DTORZGC4BOORQXEAAAAAADJMFLUE