amduat-api/notes/fully sealed monastery.md

Short answer: **yes, absolutely** — and you can do it *cleanly*, *deterministically*, and in a way that fits your ASL worldview very well.
What it takes is to **separate “networked acquisition” from “system construction”** and turn the former into **artifacts**.
Below is a precise breakdown, from minimal to “fully sealed monastery”.
---
## 1. What debootstrap actually needs
`debootstrap` itself does **not require the internet**. It needs:
1. A **Debian archive** containing:
   * `dists/<suite>/Release`
   * `dists/<suite>/main/binary-<arch>/Packages(.gz|.xz)`
   * `pool/main/.../*.deb`
2. A way to access it:
   * `file://`
   * a mounted filesystem
   * a loopback-mounted ISO
3. (Optionally) a trusted **Release.gpg** signature
That's it.
So the problem reduces to:
> *How do we provide a Debian archive offline?*
---
## 2. Three progressively stronger offline models
### Model A — Cached `.deb` set (quick & dirty)
**What it is**
* Run `debootstrap` once online
* Capture:
  * `/var/cache/apt/archives/*.deb`
  * `/var/lib/apt/lists/*`
* Replay offline with `--cache-dir`
**Pros**
* Very fast to get started
* Minimal tooling
**Cons**
* Not a real archive
* Fragile
* Hard to audit
* Weak provenance
⚠️ This is *okay for experiments*, not for your long-term design.
---
### Model B — Local Debian mirror (recommended baseline)
This is the **right mental model**.
You create a **local, read-only Debian mirror** as an artifact.
#### How
On a *connected* machine:
```bash
apt-get install -y debmirror gnupg
```
Mirror only what you need:
```bash
debmirror \
  --arch=amd64 \
  --section=main \
  --dist=bullseye \
  --method=http \
  --host=deb.debian.org \
  --root=debian \
  --progress \
  /srv/debian-mirror
```
You now have:
```
/srv/debian-mirror/
├── dists/bullseye/
└── pool/main/
```
Capture this directory as an **ASL artifact**.
---
#### Offline debootstrap
On the offline builder:
```bash
debootstrap \
  --arch=amd64 \
  bullseye \
  /target/root \
  file:///srv/debian-mirror
```
✔️ No network
✔️ Deterministic
✔️ Auditable
✔️ Replayable
---
### Model C — Signed, sealed, sovereign Debian archive (your direction)
This is where your design really shines.
You:
1. Mirror Debian once
2. **Re-sign the archive** with your own offline root
3. Treat Debian as **foreign-domain input**
4. Import it into **Common**
Now your system no longer trusts Debian directly — it trusts:
> *“Debian as witnessed and sealed by my authority”*
This aligns perfectly with:
* Domain federation
* Foreign-domain pinning
* Courtesy leases
---
## 3. How this fits ASL conceptually
### Debian mirror = foreign domain
Model it as:
```
Domain: debian-upstream
Artifacts:
- pool/main/b/bash/bash_5.1-2_amd64.deb
- dists/bullseye/Release
- ...
Snapshot: debian-bullseye-2024-01
```
Your **pre-image build** then references:
```
ForeignArtifactRef {
domain = debian-upstream
snapshot = debian-bullseye-2024-01
artifact = bash_5.1-2_amd64.deb
}
```
You never “download” — you **import artifacts**.
---
## 4. Fully offline pre-image workflow (clean version)
Split the world in two phases:
### Phase 1 — Connected acquisition (one-time, auditable)
* Build Debian mirror
* Verify Debian signatures
* Capture mirror as ASL artifacts
* Optionally re-sign
* Write the mirror to:
  * a USB disk
  * an external HDD
  * an immutable ZFS snapshot
This phase **never runs on your offline box**.
---
### Phase 2 — Offline construction (repeatable forever)
Your earlier `asl-workflow.sh` becomes:
```text
Inputs:
- Debian mirror artifact
- ASL packages
- Overlay
- Policy
- PEL programs
Process:
- debootstrap via file://
- dpkg installs
- overlay application
- ISO creation
Outputs:
- ISO artifact
- Execution receipts
```
No network.
No DNS.
No clocks.
No entropy leakage beyond what you allow.
---
## 5. Concrete changes to your script
Replace this:
```bash
debootstrap ... http://deb.debian.org/debian/
```
With:
```bash
debootstrap \
  --arch="$ARCH" \
  "$DIST" \
  "$ISO_ROOT" \
  file:///var/lib/asl/foreign/debian-mirror
```
And ensure `/var/lib/asl/foreign/debian-mirror` is:
* Mounted read-only
* Snapshotted
* Provenanced
---
## 6. Trust & certificates (important)
You asked earlier whether we should care about the offline environment.
**Yes — but selectively.**
For offline debootstrap:
* You must trust:
  * the Debian archive signature **or**
  * your re-signature
* You do **not** need:
  * TPM
  * Secure Boot
  * Measured boot (yet)
Those come later.
At this stage:
> *Determinism + provenance beats hardware attestation.*
---
## 7. Final mental model (this matters)
> You are not building systems.
>
> You are **replaying history** inside a sealed domain.
Debian is just a *story* someone else wrote.
You import it.
You witness it.
You decide when it enters *your* timeline.
---
If you want next, I can:
* Draft **ASL-DEBIAN-MIRROR v0.1**
* Show how to **re-sign a Debian archive**
* Formalize **foreign-domain artifact import**
* Show how **Common** is initialized from mirrors
You're asking exactly the right questions.