amduat-api/notes/fully sealed monastery.md
2026-01-17 00:19:49 +01:00


Short answer: yes, absolutely — and you can do it cleanly, deterministically, and in a way that fits your ASL worldview very well.

What it takes is to separate “networked acquisition” from “system construction” and turn the former into artifacts.

Below is a precise breakdown, from minimal to “fully sealed monastery”.


1. What debootstrap actually needs

debootstrap itself does not require the internet. It needs:

  1. A Debian archive containing:

    • dists/<suite>/Release
    • dists/<suite>/main/binary-<arch>/Packages(.gz|.xz)
    • pool/main/.../*.deb
  2. A way to access it:

    • file://
    • mounted filesystem
    • loopback ISO
  3. (Optionally) a trusted Release.gpg signature

That's it.

So the problem reduces to:

How do we provide a Debian archive offline?


2. Three progressively stronger offline models

Model A — Cached .deb set (quick & dirty)

What it is

  • Run debootstrap once online

  • Capture:

    • /var/cache/apt/archives/*.deb
    • /var/lib/apt/lists/*
  • Replay offline with --cache-dir

Pros

  • Very fast to get started
  • Minimal tooling

Cons

  • Not a real archive
  • Fragile
  • Hard to audit
  • Weak provenance

⚠️ This is okay for experiments, not for your long-term design.


Model B — Local Debian mirror

This is the right mental model.

You create a local, read-only Debian mirror as an artifact.

How

On a connected machine:

```sh
apt-get install -y debmirror gnupg
```

Mirror only what you need:

```sh
debmirror \
  --arch=amd64 \
  --section=main \
  --dist=bullseye \
  --method=http \
  --host=deb.debian.org \
  --root=debian \
  --progress \
  /srv/debian-mirror
```

You now have:

```
/srv/debian-mirror/
  ├── dists/bullseye/
  └── pool/main/
```

Capture this directory as an ASL artifact.


Offline debootstrap

On the offline builder:

```sh
debootstrap \
  --arch=amd64 \
  bullseye \
  /target/root \
  file:///srv/debian-mirror
```

  ✔️ No network
  ✔️ Deterministic
  ✔️ Auditable
  ✔️ Replayable


Model C — Signed, sealed, sovereign Debian archive (your direction)

This is where your design really shines.

You:

  1. Mirror Debian once
  2. Re-sign the archive with your own offline root
  3. Treat Debian as foreign-domain input
  4. Import it into Common

Now your system no longer trusts Debian directly — it trusts:

“Debian as witnessed and sealed by my authority”

This aligns perfectly with:

  • Domain federation
  • Foreign-domain pinning
  • Courtesy leases

3. How this fits ASL conceptually

Debian mirror = foreign domain

Model it as:

```
Domain: debian-upstream
Artifacts:
  - pool/main/b/bash/bash_5.1-2_amd64.deb
  - dists/bullseye/Release
  - ...
Snapshot: debian-bullseye-2024-01
```

Your pre-image build then references:

```
ForeignArtifactRef {
  domain = debian-upstream
  snapshot = debian-bullseye-2024-01
  artifact = bash_5.1-2_amd64.deb
}
```

You never “download” — you import artifacts.


4. Fully offline pre-image workflow (clean version)

Split the world in two phases:

Phase 1 — Connected acquisition (one-time, auditable)

  • Build Debian mirror

  • Verify Debian signatures

  • Capture mirror as ASL artifacts

  • Optionally re-sign

  • Write mirror to:

    • USB disk
    • External HDD
    • Immutable ZFS snapshot

This phase never runs on your offline box.


Phase 2 — Offline construction (repeatable forever)

Your earlier asl-workflow.sh becomes:

```
Inputs:
  - Debian mirror artifact
  - ASL packages
  - Overlay
  - Policy
  - PEL programs

Process:
  - debootstrap via file://
  - dpkg installs
  - overlay application
  - ISO creation

Outputs:
  - ISO artifact
  - Execution receipts
```

No network. No DNS. No clocks. No entropy leakage beyond what you allow.


5. Concrete changes to your script

Replace this:

```sh
debootstrap ... http://deb.debian.org/debian/
```

With:

```sh
debootstrap \
  --arch="$ARCH" \
  "$DIST" \
  "$ISO_ROOT" \
  file:///var/lib/asl/foreign/debian-mirror
```

And ensure:

```
/var/lib/asl/foreign/debian-mirror
```

is:

  • Mounted read-only
  • Snapshotted
  • Provenanced
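The "mounted read-only" requirement above is the one your script can enforce at run time. Here is an added example (not part of the original note or of asl-workflow.sh) that resolves which mount a path lives on by longest-prefix match against the mounts table and refuses to continue unless that mount carries the `ro` option. The mounts table is a parameter (defaulting to /proc/mounts) so the check can be exercised with constructed data; the `asl_debootstrap` wrapper and its variable names are assumptions modelled on the fragment above.

```sh
#!/bin/sh
# Added example: gate the offline debootstrap on the mirror being on a read-only mount.
# Not from the original note; the wrapper name and variables are illustrative.

# mount_options_for PATH [MOUNTS_FILE]
# Print the mount options of the deepest mount point that contains PATH.
# Paths containing spaces appear as \040 in /proc/mounts and are not decoded here.
mount_options_for() {
    path=$1
    mounts=${2:-/proc/mounts}
    awk -v p="$path" '
        {
            mp = $2
            # "/" contains everything; otherwise the mount point must equal the path
            # or be a directory prefix of it (mp followed by "/").
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { print best }
    ' "$mounts"
}

# require_readonly PATH [MOUNTS_FILE]
# Succeed only if PATH sits on a mount whose options include "ro".
require_readonly() {
    opts=$(mount_options_for "$1" "$2")
    [ -n "$opts" ] || { echo "$1: not under any known mount" >&2; return 1; }
    case ",$opts," in
        *,ro,*) return 0 ;;
        *) echo "$1: mounted with options '$opts' (expected ro)" >&2; return 1 ;;
    esac
}

# asl_debootstrap ARCH DIST ISO_ROOT
# The note's section-5 invocation, with the read-only check in front of it.
asl_debootstrap() {
    mirror=/var/lib/asl/foreign/debian-mirror
    require_readonly "$mirror" || return 1
    debootstrap --arch="$1" "$2" "$3" "file://$mirror"
}
```

Run `require_readonly /var/lib/asl/foreign/debian-mirror` before the build step; a writable mirror is a build-time error, not a warning, because anything written there silently changes the "history" the next replay sees.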

6. Trust & certificates (important)

You asked earlier whether we should care about the offline environment.

Yes — but selectively.

For offline debootstrap:

  • You must trust:

    • Debian archive signature or
    • Your re-signature
  • You do not need:

    • TPM
    • Secure boot
    • Measured boot (yet)

Those come later.

At this stage:

Determinism + provenance beats hardware attestation.


7. Final mental model (this matters)

You are not building systems.

You are replaying history inside a sealed domain.

Debian is just a story someone else wrote. You import it. You witness it. You decide when it enters your timeline.


If you want next, I can:

  • Draft ASL-DEBIAN-MIRROR v0.1
  • Show how to re-sign a Debian archive
  • Formalize foreign-domain artifact import
  • Show how Common is initialized from mirrors

You're asking exactly the right questions.