amduat-api/notes/fully sealed monastery.md
2026-01-17 00:19:49 +01:00


Short answer: **yes, absolutely** — and you can do it *cleanly*, *deterministically*, and in a way that fits your ASL worldview very well.
The key is to **separate “networked acquisition” from “system construction”** and turn the former into **artifacts**.
Below is a precise breakdown, from minimal to “fully sealed monastery”.
---
## 1. What debootstrap actually needs
`debootstrap` itself does **not require the internet**. It needs:
1. A **Debian archive** containing:
   * `dists/<suite>/Release`
   * `dists/<suite>/main/binary-<arch>/Packages(.gz|.xz)`
   * `pool/main/.../*.deb`
2. A way to access it:
   * `file://`
   * mounted filesystem
   * loopback ISO
3. (Optionally) a trusted **Release.gpg** signature
That's it.
So the problem reduces to:
> *How do we provide a Debian archive offline?*
---
## 2. Three progressively stronger offline models
### Model A — Cached `.deb` set (quick & dirty)
**What it is**
* Run `debootstrap` once online
* Capture:
  * `/var/cache/apt/archives/*.deb`
  * `/var/lib/apt/lists/*`
* Replay offline with `--cache-dir`
**Pros**
* Very fast to get started
* Minimal tooling
**Cons**
* Not a real archive
* Fragile
* Hard to audit
* Weak provenance
⚠️ This is *okay for experiments*, not for your long-term design.
---
### Model B — Local Debian mirror (recommended baseline)
This is the **right mental model**.
You create a **local, read-only Debian mirror** as an artifact.
#### How
On a *connected* machine:
```bash
apt-get install -y debmirror gnupg
```
Mirror only what you need:
```bash
# Verify the upstream Release signatures against Debian's pinned archive
# keyring (from the debian-archive-keyring package) rather than ~/.gnupg.
debmirror \
  --arch=amd64 \
  --section=main \
  --dist=bullseye \
  --method=http \
  --host=deb.debian.org \
  --root=debian \
  --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
  --progress \
  /srv/debian-mirror
```
You now have:
```
/srv/debian-mirror/
├── dists/bullseye/
└── pool/main/
```
Capture this directory as an **ASL artifact**.
---
#### Offline debootstrap
On the offline builder:
```bash
debootstrap \
  --arch=amd64 \
  bullseye \
  /target/root \
  file:///srv/debian-mirror
```
✔️ No network
✔️ Deterministic
✔️ Auditable
✔️ Replayable
---
### Model C — Signed, sealed, sovereign Debian archive (your direction)
This is where your design really shines.
You:
1. Mirror Debian once
2. **Re-sign the archive** with your own offline root
3. Treat Debian as **foreign-domain input**
4. Import it into **Common**
Now your system no longer trusts Debian directly — it trusts:
> *“Debian as witnessed and sealed by my authority”*
This aligns perfectly with:
* Domain federation
* Foreign-domain pinning
* Courtesy leases
---
## 3. How this fits ASL conceptually
### Debian mirror = foreign domain
Model it as:
```
Domain: debian-upstream
Artifacts:
  - pool/main/b/bash/bash_5.1-2_amd64.deb
  - dists/bullseye/Release
  - ...
Snapshot: debian-bullseye-2024-01
```
Your **pre-image build** then references:
```
ForeignArtifactRef {
  domain   = debian-upstream
  snapshot = debian-bullseye-2024-01
  artifact = bash_5.1-2_amd64.deb
}
```
You never “download” — you **import artifacts**.
---
## 4. Fully offline pre-image workflow (clean version)
Split the world in two phases:
### Phase 1 — Connected acquisition (one-time, auditable)
* Build Debian mirror
* Verify Debian signatures
* Capture mirror as ASL artifacts
* Optionally re-sign
* Write mirror to:
  * USB disk
  * External HDD
  * Immutable ZFS snapshot
This phase **never runs on your offline box**.
---
### Phase 2 — Offline construction (repeatable forever)
Your earlier `asl-workflow.sh` becomes:
```text
Inputs:
  - Debian mirror artifact
  - ASL packages
  - Overlay
  - Policy
  - PEL programs
Process:
  - debootstrap via file://
  - dpkg installs
  - overlay application
  - ISO creation
Outputs:
  - ISO artifact
  - Execution receipts
```
No network.
No DNS.
No clocks.
No entropy leakage beyond what you allow.
---
## 5. Concrete changes to your script
Replace this:
```bash
debootstrap ... http://deb.debian.org/debian/
```
With:
```bash
debootstrap \
  --arch="$ARCH" \
  "$DIST" \
  "$ISO_ROOT" \
  file:///var/lib/asl/foreign/debian-mirror
```
And ensure that `/var/lib/asl/foreign/debian-mirror` is:
* Mounted read-only
* Snapshotted
* Provenanced
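Before the offline script hands the mirror to `debootstrap`, it is worth checking that the mounted artifact is still the one that was sealed: the Release signature against a pinned keyring, and every index file against the hashes Release lists. The script below is an added example, not part of the note or of `asl-workflow.sh`; it assumes the standard archive layout (`dists/<suite>/Release`, `Release.gpg`, and the listed index files) and builds a small constructed mirror for its own demo.

```bash
#!/bin/sh
# Added example (not from the note): integrity checks for an offline Debian
# mirror before debootstrap reads it. Assumes the standard archive layout:
# $MIRROR/dists/$SUITE/Release (+ Release.gpg) and the index files it lists.
set -u

# Check Release's detached signature against a pinned keyring with gpgv,
# the verifier apt itself uses. The keyring path is the caller's choice.
verify_release_signature() {
  d="$1/dists/$2"
  gpgv --keyring "$3" "$d/Release.gpg" "$d/Release"
}

# Recompute the SHA256 of every file listed in the SHA256 block of Release.
# Returns 0 only if the block exists and every listed file is present and matches.
check_release_hashes() {
  d="$1/dists/$2"
  grep -q '^SHA256:' "$d/Release" || { echo "no SHA256 block in Release" >&2; return 1; }
  # Hash lines are indented " <sha256> <size> <path>"; headers start in column 1.
  awk '/^SHA256:/ {s=1; next} /^[A-Za-z]/ {s=0} s {print $1, $3}' "$d/Release" |
  while read -r expected path; do
    [ -f "$d/$path" ] || { echo "missing: $path" >&2; exit 1; }
    actual=$(sha256sum "$d/$path" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "hash mismatch: $path" >&2; exit 1; }
  done
}

# Constructed sample mirror for the demo (not real Debian data): one suite,
# one Packages index, and an unsigned Release that lists its hash and size.
build_demo_mirror() {
  root="$1"; idx="dists/bullseye/main/binary-amd64/Packages"
  mkdir -p "$root/dists/bullseye/main/binary-amd64"
  printf 'Package: bash\nVersion: 5.1-2\nArchitecture: amd64\n' > "$root/$idx"
  h=$(sha256sum "$root/$idx" | cut -d' ' -f1)
  n=$(wc -c < "$root/$idx" | tr -d ' ')
  printf 'Suite: bullseye\nSHA256:\n %s %s main/binary-amd64/Packages\n' \
    "$h" "$n" > "$root/dists/bullseye/Release"
}

# Demo: the intact mirror passes, a modified index is caught.
demo() {
  root=$(mktemp -d)
  build_demo_mirror "$root"
  check_release_hashes "$root" bullseye && echo "mirror OK"
  echo "tampered" >> "$root/dists/bullseye/main/binary-amd64/Packages"
  check_release_hashes "$root" bullseye || echo "tamper detected"
  rm -rf "$root"
}
demo
```

A real Release lists more indices than a `--section=main` debmirror run fetches, so on a partial mirror filter the checked paths to the ones your build actually reads, and run `verify_release_signature` with Debian's keyring (or the one holding your re-signing key under Model C).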
---
## 6. Trust & certificates (important)
You asked earlier whether we should care about the offline environment.
**Yes — but selectively.**
For offline debootstrap:
* You must trust:
  * Debian archive signature **or**
  * Your re-signature
* You do **not** need:
  * TPM
  * Secure boot
  * Measured boot (yet)
Those come later.
At this stage:
> *Determinism + provenance beats hardware attestation.*
---
## 7. Final mental model (this matters)
> You are not building systems.
>
> You are **replaying history** inside a sealed domain.
Debian is just a *story* someone else wrote.
You import it.
You witness it.
You decide when it enters *your* timeline.
---
If you want next, I can:
* Draft **ASL-DEBIAN-MIRROR v0.1**
* Show how to **re-sign a Debian archive**
* Formalize **foreign-domain artifact import**
* Show how **Common** is initialized from mirrors
You're asking exactly the right questions.