mkosi: Switch to use mkosi presets with prebuilt initrds

Instead of building the initrds for the mkosi images with dracut,
let's switch to using mkosi presets to build the initrd with mkosi
as well.

This commit splits up our single image build into three separate
mkosi presets:

1. The "base" preset. This image contains systemd and all its runtime
dependencies. The sole purpose of this image is to serve as a base image
for the initrd and the final image. It's also responsible for building
systemd from source with the build script. The results are installed into
the base image. Note that we install the systemd and udev packages into this
image as well to prevent package managers from overriding the systemd we built
from source with the distro packaged systemd if it's pulled in as a dependency
by another package from the initrd or final profiles.
2. The "initrd" preset. This image provides the initrd. It's trivial and does
nothing more than packaging the base image up as a zstd compressed initramfs and
adds /init and /etc/initrd-release symlinks to the image.
3. The "final" preset. This image builds on top of the base image and adds
a kernel and extra packages that are useful for testing and debugging.

We also split out the optional kernel build into a separate set of config files
that are only included if a kernel to build is actually provided.

Note that this commit doesn't really change anything about how mkosi is used.
The commands remain the same, except that mkosi will now build all the presets
in order. "mkosi summary" will show the summary of all the presets. "mkosi qemu,
boot, shell" will always boot the final preset. With "-f", all presets will be
built and the final one is booted. "-i" makes a cache of each preset.

The only thing to keep in mind is that specifying config via the mkosi CLI will
apply to each of the presets. e.g. any extra packages added with "-p" will be
installed in both the initrd and the final image. To apply local configuration
to a single preset, create a file 00-local.conf in
mkosi.presets/<profile>/mkosi.conf.d and put all the preset specific configuration
in there.

22 files changed, 692 insertions, 0 deletions

diff --git a/mkosi.presets/20-final/mkosi.build b/mkosi.presets/20-final/mkosi.build
new file mode 100755
index 0000000000..ed355abd20
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.build
@@ -0,0 +1,32 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ -d "$SRCDIR"/mkosi.kernel/ ]; then
+    SRCDIR="$SRCDIR/mkosi.kernel"
+    BUILDDIR="$BUILDDIR/mkosi.kernel"
+    cd "$SRCDIR"
+    mkdir -p "$BUILDDIR"
+
+    # Ensure fast incremental builds by fixating these values which usually change for each build.
+    export KBUILD_BUILD_TIMESTAMP="Fri Jun  5 15:58:00 CEST 2015"
+    export KBUILD_BUILD_HOST="mkosi"
+
+    scripts/kconfig/merge_config.sh -O "$BUILDDIR" \
+            ../mkosi.kernel.config \
+            tools/testing/selftests/bpf/config.x86_64 \
+            tools/testing/selftests/bpf/config
+
+    # Make sure systemd-boot boots this kernel and not the distro provided one by overriding the version.
+    make O="$BUILDDIR" VERSION=99 -j "$(nproc)"
+
+    KERNEL_RELEASE=$(make O="$BUILDDIR" VERSION=99 -s kernelrelease)
+    mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_RELEASE"
+    make O="$BUILDDIR" VERSION=99 INSTALL_MOD_PATH="$DESTDIR/usr" modules_install
+    make O="$BUILDDIR" VERSION=99 INSTALL_PATH="$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" install
+    mkdir -p "$DESTDIR/usr/lib/kernel/selftests"
+    make -C tools/testing/selftests -j "$(nproc)" O="$BUILDDIR" VERSION=99 KSFT_INSTALL_PATH="$DESTDIR/usr/lib/kernel/selftests" SKIP_TARGETS="" install
+
+    mkdir -p "$DESTDIR"/usr/bin
+    ln -sf /usr/lib/kernel/selftests/bpf/bpftool "$DESTDIR/usr/bin/bpftool"
+fi
diff --git a/mkosi.presets/20-final/mkosi.conf b/mkosi.presets/20-final/mkosi.conf
new file mode 100644
index 0000000000..d15a17a161
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf
@@ -0,0 +1,38 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Content]
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../src:/root/src
+Initrds=../../mkosi.output/initrd.cpio.xz
+Packages=
+        acl
+        bash-completion
+        coreutils
+        diffutils
+        dnsmasq
+        dosfstools
+        e2fsprogs
+        findutils
+        gcc # Sanitizer libraries
+        gdb
+        grep
+        kbd
+        kexec-tools
+        less
+        mtools
+        nano
+        nftables
+        openssl
+        qrencode
+        sed
+        strace
+        tree
+        util-linux
+        valgrind
+        wireguard-tools
+        xfsprogs
+        zsh
+
+[Validation]
+Password=
+Autologin=yes
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-arch.conf b/mkosi.presets/20-final/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000000..b0bbcf0c6a
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+        btrfs-progs
+        compsize
+        dhcp
+        f2fs-tools
+        glib2
+        iproute
+        linux
+        man-db
+        openbsd-netcat
+        openssh
+        polkit
+        python-pefile
+        python-psutil
+        python-pytest
+        python3
+        quota-tools
+        shadow
+        vim
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000000..d89f827839
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos fedora
+
+[Content]
+Packages=
+        cryptsetup
+        dhcp-server
+        dnf
+        glib2
+        iproute
+        iproute-tc
+        kernel-core
+        libcap-ng-utils
+        netcat
+        openssh-server
+        p11-kit
+        pam
+        passwd
+        polkit
+        procps-ng
+        quota
+        vim-common
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/10-debian-ubuntu.conf
new file mode 100644
index 0000000000..804aa67228
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-debian-ubuntu.conf
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian ubuntu
+
+[Content]
+Packages=
+        btrfs-progs
+        cryptsetup-bin
+        dbus-broker
+        default-dbus-session-bus
+        f2fs-tools
+        fdisk
+        iproute2
+        isc-dhcp-server
+        libcap-ng-utils
+        netcat-openbsd
+        openssh-server
+        passwd
+        policykit-1
+        procps
+        python3
+        python3-pefile
+        python3-psutil
+        python3-pytest
+        quota
+        xxd
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-debian.conf b/mkosi.presets/20-final/mkosi.conf.d/10-debian.conf
new file mode 100644
index 0000000000..3eb7a5453e
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-debian.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Content]
+Packages=
+        linux-image-cloud-amd64
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000000..5ae623e47d
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Packages=
+        btrfs-progs
+        compsize
+        f2fs-tools
+        python3
+        python3dist(pefile)
+        python3dist(psutil)
+        python3dist(pytest)
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/20-final/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000000..f948dd6a37
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+        btrfs-progs
+        cryptsetup
+        dbus-broker
+        f2fs-tools
+        glibc-locale-base
+        kernel-default
+        libcap-ng-utils
+        openssh-server
+        python3
+        python3-pefile
+        python3-psutil
+        python3-pytest
+        quota
+        shadow
+        vim
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000000..eb88ca7644
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+        linux-virtual
diff --git a/mkosi.presets/20-final/mkosi.conf.d/11-centos-8.conf b/mkosi.presets/20-final/mkosi.conf.d/11-centos-8.conf
new file mode 100644
index 0000000000..2fa476454d
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/11-centos-8.conf
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+Release=8
+
+[Content]
+Packages=
+        platform-python
+        python3.9dist(pefile)
+        python3.9dist(pluggy) # python39-pluggy is a pytest dependency that's not installed for some reason.
+        python3.9dist(psutil)
+        python3.9dist(pytest)
+        python39
diff --git a/mkosi.presets/20-final/mkosi.conf.d/11-centos-9.conf b/mkosi.presets/20-final/mkosi.conf.d/11-centos-9.conf
new file mode 100644
index 0000000000..d6ab3ee1c3
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/11-centos-9.conf
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+Release=9
+
+[Content]
+Packages=
+        platform-python
+        python3dist(pefile)
+        python3dist(pluggy) # python39-pluggy is a pytest dependency that's not installed for some reason.
+        python3dist(psutil)
+        python3dist(pytest)
diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-arch.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-arch.conf
new file mode 100644
index 0000000000..6ac0b58495
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-arch.conf
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=mkosi.kernel/
+Distribution=arch
+
+[Content]
+Packages=
+        alsa-lib
+        fuse2
+        libcap
+        libcap-ng
+        libelf
+        libmnl
+        numactl
+        popt
+
+BuildPackages=
+        pahole
+        python-docutils
diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-centos-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-centos-fedora.conf
new file mode 100644
index 0000000000..c42f9916ee
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-centos-fedora.conf
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=mkosi.kernel/
+Distribution=centos fedora
+
+[Content]
+Packages=
+        alsa-lib
+        elfutils-libelf
+        fuse
+        glibc.i686
+        libcap
+        libcap-ng
+        libcap-ng-utils
+        libmnl
+        numactl-libs
+        popt
+
+BuildPackages=
+        dwarves
+        glibc-devel.i686
+        glibc-static
+        glibc-static.i686
+        pkgconfig(alsa)
+        pkgconfig(fuse)
+        pkgconfig(libcap-ng)
+        pkgconfig(libcap)
+        pkgconfig(libelf)
+        pkgconfig(libmnl)
+        pkgconfig(numa)
+        pkgconfig(openssl)
+        pkgconfig(popt)
+        python3-docutils
diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-debian-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-debian-ubuntu.conf
new file mode 100644
index 0000000000..00338fa4d1
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-debian-ubuntu.conf
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=mkosi.kernel/
+Distribution=debian ubuntu
+
+[Content]
+Packages=
+        fuse
+        libasound2
+        libc6-i386
+        libcap-ng0
+        libcap2
+        libelf1
+        libmnl0
+        libnuma1
+        libpopt0
+
+BuildPackages=
+        gcc-multilib
+        libasound-dev
+        libc6-dev
+        libc6-dev-i686
+        libcap-ng-dev
+        libcap-dev
+        libelf-dev
+        libfuse-dev
+        libmnl-dev
+        libnuma-dev
+        libpopt-dev
+        pahole
+        python3-docutils
diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-fedora.conf
new file mode 100644
index 0000000000..ea94c14346
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-fedora.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=mkosi.kernel/
+Distribution=fedora
+
+[Content]
+BuildPackages=
+        libcap-static
diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-opensuse.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-opensuse.conf
new file mode 100644
index 0000000000..aec631f1af
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-opensuse.conf
@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=mkosi.kernel/
+Distribution=opensuse
+
+[Content]
+Packages=
+        fuse
+        glibc-32bit
+        libasound2
+        libcap-ng0
+        libcap2
+        libelf1
+        libmnl0
+        libnuma1
+        libpopt0
+
+BuildPackages=
+        alsa-devel
+        dwarves
+        fuse-devel
+        gcc-32bit
+        glibc-devel-32bit
+        glibc-devel-static-32bit
+        glibc-static
+        libcap-devel
+        libcap-ng-dev
+        libelf-devel
+        liblz4-dev
+        libmnl-dev
+        libnuma-devel
+        pcre-devel
+        popt-devel
+        python3-docutils
diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel.conf
new file mode 100644
index 0000000000..5505b41a86
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.conf.d/20-kernel.conf
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=mkosi.kernel/
+
+[Content]
+BuildSources=./
+BuildPackages=
+        bc
+        binutils
+        bison
+        clang
+        flex
+        gcc
+        lld
+        llvm
+        make
+        make
+        rsync
+        tar
diff --git a/mkosi.presets/20-final/mkosi.extra/etc/issue b/mkosi.presets/20-final/mkosi.extra/etc/issue
new file mode 100644
index 0000000000..6aa6fc0ec0
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.extra/etc/issue
@@ -0,0 +1,2 @@
+\S (built from systemd tree)
+Kernel \r on an \m (\l)
diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
new file mode 100755
index 0000000000..b86d2d3e69
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -0,0 +1,15 @@
+#!/bin/bash -eux
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+systemctl --failed --no-legend | tee /failed-services
+
+# Check that secure boot keys were properly enrolled.
+if [[ -d /sys/firmware/efi/efivars/ ]]; then
+    cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+    cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+fi
+
+# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
+[[ ! -s /failed-services ]]
+
+: >/testok
diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
new file mode 100644
index 0000000000..6539325108
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Check if any service failed and then shutdown the machine
+After=multi-user.target network-online.target
+Requires=multi-user.target
+Wants=systemd-resolved.service systemd-networkd.service network-online.target
+OnFailure=poweroff.target
+OnFailureJobMode=replace-irreversibly
+
+[Service]
+Type=oneshot
+ExecStartPre=-rm -f /failed-services
+ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
+ExecStartPost=systemctl poweroff --no-block
diff --git a/mkosi.presets/20-final/mkosi.kernel.config b/mkosi.presets/20-final/mkosi.kernel.config
new file mode 100644
index 0000000000..ab3ffe2fea
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.kernel.config
@@ -0,0 +1,204 @@
+# CONFIG_COMPAT_BRK is not set
+# CONFIG_LEGACY_PTYS is not set
+CONFIG_ATA=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_BINFMT_MISC=y
+CONFIG_BLK_CGROUP_IOCOST=y
+CONFIG_BLK_CGROUP_IOLATENCY=y
+CONFIG_BLK_CGROUP_IOPRIO=y
+CONFIG_BLK_CGROUP=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_MD=y
+CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SR=y
+CONFIG_BPF_EVENTS=y
+CONFIG_BPF_JIT=y
+CONFIG_BPF_LSM=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_BPF=y
+CONFIG_BSD_PROCESS_ACCT=y
+CONFIG_BTRFS_FS_POSIX_ACL=y
+CONFIG_BTRFS_FS=y
+CONFIG_CFG80211=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_CGROUP_BPF=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_HUGETLB=y
+CONFIG_CGROUP_MISC=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_PERF=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_RDMA=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_CGROUPS=y
+CONFIG_CONNECTOR=y
+CONFIG_CPUSETS=y
+CONFIG_CRASH_DUMP=y
+CONFIG_DEBUG_INFO_BTF=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS=y
+CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
+CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
+CONFIG_DM_VERITY=y
+CONFIG_DMI_SYSFS=y
+CONFIG_DMI=y
+CONFIG_EFI_MIXED=y
+CONFIG_EFI_STUB=y
+CONFIG_EFI_ZBOOT=y
+CONFIG_EFI=y
+CONFIG_EXPERT=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_EXT4_FS=y
+CONFIG_HIBERNATION=y
+CONFIG_HIDRAW=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_HOTPLUG_PCI=y
+CONFIG_HPET=y
+CONFIG_HUGETLBFS=y
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_HW_RANDOM=y
+CONFIG_HYPERVISOR_GUEST=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_IKCONFIG=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA=y
+CONFIG_INET=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INPUT_EVDEV=y
+CONFIG_INPUT_MISC=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_MACHINE_KEYRING=y
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_IOSCHED_BFQ=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_PNP_BOOTP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP=y
+CONFIG_IP_ROUTE_MULTIPATH=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_ISO9660_FS=y
+CONFIG_KEXEC=y
+CONFIG_KPROBES=y
+CONFIG_LOAD_UEFI_KEYS=y
+CONFIG_MAC80211=y
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_MD=y
+CONFIG_MEMCG_KMEM=y
+CONFIG_MEMCG=y
+CONFIG_MICROCODE_AMD=y
+CONFIG_MODULE_FORCE_UNLOAD=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULES=y
+CONFIG_MSDOS_FS=y
+CONFIG_NAMESPACES=y
+CONFIG_NET_9P_VIRTIO=y
+CONFIG_NET_9P=y
+CONFIG_NET_CLS_ACT=y
+CONFIG_NET_CLS_CGROUP=y
+CONFIG_NET_EMATCH=y
+CONFIG_NET_SCHED=y
+CONFIG_NET=y
+CONFIG_NETCONSOLE=y
+CONFIG_NETDEVICES=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER=y
+CONFIG_NETLABEL=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_IRC=y
+CONFIG_NF_CONNTRACK_SIP=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NF_NAT=y
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
+CONFIG_NO_HZ_FULL=y
+CONFIG_NUMA=y
+CONFIG_NVRAM=y
+CONFIG_PACKET=y
+CONFIG_PARAVIRT=y
+CONFIG_PCI=y
+CONFIG_PCIEPORTBUS=y
+CONFIG_PERF_EVENTS=y
+CONFIG_PM_DEBUG=y
+CONFIG_PM_TRACE_RTC=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_PRINTK_TIME=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROFILING=y
+CONFIG_PSI=y
+CONFIG_QUOTA_NETLINK_INTERFACE=y
+CONFIG_QUOTA=y
+CONFIG_RFKILL=y
+CONFIG_RTC_CLASS=y
+CONFIG_SATA_AHCI=y
+CONFIG_SCSI_CONSTANTS=y
+CONFIG_SCSI_SPI_ATTRS=y
+CONFIG_SCSI_VIRTIO=y
+CONFIG_SCSI=y
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_PCI=y
+CONFIG_SERIAL_8250=y
+CONFIG_SMP=y
+CONFIG_SWAP=y
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSVIPC=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_TMPFS=y
+CONFIG_UNIX=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+CONFIG_USB_EHCI_HCD=y
+CONFIG_USB_MON=y
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_STORAGE=y
+CONFIG_USB_UHCI_HCD=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB=y
+CONFIG_USER_NS=y
+CONFIG_VFAT_FS=y
+CONFIG_VIRTIO_BLK=y
+CONFIG_VIRTIO_CONSOLE=y
+CONFIG_VIRTIO_INPUT=y
+CONFIG_VIRTIO_NET=y
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_VSOCKETS=y
+CONFIG_VSOCKETS=y
+CONFIG_WATCHDOG=y
+CONFIG_X86_ACPI_CPUFREQ=y
+CONFIG_X86_CPUID=y
+CONFIG_X86_MSR=y
+CONFIG_XFRM_USER=y
+CONFIG_XFS_FS=y
+CONFIG_XFS_POSIX_ACL=y
diff --git a/mkosi.presets/20-final/mkosi.postinst b/mkosi.presets/20-final/mkosi.postinst
new file mode 100755
index 0000000000..4339d7fd22
--- /dev/null
+++ b/mkosi.presets/20-final/mkosi.postinst
@@ -0,0 +1,82 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+if [ "$1" = "build" ]; then
+    exit 0
+fi
+
+if [ -n "$SANITIZERS" ]; then
+    LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
+
+    mkdir -p /etc/systemd/system.conf.d
+
+    cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
+[Manager]
+ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+                   LD_PRELOAD=$LD_PRELOAD
+DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+                   LD_PRELOAD=$LD_PRELOAD
+EOF
+
+    # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+    # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
+    # sanitizer failures appear directly on the user's console.
+    mkdir -p /etc/systemd/system/systemd-journald.service.d
+    cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=tty
+EOF
+
+    # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
+    # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
+    # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
+    # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
+
+    mkdir -p /etc/systemd/system/console-getty.service.d
+    cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
+[Service]
+TTYVHangup=no
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+EOF
+    # ASAN and syscall filters aren't compatible with each other.
+    find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
+
+    # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
+    systemctl mask systemd-hwdb-update.service
+fi
+
+if [ -n "$IMAGE_ID" ] ; then
+    sed -n \
+        -i \
+        -e '/^IMAGE_ID=/!p' \
+        -e "\$aIMAGE_ID=$IMAGE_ID" \
+        /usr/lib/os-release
+fi
+
+if [ -n "$IMAGE_VERSION" ] ; then
+    sed -n \
+        -i \
+        -e '/^IMAGE_VERSION=/!p' \
+        -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
+        /usr/lib/os-release
+fi
+
+if command -v authselect >/dev/null; then
+    authselect select minimal
+
+    if authselect list-features minimal | grep -q "with-homed"; then
+        authselect enable-feature with-homed
+    fi
+fi
+
+# Let tmpfiles.d/systemd-resolve.conf handle the symlink
+rm -f /etc/resolv.conf
+
+. /etc/os-release
+
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+    alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
+    alternatives --set python3 /usr/bin/python3.9
+fi