From: Daan De Meyer
Date: Wed, 9 Aug 2023 15:17:50 +0000 (+0200)
Subject: mkosi: Update to latest
X-Git-Tag: v255-rc1~778
X-Git-Url: http://git-history.diyao.me/?a=commitdiff_plain;h=1f035c91bb8f73d3fcfb325b1990859579774bc7;p=systemd%2F.git

mkosi: Update to latest

This update introduces the explicit Dependencies= setting, instead of relying on implicit dependencies via alphanumerical ordering. We also take the opportunity to rename the "final" preset to the "system" preset, which seems like a better name.
---

diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 5f3ea2b38d..5a34e997db 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -76,7 +76,7 @@ jobs:
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- - uses: systemd/mkosi@f61dac009ee584797e61a961d508cc52d7f4a03c
+ - uses: systemd/mkosi@9ffcdac128c66935aa5d5a98633fa7498bce92d1
 - name: Configure
 run: |
@@ -106,17 +106,17 @@ jobs:
 # For erofs, we have to install linux-modules-extra-azure, but that doesn't match the running kernel
 # version, so we can't load the erofs module. squashfs is a builtin module so we use that instead.
- mkdir -p mkosi.presets/20-final/mkosi.repart/10-usr.conf.d
- tee mkosi.presets/20-final/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF
+ mkdir -p mkosi.presets/system/mkosi.repart/10-usr.conf.d
+ tee mkosi.presets/system/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF
 [Partition]
 Format=squashfs
 EOF
 # The emergency shell is not useful in the CI, as it just blocks for a long time before the job
 # eventually times out. Override it to just shutdown immediately.
- mkdir -p mkosi.presets/10-initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
- mkdir -p mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
- tee mkosi.presets/10-initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf <<- EOF
+ mkdir -p mkosi.presets/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
+ mkdir -p mkosi.presets/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
+ tee mkosi.presets/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf <<- EOF
 [Unit]
 FailureAction=exit
 [Service]
@@ -124,7 +124,7 @@ jobs:
 ExecStart=
 ExecStart=false
 EOF
- cp mkosi.presets/10-initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf
+ cp mkosi.presets/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf mkosi.presets/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf
 - name: Generate secure boot key
 run: mkosi --debug genkey
diff --git a/mkosi.presets/00-base/mkosi.build b/mkosi.presets/00-base/mkosi.build
deleted file mode 100755
index cbc305fa4b..0000000000
--- a/mkosi.presets/00-base/mkosi.build
+++ /dev/null
@@ -1,234 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: LGPL-2.1-or-later -set -e - -# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi). -# Simply invoke "mkosi" in the project directory to build an OS image. - -if [ "${container:-}" != "mkosi" ]; then - exec mkosi-chroot "$SCRIPT" "$@" -fi - -# We don't want to install our build of systemd in the base image, but use it as an extra tree for the -# initrd and final images, so override DESTDIR to store it in the output directory so we can reference it as -# an extra tree in the initrd and final image builds. -DESTDIR="$OUTPUTDIR/systemd" - -# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it -# as out-of-tree build dir. Otherwise, let's make up our own builddir. -[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build - -# Let's make sure we're using stuff from the build directory first if available there. -PATH="$BUILDDIR:$PATH" -export PATH - -# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and -# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override -# the ubuntu script with a symlink to the first bpftool program we can find. -for bpftool in /usr/lib/linux-tools/*/bpftool; do - [ -x "$bpftool" ] || continue - ln -sf "$bpftool" "$BUILDDIR"/bpftool - break -done - -# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the -# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports -# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well. -. /usr/lib/os-release -if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then - cat >"$BUILDDIR"/bpftool </. - # It is important to use the right one especially for cryptsetup plugins, otherwise they will be - # installed in the wrong directory and not be found by cryptsetup. 
Assume native build. - if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then - CONFIGURE_OPTS+=( - -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)" - -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security" - ) - fi - - # Set various uids and gids for which Fedora has "soft static" allocations. - # Without this, we would get warning about mismatched sysusers.d entries - # between the files that we and Fedora's setup package install. - if grep -q '^ID=fedora' /usr/lib/os-release; then - CONFIGURE_OPTS+=( - -Dadm-gid=4 - -Daudio-gid=63 - -Dcdrom-gid=11 - -Ddialout-gid=18 - -Ddisk-gid=6 - -Dinput-gid=104 - -Dkmem-gid=9 - -Dkvm-gid=36 - -Dlp-gid=7 - -Drender-gid=105 - -Dsgx-gid=106 - -Dtape-gid=33 - -Dtty-gid=5 - -Dusers-gid=100 - -Dutmp-gid=22 - -Dvideo-gid=39 - -Dwheel-gid=10 - -Dsystemd-journal-gid=190 - -Dsystemd-network-uid=192 - -Dsystemd-resolve-uid=193 - ) - fi - - if grep -q '^ID="opensuse' /usr/lib/os-release; then - CONFIGURE_OPTS+=( - -Dbpf-compiler=gcc - ) - fi - - ( set -x; meson setup "$BUILDDIR" "${CONFIGURE_OPTS[@]}" ) -fi - -( set -x; ninja -C "$BUILDDIR" "$@" ) -if [ "$WITH_TESTS" = 1 ]; then - if [ -n "$SANITIZERS" ]; then - export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS" - export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS" - TIMEOUT_MULTIPLIER=3 - else - TIMEOUT_MULTIPLIER=1 - fi - - ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER ) -fi - -( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed ) - -# Ensure that side-loaded PE addons are loaded if signed, and ignored if not -if [ -d "${DESTDIR}/boot/loader" ]; then - addons_dir="${DESTDIR}/boot/loader/addons" -elif [ -d "${DESTDIR}/efi/loader" ]; then - addons_dir="${DESTDIR}/efi/loader/addons" -fi -if [ -n "${addons_dir}" ]; then - mkdir -p "${addons_dir}" - ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt 
--cmdline this_should_be_here -o "${addons_dir}/good.addon.efi" - ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi" -fi diff --git a/mkosi.presets/00-base/mkosi.conf b/mkosi.presets/00-base/mkosi.conf deleted file mode 100644 index eb67bfcf62..0000000000 --- a/mkosi.presets/00-base/mkosi.conf +++ /dev/null @@ -1,32 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Output] -Format=directory - -[Content] -Bootable=no -CleanPackageMetadata=no -Packages= - kmod - less - util-linux - -BuildPackages= - acl - diffutils - gawk - binutils - clang - gettext - git - gperf - grep - lld - llvm - make - meson - pkgconf - rsync - sed - tar - zstd diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-arch.conf b/mkosi.presets/00-base/mkosi.conf.d/10-arch.conf deleted file mode 100644 index 7ab0c712ae..0000000000 --- a/mkosi.presets/00-base/mkosi.conf.d/10-arch.conf +++ /dev/null @@ -1,32 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=arch - -[Content] -Packages= - cryptsetup - dbus - gnutls - libbpf - libfido2 - libmicrohttpd - libnftnl - libpwquality - libseccomp - libxkbcommon - openssl - qrencode - tpm2-tss - -BuildPackages= - bpf - docbook-xsl - glib2 - libxslt - linux-api-headers - python - python-jinja - python-lxml - python-pefile - python-pyelftools diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf deleted file mode 100644 index 4dec24cc20..0000000000 --- a/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf +++ /dev/null 
@@ -1,75 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=|centos -Distribution=|fedora - -[Content] -Packages= - audit-libs - cryptsetup-libs - gnutls - libasan - libbpf - libfido2 - libgcrypt - libmicrohttpd - libnftnl - libubsan - libxcrypt - libxkbcommon - openssl-libs - qrencode-libs - tpm2-tss - util-linux - -BuildPackages= - /usr/bin/pkg-config - bpftool - docbook-xsl - findutils - libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file. - libxslt - pam-devel - pkgconfig(audit) - pkgconfig(blkid) - pkgconfig(bzip2) - pkgconfig(dbus-1) - pkgconfig(fdisk) - pkgconfig(glib-2.0) - pkgconfig(gnutls) - pkgconfig(libacl) - pkgconfig(libbpf) - pkgconfig(libcap) - pkgconfig(libcryptsetup) - pkgconfig(libcurl) - pkgconfig(libdw) - pkgconfig(libfido2) - pkgconfig(libidn2) - pkgconfig(libkmod) - pkgconfig(libmicrohttpd) - pkgconfig(libnftnl) - pkgconfig(libpcre2-8) - pkgconfig(libqrencode) - pkgconfig(libseccomp) - pkgconfig(libselinux) - pkgconfig(libzstd) - pkgconfig(mount) - pkgconfig(numa) - pkgconfig(openssl) - pkgconfig(openssl) - pkgconfig(p11-kit-1) - pkgconfig(pwquality) - pkgconfig(tss2-esys) - pkgconfig(tss2-mu) - pkgconfig(tss2-rc) - pkgconfig(tss2-tcti-device) - pkgconfig(valgrind) - pkgconfig(xkbcommon) - python3 - python3dist(jinja2) - python3dist(lxml) - python3dist(pefile) - python3dist(pyelftools) - python3dist(pytest) - rpm diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf deleted file mode 100644 index 5550511cf2..0000000000 --- a/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf +++ /dev/null 
@@ -1,68 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=|debian -Distribution=|ubuntu - -[Content] -Packages= - dmsetup - libapparmor1 - libfdisk1 - libfido2-1 - libglib2.0-0 - libgnutls30 - libidn2-0 - libmicrohttpd12 - libnftnl11 - libp11-kit0 - libpam0g - libpwquality1 - libqrencode4 - libssl3 - libtss2-dev # Use the -dev package to avoid churn in updating version numbers - tzdata - -BuildPackages= - docbook-xsl - dpkg-dev - g++ - libacl1-dev - libapparmor-dev - libaudit-dev - libblkid-dev - libbpf-dev - libbz2-dev - libcap-dev - libcryptsetup-dev - libcurl4-openssl-dev - libdbus-1-dev - libdw-dev - libfdisk-dev - libfido2-dev - libgcrypt20-dev - libglib2.0-dev - libgnutls28-dev - libidn2-dev - libiptc-dev - libkmod-dev - libmicrohttpd-dev - libmount-dev - libnftnl-dev - libp11-kit-dev - libpam0g-dev - libpwquality-dev - libqrencode-dev - libseccomp-dev - libsmartcols-dev - libssl-dev - libxen-dev - libxkbcommon-dev - libzstd-dev - python3 - python3-jinja2 - python3-lxml - python3-pefile - python3-pyelftools - python3-pytest - xsltproc diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-debian.conf b/mkosi.presets/00-base/mkosi.conf.d/10-debian.conf deleted file mode 100644 index 020b02b61c..0000000000 --- a/mkosi.presets/00-base/mkosi.conf.d/10-debian.conf +++ /dev/null @@ -1,11 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=debian - -[Content] -Packages= - libbpf1 - -BuildPackages= - bpftool diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-fedora.conf b/mkosi.presets/00-base/mkosi.conf.d/10-fedora.conf deleted file mode 100644 index 9c4c12423c..0000000000 --- a/mkosi.presets/00-base/mkosi.conf.d/10-fedora.conf +++ /dev/null @@ -1,11 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=fedora - -[Content] -Packages= - python3dist(pytest-flakes) - -BuildPackages= - pkgconfig(xencontrol) 
diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf deleted file mode 100644 index ec91b4901f..0000000000 --- a/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf +++ /dev/null @@ -1,91 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=opensuse - -[Content] -# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox -# versions don't get installed instead. -Packages= - device-mapper - distribution-release - docbook-xsl-stylesheets - gawk - grep - gzip - libbpf1 - libcrypt1 - libcryptsetup12 - libdw1 - libelf1 - libfido2 - libgcrypt20 - libglib-2_0-0 - libkmod2 - libmount1 - libnftnl11 - libopenssl3 - libp11-kit0 - libqrencode4 - libseccomp2 - libtss2-esys0 - libtss2-mu0 - libtss2-rc0 - libtss2-tcti-device0 - libxkbcommon0 - libzstd1 - pam - rsync - sed - shadow - tpm2-0-tss - xz - -BuildPackages= - audit-devel - bpftool - cross-bpf-gcc13 - dbus-1-devel - fdupes - gcc-c++ - glib2-devel - glibc-locale - intltool - libacl-devel - libapparmor-devel - libblkid-devel - libbpf-devel - libcap-devel - libcryptsetup-devel - libcurl-devel - libdw-devel - libelf-devel - libfdisk-devel - libfido2-devel - libgcrypt-devel - libgnutls-devel - libkmod-devel - libmicrohttpd-devel - libmount-devel - libnftnl-devel - libpwquality-devel - libseccomp-devel - libselinux-devel - libxkbcommon-devel - libxslt-tools - libzstd-devel - openssl-devel - pam-devel - pciutils-devel - python3 - python3-Jinja2 - python3-lxml - python3-pefile - python3-pyelftools - python3-pytest - python3-pytest-flakes - qrencode-devel - shadow - timezone - tpm2-0-tss-devel - xen-devel diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-ubuntu.conf b/mkosi.presets/00-base/mkosi.conf.d/10-ubuntu.conf deleted file mode 100644 index 717809fd03..0000000000 --- a/mkosi.presets/00-base/mkosi.conf.d/10-ubuntu.conf +++ /dev/null 
@@ -1,12 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=ubuntu - -[Content] -Packages= - libbpf0 - -BuildPackages= - linux-tools-common - linux-tools-generic diff --git a/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset deleted file mode 100644 index 070af4c67a..0000000000 --- a/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset +++ /dev/null @@ -1,30 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# mkosi adds its own ssh units via the --ssh switch so disable the default ones. -disable ssh.service -disable sshd.service - -# These are started manually in integration tests so don't start them by default. -disable dnsmasq.service -disable isc-dhcp-server.service -disable isc-dhcp-server6.service - -# Pulled in via dracut-network by kexec-tools on Fedora. -disable NetworkManager* - -# Make sure dbus-broker is started by default on Debian/Ubuntu. -enable dbus-broker.service - -# systemd-networkd is disabled by default on Fedora so make sure it is enabled. -enable systemd-networkd.service -enable systemd-networkd-wait-online.service - -# We install dnf in some images but it's only going to be used rarely, -# so let's not have dnf create its cache. -disable dnf-makecache.* - -# We have journald to receive audit data so let's make sure we're not running auditd as well -disable auditd.service - -# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead. -enable systemd-timesyncd.service diff --git a/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset deleted file mode 100644 index 710ee7c6f9..0000000000 --- a/mkosi.presets/00-base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset +++ /dev/null 
@@ -1,4 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# Make sure that services are disabled by default (primarily for Debian/Ubuntu). -disable * diff --git a/mkosi.presets/00-base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.presets/00-base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf deleted file mode 100644 index e1a8e8171a..0000000000 --- a/mkosi.presets/00-base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf +++ /dev/null @@ -1 +0,0 @@ -L /etc/default/locale - - - - ../locale.conf diff --git a/mkosi.presets/10-initrd/mkosi.conf b/mkosi.presets/10-initrd/mkosi.conf deleted file mode 100644 index b672d7363b..0000000000 --- a/mkosi.presets/10-initrd/mkosi.conf +++ /dev/null @@ -1,26 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Bootable=|auto -Bootable=|yes - -[Output] -Format=cpio - -[Content] -BaseTrees=../../mkosi.output/base -ExtraTrees=../../mkosi.output/base-systemd -MakeInitrd=yes -Packages= - systemd - udev - -# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it -# doesn't end up in the initrd. -RemoveFiles= - /usr/lib/libgfortran.so* - /usr/lib/libgo.so* - /usr/lib/libgomp.so* - /usr/lib/libgphobos.so* - /usr/lib/libobjc.so* - /usr/lib/libstdc++.so* diff --git a/mkosi.presets/10-initrd/mkosi.conf.d/10-centos.conf b/mkosi.presets/10-initrd/mkosi.conf.d/10-centos.conf deleted file mode 100644 index 3f92e52300..0000000000 --- a/mkosi.presets/10-initrd/mkosi.conf.d/10-centos.conf +++ /dev/null @@ -1,12 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=centos - -[Output] -# TODO: Switch to zstd once we stop building CentOS Stream 8. -CompressOutput=xz - -[Content] -Packages=xfsprogs - tpm2-tools diff --git a/mkosi.presets/10-initrd/mkosi.conf.d/10-default.conf b/mkosi.presets/10-initrd/mkosi.conf.d/10-default.conf deleted file mode 100644 index 9224b92dd0..0000000000 --- a/mkosi.presets/10-initrd/mkosi.conf.d/10-default.conf +++ /dev/null 
@@ -1,12 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=!centos -Distribution=!opensuse - -[Output] -CompressOutput=zst - -[Content] -Packages=btrfs-progs - tpm2-tools diff --git a/mkosi.presets/10-initrd/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/10-initrd/mkosi.conf.d/10-opensuse.conf deleted file mode 100644 index 5cf2df397e..0000000000 --- a/mkosi.presets/10-initrd/mkosi.conf.d/10-opensuse.conf +++ /dev/null @@ -1,11 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=opensuse - -[Output] -CompressOutput=zst - -[Content] -Packages=btrfs-progs - tpm2.0-tools diff --git a/mkosi.presets/10-initrd/mkosi.postinst b/mkosi.presets/10-initrd/mkosi.postinst deleted file mode 100755 index 6782ddd5fa..0000000000 --- a/mkosi.presets/10-initrd/mkosi.postinst +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: LGPL-2.1-or-later -set -e - -if [ "${container:-}" != "mkosi" ]; then - exec mkosi-chroot "$SCRIPT" "$@" -fi - -# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem. -# See https://github.com/openSUSE/suse-module-tools/pull/71 -rm -f /usr/lib/modprobe.d/60-blacklist_fs-erofs.conf diff --git a/mkosi.presets/20-final/mkosi.conf b/mkosi.presets/20-final/mkosi.conf deleted file mode 100644 index e1579ad273..0000000000 --- a/mkosi.presets/20-final/mkosi.conf +++ /dev/null 
@@ -1,44 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Content] -Autologin=yes -BaseTrees=../../mkosi.output/base -ExtraTrees=../../mkosi.output/base-systemd -ExtraTrees=../../src:/root/src -Initrds=../../mkosi.output/initrd -Packages= - acl - bash-completion - coreutils - diffutils - dnsmasq - dosfstools - e2fsprogs - findutils - gcc # Sanitizer libraries - gdb - grep - kbd - kexec-tools - less - mtools - nano - nftables - openssl - qrencode - sed - socat - strace - systemd - tmux - tree - udev - util-linux - valgrind - wireguard-tools - xfsprogs - zsh - -[Validation] -SecureBoot=yes -SignExpectedPcr=yes diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-arch.conf b/mkosi.presets/20-final/mkosi.conf.d/10-arch.conf deleted file mode 100644 index 0b15677ff2..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-arch.conf +++ /dev/null @@ -1,26 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=arch - -[Content] -Packages= - bpf - btrfs-progs - compsize - dhcp - f2fs-tools - glib2 - iproute - linux - man-db - openbsd-netcat - openssh - polkit - python-pefile - python-psutil - python-pytest - python3 - quota-tools - shadow - vim diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf deleted file mode 100644 index ad77a2b8d4..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-centos-fedora.conf +++ /dev/null 
@@ -1,32 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=|centos -Distribution=|fedora - -[Content] -Packages= - bpftool - cryptsetup - dhcp-server - dnf - glib2 - iproute - iproute-tc - kernel-core - kernel-modules # For squashfs support - libcap-ng-utils - netcat - openssh-server - p11-kit - pam - passwd - polkit - procps-ng - python3 - python3dist(pefile) - python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason. - python3dist(psutil) - python3dist(pytest) - quota - vim-common diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.conf deleted file mode 100644 index af4862d4b1..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.conf +++ /dev/null @@ -1,4 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=centos diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf deleted file mode 100644 index 99b846d3a8..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf +++ /dev/null @@ -1,5 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# CentOS does not support btrfs so we use xfs instead. -[Partition] -Format=xfs diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf deleted file mode 100644 index 393d5f038c..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf +++ /dev/null @@ -1,5 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# CentOS does not support erofs so we use squashfs instead. -[Partition] -Format=squashfs 
diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/10-debian-ubuntu.conf deleted file mode 100644 index 588f833c8f..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-debian-ubuntu.conf +++ /dev/null @@ -1,29 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=|debian -Distribution=|ubuntu - -[Content] -Packages= - apt - btrfs-progs - cryptsetup-bin - dbus-broker - default-dbus-session-bus - f2fs-tools - fdisk - iproute2 - isc-dhcp-server - libcap-ng-utils - netcat-openbsd - openssh-server - passwd - policykit-1 - procps - python3 - python3-pefile - python3-psutil - python3-pytest - quota - xxd diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-debian.conf b/mkosi.presets/20-final/mkosi.conf.d/10-debian.conf deleted file mode 100644 index d4cd53e6f2..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-debian.conf +++ /dev/null @@ -1,9 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=debian - -[Content] -Packages= - bpftool - linux-image-cloud-amd64 diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/10-fedora.conf deleted file mode 100644 index 42d0093a89..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-fedora.conf +++ /dev/null @@ -1,10 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=fedora - -[Content] -Packages= - btrfs-progs - compsize - f2fs-tools diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/20-final/mkosi.conf.d/10-opensuse.conf deleted file mode 100644 index 60a2b6dbfc..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-opensuse.conf +++ /dev/null 
@@ -1,23 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=opensuse - -[Content] -Packages= - bpftool - btrfs-progs - cryptsetup - dbus-broker - f2fs-tools - glibc-locale-base - kernel-kvmsmall - libcap-ng-utils - openssh-server - python3 - python3-pefile - python3-psutil - python3-pytest - quota - shadow - vim diff --git a/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf deleted file mode 100644 index 3290987824..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/10-ubuntu.conf +++ /dev/null @@ -1,12 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -Distribution=ubuntu - -[Content] -Packages= - # We would like to use linux-image-kvm but it does not have support for dm-verity - # See https://bugs.launchpad.net/ubuntu/+source/linux-meta-kvm/+bug/2019040. - linux-image-generic - linux-tools-common - linux-tools-generic diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-arch.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-arch.conf deleted file mode 100644 index c97f5deff2..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-arch.conf +++ /dev/null @@ -1,20 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -PathExists=../../mkosi.kernel/ -Distribution=arch - -[Content] -Packages= - alsa-lib - fuse2 - libcap - libcap-ng - libelf - libmnl - numactl - popt - -BuildPackages= - pahole - python-docutils diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-centos-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-centos-fedora.conf deleted file mode 100644 index 14b18727ef..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-centos-fedora.conf +++ /dev/null 
@@ -1,35 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -PathExists=../../mkosi.kernel/ -Distribution=|centos -Distribution=|fedora - -[Content] -Packages= - alsa-lib - elfutils-libelf - fuse - glibc.i686 - libcap - libcap-ng - libcap-ng-utils - libmnl - numactl-libs - popt - -BuildPackages= - dwarves - glibc-devel.i686 - glibc-static - glibc-static.i686 - pkgconfig(alsa) - pkgconfig(fuse) - pkgconfig(libcap-ng) - pkgconfig(libcap) - pkgconfig(libelf) - pkgconfig(libmnl) - pkgconfig(numa) - pkgconfig(openssl) - pkgconfig(popt) - python3-docutils diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-debian-ubuntu.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-debian-ubuntu.conf deleted file mode 100644 index f9413f1da6..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-debian-ubuntu.conf +++ /dev/null @@ -1,33 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -PathExists=../../mkosi.kernel/ -Distribution=|debian -Distribution=|ubuntu - -[Content] -Packages= - fuse - libasound2 - libc6-i386 - libcap-ng0 - libcap2 - libelf1 - libmnl0 - libnuma1 - libpopt0 - -BuildPackages= - gcc-multilib - libasound-dev - libc6-dev - libc6-dev-i686 - libcap-ng-dev - libcap-dev - libelf-dev - libfuse-dev - libmnl-dev - libnuma-dev - libpopt-dev - pahole - python3-docutils diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-fedora.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-fedora.conf deleted file mode 100644 index 97091859d1..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-fedora.conf +++ /dev/null @@ -1,9 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -PathExists=../../mkosi.kernel/ -Distribution=fedora - -[Content] -BuildPackages= - libcap-static diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-opensuse.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel-opensuse.conf deleted file mode 100644 index 6d25af5af2..0000000000 
--- a/mkosi.presets/20-final/mkosi.conf.d/20-kernel-opensuse.conf +++ /dev/null @@ -1,35 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -PathExists=../../mkosi.kernel/ -Distribution=opensuse - -[Content] -Packages= - fuse - glibc-32bit - libasound2 - libcap-ng0 - libcap2 - libelf1 - libmnl0 - libnuma1 - libpopt0 - -BuildPackages= - alsa-devel - dwarves - fuse-devel - gcc-32bit - glibc-devel-32bit - glibc-devel-static-32bit - glibc-static - libcap-devel - libcap-ng-dev - libelf-devel - liblz4-dev - libmnl-dev - libnuma-devel - pcre-devel - popt-devel - python3-docutils diff --git a/mkosi.presets/20-final/mkosi.conf.d/20-kernel.conf b/mkosi.presets/20-final/mkosi.conf.d/20-kernel.conf deleted file mode 100644 index 838ab005c8..0000000000 --- a/mkosi.presets/20-final/mkosi.conf.d/20-kernel.conf +++ /dev/null @@ -1,21 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Match] -PathExists=../../mkosi.kernel/ - -[Content] -BuildScript=mkosi.kernel.build -BuildSources=../.. -BuildPackages= - bc - binutils - bison - clang - flex - gcc - lld - llvm - make - make - rsync - tar diff --git a/mkosi.presets/20-final/mkosi.extra/etc/issue b/mkosi.presets/20-final/mkosi.extra/etc/issue deleted file mode 100644 index 6aa6fc0ec0..0000000000 --- a/mkosi.presets/20-final/mkosi.extra/etc/issue +++ /dev/null @@ -1,2 +0,0 @@ -\S (built from systemd tree) -Kernel \r on an \m (\l) diff --git a/mkosi.presets/20-final/mkosi.extra/root/.gdbinit b/mkosi.presets/20-final/mkosi.extra/root/.gdbinit deleted file mode 100644 index 1a2163e3a5..0000000000 --- a/mkosi.presets/20-final/mkosi.extra/root/.gdbinit +++ /dev/null @@ -1,3 +0,0 @@ -set debuginfod enabled off -set build-id-verbose 0 -set substitute-path ../src /root/src diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.presets/20-final/mkosi.extra/usr/lib/repart.d/20-root.conf deleted file mode 100644 index 2f92af248f..0000000000 
--- a/mkosi.presets/20-final/mkosi.extra/usr/lib/repart.d/20-root.conf +++ /dev/null @@ -1,6 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Partition] -Type=root -Format=btrfs -SizeMinBytes=1G diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf deleted file mode 100644 index 2f953290d3..0000000000 --- a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf +++ /dev/null @@ -1,8 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't -# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles -# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set -# Storage= to persistent to have systemd-journald create /var/log/journal itself. -[Journal] -Storage=persistent diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh deleted file mode 100755 index 9bb246263e..0000000000 --- a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh +++ /dev/null 
@@ -1,19 +0,0 @@
-#!/bin/bash -eux
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# TODO: Figure out why this is failing
-systemctl reset-failed systemd-vconsole-setup.service
-
-systemctl --failed --no-legend | tee /failed-services
-
-# Check that secure boot keys were properly enrolled.
-if ! systemd-detect-virt --container; then
- cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
- cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
- # TODO: Figure out why this is failing
- # grep -q this_should_be_here /proc/cmdline
- # grep -q this_should_not_be_here /proc/cmdline && exit 1
-fi
-
-# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
-[[ ! -s /failed-services ]]
diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
deleted file mode 100644
index 7942cbfa77..0000000000
--- a/mkosi.presets/20-final/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
+++ /dev/null
@@ -1,15 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Unit]
-Description=Check if any service failed and then shutdown the machine
-After=multi-user.target network-online.target
-Requires=multi-user.target
-Wants=systemd-resolved.service systemd-networkd.service network-online.target
-SuccessAction=exit
-FailureAction=exit
-# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
-# host.
-SuccessActionExitStatus=123
-
-[Service]
-Type=oneshot
-ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
diff --git a/mkosi.presets/20-final/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.presets/20-final/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
deleted file mode 100644
index dac79ba4ed..0000000000
--- a/mkosi.presets/20-final/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.presets/20-final/mkosi.finalize b/mkosi.presets/20-final/mkosi.finalize
deleted file mode 100755
index 74b810c152..0000000000
--- a/mkosi.presets/20-final/mkosi.finalize
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.presets/20-final/mkosi.kernel.build b/mkosi.presets/20-final/mkosi.kernel.build
deleted file mode 100755
index 64cc48863f..0000000000
--- a/mkosi.presets/20-final/mkosi.kernel.build
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -e
-
-if [ "${container:-}" != "mkosi" ]; then
- exec mkosi-chroot "$SCRIPT" "$@"
-fi
-
-if [ -d "$SRCDIR"/mkosi.kernel/ ]; then
- SRCDIR="$SRCDIR/mkosi.kernel"
- BUILDDIR="$BUILDDIR/mkosi.kernel"
- cd "$SRCDIR"
- mkdir -p "$BUILDDIR"
-
- # Ensure fast incremental builds by fixating these values which usually change for each build.
- export KBUILD_BUILD_TIMESTAMP="Fri Jun 5 15:58:00 CEST 2015"
- export KBUILD_BUILD_HOST="mkosi"
-
- scripts/kconfig/merge_config.sh -O "$BUILDDIR" \
- ../mkosi.kernel.config \
- tools/testing/selftests/bpf/config.x86_64 \
- tools/testing/selftests/bpf/config
-
- # Make sure systemd-boot boots this kernel and not the distro provided one by overriding the version.
- make O="$BUILDDIR" VERSION=99 -j "$(nproc)"
- make O="$BUILDDIR" VERSION=99 -j "$(nproc)" headers
-
- KERNEL_RELEASE=$(make O="$BUILDDIR" VERSION=99 -s kernelrelease)
- mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_RELEASE"
- make O="$BUILDDIR" VERSION=99 INSTALL_MOD_PATH="$DESTDIR/usr" modules_install
- make O="$BUILDDIR" VERSION=99 INSTALL_PATH="$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" install
- mkdir -p "$DESTDIR/usr/lib/kernel/selftests"
- make -C tools/testing/selftests -j "$(nproc)" O="$BUILDDIR" VERSION=99 KSFT_INSTALL_PATH="$DESTDIR/usr/lib/kernel/selftests" SKIP_TARGETS="" install
-
- mkdir -p "$DESTDIR"/usr/bin
- ln -sf /usr/lib/kernel/selftests/bpf/bpftool "$DESTDIR/usr/bin/bpftool"
-fi
diff --git a/mkosi.presets/20-final/mkosi.postinst b/mkosi.presets/20-final/mkosi.postinst
deleted file mode 100755
index 663fa5c762..0000000000
--- a/mkosi.presets/20-final/mkosi.postinst
+++ /dev/null
@@ -1,89 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: LGPL-2.1-or-later -set -e - -if [ "$1" = "build" ]; then - exit 0 -fi - -if [ "${container:-}" != "mkosi" ]; then - exec mkosi-chroot "$SCRIPT" "$@" -fi - -if [ -n "$SANITIZERS" ]; then - LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}') - - mkdir -p /etc/systemd/system.conf.d - - cat >/etc/systemd/system.conf.d/10-asan.conf </etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf </etc/systemd/system/console-getty.service.d/10-no-vhangup.conf < 50s when built with sanitizers so let's not run it by default. - systemctl mask systemd-hwdb-update.service -fi - -if [ -n "$IMAGE_ID" ] ; then - sed -n \ - -i \ - -e '/^IMAGE_ID=/!p' \ - -e "\$aIMAGE_ID=$IMAGE_ID" \ - /usr/lib/os-release -fi - -if [ -n "$IMAGE_VERSION" ] ; then - sed -n \ - -i \ - -e '/^IMAGE_VERSION=/!p' \ - -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \ - /usr/lib/os-release -fi - -if command -v authselect >/dev/null; then - authselect select minimal - - if authselect list-features minimal | grep -q "with-homed"; then - authselect enable-feature with-homed - fi -fi - -# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that -# if that's the case. -mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf -rm -f /etc/resolv.conf - -. /usr/lib/os-release - -if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then - alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1 - alternatives --set python3 /usr/bin/python3.9 -fi diff --git a/mkosi.presets/20-final/mkosi.repart/00-esp.conf b/mkosi.presets/20-final/mkosi.repart/00-esp.conf deleted file mode 100644 index 96b292ecb8..0000000000 --- a/mkosi.presets/20-final/mkosi.repart/00-esp.conf +++ /dev/null @@ -1,8 +0,0 @@ -# SPDX-License-Identifier: LGPL-2.1-or-later - -[Partition] -Type=esp -Format=vfat -CopyFiles=/efi:/ -SizeMinBytes=512M -SizeMaxBytes=512M 
diff --git a/mkosi.presets/20-final/mkosi.repart/10-usr.conf b/mkosi.presets/20-final/mkosi.repart/10-usr.conf
deleted file mode 100644
index 343761d097..0000000000
--- a/mkosi.presets/20-final/mkosi.repart/10-usr.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=usr
-Format=erofs
-CopyFiles=/usr:/
-Verity=data
-VerityMatchKey=usr
-Minimize=yes
diff --git a/mkosi.presets/20-final/mkosi.repart/11-usr-verity.conf b/mkosi.presets/20-final/mkosi.repart/11-usr-verity.conf
deleted file mode 100644
index b4d45dd7ef..0000000000
--- a/mkosi.presets/20-final/mkosi.repart/11-usr-verity.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=usr-verity
-Verity=hash
-VerityMatchKey=usr
-Minimize=yes
diff --git a/mkosi.presets/20-final/mkosi.repart/12-usr-verity-sig.conf b/mkosi.presets/20-final/mkosi.repart/12-usr-verity-sig.conf
deleted file mode 100644
index 1841d0a6db..0000000000
--- a/mkosi.presets/20-final/mkosi.repart/12-usr-verity-sig.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[Partition]
-Type=usr-verity-sig
-Verity=signature
-VerityMatchKey=usr
diff --git a/mkosi.presets/base/mkosi.build b/mkosi.presets/base/mkosi.build
new file mode 100755
index 0000000000..d75f1425a5
--- /dev/null
+++ b/mkosi.presets/base/mkosi.build
@@ -0,0 +1,234 @@ +#!/bin/bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +# This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi). +# Simply invoke "mkosi" in the project directory to build an OS image. + +if [ "${container:-}" != "mkosi" ]; then + exec mkosi-chroot "$SCRIPT" "$@" +fi + +# We don't want to install our build of systemd in the base image, but use it as an extra tree for the +# initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as +# an extra tree in the initrd and system image builds. +DESTDIR="$OUTPUTDIR/systemd" + +# If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it +# as out-of-tree build dir. Otherwise, let's make up our own builddir. +[ -z "$BUILDDIR" ] && BUILDDIR="$PWD"/build + +# Let's make sure we're using stuff from the build directory first if available there. +PATH="$BUILDDIR:$PATH" +export PATH + +# The bpftool script shipped by Ubuntu tries to find the actual program to run via querying `uname -r` and +# using the current kernel version. This obviously doesn't work in containers. As a workaround, we override +# the ubuntu script with a symlink to the first bpftool program we can find. +for bpftool in /usr/lib/linux-tools/*/bpftool; do + [ -x "$bpftool" ] || continue + ln -sf "$bpftool" "$BUILDDIR"/bpftool + break +done + +# CentOS Stream 8 includes bpftool 4.18.0 which is lower than what we need. However, they've backported the +# specific feature we need ("gen skeleton") to this version, so we replace bpftool with a script that reports +# version 5.6.0 to satisfy meson which makes bpf work on CentOS Stream 8 as well. +. /usr/lib/os-release +if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then + cat >"$BUILDDIR"/bpftool </. + # It is important to use the right one especially for cryptsetup plugins, otherwise they will be + # installed in the wrong directory and not be found by cryptsetup. 
Assume native build. + if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then + CONFIGURE_OPTS+=( + -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)" + -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security" + ) + fi + + # Set various uids and gids for which Fedora has "soft static" allocations. + # Without this, we would get warning about mismatched sysusers.d entries + # between the files that we and Fedora's setup package install. + if grep -q '^ID=fedora' /usr/lib/os-release; then + CONFIGURE_OPTS+=( + -Dadm-gid=4 + -Daudio-gid=63 + -Dcdrom-gid=11 + -Ddialout-gid=18 + -Ddisk-gid=6 + -Dinput-gid=104 + -Dkmem-gid=9 + -Dkvm-gid=36 + -Dlp-gid=7 + -Drender-gid=105 + -Dsgx-gid=106 + -Dtape-gid=33 + -Dtty-gid=5 + -Dusers-gid=100 + -Dutmp-gid=22 + -Dvideo-gid=39 + -Dwheel-gid=10 + -Dsystemd-journal-gid=190 + -Dsystemd-network-uid=192 + -Dsystemd-resolve-uid=193 + ) + fi + + if grep -q '^ID="opensuse' /usr/lib/os-release; then + CONFIGURE_OPTS+=( + -Dbpf-compiler=gcc + ) + fi + + ( set -x; meson setup "$BUILDDIR" "${CONFIGURE_OPTS[@]}" ) +fi + +( set -x; ninja -C "$BUILDDIR" "$@" ) +if [ "$WITH_TESTS" = 1 ]; then + if [ -n "$SANITIZERS" ]; then + export ASAN_OPTIONS="$MKOSI_ASAN_OPTIONS" + export UBSAN_OPTIONS="$MKOSI_UBSAN_OPTIONS" + TIMEOUT_MULTIPLIER=3 + else + TIMEOUT_MULTIPLIER=1 + fi + + ( set -x; meson test -C "$BUILDDIR" --print-errorlogs --timeout-multiplier=$TIMEOUT_MULTIPLIER ) +fi + +( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed ) + +# Ensure that side-loaded PE addons are loaded if signed, and ignored if not +if [ -d "${DESTDIR}/boot/loader" ]; then + addons_dir="${DESTDIR}/boot/loader/addons" +elif [ -d "${DESTDIR}/efi/loader" ]; then + addons_dir="${DESTDIR}/efi/loader/addons" +fi +if [ -n "${addons_dir}" ]; then + mkdir -p "${addons_dir}" + ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt 
--cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
+ ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
+fi
diff --git a/mkosi.presets/base/mkosi.conf b/mkosi.presets/base/mkosi.conf
new file mode 100644
index 0000000000..eb67bfcf62
--- /dev/null
+++ b/mkosi.presets/base/mkosi.conf
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+CleanPackageMetadata=no
+Packages=
+ kmod
+ less
+ util-linux
+
+BuildPackages=
+ acl
+ diffutils
+ gawk
+ binutils
+ clang
+ gettext
+ git
+ gperf
+ grep
+ lld
+ llvm
+ make
+ meson
+ pkgconf
+ rsync
+ sed
+ tar
+ zstd
diff --git a/mkosi.presets/base/mkosi.conf.d/10-arch.conf b/mkosi.presets/base/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000000..7ab0c712ae
--- /dev/null
+++ b/mkosi.presets/base/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ cryptsetup
+ dbus
+ gnutls
+ libbpf
+ libfido2
+ libmicrohttpd
+ libnftnl
+ libpwquality
+ libseccomp
+ libxkbcommon
+ openssl
+ qrencode
+ tpm2-tss
+
+BuildPackages=
+ bpf
+ docbook-xsl
+ glib2
+ libxslt
+ linux-api-headers
+ python
+ python-jinja
+ python-lxml
+ python-pefile
+ python-pyelftools
diff --git a/mkosi.presets/base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.presets/base/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000000..4dec24cc20
--- /dev/null
+++ b/mkosi.presets/base/mkosi.conf.d/10-centos-fedora.conf
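Review bot: The addon block at the end of base/mkosi.build installs an unsigned `bad.addon.efi` to show that unsigned addons are ignored, but nothing visible in this commit asserts that outcome: in the mkosi-check-and-shutdown.sh removed from 20-final, both `grep -q this_should_be_here /proc/cmdline` and the `this_should_not_be_here` check are commented out behind a TODO. If the copy moved to the system preset carries them over unchanged, a regression in addon signature verification would still pass CI, so I would add a comment above the two `ukify` calls such as `# NOTE: the /proc/cmdline assertions in mkosi-check-and-shutdown.sh are disabled, so these addons are not verified yet`. Separately, `command -v dpkg 2>/dev/null` in the Debian branch of the same hunk prints the resolved path to stdout; `command -v dpkg >/dev/null 2>&1` keeps the build log clean.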
@@ -0,0 +1,75 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ audit-libs
+ cryptsetup-libs
+ gnutls
+ libasan
+ libbpf
+ libfido2
+ libgcrypt
+ libmicrohttpd
+ libnftnl
+ libubsan
+ libxcrypt
+ libxkbcommon
+ openssl-libs
+ qrencode-libs
+ tpm2-tss
+ util-linux
+
+BuildPackages=
+ /usr/bin/pkg-config
+ bpftool
+ docbook-xsl
+ findutils
+ libgcrypt-devel # CentOS Stream 8 libgcrypt-devel doesn't ship a pkg-config file.
+ libxslt
+ pam-devel
+ pkgconfig(audit)
+ pkgconfig(blkid)
+ pkgconfig(bzip2)
+ pkgconfig(dbus-1)
+ pkgconfig(fdisk)
+ pkgconfig(glib-2.0)
+ pkgconfig(gnutls)
+ pkgconfig(libacl)
+ pkgconfig(libbpf)
+ pkgconfig(libcap)
+ pkgconfig(libcryptsetup)
+ pkgconfig(libcurl)
+ pkgconfig(libdw)
+ pkgconfig(libfido2)
+ pkgconfig(libidn2)
+ pkgconfig(libkmod)
+ pkgconfig(libmicrohttpd)
+ pkgconfig(libnftnl)
+ pkgconfig(libpcre2-8)
+ pkgconfig(libqrencode)
+ pkgconfig(libseccomp)
+ pkgconfig(libselinux)
+ pkgconfig(libzstd)
+ pkgconfig(mount)
+ pkgconfig(numa)
+ pkgconfig(openssl)
+ pkgconfig(openssl)
+ pkgconfig(p11-kit-1)
+ pkgconfig(pwquality)
+ pkgconfig(tss2-esys)
+ pkgconfig(tss2-mu)
+ pkgconfig(tss2-rc)
+ pkgconfig(tss2-tcti-device)
+ pkgconfig(valgrind)
+ pkgconfig(xkbcommon)
+ python3
+ python3dist(jinja2)
+ python3dist(lxml)
+ python3dist(pefile)
+ python3dist(pyelftools)
+ python3dist(pytest)
+ rpm
diff --git a/mkosi.presets/base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.presets/base/mkosi.conf.d/10-debian-ubuntu.conf
new file mode 100644
index 0000000000..5550511cf2
--- /dev/null
+++ b/mkosi.presets/base/mkosi.conf.d/10-debian-ubuntu.conf
@@ -0,0 +1,68 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ dmsetup
+ libapparmor1
+ libfdisk1
+ libfido2-1
+ libglib2.0-0
+ libgnutls30
+ libidn2-0
+ libmicrohttpd12
+ libnftnl11
+ libp11-kit0
+ libpam0g
+ libpwquality1
+ libqrencode4
+ libssl3
+ libtss2-dev # Use the -dev package to avoid churn in updating version numbers
+ tzdata
+
+BuildPackages=
+ docbook-xsl
+ dpkg-dev
+ g++
+ libacl1-dev
+ libapparmor-dev
+ libaudit-dev
+ libblkid-dev
+ libbpf-dev
+ libbz2-dev
+ libcap-dev
+ libcryptsetup-dev
+ libcurl4-openssl-dev
+ libdbus-1-dev
+ libdw-dev
+ libfdisk-dev
+ libfido2-dev
+ libgcrypt20-dev
+ libglib2.0-dev
+ libgnutls28-dev
+ libidn2-dev
+ libiptc-dev
+ libkmod-dev
+ libmicrohttpd-dev
+ libmount-dev
+ libnftnl-dev
+ libp11-kit-dev
+ libpam0g-dev
+ libpwquality-dev
+ libqrencode-dev
+ libseccomp-dev
+ libsmartcols-dev
+ libssl-dev
+ libxen-dev
+ libxkbcommon-dev
+ libzstd-dev
+ python3
+ python3-jinja2
+ python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
+ xsltproc
diff --git a/mkosi.presets/base/mkosi.conf.d/10-debian.conf b/mkosi.presets/base/mkosi.conf.d/10-debian.conf
new file mode 100644
index 0000000000..020b02b61c
--- /dev/null
+++ b/mkosi.presets/base/mkosi.conf.d/10-debian.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Content]
+Packages=
+ libbpf1
+
+BuildPackages=
+ bpftool
diff --git a/mkosi.presets/base/mkosi.conf.d/10-fedora.conf b/mkosi.presets/base/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000000..9c4c12423c
--- /dev/null
+++ b/mkosi.presets/base/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Packages=
+ python3dist(pytest-flakes)
+
+BuildPackages=
+ pkgconfig(xencontrol)
diff --git a/mkosi.presets/base/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/base/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000000..ec91b4901f
--- /dev/null
+++ b/mkosi.presets/base/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,91 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+# We install gawk, gzip, grep, xz, sed, rsync and docbook-xsl-stylesheets here explicitly so that the busybox
+# versions don't get installed instead.
+Packages=
+ device-mapper
+ distribution-release
+ docbook-xsl-stylesheets
+ gawk
+ grep
+ gzip
+ libbpf1
+ libcrypt1
+ libcryptsetup12
+ libdw1
+ libelf1
+ libfido2
+ libgcrypt20
+ libglib-2_0-0
+ libkmod2
+ libmount1
+ libnftnl11
+ libopenssl3
+ libp11-kit0
+ libqrencode4
+ libseccomp2
+ libtss2-esys0
+ libtss2-mu0
+ libtss2-rc0
+ libtss2-tcti-device0
+ libxkbcommon0
+ libzstd1
+ pam
+ rsync
+ sed
+ shadow
+ tpm2-0-tss
+ xz
+
+BuildPackages=
+ audit-devel
+ bpftool
+ cross-bpf-gcc13
+ dbus-1-devel
+ fdupes
+ gcc-c++
+ glib2-devel
+ glibc-locale
+ intltool
+ libacl-devel
+ libapparmor-devel
+ libblkid-devel
+ libbpf-devel
+ libcap-devel
+ libcryptsetup-devel
+ libcurl-devel
+ libdw-devel
+ libelf-devel
+ libfdisk-devel
+ libfido2-devel
+ libgcrypt-devel
+ libgnutls-devel
+ libkmod-devel
+ libmicrohttpd-devel
+ libmount-devel
+ libnftnl-devel
+ libpwquality-devel
+ libseccomp-devel
+ libselinux-devel
+ libxkbcommon-devel
+ libxslt-tools
+ libzstd-devel
+ openssl-devel
+ pam-devel
+ pciutils-devel
+ python3
+ python3-Jinja2
+ python3-lxml
+ python3-pefile
+ python3-pyelftools
+ python3-pytest
+ python3-pytest-flakes
+ qrencode-devel
+ shadow
+ timezone
+ tpm2-0-tss-devel
+ xen-devel
diff --git a/mkosi.presets/base/mkosi.conf.d/10-ubuntu.conf b/mkosi.presets/base/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000000..717809fd03
--- /dev/null
+++ b/mkosi.presets/base/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ libbpf0
+
+BuildPackages=
+ linux-tools-common
+ linux-tools-generic
diff --git a/mkosi.presets/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.presets/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
new file mode 100644
index 0000000000..070af4c67a
--- /dev/null
+++ b/mkosi.presets/base/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# mkosi adds its own ssh units via the --ssh switch so disable the default ones.
+disable ssh.service
+disable sshd.service
+
+# These are started manually in integration tests so don't start them by default.
+disable dnsmasq.service
+disable isc-dhcp-server.service
+disable isc-dhcp-server6.service
+
+# Pulled in via dracut-network by kexec-tools on Fedora.
+disable NetworkManager*
+
+# Make sure dbus-broker is started by default on Debian/Ubuntu.
+enable dbus-broker.service
+
+# systemd-networkd is disabled by default on Fedora so make sure it is enabled.
+enable systemd-networkd.service
+enable systemd-networkd-wait-online.service
+
+# We install dnf in some images but it's only going to be used rarely,
+# so let's not have dnf create its cache.
+disable dnf-makecache.*
+
+# We have journald to receive audit data so let's make sure we're not running auditd as well
+disable auditd.service
+
+# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
+enable systemd-timesyncd.service
diff --git a/mkosi.presets/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset b/mkosi.presets/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
new file mode 100644
index 0000000000..710ee7c6f9
--- /dev/null
+++ b/mkosi.presets/base/mkosi.extra/usr/lib/systemd/system-preset/99-mkosi.preset
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Make sure that services are disabled by default (primarily for Debian/Ubuntu).
+disable *
diff --git a/mkosi.presets/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf b/mkosi.presets/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
new file mode 100644
index 0000000000..e1a8e8171a
--- /dev/null
+++ b/mkosi.presets/base/mkosi.extra/usr/lib/tmpfiles.d/locale.conf
@@ -0,0 +1 @@
+L /etc/default/locale - - - - ../locale.conf
diff --git a/mkosi.presets/initrd/mkosi.conf b/mkosi.presets/initrd/mkosi.conf
new file mode 100644
index 0000000000..78d55ba7cb
--- /dev/null
+++ b/mkosi.presets/initrd/mkosi.conf
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Bootable=|auto
+Bootable=|yes
+
+[Preset]
+Dependencies=base
+
+[Output]
+Format=cpio
+
+[Content]
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+MakeInitrd=yes
+Packages=
+ systemd
+ udev
+
+# Arch Linux doesn't split their gcc-libs package so we manually remove unneeded stuff here to make sure it
+# doesn't end up in the initrd.
+RemoveFiles=
+ /usr/lib/libgfortran.so*
+ /usr/lib/libgo.so*
+ /usr/lib/libgomp.so*
+ /usr/lib/libgphobos.so*
+ /usr/lib/libobjc.so*
+ /usr/lib/libstdc++.so*
diff --git a/mkosi.presets/initrd/mkosi.conf.d/10-centos.conf b/mkosi.presets/initrd/mkosi.conf.d/10-centos.conf
new file mode 100644
index 0000000000..3f92e52300
--- /dev/null
+++ b/mkosi.presets/initrd/mkosi.conf.d/10-centos.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Output]
+# TODO: Switch to zstd once we stop building CentOS Stream 8.
+CompressOutput=xz
+
+[Content]
+Packages=xfsprogs
+ tpm2-tools
diff --git a/mkosi.presets/initrd/mkosi.conf.d/10-default.conf b/mkosi.presets/initrd/mkosi.conf.d/10-default.conf
new file mode 100644
index 0000000000..9224b92dd0
--- /dev/null
+++ b/mkosi.presets/initrd/mkosi.conf.d/10-default.conf
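Review bot: `ExtraTrees=../../mkosi.output/base-systemd` in initrd/mkosi.conf does not obviously match where the base preset puts its build, since base/mkosi.build in this commit sets `DESTDIR="$OUTPUTDIR/systemd"`. Whether the two resolve to the same directory depends on how mkosi sets `$OUTPUTDIR` for a preset, which the diff does not show; if they differ, the initrd would presumably be assembled from the distribution `systemd` listed under `Packages=` rather than from the tree under test. A one-line comment above the setting naming the producer, for example `# Written by base/mkosi.build via DESTDIR=`, would let the next reader check this. The same `ExtraTrees=` value appears in system/mkosi.conf.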
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=!centos
+Distribution=!opensuse
+
+[Output]
+CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
+ tpm2-tools
diff --git a/mkosi.presets/initrd/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/initrd/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000000..5cf2df397e
--- /dev/null
+++ b/mkosi.presets/initrd/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Output]
+CompressOutput=zst
+
+[Content]
+Packages=btrfs-progs
+ tpm2.0-tools
diff --git a/mkosi.presets/initrd/mkosi.postinst b/mkosi.presets/initrd/mkosi.postinst
new file mode 100755
index 0000000000..6782ddd5fa
--- /dev/null
+++ b/mkosi.presets/initrd/mkosi.postinst
@@ -0,0 +1,11 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "${container:-}" != "mkosi" ]; then
+ exec mkosi-chroot "$SCRIPT" "$@"
+fi
+
+# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
+# See https://github.com/openSUSE/suse-module-tools/pull/71
+rm -f /usr/lib/modprobe.d/60-blacklist_fs-erofs.conf
diff --git a/mkosi.presets/system/mkosi.conf b/mkosi.presets/system/mkosi.conf
new file mode 100644
index 0000000000..aab7a13dbc
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf
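Review bot: The `rm -f /usr/lib/modprobe.d/60-blacklist_fs-erofs.conf` at the end of initrd/mkosi.postinst removes a distribution hardening default, and the comment above it only records that openSUSE considers erofs legacy. Filesystem-module blacklists of this kind keep rarely used parsers from being autoloaded, so the comment should say why this image needs the exception, presumably because /usr is built as erofs (the 10-usr.conf removed from 20-final had `Format=erofs`), for example `# /usr is an erofs image, so the initrd must be able to load erofs; only this one blacklist entry is dropped.`. The script also runs for every distribution; `rm -f` makes that harmless, and saying so in the comment would answer the question before it is asked.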
@@ -0,0 +1,48 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Preset]
+Dependencies=base
+ initrd
+
+[Content]
+Autologin=yes
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+ExtraTrees=../../src:/root/src
+Initrds=../../mkosi.output/initrd
+Packages=
+ acl
+ bash-completion
+ coreutils
+ diffutils
+ dnsmasq
+ dosfstools
+ e2fsprogs
+ findutils
+ gcc # Sanitizer libraries
+ gdb
+ grep
+ kbd
+ kexec-tools
+ less
+ mtools
+ nano
+ nftables
+ openssl
+ qrencode
+ sed
+ socat
+ strace
+ systemd
+ tmux
+ tree
+ udev
+ util-linux
+ valgrind
+ wireguard-tools
+ xfsprogs
+ zsh
+
+[Validation]
+SecureBoot=yes
+SignExpectedPcr=yes
diff --git a/mkosi.presets/system/mkosi.conf.d/10-arch.conf b/mkosi.presets/system/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000000..0b15677ff2
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ bpf
+ btrfs-progs
+ compsize
+ dhcp
+ f2fs-tools
+ glib2
+ iproute
+ linux
+ man-db
+ openbsd-netcat
+ openssh
+ polkit
+ python-pefile
+ python-psutil
+ python-pytest
+ python3
+ quota-tools
+ shadow
+ vim
diff --git a/mkosi.presets/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.presets/system/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000000..ad77a2b8d4
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ bpftool
+ cryptsetup
+ dhcp-server
+ dnf
+ glib2
+ iproute
+ iproute-tc
+ kernel-core
+ kernel-modules # For squashfs support
+ libcap-ng-utils
+ netcat
+ openssh-server
+ p11-kit
+ pam
+ passwd
+ polkit
+ procps-ng
+ python3
+ python3dist(pefile)
+ python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason.
+ python3dist(psutil)
+ python3dist(pytest)
+ quota
+ vim-common
diff --git a/mkosi.presets/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.presets/system/mkosi.conf.d/10-centos/mkosi.conf
new file mode 100644
index 0000000000..af4862d4b1
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
diff --git a/mkosi.presets/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.presets/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
new file mode 100644
index 0000000000..99b846d3a8
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support btrfs so we use xfs instead.
+[Partition]
+Format=xfs
diff --git a/mkosi.presets/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.presets/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
new file mode 100644
index 0000000000..393d5f038c
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support erofs so we use squashfs instead.
+[Partition]
+Format=squashfs
diff --git a/mkosi.presets/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.presets/system/mkosi.conf.d/10-debian-ubuntu.conf
new file mode 100644
index 0000000000..588f833c8f
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-debian-ubuntu.conf
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ apt
+ btrfs-progs
+ cryptsetup-bin
+ dbus-broker
+ default-dbus-session-bus
+ f2fs-tools
+ fdisk
+ iproute2
+ isc-dhcp-server
+ libcap-ng-utils
+ netcat-openbsd
+ openssh-server
+ passwd
+ policykit-1
+ procps
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ xxd
diff --git a/mkosi.presets/system/mkosi.conf.d/10-debian.conf b/mkosi.presets/system/mkosi.conf.d/10-debian.conf
new file mode 100644
index 0000000000..d4cd53e6f2
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-debian.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+
+[Content]
+Packages=
+ bpftool
+ linux-image-cloud-amd64
diff --git a/mkosi.presets/system/mkosi.conf.d/10-fedora.conf b/mkosi.presets/system/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000000..42d0093a89
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Packages=
+ btrfs-progs
+ compsize
+ f2fs-tools
diff --git a/mkosi.presets/system/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/system/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000000..60a2b6dbfc
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+ bpftool
+ btrfs-progs
+ cryptsetup
+ dbus-broker
+ f2fs-tools
+ glibc-locale-base
+ kernel-kvmsmall
+ libcap-ng-utils
+ openssh-server
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ shadow
+ vim
diff --git a/mkosi.presets/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.presets/system/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000000..3290987824
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ # We would like to use linux-image-kvm but it does not have support for dm-verity
+ # See https://bugs.launchpad.net/ubuntu/+source/linux-meta-kvm/+bug/2019040.
+ linux-image-generic
+ linux-tools-common
+ linux-tools-generic
diff --git a/mkosi.presets/system/mkosi.conf.d/20-kernel-arch.conf b/mkosi.presets/system/mkosi.conf.d/20-kernel-arch.conf
new file mode 100644
index 0000000000..c97f5deff2
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/20-kernel-arch.conf
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=arch
+
+[Content]
+Packages=
+ alsa-lib
+ fuse2
+ libcap
+ libcap-ng
+ libelf
+ libmnl
+ numactl
+ popt
+
+BuildPackages=
+ pahole
+ python-docutils
diff --git a/mkosi.presets/system/mkosi.conf.d/20-kernel-centos-fedora.conf b/mkosi.presets/system/mkosi.conf.d/20-kernel-centos-fedora.conf
new file mode 100644
index 0000000000..14b18727ef
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/20-kernel-centos-fedora.conf
@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ alsa-lib
+ elfutils-libelf
+ fuse
+ glibc.i686
+ libcap
+ libcap-ng
+ libcap-ng-utils
+ libmnl
+ numactl-libs
+ popt
+
+BuildPackages=
+ dwarves
+ glibc-devel.i686
+ glibc-static
+ glibc-static.i686
+ pkgconfig(alsa)
+ pkgconfig(fuse)
+ pkgconfig(libcap-ng)
+ pkgconfig(libcap)
+ pkgconfig(libelf)
+ pkgconfig(libmnl)
+ pkgconfig(numa)
+ pkgconfig(openssl)
+ pkgconfig(popt)
+ python3-docutils
diff --git a/mkosi.presets/system/mkosi.conf.d/20-kernel-debian-ubuntu.conf b/mkosi.presets/system/mkosi.conf.d/20-kernel-debian-ubuntu.conf
new file mode 100644
index 0000000000..f9413f1da6
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/20-kernel-debian-ubuntu.conf
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ fuse
+ libasound2
+ libc6-i386
+ libcap-ng0
+ libcap2
+ libelf1
+ libmnl0
+ libnuma1
+ libpopt0
+
+BuildPackages=
+ gcc-multilib
+ libasound-dev
+ libc6-dev
+ libc6-dev-i686
+ libcap-ng-dev
+ libcap-dev
+ libelf-dev
+ libfuse-dev
+ libmnl-dev
+ libnuma-dev
+ libpopt-dev
+ pahole
+ python3-docutils
diff --git a/mkosi.presets/system/mkosi.conf.d/20-kernel-fedora.conf b/mkosi.presets/system/mkosi.conf.d/20-kernel-fedora.conf
new file mode 100644
index 0000000000..97091859d1
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/20-kernel-fedora.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=fedora
+
+[Content]
+BuildPackages=
+ libcap-static
diff --git a/mkosi.presets/system/mkosi.conf.d/20-kernel-opensuse.conf b/mkosi.presets/system/mkosi.conf.d/20-kernel-opensuse.conf
new file mode 100644
index 0000000000..6d25af5af2
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/20-kernel-opensuse.conf
@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+Distribution=opensuse
+
+[Content]
+Packages=
+ fuse
+ glibc-32bit
+ libasound2
+ libcap-ng0
+ libcap2
+ libelf1
+ libmnl0
+ libnuma1
+ libpopt0
+
+BuildPackages=
+ alsa-devel
+ dwarves
+ fuse-devel
+ gcc-32bit
+ glibc-devel-32bit
+ glibc-devel-static-32bit
+ glibc-static
+ libcap-devel
+ libcap-ng-dev
+ libelf-devel
+ liblz4-dev
+ libmnl-dev
+ libnuma-devel
+ pcre-devel
+ popt-devel
+ python3-docutils
diff --git a/mkosi.presets/system/mkosi.conf.d/20-kernel.conf b/mkosi.presets/system/mkosi.conf.d/20-kernel.conf
new file mode 100644
index 0000000000..838ab005c8
--- /dev/null
+++ b/mkosi.presets/system/mkosi.conf.d/20-kernel.conf
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+PathExists=../../mkosi.kernel/
+
+[Content]
+BuildScript=mkosi.kernel.build
+BuildSources=../..
+BuildPackages=
+ bc
+ binutils
+ bison
+ clang
+ flex
+ gcc
+ lld
+ llvm
+ make
+ make
+ rsync
+ tar
diff --git a/mkosi.presets/system/mkosi.extra/etc/issue b/mkosi.presets/system/mkosi.extra/etc/issue
new file mode 100644
index 0000000000..6aa6fc0ec0
--- /dev/null
+++ b/mkosi.presets/system/mkosi.extra/etc/issue
@@ -0,0 +1,2 @@
+\S (built from systemd tree)
+Kernel \r on an \m (\l)
diff --git a/mkosi.presets/system/mkosi.extra/root/.gdbinit b/mkosi.presets/system/mkosi.extra/root/.gdbinit
new file mode 100644
index 0000000000..1a2163e3a5
--- /dev/null
+++ b/mkosi.presets/system/mkosi.extra/root/.gdbinit
@@ -0,0 +1,3 @@
+set debuginfod enabled off
+set build-id-verbose 0
+set substitute-path ../src /root/src
diff --git a/mkosi.presets/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.presets/system/mkosi.extra/usr/lib/repart.d/20-root.conf
new file mode 100644
index 0000000000..2f92af248f
--- /dev/null
+++ b/mkosi.presets/system/mkosi.extra/usr/lib/repart.d/20-root.conf
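Review bot: Three entries under BuildPackages= in 20-kernel-opensuse.conf (`libcap-ng-dev`, `liblz4-dev`, `libmnl-dev`) use the Debian-style `-dev` suffix, while every other build dependency in the same list uses `-devel`. If those names do not resolve on openSUSE, the kernel preset either fails at package installation or is built without the library, depending on how the package manager treats unknown names. I would expect `libcap-ng-devel`, `liblz4-devel` and `libmnl-devel`; please confirm against the distribution's repository.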
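Review bot: `make` is listed twice in BuildPackages= of 20-kernel.conf; the second entry is redundant and can be dropped. Because this file applies on every distribution whenever `../../mkosi.kernel/` exists, a comment above the list would help readers, for example `# Distribution-independent kernel build tools; per-distro libraries live in 20-kernel-<distro>.conf`.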
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
diff --git a/mkosi.presets/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.presets/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
new file mode 100644
index 0000000000..2f953290d3
--- /dev/null
+++ b/mkosi.presets/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
+# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
+# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
+# Storage= to persistent to have systemd-journald create /var/log/journal itself.
+[Journal]
+Storage=persistent
diff --git a/mkosi.presets/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.presets/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
new file mode 100755
index 0000000000..9bb246263e
--- /dev/null
+++ b/mkosi.presets/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eux
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# TODO: Figure out why this is failing
+systemctl reset-failed systemd-vconsole-setup.service
+
+systemctl --failed --no-legend | tee /failed-services
+
+# Check that secure boot keys were properly enrolled.
+if ! systemd-detect-virt --container; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+ # TODO: Figure out why this is failing
+ # grep -q this_should_be_here /proc/cmdline
+ # grep -q this_should_not_be_here /proc/cmdline && exit 1
+fi
+
+# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
+[[ ! -s /failed-services ]]
diff --git a/mkosi.presets/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.presets/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
new file mode 100644
index 0000000000..7942cbfa77
--- /dev/null
+++ b/mkosi.presets/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Check if any service failed and then shutdown the machine
+After=multi-user.target network-online.target
+Requires=multi-user.target
+Wants=systemd-resolved.service systemd-networkd.service network-online.target
+SuccessAction=exit
+FailureAction=exit
+# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
+# host.
+SuccessActionExitStatus=123
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
diff --git a/mkosi.presets/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.presets/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
new file mode 100644
index 0000000000..dac79ba4ed
--- /dev/null
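Review bot: The failed-unit check in mkosi-check-and-shutdown.sh can pass when it should not, because the shebang enables `-eux` but not `pipefail`. In `systemctl --failed --no-legend | tee /failed-services`, a failing `systemctl` is masked by the exit status of `tee`, so /failed-services stays empty and the final `[[ ! -s /failed-services ]]` succeeds. Adding `set -o pipefail` directly below the shebang makes that case fail closed. The Secure Boot `cmp` checks run on every non-container boot, so a one-line comment stating whether a missing efivars file (non-UEFI boot) is intended to fail the run would document the expectation, e.g. `# Non-container boots must be UEFI with Secure Boot enforced; anything else fails the run`.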
+++ b/mkosi.presets/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.presets/system/mkosi.finalize b/mkosi.presets/system/mkosi.finalize
new file mode 100755
index 0000000000..74b810c152
--- /dev/null
+++ b/mkosi.presets/system/mkosi.finalize
@@ -0,0 +1,4 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
diff --git a/mkosi.presets/system/mkosi.kernel.build b/mkosi.presets/system/mkosi.kernel.build
new file mode 100755
index 0000000000..64cc48863f
--- /dev/null
+++ b/mkosi.presets/system/mkosi.kernel.build
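Review bot: mkosi.finalize expands `$BUILDROOT` without a guard and has no `set -e`, so if the variable is ever empty or unset the `cp` operates on `/etc` and `/usr/share/factory/mkosi` of whatever environment runs the script. Writing the two operands as `"${BUILDROOT:?}"/etc` and `"${BUILDROOT:?}"/usr/share/factory/mkosi` makes the script abort instead. The copy also places the whole of /etc under /usr, from where the tmpfiles line `C+! /etc - - - - /usr/share/factory/mkosi` restores it on boot. If the assumption is that /etc holds no per-machine secrets (host keys, password hashes) at finalize time, a comment above the `cp` saying so would make that explicit.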
@@ -0,0 +1,37 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "${container:-}" != "mkosi" ]; then
+ exec mkosi-chroot "$SCRIPT" "$@"
+fi
+
+if [ -d "$SRCDIR"/mkosi.kernel/ ]; then
+ SRCDIR="$SRCDIR/mkosi.kernel"
+ BUILDDIR="$BUILDDIR/mkosi.kernel"
+ cd "$SRCDIR"
+ mkdir -p "$BUILDDIR"
+
+ # Ensure fast incremental builds by fixating these values which usually change for each build.
+ export KBUILD_BUILD_TIMESTAMP="Fri Jun 5 15:58:00 CEST 2015"
+ export KBUILD_BUILD_HOST="mkosi"
+
+ scripts/kconfig/merge_config.sh -O "$BUILDDIR" \
+ ../mkosi.kernel.config \
+ tools/testing/selftests/bpf/config.x86_64 \
+ tools/testing/selftests/bpf/config
+
+ # Make sure systemd-boot boots this kernel and not the distro provided one by overriding the version.
+ make O="$BUILDDIR" VERSION=99 -j "$(nproc)"
+ make O="$BUILDDIR" VERSION=99 -j "$(nproc)" headers
+
+ KERNEL_RELEASE=$(make O="$BUILDDIR" VERSION=99 -s kernelrelease)
+ mkdir -p "$DESTDIR/usr/lib/modules/$KERNEL_RELEASE"
+ make O="$BUILDDIR" VERSION=99 INSTALL_MOD_PATH="$DESTDIR/usr" modules_install
+ make O="$BUILDDIR" VERSION=99 INSTALL_PATH="$DESTDIR/usr/lib/modules/$KERNEL_RELEASE" install
+ mkdir -p "$DESTDIR/usr/lib/kernel/selftests"
+ make -C tools/testing/selftests -j "$(nproc)" O="$BUILDDIR" VERSION=99 KSFT_INSTALL_PATH="$DESTDIR/usr/lib/kernel/selftests" SKIP_TARGETS="" install
+
+ mkdir -p "$DESTDIR"/usr/bin
+ ln -sf /usr/lib/kernel/selftests/bpf/bpftool "$DESTDIR/usr/bin/bpftool"
+fi
diff --git a/mkosi.presets/system/mkosi.postinst b/mkosi.presets/system/mkosi.postinst
new file mode 100755
index 0000000000..663fa5c762
--- /dev/null
+++ b/mkosi.presets/system/mkosi.postinst
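Review bot: mkosi.kernel.build depends on `$SRCDIR`, `$BUILDDIR`, `$DESTDIR` and `$SCRIPT` being set but enables only `set -e`. With an empty `$DESTDIR`, the `modules_install`, `install` and `ln -sf` steps would write under `/usr` of the environment running the build instead of the staging tree. Changing the third line to `set -eu` turns a missing variable into an immediate error, and the existing `${container:-}` test already tolerates `-u`. The merge step also hard-codes `tools/testing/selftests/bpf/config.x86_64`, so a comment such as `# x86-64 only: the bpf selftest config fragment is architecture specific` above `merge_config.sh` would tell readers the preset is not portable as written.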
@@ -0,0 +1,89 @@ +#!/bin/sh +# SPDX-License-Identifier: LGPL-2.1-or-later +set -e + +if [ "$1" = "build" ]; then + exit 0 +fi + +if [ "${container:-}" != "mkosi" ]; then + exec mkosi-chroot "$SCRIPT" "$@" +fi + +if [ -n "$SANITIZERS" ]; then + LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}') + + mkdir -p /etc/systemd/system.conf.d + + cat >/etc/systemd/system.conf.d/10-asan.conf </etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf </etc/systemd/system/console-getty.service.d/10-no-vhangup.conf < 50s when built with sanitizers so let's not run it by default. + systemctl mask systemd-hwdb-update.service +fi + +if [ -n "$IMAGE_ID" ] ; then + sed -n \ + -i \ + -e '/^IMAGE_ID=/!p' \ + -e "\$aIMAGE_ID=$IMAGE_ID" \ + /usr/lib/os-release +fi + +if [ -n "$IMAGE_VERSION" ] ; then + sed -n \ + -i \ + -e '/^IMAGE_VERSION=/!p' \ + -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \ + /usr/lib/os-release +fi + +if command -v authselect >/dev/null; then + authselect select minimal + + if authselect list-features minimal | grep -q "with-homed"; then + authselect enable-feature with-homed + fi +fi + +# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that +# if that's the case. +mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf +rm -f /etc/resolv.conf + +. /usr/lib/os-release + +if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then + alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1 + alternatives --set python3 /usr/bin/python3.9 +fi diff --git a/mkosi.presets/system/mkosi.repart/00-esp.conf b/mkosi.presets/system/mkosi.repart/00-esp.conf new file mode 100644 index 0000000000..96b292ecb8 --- /dev/null +++ b/mkosi.presets/system/mkosi.repart/00-esp.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=esp +Format=vfat +CopyFiles=/efi:/ +SizeMinBytes=512M +SizeMaxBytes=512M 
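Review bot: In mkosi.postinst, `IMAGE_ID` and `IMAGE_VERSION` are spliced unquoted into the sed program (`-e "\$aIMAGE_ID=$IMAGE_ID"`) and so into /usr/lib/os-release, which the same script sources further down with `. /usr/lib/os-release`. A value containing whitespace, a backslash or shell metacharacters therefore changes what sed appends or what the shell evaluates when the file is sourced. Validating both values before the edits closes this, e.g. `case "$IMAGE_ID$IMAGE_VERSION" in *[!A-Za-z0-9._-]*) echo "invalid IMAGE_ID/IMAGE_VERSION" >&2; exit 1 ;; esac` (widen the class if the project's version strings need more characters). Both values come from the build configuration, so this is hardening rather than a reachable bug. The here-documents earlier in this hunk are not fully visible in this view and are not covered by this comment.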
diff --git a/mkosi.presets/system/mkosi.repart/10-usr.conf b/mkosi.presets/system/mkosi.repart/10-usr.conf
new file mode 100644
index 0000000000..343761d097
--- /dev/null
+++ b/mkosi.presets/system/mkosi.repart/10-usr.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.presets/system/mkosi.repart/11-usr-verity.conf b/mkosi.presets/system/mkosi.repart/11-usr-verity.conf
new file mode 100644
index 0000000000..b4d45dd7ef
--- /dev/null
+++ b/mkosi.presets/system/mkosi.repart/11-usr-verity.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.presets/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.presets/system/mkosi.repart/12-usr-verity-sig.conf
new file mode 100644
index 0000000000..1841d0a6db
--- /dev/null
+++ b/mkosi.presets/system/mkosi.repart/12-usr-verity-sig.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr