From 4cc5e08f53c2ec732ba7ddd8658139dc71141281 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 30 Oct 2024 15:53:51 +0100
Subject: [PATCH 1/3] image: unset password reset date
---
 image/base/BUILD.bazel | 1 +
 image/base/mkosi.finalize | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100755 image/base/mkosi.finalize
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 9028b83761..2928787f16 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@@ -30,6 +30,7 @@ copy_to_directory(
 mkosi_image(
 name = "base_" + kernel_variant,
 srcs = [
+ "mkosi.finalize",
 "mkosi.postinst",
 "mkosi.prepare",
 ] + glob([
diff --git a/image/base/mkosi.finalize b/image/base/mkosi.finalize
new file mode 100755
index 0000000000..f832f5d0ae
--- /dev/null
+++ b/image/base/mkosi.finalize
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+# Disable password age for Constellation sysusers.
+tmp=$(mktemp)
+cp -a "${BUILDROOT}/etc/shadow-" "${tmp}"
+mkosi-chroot chage -d "20014" etcd
+cp -a "${tmp}" "${BUILDROOT}/etc/shadow-"
\ No newline at end of file
From a9ce1c1f042ffc7c26645c689d1dbb95908359d8 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 30 Oct 2024 16:33:16 +0100
Subject: [PATCH 2/3] fixup! image: unset password reset date

unset instead of hard-code
---
 image/base/mkosi.finalize | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/image/base/mkosi.finalize b/image/base/mkosi.finalize
index f832f5d0ae..e183c1fe18 100755
--- a/image/base/mkosi.finalize
+++ b/image/base/mkosi.finalize
@@ -4,5 +4,5 @@ set -euxo pipefail
 # Disable password age for Constellation sysusers.
 tmp=$(mktemp)
 cp -a "${BUILDROOT}/etc/shadow-" "${tmp}"
-mkosi-chroot chage -d "20014" etcd
-cp -a "${tmp}" "${BUILDROOT}/etc/shadow-"
\ No newline at end of file
+mkosi-chroot chage -d "" etcd
+cp -a "${tmp}" "${BUILDROOT}/etc/shadow-"
From 4fdbb198148f2d13dbe29ebe0bca63e964a40289 Mon Sep 17 00:00:00 2001
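Review bot: The file created by `tmp=$(mktemp)` in the new `image/base/mkosi.finalize` is never removed, so a copy of the image's `/etc/shadow-` stays behind in the build's temp directory after the script exits. Registering `trap 'rm -f "${tmp}"' EXIT` right after the `mktemp` line would clean it up on success and on the early exits that `set -e` causes. The same lines are carried unchanged through the hunks of patches 2/3 and 3/3, so the point applies there as well.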
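Review bot: Nothing after `mkosi-chroot chage -d "" etcd` confirms that the last-change field really ended up empty; the script relies on `chage` treating an empty date as "unset", which as far as I can tell the man page does not spell out. Since the aim appears to be a reproducible `/etc/shadow`, a build-time assertion would turn a silent behaviour change in shadow-utils into a failed build rather than a changed image. A check such as `grep -q '^etcd:[^:]*::' "${BUILDROOT}/etc/shadow"` before the final `cp` would do, since `set -e` aborts the script when it does not match.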
From: Markus Rudy
Date: Wed, 30 Oct 2024 20:04:22 +0100
Subject: [PATCH 3/3] fixup! image: unset password reset date

detailed description
---
 image/base/mkosi.finalize | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/image/base/mkosi.finalize b/image/base/mkosi.finalize
index e183c1fe18..561db202f9 100755
--- a/image/base/mkosi.finalize
+++ b/image/base/mkosi.finalize
@@ -1,7 +1,13 @@
 #!/usr/bin/env bash
 set -euxo pipefail
 
-# Disable password age for Constellation sysusers.
+# For some reason yet unknown, SourceDateEpoch is not applied correctly to the
+# users added by systemd-sysusers. This has only been observed in our mkosi
+# flake so far, not in an upstream mkosi configuration.
+# TODO(burgerdev): wait for a couple of Nix package upgrades and try again?
+
+# Strategy: unset the "last password change" date without leaving a trace in
+# /etc/shadow-.
 tmp=$(mktemp)
 cp -a "${BUILDROOT}/etc/shadow-" "${tmp}"
 mkosi-chroot chage -d "" etcd
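Review bot: The new comment describes the problem as affecting "the users added by systemd-sysusers", but the only account the script touches is `etcd`, in the `chage` line at the end of this hunk. If other sysusers-created accounts exist in the image, they would presumably keep a build-time last-change date and the image would still not be reproducible. Either say why only etcd needs the workaround, for example `# Only etcd is affected because <reason>.`, or apply the same `chage` call to each such account. The `TODO(burgerdev)` would also be easier to follow up with a link to a tracking issue.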