1 #cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
 
   3 disk1           := /dev/disk/by-id/ata-CT250MX500SSD1_2004E2849DD5
 
   4 zfs_pool        := $(hostName)
 
   5 zfs_cipher      := aes-128-gcm
 
   8 zfs_compression := zstd
 
   9 ssh_target      ?= root@192.168.3.105
 
  12         systemd-machine-id-setup --root $(@D)
 
  13         mv $(@D)/etc/machine-id $@
 
  15 credential.secret: machine-id.clear
 
  16         sudo unshare --mount sh -xec ' \
 
  17           mount --bind machine-id.clear /etc/machine-id && \
 
  18           mount --bind . /var/lib/systemd && \
 
  19           systemd-creds setup --with-key=host \
 
  21 credential.secret.gpg: credential.secret
 
  22         sudo chown $(USER) credential.secret
 
  23         gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) credential.secret
 
  27         ../gpg2cred-local.sh $< $(shell basename "$*")
 
  29         gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) \
 
  32 users/%/login/hashedPassword.clear:
 
  33         mkpasswd -m yescrypt | tr -d '\n' >$@
 
  36         gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) --output $@
 
  38 ssh/host.key ssh/host.key.pub:
 
  40         ssh-keygen -t ed25519 -f $@
 
  41 ssh/host.key.gpg: ssh/host.key
 
  42         gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) $<
 
  45 nebula/$(hostName).key:
 
  47           -out-pub nebula/$(hostName).pub \
 
  48           -out-key nebula/$(hostName).key
 
  49         # Now nebula/$(hostName).pub needs to be signed by the CA
 
  50         # to produce a nebula/$(hostName).crt
 
  53         ssh $(ssh_target) sh -xec '" \
 
  55           ! zfs_pool list $(zfs_pool) || zfs_pool export -f $(zfs_pool); \
 
  56           zfs_pool labelclear -f /dev/disk/by-partlabel/$(hostName)_disk1_zpool || true; \
 
  57           sgdisk --zap-all $(disk1); \
 
  62 part: wipe root.passphrase.gpg
 
  63         # https://wiki.archlinux.org/index.php/BIOS_boot_partition
 
  64         #sudo $$(which sgdisk) -a1 -n0:34:2047  -t0:EF02 -c0:"$(hostName)_disk1_bios"  $(disk1)
 
  65         # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
 
  66         #printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk1) bs=1 seek=462
 
  67         # https://help.ubuntu.com/community/SwapFaq#How_much_swap_do_I_need.3F
 
  68         gpg --decrypt root.passphrase.gpg | \
 
  69         ssh $(ssh_target) sh -xec '" \
 
  70           sgdisk -a1 -n0:34:2047 -t0:EF02 -c0:$(hostName)_disk1_bios  $(disk1); \
 
  71           sgdisk     -n0::+256M  -t0:EF00 -c0:$(hostName)_disk1_boot  $(disk1); \
 
  72           sgdisk     -n0:0:+4G   -t0:8200 -c0:$(hostName)_disk1_swap  $(disk1); \
 
  73           sgdisk     -n0:0:0     -t0:BF01 -c0:$(hostName)_disk1_zpool $(disk1); \
 
  74           sgdisk --randomize-guids $(disk1); \
 
  75           sgdisk --backup=$(hostName)_disk1.sgdisk $(disk1); \
 
  78           mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_disk1_boot; \
 
  79           zfs_pool create -o ashift=12 \
 
  81             -R /mnt/$(hostName) $(zfs_pool) /dev/disk/by-partlabel/$(hostName)_disk1_zpool; \
 
  82           zfs_pool set zfs_autotrim=$(zfs_autotrim) $(zfs_pool); \
 
  87             zfs_compression=$(zfs_compression) \
 
  96             -o refreservation=$(zfs_reservation) \
 
  97             $(zfs_pool)/reserved; \
 
  98           zfs create -o canmount=on -o mountpoint=/ \
 
  99             $(if $(zfs_cipher),-o encryption=$(zfs_cipher) \
 
 100             -o keyformat=passphrase \
 
 101             -o keylocation=prompt) \
 
 103           for p in nix home var; do \
 
 104             zfs create $(zfs_pool)/root/\$$p; \
 
 106           zfs set acltype=posixacl xattr=sa $(zfs_pool)/root/var; \
 
 108         #https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported
 
 110           #sudo zfs set sync=disabled $(zfs_pool)/root/var/tmp
 
 111           #sudo zfs set copies=2 $(zfs_pool)/root/home/files
 
 114         host=$(ssh_target); host=$${host#*@}; ssh-keygen -R $$host
 
 115         ssh-copy-id $(ssh_target)
 
 116         #ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1
 
 118 install: NIX_STORE_DIR=/nix/store
 
 119 install: targetRoot=/mnt/$(hostName)
 
 120 install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR)
 
 121 install: credential.secret.gpg
 
 122         # This may require to increase the size of the partition holding the Nix store.
 
 123         # Especially when building from a live NixOS whose RAM is not compressed:
 
 124         #   mount -o remount,size=30G /nix/.rw-store
 
 125         nix -L build --out-link ../$(hostName).root \
 
 126           "../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
 
 127         ssh $(ssh_target) sh -xec '" \
 
 128           zfs_pool list $(zfs_pool) || zfs_pool import $(zfs_pool); \
 
 129           test \$$(zfs get -H encryption -o value $(zfs_pool)/root) = off || \
 
 130           test \$$(zfs get -H keystatus -o value $(zfs_pool)/root) = available || \
 
 131           zfs load-key $(zfs_pool)/root; \
 
 132           mountpoint $(targetRoot) || \
 
 133           mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root $(targetRoot); \
 
 134           mountpoint $(targetRoot)/boot1 || \
 
 135           mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_disk1_boot $(targetRoot)/boot1; \
 
 136           mountpoint $(targetRoot)/nix || \
 
 137           mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/nix $(targetRoot)/nix; \
 
 138           mountpoint $(targetRoot)/var || \
 
 139           mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/var $(targetRoot)/var; \
 
 142         nix copy --to "ssh://$(ssh_target)?$(targetStore)" ../$(hostName).root
 
 143         gpg --decrypt credential.secret.gpg | \
 
 144         ssh $(ssh_target) sh -xec '" \
 
 145           nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
 
 146             --set '$$(readlink -f ../$(hostName).root)'; \
 
 147           mkdir -m 0755 -p $(targetRoot)/etc; \
 
 148           touch $(targetRoot)/etc/NIXOS; \
 
 149           install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
 
 151         ssh $(ssh_target) nixos-enter --root $(targetRoot) -c '" \
 
 153           mount --rbind --mkdir / $(targetRoot); \
 
 154           mount --make-rslave $(targetRoot); \
 
 155           NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \
 
 156           umount -R $(targetRoot) && rmdir $(targetRoot) \
 
 160         ssh $(ssh_target) sh -xec '" \
 
 161           ! mountpoint $(targetRoot)/boot1 || \
 
 162           umount -v $(targetRoot)/boot1; \
 
 163           ! mountpoint $(targetRoot)/nix || \
 
 164           umount -v $(targetRoot)/nix; \
 
 165           ! mountpoint $(targetRoot)/var || \
 
 166           umount -v $(targetRoot)/var; \
 
 167           ! mountpoint $(targetRoot) || \
 
 168           umount -v $(targetRoot); \
 
 169           ! zfs_pool list $(zfs_pool) || \
 
 170           zfs_pool export $(zfs_pool); \