blackberry: update Makefile
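#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
# Host-specific knobs. The wipe/part/install/unmount targets run their
# privileged steps on $(ssh_target) over SSH, so check that value first.
hostName := blackberry
# Stable by-id path so a reordered /dev/sdX can never point wipe/part at another disk.
disk1 := /dev/disk/by-id/ata-CT250MX500SSD1_2004E2849DD5
zfs_pool := $(hostName)
# Leave empty to create the root dataset without encryption (see `part`).
zfs_cipher := aes-128-gcm
zfs_autotrim := on
zfs_reservation := 1G
zfs_compression := zstd
# Overridable on the command line: make install ssh_target=root@HOST
ssh_target ?= root@192.168.3.105

# Command-style targets: always out of date, and never mistaken for a file of the same name.
.PHONY: wipe part copy-ssh install unmount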
10
# A fresh machine-id kept in the clear so that credential.secret can bind-mount
# it over /etc/machine-id while the host credential key is generated.
machine-id.clear:
	systemd-machine-id-setup --root $(@D) \
	&& mv $(@D)/etc/machine-id $@ \
	&& rmdir -p etc
# Generates the target host's systemd-creds host key on this machine.
# Runs as root inside a private mount namespace, so the two bind mounts
# (machine-id.clear over /etc/machine-id, the working directory over
# /var/lib/systemd) are invisible to the rest of the system; the key that
# systemd-creds writes under /var/lib/systemd therefore lands in ./credential.secret,
# root-owned (hence the chown in credential.secret.gpg). The plaintext key stays
# on disk until credential.secret.gpg encrypts and shreds it.
credential.secret: machine-id.clear
	sudo unshare --mount sh -xec ' \
	mount --bind machine-id.clear /etc/machine-id && \
	mount --bind . /var/lib/systemd && \
	systemd-creds setup --with-key=host \
	'
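# Encrypts the host credential key to the recipients listed in .gpg-id, then
# destroys the plaintext. shred overwrites in place, which is not reliable on
# SSDs or copy-on-write filesystems; keep this working tree on storage you trust.
# The prerequisite is created root-owned by the credential.secret recipe.
credential.secret.gpg: credential.secret
	sudo chown $(USER) $<
	gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) --output $@ $<
	shred -fu $<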
25
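# Turns an encrypted file into a systemd credential via the sibling helper
# script; the credential name is the stem's file name without its directory
# ($(notdir) replaces a basename(1) fork at recipe time).
%.cred: %.gpg
	../gpg2cred-local.sh $< $(notdir $*)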
# Generic rule: FILE -> FILE.gpg, encrypted to every recipient listed in .gpg-id.
%.gpg: %
	gpg --encrypt \
		$(shell printf -- ' -r %s' $$(cat .gpg-id)) \
		"$<"
31
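# Interactive: mkpasswd prompts for the password and only its yescrypt hash is
# stored (no trailing newline). Capturing the hash first makes a failed or
# aborted mkpasswd fail the recipe instead of leaving an empty file behind
# with a zero exit status (the former pipeline only reported tr's status).
users/%/login/hashedPassword.clear:
	mkdir -p $(@D)
	h=$$(mkpasswd -m yescrypt) && printf '%s' "$$h" >$@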
34
# Interactive: gpg reads the ZFS root passphrase from stdin (typed on the
# terminal, which usually echoes it) and stores only the ciphertext.
# `part` decrypts this file and hands the passphrase to
# `zfs create -o keylocation=prompt` over the SSH session's stdin, so it never
# appears on a command line or in the `sh -x` trace.
root.passphrase.gpg:
	gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) --output $@
37
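# Host keypair for the target's sshd. One ssh-keygen run creates both files,
# so the .pub is declared as a by-product of host.key rather than as a second
# target: listing both targets on one rule made two independent rules, the
# second of which ran `ssh-keygen -f ssh/host.key.pub` (wrong name, and a
# race under make -j). sshd host keys are unencrypted, hence -N ''.
ssh/host.key:
	mkdir -p $(@D)
	ssh-keygen -t ed25519 -f $@ -N ''
ssh/host.key.pub: ssh/host.key ;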
# Encrypts the private host key to the .gpg-id recipients and destroys the
# plaintext (shred is best-effort on SSDs and copy-on-write filesystems).
ssh/host.key.gpg: ssh/host.key
	gpg --encrypt \
		$(shell printf -- ' -r %s' $$(cat .gpg-id)) \
		--output $@ $<
	shred -fu $<
44
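# Nebula node keypair. Only the private key is the target; the public key is
# written next to it and still has to be signed by the CA (outside this
# Makefile) to obtain nebula/$(hostName).crt.
nebula/$(hostName).key:
	mkdir -p $(@D)
	nebula-cert keygen \
		-out-pub $(@:.key=.pub) \
		-out-key $@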
51
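# DESTRUCTIVE: exports the pool and zaps every partition of $(disk1) on the
# remote host. The pool commands are `zpool`; the former `zfs_pool list` etc.
# named a non-existent program, so this target could not have worked as written.
wipe:
	ssh $(ssh_target) sh -xec '" \
	modprobe zfs; \
	! zpool list $(zfs_pool) || zpool export -f $(zfs_pool); \
	zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_disk1_zpool || true; \
	sgdisk --zap-all $(disk1); \
	partprobe || true; \
	udevadm settle; \
	"'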
61
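# Partitions $(disk1) on the remote host (BIOS boot, EFI boot, swap, ZFS) and
# creates the pool and datasets. The decrypted root passphrase travels only
# over the SSH session's stdin to `zfs create -o keylocation=prompt`; keep
# any stdin-reading command out of the script ahead of that point.
# Pool-level commands are `zpool` and the properties are `autotrim` and
# `compression` (the former zfs_pool/zfs_autotrim/zfs_compression spellings
# were not valid commands or ZFS property names).
part: wipe root.passphrase.gpg
# https://wiki.archlinux.org/index.php/BIOS_boot_partition
#sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_disk1_bios" $(disk1)
# https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
#printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk1) bs=1 seek=462
# https://help.ubuntu.com/community/SwapFaq#How_much_swap_do_I_need.3F
	gpg --decrypt root.passphrase.gpg | \
	ssh $(ssh_target) sh -xec '" \
	sgdisk -a1 -n0:34:2047 -t0:EF02 -c0:$(hostName)_disk1_bios $(disk1); \
	sgdisk -n0::+256M -t0:EF00 -c0:$(hostName)_disk1_boot $(disk1); \
	sgdisk -n0:0:+4G -t0:8200 -c0:$(hostName)_disk1_swap $(disk1); \
	sgdisk -n0:0:0 -t0:BF01 -c0:$(hostName)_disk1_zpool $(disk1); \
	sgdisk --randomize-guids $(disk1); \
	sgdisk --backup=$(hostName)_disk1.sgdisk $(disk1); \
	partprobe || true; \
	udevadm settle; \
	mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_disk1_boot; \
	zpool create -o ashift=12 \
		-O utf8only=on \
		-R /mnt/$(hostName) $(zfs_pool) /dev/disk/by-partlabel/$(hostName)_disk1_zpool; \
	zpool set autotrim=$(zfs_autotrim) $(zfs_pool); \
	zfs set \
		acltype=off \
		atime=off \
		canmount=off \
		compression=$(zfs_compression) \
		dnodesize=auto \
		relatime=on \
		xattr=off \
		mountpoint=none \
		$(zfs_pool); \
	zfs create \
		-o canmount=off \
		-o mountpoint=none \
		-o refreservation=$(zfs_reservation) \
		$(zfs_pool)/reserved; \
	zfs create -o canmount=on -o mountpoint=/ \
		$(if $(zfs_cipher),-o encryption=$(zfs_cipher) \
		-o keyformat=passphrase \
		-o keylocation=prompt) \
		$(zfs_pool)/root; \
	for p in nix home var; do \
		zfs create $(zfs_pool)/root/\$$p; \
	done; \
	zfs set acltype=posixacl xattr=sa $(zfs_pool)/root/var; \
	"'
#https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported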
109
110 #sudo zfs set sync=disabled $(zfs_pool)/root/var/tmp
111 #sudo zfs set copies=2 $(zfs_pool)/root/home/files
112
# Forgets the remembered host key of ssh_target (a reinstalled host presents
# a new one) and pushes our public key. The very next connection accepts
# whatever key the host offers, so confirm the new fingerprint out of band.
copy-ssh:
	h='$(ssh_target)' && ssh-keygen -R "$${h#*@}"
	ssh-copy-id $(ssh_target)
#ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1
117
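install: NIX_STORE_DIR=/nix/store
install: targetRoot=/mnt/$(hostName)
install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR)
# Builds the system closure locally, imports the pool and mounts the target
# datasets on ssh_target, copies the closure into the target's store, installs
# the host credential key (root, mode 400, delivered over stdin so it appears
# neither on a command line nor in the `sh -x` trace), then installs the
# bootloader from inside the target root. Pool commands are `zpool`
# (the former `zfs_pool list/import` named a non-existent program).
install: credential.secret.gpg
# This may require to increase the size of the partition holding the Nix store.
# Especially when building from a live NixOS whose RAM is not compressed:
# mount -o remount,size=30G /nix/.rw-store
	nix -L build --out-link ../$(hostName).root \
		"../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
	ssh $(ssh_target) sh -xec '" \
	zpool list $(zfs_pool) || zpool import $(zfs_pool); \
	test \$$(zfs get -H encryption -o value $(zfs_pool)/root) = off || \
	test \$$(zfs get -H keystatus -o value $(zfs_pool)/root) = available || \
	zfs load-key $(zfs_pool)/root; \
	mountpoint $(targetRoot) || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root $(targetRoot); \
	mountpoint $(targetRoot)/boot1 || \
	mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_disk1_boot $(targetRoot)/boot1; \
	mountpoint $(targetRoot)/nix || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/nix $(targetRoot)/nix; \
	mountpoint $(targetRoot)/var || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/var $(targetRoot)/var; \
	findmnt \
	"'
	nix copy --to "ssh://$(ssh_target)?$(targetStore)" ../$(hostName).root
# The '$$(...)' below deliberately leaves the local single quotes so the
# store path is resolved on this machine, not on the target.
	gpg --decrypt credential.secret.gpg | \
	ssh $(ssh_target) sh -xec '" \
	nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
		--set '$$(readlink -f ../$(hostName).root)'; \
	mkdir -m 0755 -p $(targetRoot)/etc; \
	touch $(targetRoot)/etc/NIXOS; \
	install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
	"'
	ssh $(ssh_target) nixos-enter --root $(targetRoot) -c '" \
	set -eux; \
	mount --rbind --mkdir / $(targetRoot); \
	mount --make-rslave $(targetRoot); \
	NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \
	umount -R $(targetRoot) && rmdir $(targetRoot) \
	"'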
158
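# Reverses the mounts made by `install` and exports the pool. targetRoot was
# only defined as a target-specific variable of `install`, so here it expanded
# to the empty string and the paths became /boot1, /nix, /var and "" on the
# remote host; it is now set for this target as well. Pool commands are `zpool`.
unmount: targetRoot=/mnt/$(hostName)
unmount:
	ssh $(ssh_target) sh -xec '" \
	! mountpoint $(targetRoot)/boot1 || \
	umount -v $(targetRoot)/boot1; \
	! mountpoint $(targetRoot)/nix || \
	umount -v $(targetRoot)/nix; \
	! mountpoint $(targetRoot)/var || \
	umount -v $(targetRoot)/var; \
	! mountpoint $(targetRoot) || \
	umount -v $(targetRoot); \
	! zpool list $(zfs_pool) || \
	zpool export $(zfs_pool); \
	findmnt \
	"'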