]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/nan2gua1/Makefile
sourcephile / git / julm / julm-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
blackberry: update Makefile
[julm/julm-nix.git] / hosts / nan2gua1 / Makefile
1 #cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
2 hostName := nan2gua1
3 domainName := sourcephile.fr
4 disk1 := /dev/disk/by-id/nvme-SKHynix_HFS512GDE9X081N_FYABN01431060B636_1
5 zfs_pool := $(hostName)
6 zfs_encryption := aes-128-gcm
7 zfs_autotrim := on
8 zfs_emergency := 1G
9 zfs_compression := zstd
10 ssh_target ?= root@192.168.4.100
11 disk_bios :=
12 disk_boot_size := 512M
13 disk_swap_size := 4G
14 creds := \
15 ssh/host.key.cred \
16 nebula/$(domainName)/$(hostName).key.cred
17
18 git-crypt:
19 test -s ../../.git/git-crypt/keys/"$(hostName)" || \
20 git-crypt init --key-name "$(hostName)"
21 git-crypt add-gpg-user --key-name "$(hostName)" $$(cat .gpg-id)
22
23 creds: host-id.clear machine-id.clear credential.secret.gpg $(creds)
24 # ExplanationNote: avoid regenerating secrets that have been removed for security
25 .SECONDARY: credential.secret $(patsubst %.cred,%,$(creds))
26
27 .PRECIOUS: %.clear
28 host-id.clear:
29 uuidgen | head -c8 >"$@"
30 machine-id.clear:
31 uuidgen | tr -d - >"$@"
32 #touch -a $@
33 #sudo unshare --mount sh -xc 'mount --bind $@ /etc/machine-id && systemd-machine-id-setup'
34 credential.secret: machine-id.clear
35 sudo unshare --mount sh -xec ' \
36 mount --bind machine-id.clear /etc/machine-id && \
37 mount --bind . /var/lib/systemd && \
38 systemd-creds setup \
39 '
40
41 .PRECIOUS: %.cred
42 %.cred: %.gpg
43 #../gpg2cred-local.sh $< $(shell basename "$*")
44 ssh_target=$(ssh_target) ../gpg2cred-remote.sh "$*".gpg $(shell basename "$*")
45 .PRECIOUS: %.gpg
46 %.gpg: %
47 test $$(stat -c %U "$*") == "$(USER)" || sudo chown $(USER) credential.secret
48 gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) "$*"
49 shred -fu "$*"
50 zpool_root.passphrase.gpg:
51 gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) --output $@
52
53 users/%/login/hashedPassword.clear:
54 mkdir -p "$(@D)"
55 mkpasswd -m yescrypt | tr -d '\n' >"$@"
56
57 ssh/host.key ssh/host.key.pub:
58 mkdir -p $(@D)
59 ssh-keygen -t ed25519 -f $@
60
61 syncoid/ssh.key syncoid/ssh.key.pub:
62 mkdir -p $(@D)
63 ssh-keygen -t ed25519 -f $@
64
65 nebula/$(domainName)/$(hostName).key:
66 nebula-cert keygen \
67 -out-pub nebula/$(domainName)/$(hostName).pub \
68 -out-key nebula/$(domainName)/$(hostName).key
69 # Now nebula/$(hostName).pub needs to be signed by the CA
70 # to produce a nebula/$(hostName).crt
71
72 clears: \
73 users/julm/login/hashedPassword.clear
74
75 wipe:
76 ssh $(ssh_target) sh -xec '" \
77 test ! -d /home/julm; \
78 modprobe zfs; \
79 ! zpool list $(zfs_pool) || zpool export -f $(zfs_pool); \
80 zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_disk1_zpool || true; \
81 sgdisk --zap-all $(disk1); \
82 partprobe || true; \
83 udevadm settle; \
84 "'
85
86 part: wipe zpool_root.passphrase.gpg
87 # https://wiki.archlinux.org/index.php/BIOS_boot_partition
88 #sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_disk1_bios" $(disk1)
89 # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
90 #printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk1) bs=1 seek=462
91 # https://help.ubuntu.com/community/SwapFaq#How_much_swap_do_I_need.3F
92 gpg --decrypt zpool_root.passphrase.gpg | \
93 ssh $(ssh_target) sh -xec '" \
94 $(if $(disk_bios),sgdisk -a1 -n0:34:2047 -t0:EF02 -c0:$(hostName)_disk1_bios $(disk1);,) \
95 sgdisk -n0::+$(disk_boot_size) -t0:EF00 -c0:"$(hostName)_disk1_boot" $(disk1); \
96 sgdisk -n0:0:+$(disk_swap_size) -t0:8200 -c0:"$(hostName)_disk1_swap" $(disk1); \
97 sgdisk -n0:0:0 -t0:BF01 -c0:"$(hostName)_disk1_zpool" $(disk1); \
98 sgdisk --randomize-guids $(disk1); \
99 sgdisk --backup=$(hostName)_disk1.sgdisk $(disk1); \
100 partprobe || true; \
101 udevadm settle; \
102 mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_disk1_boot; \
103 zpool create -o ashift=12 \
104 -O utf8only=on \
105 -R /mnt/$(hostName) $(zfs_pool) /dev/disk/by-partlabel/$(hostName)_disk1_zpool; \
106 zpool set autotrim=$(zfs_autotrim) $(zfs_pool); \
107 zfs set \
108 acltype=off \
109 atime=off \
110 canmount=off \
111 compression=$(zfs_compression) \
112 dnodesize=auto \
113 relatime=on \
114 xattr=off \
115 mountpoint=none \
116 $(zfs_pool); \
117 zfs create \
118 -o canmount=off \
119 -o mountpoint=none \
120 -o refreservation=$(zfs_emergency) \
121 $(zfs_pool)/emergency; \
122 zfs create -o canmount=on -o mountpoint=/ \
123 $(if $(zfs_encryption),-o encryption=$(zfs_encryption) \
124 -o keyformat=passphrase \
125 -o keylocation=prompt) \
126 $(zfs_pool)/root; \
127 for p in nix home var; do \
128 zfs create $(zfs_pool)/root/\$$p; \
129 done; \
130 zfs set acltype=posixacl xattr=sa $(zfs_pool)/root/var; \
131 "'
132 #https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported
133
134 #sudo zfs set sync=disabled $(zfs_pool)/root/var/tmp
135 #sudo zfs set copies=2 $(zfs_pool)/root/home/files
136
137 copy-ssh:
138 host=$(ssh_target); host=$${host#*@}; ssh-keygen -R $$host
139 ssh-copy-id $(ssh_target)
140 #ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1
141
142 install: NIX_STORE_DIR=/nix/store
143 install: targetRoot=/mnt/$(hostName)
144 install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3freal=$(targetRoot)$(NIX_STORE_DIR)
145 #%26store=$(NIX_STORE_DIR)
146 install: credential.secret.gpg
147 # This may require to increase the size of the partition holding the Nix store.
148 # Especially when building from a live NixOS whose RAM is not compressed:
149 # mount -o remount,size=30G /nix/.rw-store
150 nix -L build --out-link ../$(hostName).root \
151 "../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
152 ssh $(ssh_target) sh -xec '" \
153 mount -o remount,size=30G /nix/.rw-store; \
154 zpool list $(zfs_pool) || zpool import $(zfs_pool); \
155 test \$$(zfs get -H encryption -o value $(zfs_pool)/root) = off || \
156 test \$$(zfs get -H keystatus -o value $(zfs_pool)/root) = available || \
157 zfs load-key $(zfs_pool)/root; \
158 mountpoint $(targetRoot) || \
159 mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root $(targetRoot); \
160 mountpoint $(targetRoot)/boot1 || \
161 mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_disk1_boot $(targetRoot)/boot1; \
162 mountpoint $(targetRoot)/nix || \
163 mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/nix $(targetRoot)/nix; \
164 mountpoint $(targetRoot)/var || \
165 mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/var $(targetRoot)/var; \
166 findmnt \
167 "'
168 nix copy --to "ssh://$(ssh_target)?$(targetStore)" ../$(hostName).root
169 gpg --decrypt credential.secret.gpg | \
170 ssh $(ssh_target) sh -xec '" \
171 nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
172 --set '$$(readlink -f ../$(hostName).root)'; \
173 mkdir -m 0755 -p $(targetRoot)/etc; \
174 touch $(targetRoot)/etc/NIXOS; \
175 install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
176 "'
177 ssh $(ssh_target) nixos-enter --root $(targetRoot) -c '" \
178 set -eux; \
179 mount --rbind --mkdir / $(targetRoot); \
180 mount --make-rslave $(targetRoot); \
181 NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \
182 umount -R $(targetRoot) && rmdir $(targetRoot) \
183 "'
184
185 unmount:
186 ssh $(ssh_target) sh -xec '" \
187 ! mountpoint $(targetRoot)/boot1 || \
188 umount -v $(targetRoot)/boot1; \
189 ! mountpoint $(targetRoot)/nix || \
190 umount -v $(targetRoot)/nix; \
191 ! mountpoint $(targetRoot)/var || \
192 umount -v $(targetRoot)/var; \
193 ! mountpoint $(targetRoot) || \
194 umount -v $(targetRoot); \
195 ! zpool list $(zfs_pool) || \
196 zpool export $(zfs_pool); \
197 findmnt \
198 "'
julm's NixOS and home-manager configs