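#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
hostName := courge
# Stable by-id path of the NVMe that `wipe` and `part` repartition on the target;
# both targets are destructive for this device, so it stays pinned to the by-id name.
disk_ssd1 := /dev/disk/by-id/nvme-INTEL_SSDPEKKF256G8L_BTHP91220R5E256B
zpool := $(hostName)
# ZFS native encryption of $(zpool)/root (keyformat=passphrase, keylocation=prompt
# in `part`); an empty value (`make cipher=`) creates the root dataset unencrypted.
cipher := aes-128-gcm
autotrim := on
# refreservation given to the $(zpool)/reserved dataset created by `part`.
reservation := 1G
compression := zstd
# `target` is not referenced by any rule in this file; the ssh-based targets
# all log in as `TARGET` (root on the installer host).
target := nixos@192.168.3.101
TARGET := root@192.168.3.101

# These four targets are commands, not files they produce: never let a stray
# file of the same name make them look up to date.
.PHONY: wipe part copy-ssh install
# A recipe that fails halfway (e.g. gpg interrupted) must not leave a truncated
# credential.secret.gpg or ssh/host.key.gpg that looks up to date.
.DELETE_ON_ERROR:
# NOTE(review): no .DEFAULT_GOAL is set here, so a bare `make` runs the first
# rule below (machine-id.clear, which needs sudo).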
11
# Fresh machine-id for the target, written into this file by bind-mounting it
# over /etc/machine-id inside a private mount namespace, so the host's own
# /etc/machine-id is left alone. Needs sudo; `touch -a` only makes sure the
# file exists before it is bind-mounted.
machine-id.clear:
	touch -a ./$@
	sudo unshare --mount sh -xc 'mount --bind ./$@ /etc/machine-id && systemd-machine-id-setup'
# systemd credential host secret for the target, derived from machine-id.clear:
# in a private mount namespace the new id is bind-mounted over /etc/machine-id
# and this directory over /var/lib/systemd, so `systemd-creds setup` writes
# its credential.secret here. Needs sudo; the file is created root-owned.
credential.secret: machine-id.clear
	sudo unshare --mount sh -xc 'mount --bind $< /etc/machine-id && mount --bind . /var/lib/systemd && systemd-creds setup'
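# Encrypt credential.secret to every key id listed in .gpg-id, then destroy the
# plaintext. The chown is needed because `systemd-creds setup` created the file
# as root; `shred -fu` only runs once gpg has succeeded (make stops otherwise).
credential.secret.gpg: credential.secret
	@test -s .gpg-id # an empty or missing .gpg-id leaves gpg a bare -r that would take $< as the recipient
	sudo chown $(USER) $<
	gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) $<
	shred -fu $<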
21
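# Generate the target's ed25519 sshd host key pair. ssh-keygen writes <-f> and
# <-f>.pub in one go, so -f is derived from $@ with a trailing .pub stripped:
# the same files come out whichever of the two targets was requested (only
# ssh/host.key is a prerequisite in this file, via ssh/host.key.gpg).
# -N '': sshd cannot prompt for a passphrase, so a host key must be unencrypted.
ssh/host.key ssh/host.key.pub:
	mkdir -p $(@D)
	ssh-keygen -t ed25519 -N '' -f $(patsubst %.pub,%,$@)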
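# Encrypt the private host key to the .gpg-id recipients, then destroy the
# plaintext (ssh/host.key.pub is left in place). `shred -fu` only runs once
# gpg has succeeded, since make stops at the first failing line.
ssh/host.key.gpg: ssh/host.key
	@test -s .gpg-id # an empty or missing .gpg-id leaves gpg a bare -r that would take $< as the recipient
	gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) $<
	shred -fu $<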
# Turn the GPG-encrypted host key into a systemd credential named host.key
# through the shared helper one directory up (see that script for what it
# decrypts and where the .cred file is written).
ssh/host.key.cred: ssh/host.key.gpg
	../gpg2cred-local.sh $< $(notdir $(basename $<))
30
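# DESTRUCTIVE: on the target, export pool $(zpool) if it is imported, clear the
# ZFS label of its partition and zap the whole GPT of $(disk_ssd1). Nothing
# here asks for confirmation; the guard only refuses to run with an empty
# device path or pool name.
wipe:
	@test -n '$(disk_ssd1)' && test -n '$(zpool)' # never zap an unnamed device
	ssh $(TARGET) sh -xec '" \
	modprobe zfs; \
	! zpool list $(zpool) || zpool export -f $(zpool); \
	zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_ssd1_zpool || true; \
	sgdisk --zap-all $(disk_ssd1); \
	partprobe || true; \
	udevadm settle; \
	"'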
40
# Partition $(disk_ssd1) on the target (right after `wipe`, its prerequisite)
# into an EFI boot, a swap and a ZFS partition, create pool $(zpool) on the
# latter with its root dataset hierarchy mounted under /mnt/$(hostName), and
# save the GPT layout with sgdisk --backup. With $(cipher) non-empty the root
# dataset is natively encrypted with a passphrase asked at creation time.
part: wipe
# https://wiki.archlinux.org/index.php/BIOS_boot_partition
#sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_ssd1_bios" $(disk_ssd1)
# https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
#printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_ssd1) bs=1 seek=462
# The whole script runs as one `sh -xec` on the target. The '"..."' wrapper
# keeps it a single argument for the local shell while the target's shell sees
# one double-quoted string; `\$$p` therefore reaches the target as `$p`, and
# `$(if $(cipher),...)` is expanded by make before any shell runs.
	ssh $(TARGET) sh -xec '" \
	sgdisk -n0::+256M -t0:EF00 -c0:"$(hostName)_ssd1_boot" $(disk_ssd1); \
	sgdisk -n0:0:+4G -t0:8200 -c0:"$(hostName)_ssd1_swap" $(disk_ssd1); \
	sgdisk -n0:0:0 -t0:BF01 -c0:"$(hostName)_ssd1_zpool" $(disk_ssd1); \
	sgdisk --randomize-guids $(disk_ssd1); \
	sgdisk --backup=$(hostName)_ssd1.sgdisk $(disk_ssd1); \
	partprobe || true; \
	udevadm settle; \
	mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_ssd1_boot; \
	zpool create -o ashift=12 \
	-O utf8only=on \
	-R /mnt/$(hostName) $(zpool) /dev/disk/by-partlabel/$(hostName)_ssd1_zpool; \
	zpool set autotrim=$(autotrim) $(zpool); \
	zfs set \
	acltype=off \
	atime=off \
	canmount=off \
	compression=$(compression) \
	dnodesize=auto \
	relatime=on \
	xattr=off \
	mountpoint=none \
	$(zpool); \
	zfs create -o canmount=off -o mountpoint=none $(zpool)/reserved; \
	zfs set refreservation=$(reservation) $(zpool)/reserved; \
	zfs create -o canmount=on -o mountpoint=/ \
	$(if $(cipher),-o encryption=$(cipher) \
	-o keyformat=passphrase \
	-o keylocation=prompt) \
	$(zpool)/root; \
	for p in nix home var; do \
	zfs create $(zpool)/root/\$$p; \
	done; \
	zfs set acltype=posixacl xattr=sa $(zpool)/root/var; \
	"'
# Why only /var gets posixacl+xattr=sa (journald ACLs):
#https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported
82
83 #sudo zfs set sync=disabled $(zpool)/root/var/tmp
84 #sudo zfs set copies=2 $(zpool)/root/home/files
85
# Refresh the local ssh trust for the target: drop the known_hosts entry for
# its host part (a reinstalled machine presents a new host key, so the next
# connection goes through a fresh host-key check), then push the local public
# key with ssh-copy-id so the other targets' `ssh $(TARGET)` logins work.
copy-ssh:
	dest='$(TARGET)'; ssh-keygen -R "$${dest#*@}"
	ssh-copy-id $(TARGET)
#ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1
90
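# Build the system closure locally, push it into the target's store rooted at
# targetRoot, register it as the system profile, install the systemd credential
# host secret and make the target bootable from inside a nixos-enter.
# Expects `part` to have created pool $(zpool) and its datasets on the target.
install: NIX_STORE_DIR=/nix/store
install: targetRoot=/mnt/$(hostName)
# Query string of the `nix copy` destination: the target's store, itself rooted
# at targetRoot (%3f and %26 are the nested store URI's escaped '?' and '&').
install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR)
install:
	nix -L build --out-link ../$(hostName).root \
	"../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
# Import the pool, load the root key only when the dataset is encrypted and its
# key is not yet available, then mount root, boot1, nix and var under targetRoot
# (each mount is guarded by mountpoint, so re-running this target is harmless).
	ssh $(TARGET) sh -xec '" \
	zpool list $(zpool) || zpool import $(zpool); \
	test \$$(zfs get -H encryption -o value $(zpool)/root) = off || \
	test \$$(zfs get -H keystatus -o value $(zpool)/root) = available || \
	zfs load-key $(zpool)/root; \
	mountpoint $(targetRoot) || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root $(targetRoot); \
	mountpoint $(targetRoot)/boot1 || \
	mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_ssd1_boot $(targetRoot)/boot1; \
	mountpoint $(targetRoot)/nix || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/nix $(targetRoot)/nix; \
	mountpoint $(targetRoot)/var || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/var $(targetRoot)/var; \
	findmnt \
	"'
	nix copy --to "ssh://$(TARGET)?$(targetStore)" ../$(hostName).root
# credential.secret is decrypted locally and reaches the target only through the
# ssh pipe, where `install ... /dev/stdin` writes it as a 0400 root-owned file
# (the commands before it are not expected to read stdin). The quote right
# before $$(readlink closes the local single-quoted string, so readlink runs
# locally and the target receives the resolved store path. The final `test -s`
# guards against a failed `gpg -d`: without pipefail the pipeline's status is
# ssh's, and an empty stdin would otherwise install an empty secret.
	gpg -d credential.secret.gpg | \
	ssh $(TARGET) sh -xec '" \
	nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
	--set '$$(readlink -f ../$(hostName).root)'; \
	mkdir -m 0755 -p $(targetRoot)/etc; \
	touch $(targetRoot)/etc/NIXOS; \
	install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
	test -s $(targetRoot)/var/lib/systemd/credential.secret; \
	"'
# Same local-substitution trick for the closure path: a $(shell realpath ...)
# here is expanded by make together with the rest of the recipe, before the
# nix build above has refreshed ../$(hostName).root, so it could name a
# previous closure (or nothing at all on a first run).
	ssh $(TARGET) nixos-enter --root $(targetRoot) -c '" \
	set -eux; \
	mount --rbind --mkdir / $(targetRoot); \
	mount --make-rslave $(targetRoot); \
	NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \
	umount -R $(targetRoot) && rmdir $(targetRoot) \
	"'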