#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))

# Host being provisioned by this Makefile; the ZFS pool is named after it.
hostName := blackberry
zpool := $(hostName)

# Where the recipes ssh to. `?=` so it can be overridden from the environment
# or the command line (make TARGET=root@host install). Keep the user@host form:
# copy-ssh strips everything up to the `@` to get the host name.
#TARGET ?= root@localhost
TARGET ?= root@192.168.3.105

# Stable by-id path of the SSD that `wipe` and `part` repartition.
disk_ssd1 := /dev/disk/by-id/ata-CT250MX500SSD1_2004E2849DD5

# ZFS settings consumed by `part`. Comments stay on their own lines: a trailing
# comment on an assignment would leave whitespace inside the value.
# An empty `cipher` creates $(zpool)/root without encryption.
cipher := aes-128-gcm
autotrim := on
# Size of the $(zpool)/reserved refreservation.
reservation := 1G
compression := zstd

# Generate a machine-id for the host and keep it as a cleartext file here.
# systemd-machine-id-setup writes <root>/etc/machine-id, so it is pointed at
# this directory and the result is moved to $@; the temporary etc/ is removed.
# credential.secret derives the host credential key from this file.
machine-id.clear:
	systemd-machine-id-setup --root .
	mv etc/machine-id $@
	rmdir etc
# Create the host credential secret from machine-id.clear without touching the
# real /etc/machine-id or /var/lib/systemd: inside a private mount namespace
# (unshare --mount) both paths are bind-mounted from this directory, so
# `systemd-creds setup` reads our machine-id and writes its credential.secret
# here. It runs under sudo, so the file comes out owned by root;
# credential.secret.gpg chowns it before encrypting.
credential.secret: machine-id.clear
	sudo unshare --mount sh -xec ' \
	  mount --bind $< /etc/machine-id && \
	  mount --bind . /var/lib/systemd && \
	  systemd-creds setup --with-key=host \
	'
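# Encrypt credential.secret to the recipients listed in .gpg-id, then shred the
# cleartext. $(USER) comes from the environment via make.
# No prerequisite on credential.secret on purpose: the cleartext is shredded
# below, so a prerequisite edge would make every later `make install` (which
# needs this .gpg) see it missing, re-run `systemd-creds setup` and silently
# replace the host secret. Build the two steps explicitly:
#   make credential.secret && make credential.secret.gpg
# Fix: with no prerequisites `$<` expanded to nothing, so the previous
# `shred -fu $<` failed with "missing file operand" and left the cleartext on
# disk; the cleartext name is now derived from the target.
credential.secret.gpg:
	sudo chown $(USER) $(basename $@)
	gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) $(basename $@)
	shred -fu $(basename $@)
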
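# Turn a *.gpg file into a *.cred (presumably a systemd credential) through
# ../gpg2cred-local.sh. Its second argument is the stem without directories
# (ssh/host.key -> host.key); $(notdir) replaces forking `basename` via $(shell).
%.cred: %.gpg
	../gpg2cred-local.sh $< $(notdir $*)
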
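# Prompt for a user's password (mkpasswd) and store its yescrypt hash without
# a trailing newline. Two guards added: the directory is created if missing,
# and the result must be non-empty before it is moved into place. Without
# `pipefail` a failed or aborted mkpasswd still exits 0 through `tr`, which
# previously left an empty hash file — and an empty hashedPassword, if consumed
# as such by the NixOS config, can mean an account with no password.
users/%/login/hashedPassword.clear:
	mkdir -p $(@D)
	mkpasswd -m yescrypt | tr -d '\n' >$@.tmp
	test -s $@.tmp || { $(RM) $@.tmp; false; }
	mv -f $@.tmp $@
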
# Encrypt the ZFS root passphrase to the .gpg-id recipients. No input file is
# given, so gpg reads the passphrase from stdin: type it (the terminal echoes
# it) and end with Ctrl-D. `part` decrypts this file when it creates the
# encrypted $(zpool)/root dataset.
root.passphrase.gpg:
	gpg --output $@ --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id))

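# Generate the host's ed25519 SSH key pair. The former rule header listed both
# ssh/host.key and ssh/host.key.pub as targets of one recipe, which defines two
# independent rules: asked for the .pub, make ran `ssh-keygen -f ssh/host.key.pub`
# and wrote a *private* key under that name (plus a .pub.pub). Now only
# host.key carries the recipe; ssh-keygen writes the .pub next to it, and the
# .pub target merely depends on the key (empty recipe).
# Caveat: once ssh/host.key.gpg has shredded host.key, asking for
# ssh/host.key.pub again would generate a new pair.
ssh/host.key:
	mkdir -p $(@D)
	ssh-keygen -t ed25519 -f $@
ssh/host.key.pub: ssh/host.key ;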
# Encrypt the private host key to the .gpg-id recipients and shred the
# cleartext; ssh/host.key.pub is left in place. Caveat: the prerequisite is
# shredded, so re-running `make ssh/host.key.gpg` while the .gpg exists finds
# it missing and would generate a fresh key pair and overwrite this file.
ssh/host.key.gpg: ssh/host.key
	gpg --output $@ --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) $<
	shred -fu $<

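# Generate the host's nebula key pair and encrypt the private key to the
# .gpg-id recipients. Unlike ssh/host.key.gpg this rule neither shreds the
# cleartext .key nor has a prerequisite, so an existing .gpg is never
# regenerated behind your back; shred nebula/$(hostName).key yourself once the
# .gpg is in place. `mkdir -p` added so the rule also works from a checkout
# where nebula/ does not exist yet; the file names derive from the target.
nebula/$(hostName).key.gpg:
	mkdir -p $(@D)
	nebula-cert keygen \
	  -out-pub $(@D)/$(hostName).pub \
	  -out-key $(basename $@)
	gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) \
	  $(basename $@)
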
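# Destroy the on-disk state of $(disk_ssd1) on $(TARGET): export the pool if
# it is imported, clear the ZFS label, zap all GPT/MBR structures. Irreversible;
# `part` depends on it, so `make part` always wipes first.
# Declared phony (it creates no file) so a stray file named `wipe` cannot turn
# it into a silent no-op; the first recipe line refuses to run with an empty
# TARGET or disk_ssd1 (the rest of the script is then skipped by $(error)).
.PHONY: wipe
wipe:
	$(if $(and $(strip $(TARGET)),$(strip $(disk_ssd1))),,$(error wipe: TARGET and disk_ssd1 must both be non-empty))
	ssh $(TARGET) sh -xec '" \
	  modprobe zfs; \
	  ! zpool list $(zpool) || zpool export -f $(zpool); \
	  zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_ssd1_zpool || true; \
	  sgdisk --zap-all $(disk_ssd1); \
	  partprobe || true; \
	  udevadm settle; \
	"'
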
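# Partition $(disk_ssd1) on $(TARGET) (BIOS boot, EFI, swap, ZFS), create the
# pool and its datasets. Runs after `wipe`, so it always starts from an empty
# disk. The root passphrase is decrypted locally and piped into the remote
# shell's stdin, where `zfs create -o keylocation=prompt` reads it; it never
# appears on a command line, so the `sh -x` trace does not show it. Nothing
# before that `zfs create` must read stdin. An empty `cipher` skips the
# encryption options and creates $(zpool)/root in clear.
# Phony: produces no file; a file named `part` must not mask it.
.PHONY: part
part: wipe root.passphrase.gpg
# https://wiki.archlinux.org/index.php/BIOS_boot_partition
#sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_ssd1_bios" $(disk_ssd1)
# https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
#printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_ssd1) bs=1 seek=462
	gpg --decrypt root.passphrase.gpg | \
	ssh $(TARGET) sh -xec '" \
	  sgdisk -a1 -n0:34:2047 -t0:EF02 -c0:$(hostName)_ssd1_bios $(disk_ssd1); \
	  sgdisk -n0::+256M -t0:EF00 -c0:$(hostName)_ssd1_boot $(disk_ssd1); \
	  sgdisk -n0:0:+4G -t0:8200 -c0:$(hostName)_ssd1_swap $(disk_ssd1); \
	  sgdisk -n0:0:0 -t0:BF01 -c0:$(hostName)_ssd1_zpool $(disk_ssd1); \
	  sgdisk --randomize-guids $(disk_ssd1); \
	  sgdisk --backup=$(hostName)_ssd1.sgdisk $(disk_ssd1); \
	  partprobe || true; \
	  udevadm settle; \
	  mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_ssd1_boot; \
	  zpool create -o ashift=12 \
	    -O utf8only=on \
	    -R /mnt/$(zpool) $(zpool) /dev/disk/by-partlabel/$(hostName)_ssd1_zpool; \
	  zpool set autotrim=$(autotrim) $(zpool); \
	  zfs set \
	    acltype=off \
	    atime=off \
	    canmount=off \
	    compression=$(compression) \
	    dnodesize=auto \
	    relatime=on \
	    xattr=off \
	    mountpoint=none \
	    $(zpool); \
	  zfs create \
	    -o canmount=off \
	    -o mountpoint=none \
	    -o refreservation=$(reservation) \
	    $(zpool)/reserved; \
	  zfs create -o canmount=on -o mountpoint=/ \
	    $(if $(cipher),-o encryption=$(cipher) \
	    -o keyformat=passphrase \
	    -o keylocation=prompt) \
	    $(zpool)/root; \
	  for p in nix home var; do \
	    zfs create $(zpool)/root/\$$p; \
	  done; \
	  zfs set acltype=posixacl xattr=sa $(zpool)/root/var; \
	"'
# posixacl/xattr=sa on root/var: journald needs ACLs there, see
#https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported

#sudo zfs set sync=disabled $(zpool)/root/var/tmp
#sudo zfs set copies=2 $(zpool)/root/home/files
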
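# Drop $(TARGET)'s entry from known_hosts (the host part after the `@`) and
# push the local public key with ssh-copy-id. The entry is removed because a
# reinstalled host presents a new host key; the next connection therefore
# trusts whatever key the target presents — check the fingerprint ssh shows
# against the expected host key (presumably ssh/host.key.pub) before accepting.
# Phony: produces no file.
.PHONY: copy-ssh
copy-ssh:
	host=$(TARGET); host=$${host#*@}; ssh-keygen -R $$host
	ssh-copy-id $(TARGET)
#ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1
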
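# Build the $(hostName) system closure locally, copy it to $(TARGET), make it
# the system profile on the datasets created by `part`, and run the bootloader
# installation from a chroot; finally unmount and export the pool.
# credential.secret.gpg is decrypted locally and streamed over ssh stdin,
# landing on the target as a root-only (mode 400) file.
# The target-specific variables are recursive (`=`) on purpose: targetStore
# refers to targetRoot, which only exists for this target.
# Phony: `install` is a command, not a file.
.PHONY: install
install: NIX_STORE_DIR=/nix/store
install: targetRoot=/mnt/$(zpool)
install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR)
install: credential.secret.gpg
	nix -L build --out-link ../$(hostName).root \
	  "../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
# Import the pool, load the root key only if the dataset is encrypted and the
# key is not already available, then mount root, boot1, nix and var.
	ssh $(TARGET) sh -xec '" \
	  zpool list $(zpool) || zpool import $(zpool); \
	  test \$$(zfs get -H encryption -o value $(zpool)/root) = off || \
	  test \$$(zfs get -H keystatus -o value $(zpool)/root) = available || \
	  zfs load-key $(zpool)/root; \
	  mountpoint $(targetRoot) || \
	  mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root $(targetRoot); \
	  mountpoint $(targetRoot)/boot1 || \
	  mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_ssd1_boot $(targetRoot)/boot1; \
	  mountpoint $(targetRoot)/nix || \
	  mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/nix $(targetRoot)/nix; \
	  mountpoint $(targetRoot)/var || \
	  mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/var $(targetRoot)/var; \
	  findmnt \
	"'
# The closure path was hard-coded as ../blackberry.root here and in the chroot
# step; it now follows $(hostName) like the build above.
	nix copy --to "ssh://$(TARGET)?$(targetStore)" ../$(hostName).root
# The '$$(readlink -f ...)' below closes the single quote, so the store path is
# substituted by the *local* shell before the script reaches the target.
	gpg --decrypt credential.secret.gpg | \
	ssh $(TARGET) sh -xec '" \
	  nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
	    --set '$$(readlink -f ../$(hostName).root)'; \
	  mkdir -m 0755 -p $(targetRoot)/etc; \
	  touch $(targetRoot)/etc/NIXOS; \
	  install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
	"'
# The same local-substitution idiom replaces $(shell realpath -e ../blackberry.root):
# GNU make expands the whole recipe, $(shell) included, before running its first
# line, i.e. before `nix build` has created the out-link — so on a first run the
# path was empty (realpath -e fails) and on later runs it could be stale.
	ssh $(TARGET) nixos-enter --root $(targetRoot) -c '" \
	  set -eux; \
	  mount --rbind --mkdir / $(targetRoot); \
	  mount --make-rslave $(targetRoot); \
	  NIXOS_INSTALL_BOOTLOADER=1 '$$(readlink -f ../$(hostName).root)'/bin/switch-to-configuration boot; \
	  umount -R $(targetRoot) && rmdir $(targetRoot) \
	"'
# Unmount in reverse order and export the pool so the target can boot from it.
	ssh $(TARGET) sh -xec '" \
	  ! mountpoint $(targetRoot)/boot1 || \
	  umount -v $(targetRoot)/boot1; \
	  ! mountpoint $(targetRoot)/nix || \
	  umount -v $(targetRoot)/nix; \
	  ! mountpoint $(targetRoot)/var || \
	  umount -v $(targetRoot)/var; \
	  ! mountpoint $(targetRoot) || \
	  umount -v $(targetRoot); \
	  ! zpool list $(zpool) || \
	  zpool export $(zpool); \
	  findmnt \
	"'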