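# Provisioning Makefile for the NixOS host "blackberry": generates the host's
# secrets locally (machine-id, systemd credential key, SSH host key, Nebula
# key, ZFS root passphrase), then wipes, partitions and installs the target
# through an installer reached over SSH ($(ssh_target)).
#
# Remote-command quoting convention used below: `sh -xec '" ... "'`.  The local
# shell sees a single-quoted string whose content is a double-quoted string;
# ssh joins the words and the remote `sh -xec` executes the double-quoted
# string.  `$$` is the Make escape for a literal `$`, so `\$$p` becomes `\$p`
# inside the remote double quotes and is expanded by the remote shell (see the
# `for p in ...` loop in `part`).
#
# Secrets never travel as command-line arguments: the ZFS root passphrase is
# decrypted locally and piped into the remote shell's stdin, so it shows up
# neither in `ps` output nor in the remote `sh -x` trace.

#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
hostName := blackberry
# Stable by-id path of the target's only disk; `wipe` and `part` destroy
# everything on this device.
disk1 := /dev/disk/by-id/ata-CT250MX500SSD1_2004E2849DD5
zfs_pool := $(hostName)
# Leave zfs_cipher empty to create $(zfs_pool)/root without encryption.
zfs_cipher := aes-128-gcm
zfs_autotrim := on
zfs_reservation := 1G
zfs_compression := zstd
# Installer host; overridable from the command line: make ssh_target=root@HOST ...
ssh_target ?= root@192.168.3.105

# `-r KEY` arguments for every `gpg --encrypt` below, built from .gpg-id
# (one key id per line).  Deliberately recursive (=) so .gpg-id is read only
# when a recipe actually encrypts, not at every make invocation.
gpg_recipients = $(shell printf -- ' -r %s' $$(cat .gpg-id))

# Drop a half-written target when its recipe fails, so a truncated
# hashedPassword.clear or root.passphrase.gpg is never considered up to date.
.DELETE_ON_ERROR:
.PHONY: wipe part

# Fresh machine-id for the target.  $(@D) is "." here: the id is generated into
# a scratch ./etc, moved to $@, and the scratch directory removed.
machine-id.clear:
	systemd-machine-id-setup --root $(@D)
	mv $(@D)/etc/machine-id $@
	rmdir -p etc

# Host credential key bound to machine-id.clear.  In a private mount namespace,
# the generated machine-id is bound over /etc/machine-id and this directory
# over /var/lib/systemd, so systemd-creds writes ./credential.secret.
credential.secret: machine-id.clear
	sudo unshare --mount sh -xec ' \
	mount --bind machine-id.clear /etc/machine-id && \
	mount --bind . /var/lib/systemd && \
	systemd-creds setup --with-key=host \
	'

# Encrypt the (root-owned) credential key for the .gpg-id recipients and shred
# the plaintext.  chown first so gpg can read the file as $(USER).
credential.secret.gpg: credential.secret
	sudo chown $(USER) $<
	gpg --encrypt $(gpg_recipients) $<
	shred -fu $<

# Turn FILE.gpg into FILE.cred via the sibling helper script; the second
# argument is the bare file name ($(notdir) does what `basename` did).
%.cred: %.gpg
	../gpg2cred-local.sh $< $(notdir $*)

# Generic encryption rule: FILE -> FILE.gpg for the .gpg-id recipients.
%.gpg: %
	gpg --encrypt $(gpg_recipients) \
	"$*"

# Interactive: prompts for the user's password and stores its yescrypt hash
# without a trailing newline.
users/%/login/hashedPassword.clear:
	mkpasswd -m yescrypt | tr -d '\n' >$@

# Interactive: reads the ZFS root passphrase from stdin and stores it encrypted
# only; no plaintext copy is written.
root.passphrase.gpg:
	gpg --encrypt $(gpg_recipients) --output $@

# One ssh-keygen run produces both the private key and its .pub, so both are
# listed as targets; the recipe names the private key explicitly rather than
# using $@, because for the ssh/host.key.pub target `-f $@` would generate a
# private key called host.key.pub (plus host.key.pub.pub).
ssh/host.key ssh/host.key.pub:
	mkdir -p $(@D)
	ssh-keygen -t ed25519 -f $(@D)/host.key

# Encrypt the private host key and shred the plaintext.
ssh/host.key.gpg: ssh/host.key
	gpg --encrypt $(gpg_recipients) $<
	shred -fu $<

# Nebula keypair; the .pub is written by the same run.
nebula/$(hostName).key:
	nebula-cert keygen \
	-out-pub nebula/$(hostName).pub \
	-out-key nebula/$(hostName).key
	# Now nebula/$(hostName).pub needs to be signed by the CA
	# to produce a nebula/$(hostName).crt

# DESTRUCTIVE: export the pool, clear the ZFS label and zap the whole partition
# table of $(disk1) on $(ssh_target).  Refuse to run with an empty disk1 so a
# stray `make disk1= wipe` cannot reach `sgdisk --zap-all` without a device.
wipe:
	$(if $(strip $(disk1)),,$(error disk1 is empty))
	ssh $(ssh_target) sh -xec '" \
	modprobe zfs; \
	! zpool list $(zfs_pool) || zpool export -f $(zfs_pool); \
	zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_disk1_zpool || true; \
	sgdisk --zap-all $(disk1); \
	partprobe || true; \
	udevadm settle; \
	"'

# DESTRUCTIVE: partition $(disk1) (BIOS boot, EFI, swap, ZFS), create the pool
# and the dataset layout.  The root passphrase is decrypted locally and piped
# into the remote shell's stdin, where `zfs create ... -o keylocation=prompt`
# reads it; it never appears in a command line or in the `sh -x` trace.
part: wipe root.passphrase.gpg
# https://wiki.archlinux.org/index.php/BIOS_boot_partition
#sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_disk1_bios" $(disk1)
# https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
#printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk1) bs=1 seek=462
# https://help.ubuntu.com/community/SwapFaq#How_much_swap_do_I_need.3F
	gpg --decrypt root.passphrase.gpg | \
	ssh $(ssh_target) sh -xec '" \
	sgdisk -a1 -n0:34:2047 -t0:EF02 -c0:$(hostName)_disk1_bios $(disk1); \
	sgdisk -n0::+256M -t0:EF00 -c0:$(hostName)_disk1_boot $(disk1); \
	sgdisk -n0:0:+4G -t0:8200 -c0:$(hostName)_disk1_swap $(disk1); \
	sgdisk -n0:0:0 -t0:BF01 -c0:$(hostName)_disk1_zpool $(disk1); \
	sgdisk --randomize-guids $(disk1); \
	sgdisk --backup=$(hostName)_disk1.sgdisk $(disk1); \
	partprobe || true; \
	udevadm settle; \
	mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_disk1_boot; \
	zpool create -o ashift=12 \
	-O utf8only=on \
	-R /mnt/$(hostName) $(zfs_pool) /dev/disk/by-partlabel/$(hostName)_disk1_zpool; \
	zpool set autotrim=$(zfs_autotrim) $(zfs_pool); \
	zfs set \
	acltype=off \
	atime=off \
	canmount=off \
	compression=$(zfs_compression) \
	dnodesize=auto \
	relatime=on \
	xattr=off \
	mountpoint=none \
	$(zfs_pool); \
	zfs create \
	-o canmount=off \
	-o mountpoint=none \
	-o refreservation=$(zfs_reservation) \
	$(zfs_pool)/reserved; \
	zfs create -o canmount=on -o mountpoint=/ \
	$(if $(zfs_cipher),-o encryption=$(zfs_cipher) \
	-o keyformat=passphrase \
	-o keylocation=prompt) \
	$(zfs_pool)/root; \
	for p in nix home var; do \
	zfs create $(zfs_pool)/root/\$$p; \
	done; \
	zfs set acltype=posixacl xattr=sa $(zfs_pool)/root/var; \
	"'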
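#https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported
#sudo zfs set sync=disabled $(zfs_pool)/root/var/tmp
#sudo zfs set copies=2 $(zfs_pool)/root/home/files

.PHONY: copy-ssh install unmount

# Where the target's root dataset is mounted on the installer host.  Defined at
# file level because both `install` and `unmount` use it; as an install-only
# target-specific variable it expanded to empty inside `unmount`, so that
# recipe checked and unmounted "/boot1", "/nix", "/var" and "" instead.
targetRoot := /mnt/$(hostName)

# Reset the installer's cached SSH host key (it changes across reinstalls, so a
# stale entry blocks the connection) and push the local public key.  After
# `ssh-keygen -R` the next connection accepts whatever host key $(ssh_target)
# presents: compare the fingerprint it shows with the key expected for this
# host before accepting.
copy-ssh:
	host=$(ssh_target); host=$${host#*@}; ssh-keygen -R $$host
	ssh-copy-id $(ssh_target)
#ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1

install: NIX_STORE_DIR=/nix/store
# Store URI for `nix copy`: the installer's store, chrooted into $(targetRoot)
# (%3f and %26 are the URL-encoded '?' and '&' of the nested remote-store URI).
install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR)
install: credential.secret.gpg
# Step 1: build the system closure locally, symlinked at ../$(hostName).root.
# This may require to increase the size of the partition holding the Nix store.
# Especially when building from a live NixOS whose RAM is not compressed:
# mount -o remount,size=30G /nix/.rw-store
	nix -L build --out-link ../$(hostName).root \
	"../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
# Step 2: import the pool, load the root dataset's key only when the dataset is
# encrypted and the key is not already loaded (interactive prompt), then mount
# root, boot1, nix and var under $(targetRoot); each mount is skipped if the
# mountpoint is already in use, so the step is re-runnable.
	ssh $(ssh_target) sh -xec '" \
	zpool list $(zfs_pool) || zpool import $(zfs_pool); \
	test \$$(zfs get -H encryption -o value $(zfs_pool)/root) = off || \
	test \$$(zfs get -H keystatus -o value $(zfs_pool)/root) = available || \
	zfs load-key $(zfs_pool)/root; \
	mountpoint $(targetRoot) || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root $(targetRoot); \
	mountpoint $(targetRoot)/boot1 || \
	mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_disk1_boot $(targetRoot)/boot1; \
	mountpoint $(targetRoot)/nix || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/nix $(targetRoot)/nix; \
	mountpoint $(targetRoot)/var || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/var $(targetRoot)/var; \
	findmnt \
	"'
# Step 3: copy the closure into the target's store through the installer.
	nix copy --to "ssh://$(ssh_target)?$(targetStore)" ../$(hostName).root
# Step 4: point the system profile at the closure and install the credential
# key.  The key is decrypted locally and streamed over stdin straight into a
# root-only 0400 file, never through an argument or a temporary file.  The
# `'$$(readlink -f ...)'` closes the local single quote so the store path is
# resolved on the local side before ssh sees it (it is expected to exist on the
# target after step 3).
	gpg --decrypt credential.secret.gpg | \
	ssh $(ssh_target) sh -xec '" \
	nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
	--set '$$(readlink -f ../$(hostName).root)'; \
	mkdir -m 0755 -p $(targetRoot)/etc; \
	touch $(targetRoot)/etc/NIXOS; \
	install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
	"'
# Step 5: install the bootloader from inside the target (same local-side path
# resolution trick as above).
	ssh $(ssh_target) nixos-enter --root $(targetRoot) -c '" \
	set -eux; \
	mount --rbind --mkdir / $(targetRoot); \
	mount --make-rslave $(targetRoot); \
	NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \
	umount -R $(targetRoot) && rmdir $(targetRoot) \
	"'

# Undo the mounts made by `install` (each only if still mounted), then export
# the pool; `zpool export` without -f makes the recipe fail while something is
# still busy instead of forcing it.
unmount:
	ssh $(ssh_target) sh -xec '" \
	! mountpoint $(targetRoot)/boot1 || \
	umount -v $(targetRoot)/boot1; \
	! mountpoint $(targetRoot)/nix || \
	umount -v $(targetRoot)/nix; \
	! mountpoint $(targetRoot)/var || \
	umount -v $(targetRoot)/var; \
	! mountpoint $(targetRoot) || \
	umount -v $(targetRoot); \
	! zpool list $(zfs_pool) || \
	zpool export $(zfs_pool); \
	findmnt \
	"'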