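# Provisioning Makefile for the NixOS host "blackberry": generates and
# GPG-protects the per-host secrets locally, then wipes, partitions and
# installs the target disk over SSH.  Run it from this directory: .gpg-id and
# ../gpg2cred-local.sh are looked up relative to the working directory.
#
# shred relies on in-place overwrite; on copy-on-write or journaling
# filesystems and on SSDs the old blocks may survive, so keep this directory
# on storage whose disposal you control.
#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
hostName := blackberry
disk_ssd1 := /dev/disk/by-id/ata-CT250MX500SSD1_2004E2849DD5
zpool := $(hostName)
# Leave empty to create $(zpool)/root without ZFS native encryption (see `part`).
cipher := aes-128-gcm
autotrim := on
reservation := 1G
compression := zstd
#TARGET ?= root@localhost
# SSH destination of the machine being installed; override with
# `make TARGET=root@host install`.
TARGET ?= root@192.168.3.105

# One `-r KEYID` per whitespace-separated key id in .gpg-id.  Recursive (=)
# on purpose: the shell is forked only when a recipe expands it, so parsing
# this file does not require .gpg-id to exist.
gpg_recipients = $(shell printf -- ' -r %s' $$(cat .gpg-id))

# Command targets, not files.
.PHONY: wipe part copy-ssh install

# Cleartext secrets are shredded right after encryption.  Listing them here
# keeps make from regenerating (and thereby replacing) a secret merely
# because its cleartext is gone while the .gpg copy still exists.  Keep
# machine-id.clear around: rebuilding it would cascade into credential.secret.
.SECONDARY: credential.secret ssh/host.key

# Deliberately not .DELETE_ON_ERROR: several rules destroy their cleartext
# input after writing $@, so a failure late in a recipe must not also discard
# the encrypted copy.

# Fresh machine-id for the target, kept as a plain file next to this
# Makefile.  $(@D) is "." here, so systemd-machine-id-setup writes
# ./etc/machine-id, which is then moved into place and its directory removed.
machine-id.clear:
	systemd-machine-id-setup --root $(@D)
	mv $(@D)/etc/machine-id $@
	rmdir -p etc

# Host credential key created by systemd-creds inside a private mount
# namespace: machine-id.clear is bound over /etc/machine-id and this
# directory over /var/lib/systemd, so what systemd-creds writes there ends up
# here as $@ (root-owned, hence the chown in the next rule).
credential.secret: machine-id.clear
	sudo unshare --mount sh -xec ' \
	mount --bind machine-id.clear /etc/machine-id && \
	mount --bind . /var/lib/systemd && \
	systemd-creds setup --with-key=host \
	'

# Encrypt the credential key to the .gpg-id recipients, then destroy the
# cleartext.  The prerequisite is required: $< is what gets shredded.
credential.secret.gpg: credential.secret
	sudo chown $(USER) $<
	gpg --encrypt $(gpg_recipients) --output $@ $<
	shred -fu $<

# Turn an encrypted secret into a credential via the sibling helper script,
# which presumably decrypts $< and names the result after the stem.
%.cred: %.gpg
	../gpg2cred-local.sh $< $(notdir $*)

# Hash a user password (mkpasswd prompts for it on the terminal).  The hash
# is written without a trailing newline and readable only by its owner.
users/%/login/hashedPassword.clear:
	mkdir -p $(@D)
	umask 077 && mkpasswd -m yescrypt | tr -d '\n' >$@

# ZFS root passphrase, stored encrypted only; gpg reads it from stdin, so
# type it and close with Ctrl-D (the terminal echoes it) or pipe it in.
# `part` decrypts it when the encrypted root dataset is created.
root.passphrase.gpg:
	gpg --encrypt $(gpg_recipients) --output $@

# Target's ed25519 SSH host key.  ssh-keygen writes the .pub next to the
# private key, so the public half is a by-product of this rule rather than
# a second target on the same header (which would have run
# `ssh-keygen -f ssh/host.key.pub` under parallel or partial builds).
ssh/host.key:
	mkdir -p $(@D)
	ssh-keygen -t ed25519 -f $@
ssh/host.key.pub: ssh/host.key ;

# Encrypted copy of the host key; the cleartext is destroyed afterwards.
ssh/host.key.gpg: ssh/host.key
	gpg --encrypt $(gpg_recipients) --output $@ $<
	shred -fu $<

# Nebula host keypair.  The public key stays in cleartext (it is what gets
# signed into a certificate); the private key is encrypted and then
# destroyed, consistent with the other private keys above.
nebula/$(hostName).key.gpg:
	mkdir -p $(@D)
	nebula-cert keygen \
	-out-pub nebula/$(hostName).pub \
	-out-key nebula/$(hostName).key
	gpg --encrypt $(gpg_recipients) --output $@ nebula/$(hostName).key
	shred -fu nebula/$(hostName).key

# DESTRUCTIVE: export the pool and erase every partition of $(disk_ssd1) on
# $(TARGET).  `part` depends on this, so `make part` always starts by wiping.
#
# Quoting used by all remote scripts below: the local single quotes carry a
# double-quoted string to the remote login shell, which hands it to `sh -c`.
# `\$$` defers a substitution to that inner shell; `'$$(...)'` briefly leaves
# the local quotes so the substitution runs on this machine and its result
# travels as literal text.
wipe:
	ssh $(TARGET) sh -xec '" \
	modprobe zfs; \
	! zpool list $(zpool) || zpool export -f $(zpool); \
	zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_ssd1_zpool || true; \
	sgdisk --zap-all $(disk_ssd1); \
	partprobe || true; \
	udevadm settle; \
	"'

# Partition $(disk_ssd1), create the pool and its datasets.  The root
# passphrase is decrypted locally and piped into the remote script's stdin,
# where `zfs create ... -o keylocation=prompt` reads it; none of the commands
# before it may consume stdin.  `sh -x` traces command lines, not stdin, so
# the passphrase is not echoed by the trace.
part: wipe root.passphrase.gpg
# https://wiki.archlinux.org/index.php/BIOS_boot_partition
#sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_ssd1_bios" $(disk_ssd1)
# https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
#printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_ssd1) bs=1 seek=462
	gpg --decrypt root.passphrase.gpg | \
	ssh $(TARGET) sh -xec '" \
	sgdisk -a1 -n0:34:2047 -t0:EF02 -c0:$(hostName)_ssd1_bios $(disk_ssd1); \
	sgdisk -n0::+256M -t0:EF00 -c0:$(hostName)_ssd1_boot $(disk_ssd1); \
	sgdisk -n0:0:+4G -t0:8200 -c0:$(hostName)_ssd1_swap $(disk_ssd1); \
	sgdisk -n0:0:0 -t0:BF01 -c0:$(hostName)_ssd1_zpool $(disk_ssd1); \
	sgdisk --randomize-guids $(disk_ssd1); \
	sgdisk --backup=$(hostName)_ssd1.sgdisk $(disk_ssd1); \
	partprobe || true; \
	udevadm settle; \
	mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_ssd1_boot; \
	zpool create -o ashift=12 \
	-O utf8only=on \
	-R /mnt/$(zpool) $(zpool) /dev/disk/by-partlabel/$(hostName)_ssd1_zpool; \
	zpool set autotrim=$(autotrim) $(zpool); \
	zfs set \
	acltype=off \
	atime=off \
	canmount=off \
	compression=$(compression) \
	dnodesize=auto \
	relatime=on \
	xattr=off \
	mountpoint=none \
	$(zpool); \
	zfs create \
	-o canmount=off \
	-o mountpoint=none \
	-o refreservation=$(reservation) \
	$(zpool)/reserved; \
	zfs create -o canmount=on -o mountpoint=/ \
	$(if $(cipher),-o encryption=$(cipher) \
	-o keyformat=passphrase \
	-o keylocation=prompt) \
	$(zpool)/root; \
	for p in nix home var; do \
	zfs create $(zpool)/root/\$$p; \
	done; \
	zfs set acltype=posixacl xattr=sa $(zpool)/root/var; \
	"'
#https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported
#sudo zfs set sync=disabled $(zpool)/root/var/tmp
#sudo zfs set copies=2 $(zpool)/root/home/files

# Forget the pinned host key of $(TARGET) (it legitimately changes after a
# reinstall) and push the local SSH identity.  Compare the fingerprint
# ssh-copy-id presents with ssh/host.key.pub before accepting it, since the
# known_hosts entry no longer protects this connection.
copy-ssh:
	ssh-keygen -R $(lastword $(subst @, ,$(TARGET)))
	ssh-copy-id $(TARGET)
#ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1

# Build the system closure locally, mount the target datasets under
# $(targetRoot), copy the closure, set the system profile, install the
# credential key, run the bootloader installation inside the target root and
# finally unmount and export.
# targetStore is the nix store URI query that makes the remote daemon operate
# on the store rooted at $(targetRoot) (%3f and %26 are the encoded ? and &
# of the nested remote-store URI).
install: NIX_STORE_DIR=/nix/store
install: targetRoot=/mnt/$(zpool)
install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR)
install: credential.secret.gpg
	nix -L build --out-link ../$(hostName).root \
	"../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
	ssh $(TARGET) sh -xec '" \
	zpool list $(zpool) || zpool import $(zpool); \
	test \$$(zfs get -H encryption -o value $(zpool)/root) = off || \
	test \$$(zfs get -H keystatus -o value $(zpool)/root) = available || \
	zfs load-key $(zpool)/root; \
	mountpoint $(targetRoot) || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root $(targetRoot); \
	mountpoint $(targetRoot)/boot1 || \
	mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_ssd1_boot $(targetRoot)/boot1; \
	mountpoint $(targetRoot)/nix || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/nix $(targetRoot)/nix; \
	mountpoint $(targetRoot)/var || \
	mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/var $(targetRoot)/var; \
	findmnt \
	"'
	nix copy --to "ssh://$(TARGET)?$(targetStore)" ../$(hostName).root
	gpg --decrypt credential.secret.gpg | \
	ssh $(TARGET) sh -xec '" \
	nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
	--set '$$(readlink -f ../$(hostName).root)'; \
	mkdir -m 0755 -p $(targetRoot)/etc; \
	touch $(targetRoot)/etc/NIXOS; \
	install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
	"'
# The store path is resolved with the same local-substitution trick as the
# nix-env line above rather than with $(shell realpath ...): make expands
# every line of a recipe before running the first one, so a $(shell) here
# would read the out-link before `nix build` has (re)created it.
	ssh $(TARGET) nixos-enter --root $(targetRoot) -c '" \
	set -eux; \
	mount --rbind --mkdir / $(targetRoot); \
	mount --make-rslave $(targetRoot); \
	NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \
	umount -R $(targetRoot) && rmdir $(targetRoot) \
	"'
	ssh $(TARGET) sh -xec '" \
	! mountpoint $(targetRoot)/boot1 || \
	umount -v $(targetRoot)/boot1; \
	! mountpoint $(targetRoot)/nix || \
	umount -v $(targetRoot)/nix; \
	! mountpoint $(targetRoot)/var || \
	umount -v $(targetRoot)/var; \
	! mountpoint $(targetRoot) || \
	umount -v $(targetRoot); \
	! zpool list $(zpool) || \
	zpool export $(zpool); \
	findmnt \
	"'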