#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))) hostName := courge disk_ssd1 := /dev/disk/by-id/nvme-INTEL_SSDPEKKF256G8L_BTHP91220R5E256B zpool := $(hostName) cipher := aes-128-gcm autotrim := on reservation := 1G compression := zstd TARGET ?= root@192.168.3.101 machine-id.clear: touch -a $@ sudo unshare --mount sh -xc 'mount --bind $@ /etc/machine-id && systemd-machine-id-setup' credential.secret: machine-id.clear sudo unshare --mount sh -xc 'mount --bind machine-id.clear /etc/machine-id && mount --bind . /var/lib/systemd && systemd-creds setup' credential.secret.gpg: credential.secret sudo chown $(USER) credential.secret gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) credential.secret shred -fu $< ssh/host.key ssh/host.key.pub: mkdir -p $(@D) ssh-keygen -t ed25519 -f $@ ssh/host.key.gpg: ssh/host.key gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) $< shred -fu $< ssh/host.key.cred: ssh/host.key.gpg ../gpg2cred-local.sh $< host.key wipe: ssh $(TARGET) sh -xec '" \ modprobe zfs; \ ! zpool list $(zpool) || zpool export -f $(zpool); \ zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_ssd1_zpool || true; \ sgdisk --zap-all $(disk_ssd1); \ partprobe || true; \ udevadm settle; \ "' part: wipe # https://wiki.archlinux.org/index.php/BIOS_boot_partition #sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_ssd1_bios" $(disk_ssd1) # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT #printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_ssd1) bs=1 seek=462 ssh $(TARGET) sh -xec '" \ sgdisk -n0::+256M -t0:EF00 -c0:"$(hostName)_ssd1_boot" $(disk_ssd1); \ sgdisk -n0:0:+4G -t0:8200 -c0:"$(hostName)_ssd1_swap" $(disk_ssd1); \ sgdisk -n0:0:0 -t0:BF01 -c0:"$(hostName)_ssd1_zpool" $(disk_ssd1); \ sgdisk --randomize-guids $(disk_ssd1); \ sgdisk --backup=$(hostName)_ssd1.sgdisk $(disk_ssd1); \ partprobe || true; \ udevadm settle; \ mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_ssd1_boot; \ zpool create -o ashift=12 \ -O utf8only=on \ -R /mnt/$(hostName) $(zpool) /dev/disk/by-partlabel/$(hostName)_ssd1_zpool; \ zpool set autotrim=$(autotrim) $(zpool); \ zfs set \ acltype=off \ atime=off \ canmount=off \ compression=$(compression) \ dnodesize=auto \ relatime=on \ xattr=off \ mountpoint=none \ $(zpool); \ zfs create -o canmount=off -o mountpoint=none $(zpool)/reserved; \ zfs set refreservation=$(reservation) $(zpool)/reserved; \ zfs create -o canmount=on -o mountpoint=/ \ $(if $(cipher),-o encryption=$(cipher) \ -o keyformat=passphrase \ -o keylocation=prompt) \ $(zpool)/root; \ for p in nix home var; do \ zfs create $(zpool)/root/\$$p; \ done; \ zfs set acltype=posixacl xattr=sa $(zpool)/root/var; \ "' #https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported #sudo zfs set sync=disabled $(zpool)/root/var/tmp #sudo zfs set copies=2 $(zpool)/root/home/files copy-ssh: host=$(TARGET); host=$${host#*@}; ssh-keygen -R $$host ssh-copy-id $(TARGET) #ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1 install: NIX_STORE_DIR=/nix/store install: targetRoot=/mnt/$(hostName) install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR) install: nix -L build --out-link ../$(hostName).root \ "../..#nixosConfigurations.$(hostName).config.system.build.toplevel" ssh $(TARGET) sh -xec '" \ zpool list $(zpool) || zpool import $(zpool); \ test \$$(zfs get -H encryption -o value $(zpool)/root) = off || \ test \$$(zfs get -H keystatus -o value $(zpool)/root) = available || \ zfs load-key $(zpool)/root; \ mountpoint $(targetRoot) || \ mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root $(targetRoot); \ mountpoint $(targetRoot)/boot1 || \ mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_ssd1_boot $(targetRoot)/boot1; \ mountpoint $(targetRoot)/nix || \ mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/nix $(targetRoot)/nix; \ mountpoint $(targetRoot)/var || \ mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/var $(targetRoot)/var; \ findmnt \ "' nix copy --to "ssh://$(TARGET)?$(targetStore)" ../$(hostName).root gpg -d credential.secret.gpg | \ ssh $(TARGET) sh -xec '" \ nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \ --set '$$(readlink -f ../$(hostName).root)'; \ mkdir -m 0755 -p $(targetRoot)/etc; \ touch $(targetRoot)/etc/NIXOS; \ install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \ "' ssh $(TARGET) nixos-enter --root $(targetRoot) -c '" \ set -eux; \ mount --rbind --mkdir / $(targetRoot); \ mount --make-rslave $(targetRoot); \ NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \ umount -R $(targetRoot) && rmdir $(targetRoot) \ "'