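# Provisioning of the NixOS host $(hostName): secret generation (encrypted at rest
# with gpg and git-crypt), disk wiping/partitioning and ZFS pool creation.
# Recipes of the form `ssh $(ssh_target) sh -xec '" ... "'` run on the target machine
# (booted from a live NixOS); the local shell keeps the body verbatim in single quotes
# and the remote shell sees it double-quoted, so only `\$$` survives as a remote `$`.
MAKEFLAGS += --no-builtin-rules
.SUFFIXES:
# Several recipes pipe secrets (`gpg --decrypt ... | ssh ...`); with pipefail a failing
# gpg aborts the recipe instead of silently feeding an empty secret to the remote side.
SHELL := bash
.SHELLFLAGS := -e -o pipefail -c
# Drop a half-written target when its recipe fails (does not apply to .PRECIOUS targets).
.DELETE_ON_ERROR:
.DEFAULT_GOAL := git-crypt
.PHONY: git-crypt creds clears wipe part

hostName := nan2gua1
domainName := sourcephile.fr
disk1 := /dev/disk/by-id/nvme-SKHynix_HFS512GDE9X081N_FYABN01431060B636_1
zfs_pool := $(hostName)
# Native ZFS encryption of $(zfs_pool)/root; empty disables encryption
# (OpenZFS's own default for encryption=on is aes-256-gcm).
zfs_encryption := aes-128-gcm
zfs_autotrim := on
# Space reserved by the `emergency` dataset so the pool can never fill up entirely.
zfs_emergency := 1G
zfs_compression := zstd
# Where the live installer is reachable; override with `make ssh_target=root@... part`.
ssh_target ?= root@192.168.4.100
# Non-empty to also create a BIOS boot partition (see `part`).
disk_bios :=
disk_boot_size := 512M
disk_swap_size := 4G
# Secrets delivered to the target as systemd credentials: each %.cred is derived
# from its %.gpg, itself derived from the cleartext % (see the pattern rules below).
creds := \
  ssh/host.key.cred \
  nebula/$(domainName)/$(hostName).key.cred

## One-time setup: create the git-crypt key of this host and grant the GPG ids of .gpg-id.
git-crypt:
	test -s ../../.git/git-crypt/keys/"$(hostName)" || \
	  git-crypt init --key-name "$(hostName)"
	git-crypt add-gpg-user --key-name "$(hostName)" $$(cat .gpg-id)

## Generate every secret of the host.
creds: host-id.clear machine-id.clear credential.secret.gpg $(creds)
# ExplanationNote: avoid regenerating secrets that have been removed for security.
# The cleartext is shredded once its %.gpg exists; marking it .SECONDARY means a
# missing cleartext does not trigger a rebuild (and a new secret) while the %.gpg
# is up to date.
.SECONDARY: credential.secret $(patsubst %.cred,%,$(creds))
.PRECIOUS: %.clear

# First 8 hex characters of a UUID, no trailing newline.
# The file is only written once uuidgen has succeeded (it is .PRECIOUS, so make
# would otherwise keep an empty file).
host-id.clear:
	id=$$(uuidgen) && printf '%s' "$${id%%-*}" >"$@"

# systemd machine-id format: the UUID without dashes, newline-terminated.
machine-id.clear:
	id=$$(uuidgen) && printf '%s\n' "$$id" | tr -d - >"$@"

# Generated by systemd-creds in a private mount namespace so that it is bound to
# machine-id.clear (bind-mounted over /etc/machine-id) and written into ./
# (bind-mounted over /var/lib/systemd). The result is root-owned; %.gpg chowns it.
credential.secret: machine-id.clear
	sudo unshare --mount sh -xec ' \
	  mount --bind machine-id.clear /etc/machine-id && \
	  mount --bind . /var/lib/systemd && \
	  systemd-creds setup \
	'

# A .cred is produced on the target itself by ../gpg2cred-remote.sh (ssh_target is
# passed through the environment); the local variant would be
# `../gpg2cred-local.sh $< $(notdir $*)`.
.PRECIOUS: %.cred
%.cred: %.gpg
	ssh_target=$(ssh_target) ../gpg2cred-remote.sh $< $(notdir $*)

# Encrypt a cleartext secret to every GPG id listed in .gpg-id, then shred the cleartext.
# The ciphertext goes to $@.tmp first: an interrupted gpg must not leave a truncated
# %.gpg that looks up to date (%.gpg is .PRECIOUS, so make would not delete it).
# credential.secret is root-owned (see its rule), hence the chown before shred -fu.
# NOTE(review): shred is best-effort on CoW/journaling filesystems and SSDs.
.PRECIOUS: %.gpg
%.gpg: %
	test "$$(stat -c %U "$<")" = "$(USER)" || sudo chown "$(USER)" "$<"
	gpg --encrypt $(addprefix -r ,$(shell cat .gpg-id)) --output "$@.tmp" "$<"
	mv -f "$@.tmp" "$@"
	shred -fu "$<"

# Passphrase of the encrypted $(zfs_pool)/root dataset, read from stdin and kept
# only in encrypted form (decrypted on the fly by `part`).
zpool_root.passphrase.gpg:
	gpg --encrypt $(addprefix -r ,$(shell cat .gpg-id)) --output "$@.tmp"
	mv -f "$@.tmp" "$@"

# Interactive: mkpasswd prompts for the password. The hash is stored without newline.
users/%/login/hashedPassword.clear:
	mkdir -p "$(@D)"
	mkpasswd -m yescrypt | tr -d '\n' >"$@"

# SSH host key pair. A host key cannot be passphrase-protected (sshd loads it
# unattended), hence -N ''. The public key is derived from the private one
# rather than being a second target of the same rule: `ssh-keygen -f ssh/host.key.pub`
# would write ssh/host.key.pub.pub, and two rules sharing a recipe race under make -j.
ssh/host.key:
	mkdir -p "$(@D)"
	ssh-keygen -t ed25519 -N '' -f "$@"
ssh/host.key.pub: ssh/host.key
	ssh-keygen -y -f "$<" >"$@"

# Nebula host key pair. nebula/$(domainName)/$(hostName).pub still needs to be
# signed by the CA to produce nebula/$(domainName)/$(hostName).crt.
nebula/$(domainName)/$(hostName).key:
	mkdir -p "$(@D)"
	nebula-cert keygen \
	  -out-pub "$(basename $@).pub" \
	  -out-key "$@"

## Generate the non-secret clear files.
clears: \
  users/julm/login/hashedPassword.clear

## DESTRUCTIVE: export the pool and zap every partition of $(disk1) on $(ssh_target).
## Refuses to run when /home/julm exists there, i.e. when it is not the live installer.
wipe:
	ssh $(ssh_target) sh -xec '" \
	  test ! -d /home/julm; \
	  modprobe zfs; \
	  ! zpool list $(zfs_pool) || zpool export -f $(zfs_pool); \
	  zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_disk1_zpool || true; \
	  sgdisk --zap-all $(disk1); \
	  partprobe || true; \
	  udevadm settle; \
	"'

## DESTRUCTIVE (runs `wipe` first): partition $(disk1), format the ESP, create the
## ZFS pool and its datasets. The root passphrase is piped from
## zpool_root.passphrase.gpg into the remote `zfs create ... -o keylocation=prompt`;
## it travels on stdin, so the remote `sh -x` trace does not echo it.
# https://wiki.archlinux.org/index.php/BIOS_boot_partition
# BIOS boot partition (when disk_bios is set): sgdisk -a1 -n0:34:2047 -t0:EF02
# https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
# Legacy trick, not applied: printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | dd of=$(disk1) bs=1 seek=462
# https://help.ubuntu.com/community/SwapFaq#How_much_swap_do_I_need.3F
part: wipe zpool_root.passphrase.gpg
	gpg --decrypt zpool_root.passphrase.gpg | \
	ssh $(ssh_target) sh -xec '" \
	  $(if $(disk_bios),sgdisk -a1 -n0:34:2047 -t0:EF02 -c0:$(hostName)_disk1_bios $(disk1);,) \
	  sgdisk -n0::+$(disk_boot_size) -t0:EF00 -c0:"$(hostName)_disk1_boot" $(disk1); \
	  sgdisk -n0:0:+$(disk_swap_size) -t0:8200 -c0:"$(hostName)_disk1_swap" $(disk1); \
	  sgdisk -n0:0:0 -t0:BF01 -c0:"$(hostName)_disk1_zpool" $(disk1); \
	  sgdisk --randomize-guids $(disk1); \
	  sgdisk --backup=$(hostName)_disk1.sgdisk $(disk1); \
	  partprobe || true; \
	  udevadm settle; \
	  mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_disk1_boot; \
	  zpool create -o ashift=12 \
	    -O utf8only=on \
	    -R /mnt/$(hostName) $(zfs_pool) /dev/disk/by-partlabel/$(hostName)_disk1_zpool; \
	  zpool set autotrim=$(zfs_autotrim) $(zfs_pool); \
	  zfs set \
	    acltype=off \
	    atime=off \
	    canmount=off \
	    compression=$(zfs_compression) \
	    dnodesize=auto \
	    relatime=on \
	    xattr=off \
	    mountpoint=none \
	    $(zfs_pool); \
	  zfs create \
	    -o canmount=off \
	    -o mountpoint=none \
	    -o refreservation=$(zfs_emergency) \
	    $(zfs_pool)/emergency; \
	  zfs create -o canmount=on -o mountpoint=/ \
	    $(if $(zfs_encryption),-o encryption=$(zfs_encryption) \
	    -o keyformat=passphrase \
	    -o keylocation=prompt) \
	    $(zfs_pool)/root; \
	  for p in nix home var; do \
	    zfs create $(zfs_pool)/root/\$$p; \
	  done; \
	  zfs set acltype=posixacl xattr=sa $(zfs_pool)/root/var; \
	"'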
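# https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported
# Optional tunings, not applied:
#   zfs set sync=disabled $(zfs_pool)/root/var/tmp
#   zfs set copies=2 $(zfs_pool)/root/home/files

.PHONY: copy-ssh install unmount

## Forget the target's previous SSH host key (it changes with every reinstall) and
## push our public key. This re-establishes trust on first use: ssh-copy-id accepts
## the new host key unverified.
copy-ssh:
	ssh-keygen -R "$(lastword $(subst @, ,$(ssh_target)))"
	ssh-copy-id $(ssh_target)
#ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1

# Mount point of the target's root dataset on the installer. Global because both
# `install` and `unmount` use it (as a target-specific variable of `install` only,
# it expanded to nothing in `unmount`, which then tested /boot1, /nix and /var).
targetRoot := /mnt/$(hostName)
install: NIX_STORE_DIR=/nix/store
# Nix store URL parameters for `nix copy`: %3f is an URL-encoded `?`.
install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3freal=$(targetRoot)$(NIX_STORE_DIR)
#%26store=$(NIX_STORE_DIR)

## Build the system locally, mount the target's datasets, copy the closure over,
## set the system profile, install credential.secret (root, mode 0400) and the bootloader.
install: credential.secret.gpg
	# This may require to increase the size of the partition holding the Nix store.
	# Especially when building from a live NixOS whose RAM is not compressed:
	# mount -o remount,size=30G /nix/.rw-store
	nix -L build --out-link ../$(hostName).root \
	  "../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
	ssh $(ssh_target) sh -xec '" \
	  mount -o remount,size=30G /nix/.rw-store; \
	  zpool list $(zfs_pool) || zpool import $(zfs_pool); \
	  test \$$(zfs get -H encryption -o value $(zfs_pool)/root) = off || \
	  test \$$(zfs get -H keystatus -o value $(zfs_pool)/root) = available || \
	  zfs load-key $(zfs_pool)/root; \
	  mountpoint $(targetRoot) || \
	  mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root $(targetRoot); \
	  mountpoint $(targetRoot)/boot1 || \
	  mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_disk1_boot $(targetRoot)/boot1; \
	  mountpoint $(targetRoot)/nix || \
	  mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/nix $(targetRoot)/nix; \
	  mountpoint $(targetRoot)/var || \
	  mount -v -o zfsutil,X-mount.mkdir -t zfs $(zfs_pool)/root/var $(targetRoot)/var; \
	  findmnt \
	"'
	nix copy --to "ssh://$(ssh_target)?$(targetStore)" ../$(hostName).root
	# The decrypted credential travels on ssh's stdin and is written by `install`
	# from /dev/stdin; `test -s` makes sure an empty stdin (gpg failure) cannot leave
	# an empty credential.secret behind on the target.
	gpg --decrypt credential.secret.gpg | \
	ssh $(ssh_target) sh -xec '" \
	  nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
	    --set '$$(readlink -f ../$(hostName).root)'; \
	  mkdir -m 0755 -p $(targetRoot)/etc; \
	  touch $(targetRoot)/etc/NIXOS; \
	  install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
	  test -s $(targetRoot)/var/lib/systemd/credential.secret; \
	"'
	ssh $(ssh_target) nixos-enter --root $(targetRoot) -c '" \
	  set -eux; \
	  mount --rbind --mkdir / $(targetRoot); \
	  mount --make-rslave $(targetRoot); \
	  NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \
	  umount -R $(targetRoot) && rmdir $(targetRoot) \
	"'

## Unmount the target's datasets and export the pool (each step skipped if not mounted).
unmount:
	ssh $(ssh_target) sh -xec '" \
	  ! mountpoint $(targetRoot)/boot1 || \
	  umount -v $(targetRoot)/boot1; \
	  ! mountpoint $(targetRoot)/nix || \
	  umount -v $(targetRoot)/nix; \
	  ! mountpoint $(targetRoot)/var || \
	  umount -v $(targetRoot)/var; \
	  ! mountpoint $(targetRoot) || \
	  umount -v $(targetRoot); \
	  ! zpool list $(zfs_pool) || \
	  zpool export $(zfs_pool); \
	  findmnt \
	"'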