#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
hostName := courge
-disk_ssd := /dev/disk/by-id/ata-Samsung_SSD_850_PRO_128GB_S1SMNSAFC36436X
+disk_ssd1 := /dev/disk/by-id/nvme-INTEL_SSDPEKKF256G8L_BTHP91220R5E256B
zpool := $(hostName)
cipher := aes-128-gcm
autotrim := on
reservation := 1G
compression := zstd
+TARGET ?= root@192.168.3.101
machine-id.clear:
touch -a $@
../gpg2cred-local.sh $< host.key
wipe:
- sudo modprobe zfs
- sudo zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_ssd_zpool || true
- sudo $$(which sgdisk) --zap-all $(disk_ssd)
+ ssh $(TARGET) sh -xec '" \
+ modprobe zfs; \
+ ! zpool list $(zpool) || zpool export -f $(zpool); \
+ zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_ssd1_zpool || true; \
+ sgdisk --zap-all $(disk_ssd1); \
+ partprobe || true; \
+ udevadm settle; \
+ "'
part: wipe
# https://wiki.archlinux.org/index.php/BIOS_boot_partition
- sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_ssd_bios" $(disk_ssd)
- sudo $$(which sgdisk) -n0:1M:+32M -t0:EF00 -c0:"$(hostName)_ssd_efi" $(disk_ssd)
- sudo $$(which sgdisk) -n0:0:+256M -t0:8300 -c0:"$(hostName)_ssd_boot" $(disk_ssd)
- sudo $$(which sgdisk) -n0:0:+4G -t0:8200 -c0:"$(hostName)_ssd_swap" $(disk_ssd)
- sudo $$(which sgdisk) -n0:0:0 -t0:BF01 -c0:"$(hostName)_ssd_zpool" $(disk_ssd)
+ #sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_ssd1_bios" $(disk_ssd1)
# https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
- printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_ssd) bs=1 seek=462
- sudo $$(which sgdisk) --randomize-guids $(disk_ssd)
- sudo $$(which sgdisk) --backup=$(hostName)_ssd.sgdisk $(disk_ssd)
+ #printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_ssd1) bs=1 seek=462
+ ssh $(TARGET) sh -xec '" \
+ sgdisk -n0::+256M -t0:EF00 -c0:"$(hostName)_ssd1_boot" $(disk_ssd1); \
+ sgdisk -n0:0:+4G -t0:8200 -c0:"$(hostName)_ssd1_swap" $(disk_ssd1); \
+ sgdisk -n0:0:0 -t0:BF01 -c0:"$(hostName)_ssd1_zpool" $(disk_ssd1); \
+ sgdisk --randomize-guids $(disk_ssd1); \
+ sgdisk --backup=$(hostName)_ssd1.sgdisk $(disk_ssd1); \
+ partprobe || true; \
+ udevadm settle; \
+ mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_ssd1_boot; \
+ zpool create -o ashift=12 \
+ -O utf8only=on \
+ -R /mnt/$(hostName) $(zpool) /dev/disk/by-partlabel/$(hostName)_ssd1_zpool; \
+ zpool set autotrim=$(autotrim) $(zpool); \
+ zfs set \
+ acltype=off \
+ atime=off \
+ canmount=off \
+ compression=$(compression) \
+ dnodesize=auto \
+ relatime=on \
+ xattr=off \
+ mountpoint=none \
+ $(zpool); \
+ zfs create -o canmount=off -o mountpoint=none $(zpool)/reserved; \
+ zfs set refreservation=$(reservation) $(zpool)/reserved; \
+ zfs create -o canmount=on -o mountpoint=/ \
+ $(if $(cipher),-o encryption=$(cipher) \
+ -o keyformat=passphrase \
+ -o keylocation=prompt) \
+ $(zpool)/root; \
+ for p in nix home var; do \
+ zfs create $(zpool)/root/\$$p; \
+ done; \
+ zfs set acltype=posixacl xattr=sa $(zpool)/root/var; \
+ "'
+ #https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported
-format: umount format-efi format-boot format-zpool
-format-efi:
- sudo blkid /dev/disk/by-partlabel/$(hostName)_ssd_efi -t TYPE=vfat || \
- sudo mkfs.vfat -F 16 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_ssd_efi
-format-boot:
- sudo mkdir -p /mnt/$(hostName)
- sudo blkid -t TYPE=ext2 /dev/disk/by-partlabel/$(hostName)_ssd_boot; test $$? != 2 || \
- sudo mkfs.ext2 /dev/disk/by-partlabel/$(hostName)_ssd_boot
-format-zpool:
- sudo zpool list $(zpool) 2>/dev/null || \
- sudo zpool create -o ashift=12 \
- -O utf8only=yes \
- $(if $(cipher),-O encryption=$(cipher) \
- -O keyformat=passphrase \
- -O keylocation=prompt) \
- -R /mnt/$(hostName) $(zpool) /dev/disk/by-partlabel/$(hostName)_ssd_zpool
- sudo zpool set \
- autotrim=$(autotrim) \
- $(zpool)
- sudo zfs set \
- acltype=off \
- atime=off \
- canmount=off \
- compression=$(compression) \
- dnodesize=auto \
- relatime=on \
- xattr=off \
- mountpoint=/ \
- $(zpool)
- # https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
- sudo zfs list $(zpool)/reserved 2>/dev/null || \
- sudo zfs create -o canmount=off -o mountpoint=none $(zpool)/reserved
- sudo zfs set refreservation=$(reservation) $(zpool)/reserved
- # /
- # mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
- sudo zfs list $(zpool)/root 2>/dev/null || \
- sudo zfs create \
- -o canmount=on \
- -o mountpoint=legacy \
- $(zpool)/root
- # /*
- for p in \
- nix \
- var \
- ; do \
- sudo zfs list $(zpool)/"$$p" 2>/dev/null || \
- sudo zfs create \
- -o canmount=on \
- -o mountpoint=legacy \
- $(zpool)/"$$p" ; \
- done
- #sudo zfs set sync=disabled $(zpool)/var/tmp
- #sudo zfs set copies=2 $(zpool)/home/files
+ #sudo zfs set sync=disabled $(zpool)/root/var/tmp
+ #sudo zfs set copies=2 $(zpool)/root/home/files
-mount: mount-zpool mount-boot mount-efi
-mount-zpool:
- # scan needed zpools
- sudo zpool list $(zpool) || \
- sudo zpool import -f $(zpool)
- # load encryption key
- sudo zfs get -H encryption $(zpool) | \
- grep -q '^$(zpool)\s*encryption\s*off' || \
- sudo zfs get -H keystatus $(zpool) | \
- grep -q '^$(zpool)\s*keystatus\s*available' || \
- sudo zfs load-key $(zpool)
- # /
- sudo mkdir -p /mnt/$(hostName)
- sudo mountpoint /mnt/$(hostName) || \
- sudo mount -v -t zfs $(zpool)/root /mnt/$(hostName)
- # /*
- for p in \
- nix \
- var \
- ; do \
- sudo mkdir -p /mnt/$(hostName)/"$$p"; \
- sudo mountpoint /mnt/$(hostName)/"$$p" || \
- sudo mount -v -t zfs $(zpool)/"$$p" /mnt/$(hostName)/"$$p" ; \
- done
- #sudo chmod 1777 /mnt/$(hostName)/var/tmp
-mount-boot:
- sudo mkdir -p /mnt/$(hostName)/boot
- sudo mountpoint /mnt/$(hostName)/boot || \
- sudo mount -v /dev/disk/by-partlabel/$(hostName)_ssd_boot /mnt/$(hostName)/boot
- #sudo mount -v -t zfs bpool/boot /mnt/$(hostName)/boot
-mount-efi: | mount-boot
- sudo mkdir -p /mnt/$(hostName)/boot/efi
- sudo mountpoint /mnt/$(hostName)/boot/efi || \
- sudo mount -v /dev/disk/by-partlabel/$(hostName)_ssd_efi /mnt/$(hostName)/boot/efi
+copy-ssh:
+ host=$(TARGET); host=$${host#*@}; ssh-keygen -R $$host
+ ssh-copy-id $(TARGET)
+ #ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1
-bootstrap: mount
- # Workaround https://dev.gnupg.org/T3908
- chmod o+rw $$GPG_TTY $$XAUTHORITY
-
- sudo --preserve-env \
- $$(which nixos-install) \
- --root /mnt/$(hostName) \
- --flake '.#$(hostName)' \
- --no-root-passwd \
- --no-channel-copy \
- --option allow-import-from-derivation true \
- --show-trace
-
- # End workaround https://dev.gnupg.org/T3908
- chmod o-rw $$GPG_TTY $$XAUTHORITY
-
-umount:
- for p in \
- boot/efi \
- boot \
- nix \
- var \
- "" \
- ; do \
- ! sudo mountpoint /mnt/$(hostName)/"$$p" || \
- sudo umount -v /mnt/$(hostName)/"$$p" ; \
- done
- ! sudo zpool list $(zpool) 2>/dev/null || \
- zfs get -H encryption $(zpool) | \
- grep -q '^$(zpool)\s*encryption\s*off' || \
- zfs get -H keystatus $(zpool) | \
- grep -q '^$(zpool)\s*keystatus\s*unavailable' || \
- sudo zfs unload-key $(zpool)
- #! sudo zpool list bpool 2>/dev/null || \
- #sudo zpool export bpool
- ! sudo zpool list $(zpool) 2>/dev/null || \
- sudo zpool export $(zpool)
-
-unlock:
- pass hostNames/$(hostName)/zfs/zpool | \
- NIXOPS_DEPLOYMENT="$${NIXOPS_DEPLOYMENT:-$(LOSURDO_DEPLOYMENT)}" \
- nixops ssh $(hostName) -p 2222 'zfs load-key $(zpool) && pkill zfs'
+install: NIX_STORE_DIR=/nix/store
+install: targetRoot=/mnt/$(hostName)
+install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR)
+install:
+ nix -L build --out-link ../$(hostName).root \
+ "../..#nixosConfigurations.$(hostName).config.system.build.toplevel"
+ ssh $(TARGET) sh -xec '" \
+ zpool list $(zpool) || zpool import $(zpool); \
+ test \$$(zfs get -H encryption -o value $(zpool)/root) = off || \
+ test \$$(zfs get -H keystatus -o value $(zpool)/root) = available || \
+ zfs load-key $(zpool)/root; \
+ mountpoint $(targetRoot) || \
+ mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root $(targetRoot); \
+ mountpoint $(targetRoot)/boot1 || \
+ mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_ssd1_boot $(targetRoot)/boot1; \
+ mountpoint $(targetRoot)/nix || \
+ mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/nix $(targetRoot)/nix; \
+ mountpoint $(targetRoot)/var || \
+ mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/var $(targetRoot)/var; \
+ findmnt \
+ "'
+ nix copy --to "ssh://$(TARGET)?$(targetStore)" ../courge.root
+ gpg -d credential.secret.gpg | \
+ ssh $(TARGET) sh -xec '" \
+ nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \
+ --set '$$(readlink -f ../$(hostName).root)'; \
+ mkdir -m 0755 -p $(targetRoot)/etc; \
+ touch $(targetRoot)/etc/NIXOS; \
+ install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \
+ "'
+ ssh $(TARGET) nixos-enter --root $(targetRoot) -c '" \
+ set -eux; \
+ mount --rbind --mkdir / $(targetRoot); \
+ mount --make-rslave $(targetRoot); \
+ NIXOS_INSTALL_BOOTLOADER=1 $(shell realpath -e ../courge.root)/bin/switch-to-configuration boot; \
+ umount -R $(targetRoot) && rmdir $(targetRoot) \
+ "'
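Review bot: The `copy-ssh` recipe drops the target's pinned host key with `ssh-keygen -R $$host` on every run and then runs `ssh-copy-id $(TARGET)`, so whatever host answers at `$(TARGET)` is re-trusted silently, and the later `install` recipe, which pipes the output of `gpg -d credential.secret.gpg` over `ssh $(TARGET)` and installs it as `credential.secret`, has no host-key pinning behind it. I would remove the `ssh-keygen -R` line, or replace it with a known_hosts entry for the installer that is checked out of band, so a changed key fails loudly rather than being accepted. Separately, the `zpool list $(zpool) || zpool import $(zpool)` line in `install` imports without `-N`: the datasets were created with `canmount=on` and `mountpoint=/` (children inheriting `/nix`, `/home`, `/var`), and without the `-R /mnt/$(hostName)` altroot used at `zpool create` time the import may try to mount them onto the live installer; `zpool import -N $(zpool)` leaves mounting to the explicit `mount -o zfsutil` lines that follow. The `nix copy` and `switch-to-configuration` lines also hard-code `../courge.root` where the `nix build` line already uses `../$(hostName).root`.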