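# Provisioning recipes for the "mermet" host: partition, format, mount,
# bootstrap (nixos-install) and unmount its disk.  Every target below runs
# privileged, destructive commands through sudo; read a recipe before
# invoking it.
#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))

# Machine profile under machine/<name>/ (must provide sfdisk.txt).
MERMET_MACHINE ?= apu2e4
# Hosting environment, forwarded to nixos-install through its environment.
MERMET_HOSTING ?= lab

# Target block device, read once (":=") from the "device:" line of the
# machine's sfdisk.txt.  $(strip) drops stray whitespace so that
# "$(mermet_disk)-partN" stays a single word.  Left empty when the file or
# the line is missing; the targets that use it check for that before
# touching anything.
mermet_disk := $(strip $(shell sed -ne 's/^device: \(.*\)/\1/p' machine/$(MERMET_MACHINE)/sfdisk.txt))

# ZFS native encryption cipher for rpool; empty means an unencrypted pool.
mermet_cipher :=
#mermet_cipher := aes-128-gcm
# Non-empty enables autotrim on rpool.
mermet_autotrim :=
# Space kept back on rpool (reservation=); empty disables the reservation.
mermet_reservation := 40G
# Optional channel passed to nixos-install --channel; empty lets
# nixos-install use its default.  "?=" keeps an environment override
# working and makes the variable defined for --warn-undefined-variables.
mermet_channel ?=
#mermet_channel := $$(nix-env -p /nix/var/nix/profiles/per-user/$$USER/channels -q nixpkgs --no-name --out-path)
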
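# Debugging aid: prints the value of MAKEFILES (extra makefiles read from
# the MAKEFILES environment variable, normally empty).
# NOTE(review): if the intent is to show the makefiles actually parsed,
# $(MAKEFILE_LIST) is the variable holding them — confirm before changing.
.PHONY: echo
echo:
	echo $(MAKEFILES)
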
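# Destroy everything on $(mermet_disk): the ZFS labels of the pool
# partitions, then the whole partition table.  Unmounts and exports first.
.PHONY: mermet-wipeout
mermet-wipeout: mermet-umount
# Refuse to run with an empty device path (no "device:" line in
# machine/$(MERMET_MACHINE)/sfdisk.txt): the commands below are unrecoverable
# and "-part3" on its own is not the device the author meant.
	@test -n "$(mermet_disk)" || { echo 'mermet_disk is empty: check machine/$(MERMET_MACHINE)/sfdisk.txt' >&2; exit 1; }
# labelclear fails when there is no label to clear; that is expected here,
# hence the "|| true".
	sudo zpool labelclear -f $(mermet_disk)-part3 || true
	sudo zpool labelclear -f $(mermet_disk)-part5 || true
# $$(which …) resolves the binary in the caller's PATH (e.g. a nix profile)
# before sudo replaces PATH with its own default.
	sudo $$(which sgdisk) --zap-all $(mermet_disk)
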
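# Write the partition table described by machine/$(MERMET_MACHINE)/sfdisk.txt
# onto $(mermet_disk) and make the kernel re-read it.
.PHONY: mermet-partition
mermet-partition:
# Refuse to run with an empty device path (no "device:" line in sfdisk.txt):
# sfdisk/sgdisk would otherwise be pointed at an empty argument.
	@test -n "$(mermet_disk)" || { echo 'mermet_disk is empty: check machine/$(MERMET_MACHINE)/sfdisk.txt' >&2; exit 1; }
	sudo modprobe zfs
# $$(which …) resolves the binary in the caller's PATH before sudo replaces
# PATH with its own default.
	sudo $$(which sfdisk) $(mermet_disk) <machine/$(MERMET_MACHINE)/sfdisk.txt
# Fresh disk and partition GUIDs, so hosts provisioned from the same
# sfdisk.txt do not share identifiers.
	sudo $$(which sgdisk) --randomize-guids $(mermet_disk)
	sudo partprobe
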
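# Create the filesystems on the partitions laid out by mermet-partition:
# ext2 on part3 (/boot), the rpool ZFS pool on part5 with its datasets,
# and a FAT32 EFI system partition on part2.  Each step is skipped when
# its filesystem / pool / dataset already exists, so the target can be re-run.
# DOC: https://github.com/zfsonlinux/zfs/wiki/Debian-Buster-Root-on-ZFS
.PHONY: mermet-format
mermet-format:
# Refuse to run with an empty device path (no "device:" line in
# machine/$(MERMET_MACHINE)/sfdisk.txt): mkfs/zpool create are destructive.
	@test -n "$(mermet_disk)" || { echo 'mermet_disk is empty: check machine/$(MERMET_MACHINE)/sfdisk.txt' >&2; exit 1; }
	sudo mkdir -p /mnt/mermet
# /boot: blkid exits 2 when no device matches the filter, and only then is
# the partition formatted.  Both commands go through sudo, like the EFI
# step below: reading and writing the block device needs root, and an
# unprivileged mkfs.ext2 would fail on a fresh disk.
	sudo blkid -t TYPE=ext2 $(mermet_disk)-part3; test $$? != 2 || \
	sudo mkfs.ext2 $(mermet_disk)-part3
# bpool
## NOTE: enable only ZFS features supported by GRUB
#sudo zpool list bpool 2>/dev/null || \
#sudo zpool create -o ashift=12 -d \
# -o feature@allocation_classes=enabled \
# -o feature@async_destroy=enabled \
# -o feature@bookmarks=enabled \
# -o feature@embedded_data=enabled \
# -o feature@empty_bpobj=enabled \
# -o feature@enabled_txg=enabled \
# -o feature@extensible_dataset=enabled \
# -o feature@filesystem_limits=enabled \
# -o feature@hole_birth=enabled \
# -o feature@large_blocks=enabled \
# -o feature@lz4_compress=enabled \
# -o feature@project_quota=enabled \
# -o feature@resilver_defer=enabled \
# -o feature@spacemap_histogram=enabled \
# -o feature@spacemap_v2=enabled \
# -o feature@userobj_accounting=enabled \
# -o feature@zpool_checkpoint=enabled \
# -o feature@multi_vdev_crash_dump=disabled \
# -o feature@large_dnode=disabled \
# -o feature@sha512=disabled \
# -o feature@skein=disabled \
# -o feature@edonr=disabled \
# -O normalization=formD \
# -R /mnt/mermet bpool $(mermet_disk)-part3
#sudo zfs set \
# acltype=posixacl \
# canmount=off \
# compression=lz4 \
# devices=off \
# relatime=on \
# xattr=sa \
# mountpoint=/ \
# bpool

# swap
# FIXME: configure with a volatile key in configuration.nix
#blkid -t TYPE=crypto_LUKS $(mermet_disk)-part4; test $$? != 2 || \
#sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 $(mermet_disk)-part4
#sudo cryptsetup luksOpen $(mermet_disk)-part4 mermet-swap
#blkid -t TYPE=swap /dev/mapper/mermet--swap; test $$? != 2 || \
#sudo mkswap --check --label swap
#sudo cryptsetup luksClose $(mermet_disk)-part4 mermet-swap
# rpool
# Native encryption is only enabled when mermet_cipher is set; the key is
# then a passphrase asked for interactively (keylocation=prompt).
	sudo zpool list rpool 2>/dev/null || \
	sudo zpool create -o ashift=12 \
	  $(if $(mermet_cipher),-O encryption=$(mermet_cipher) \
	  -O keyformat=passphrase \
	  -O keylocation=prompt) \
	  -O normalization=formD \
	  -R /mnt/mermet rpool $(mermet_disk)-part5
# autotrim is a pool property, so it is set with "zpool set" rather than
# inside the "zfs set" dataset properties below.
	test -z "$(mermet_autotrim)" || sudo zpool set autotrim=on rpool
	sudo zfs set \
	  acltype=posixacl \
	  atime=off \
	  canmount=off \
	  compression=lz4 \
	  dnodesize=auto \
	  relatime=on \
	  $(if $(mermet_reservation),reservation=$(mermet_reservation)) \
	  xattr=sa \
	  mountpoint=/ \
	  rpool
# /
# NOTE: mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
	sudo zfs list rpool/root 2>/dev/null || \
	sudo zfs create \
	  -o canmount=on \
	  -o mountpoint=legacy \
	  rpool/root
# /boot
#sudo zfs list bpool/boot 2>/dev/null || \
#sudo zfs create \
# -o canmount=on \
# -o mountpoint=legacy \
# bpool/boot
# /boot/efi
	sudo blkid $(mermet_disk)-part2 -t TYPE=vfat || \
	sudo mkfs.vfat -F 32 -s 1 -n EFI $(mermet_disk)-part2
# /*: one dataset per directory, created only when missing.
	for p in \
	  home \
	  nix \
	  nix/var \
	  var \
	  var/cache \
	  var/log \
	  var/mail \
	  var/tmp \
	  var/www \
	; do \
	  sudo zfs list rpool/"$$p" 2>/dev/null || \
	  sudo zfs create \
	    -o canmount=on \
	    -o mountpoint=legacy \
	    rpool/"$$p" ; \
	done
# Per-dataset tuning: no snapshots of the reproducible nix store and of
# caches, synchronous writes for the nix database, none for /var/tmp.
	sudo zfs set \
	  com.sun:auto-snapshot=false \
	  rpool/nix
	sudo zfs set \
	  sync=always \
	  rpool/nix/var
	sudo zfs set \
	  com.sun:auto-snapshot=false \
	  rpool/var/cache
	sudo zfs set \
	  com.sun:auto-snapshot=false \
	  sync=disabled \
	  rpool/var/tmp
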
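# Import rpool, load its key when encrypted, and mount the whole tree
# under /mnt/mermet (root, /boot, /boot/efi, then the rpool/* datasets).
# Every mount is guarded by mountpoint(1), so the target is idempotent.
.PHONY: mermet-mount
mermet-mount:
# /boot and /boot/efi are mounted from $(mermet_disk) partitions; fail
# early with a clear message instead of a mount error on "-part3".
	@test -n "$(mermet_disk)" || { echo 'mermet_disk is empty: check machine/$(MERMET_MACHINE)/sfdisk.txt' >&2; exit 1; }
# scan needed zpools
#sudo zpool list bpool || \
#sudo zpool import -f bpool
# -f forces the import even if the pool was last imported by another
# system (the installer environment, typically).
	sudo zpool list rpool || \
	sudo zpool import -f rpool
# load encryption key: nothing to do when the pool is unencrypted or the
# key is already loaded; otherwise zfs prompts for the passphrase.
	zfs get -H encryption rpool | \
	grep -q '^rpool\s*encryption\s*off' || \
	zfs get -H keystatus rpool | \
	grep -q '^rpool\s*keystatus\s*available' || \
	sudo zfs load-key rpool
# /
	sudo mkdir -p /mnt/mermet
	sudo mountpoint /mnt/mermet || \
	sudo mount -v -t zfs rpool/root /mnt/mermet
# /boot
	sudo mkdir -p /mnt/mermet/boot
	sudo mountpoint /mnt/mermet/boot || \
	sudo mount -v $(mermet_disk)-part3 /mnt/mermet/boot
#sudo mount -v -t zfs bpool/boot /mnt/mermet/boot
# /boot/efi
	sudo mkdir -p /mnt/mermet/boot/efi
	sudo mountpoint /mnt/mermet/boot/efi || \
	sudo mount -v $(mermet_disk)-part2 /mnt/mermet/boot/efi
# /*: parents are listed before children (nix before nix/var, var before
# var/*) so each mount point exists and is visible before its children.
	for p in \
	  home \
	  nix \
	  nix/var \
	  var \
	  var/cache \
	  var/log \
	  var/mail \
	  var/tmp \
	  var/www \
	; do \
	  sudo mkdir -p /mnt/mermet/"$$p"; \
	  sudo mountpoint /mnt/mermet/"$$p" || \
	  sudo mount -v -t zfs rpool/"$$p" /mnt/mermet/"$$p" ; \
	done
# /var/tmp must be world-writable with the sticky bit, like /tmp.
	sudo chmod 1777 /mnt/mermet/var/tmp
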
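# Install NixOS into the tree mounted by mermet-mount, after seeding the
# Dropbear host key from the password store.
.PHONY: mermet-bootstrap
mermet-bootstrap: mermet-mount
# NIXOS_CONFIG below is built from the resolved path of ./configuration.nix;
# fail here with a clear message rather than handing nixos-install an
# empty value.
	@test -r ./configuration.nix || { echo 'configuration.nix not readable in $(CURDIR)' >&2; exit 1; }
	sudo rm -rf /mnt/mermet/etc/nixos
#test "$$(sudo grub-probe /mnt/mermet/boot)" = zfs
# NOTE: nixos-install will install GRUB following configuration.nix
# BIOS
#sudo grub-install $(mermet_disk)
# UEFI
#sudo grub-install \
# --target=x86_64-efi \
# --efi-directory=/mnt/mermet/boot/efi \
# --bootloader-id=nixos \
# --recheck \
# --no-floppy

# Dropbear host key: streamed from pass straight into the target file as
# root, mode 0400, with no intermediate copy on disk.  The trailing
# "test -s" aborts the target if pass produced nothing (a failed
# decryption would otherwise leave an empty key file in place).
	pass sourcephile/mermet/dropbear/host-ecdsa.key | \
	sudo install -D -o root -g root -m 400 /dev/stdin \
	  /mnt/mermet/etc/dropbear/host-ecdsa.key && \
	test -s /mnt/mermet/etc/dropbear/host-ecdsa.key

#trap "test ! -e SHRED-ME || sudo find SHRED-ME -type f -exec shred -u {} + && sudo rm -rf SHRED-ME" EXIT ;
# nixos-install runs as root, but sudo resets the environment, so the
# pieces it needs are forwarded explicitly: gpg/pass settings (secrets),
# nix settings and PATH (tools from the caller's nix profile, which is
# also why the binary is resolved with $$(which …) beforehand), and the
# MERMET_* knobs — presumably consumed by configuration.nix; verify there.
	sudo \
	  GNUPGHOME="$$GNUPGHOME" \
	  GPG_TTY="$$GPG_TTY" \
	  LANG="$$LANG" \
	  LC_CTYPE="$$LC_CTYPE" \
	  MERMET_HOSTING="$(MERMET_HOSTING)" \
	  MERMET_MACHINE="$(MERMET_MACHINE)" \
	  NIXOS_CONFIG="$$(readlink -e ./configuration.nix)" \
	  NIX_CONF_DIR="$$NIX_CONF_DIR" \
	  NIX_PATH="$$NIX_PATH" \
	  PASSWORD_STORE_DIR="$$PASSWORD_STORE_DIR" \
	  PATH="$$PATH" \
	  SSL_CERT_FILE="$$SSL_CERT_FILE" \
	  $$(which nixos-install) \
	  --root /mnt/mermet \
	  $(if $(mermet_channel),--channel "$(mermet_channel)") \
	  --no-root-passwd \
	  --show-trace
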
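# Undo mermet-mount: unmount everything under /mnt/mermet (children before
# parents, root last), unload the encryption key when one is loaded, and
# export rpool.  Each step is skipped when already done, so it can be re-run.
.PHONY: mermet-umount
mermet-umount:
# "" at the end of the list stands for /mnt/mermet itself.
	for p in \
	  boot/efi \
	  boot \
	  home \
	  nix/var \
	  nix \
	  var/cache \
	  var/log \
	  var/mail \
	  var/tmp \
	  var/www \
	  var \
	  "" \
	; do \
	  ! sudo mountpoint /mnt/mermet/"$$p" || \
	  sudo umount -v /mnt/mermet/"$$p" ; \
	done
# Unload the key only when the pool is imported, encrypted, and the key is
# not already unavailable.
	! sudo zpool list rpool 2>/dev/null || \
	zfs get -H encryption rpool | \
	grep -q '^rpool\s*encryption\s*off' || \
	zfs get -H keystatus rpool | \
	grep -q '^rpool\s*keystatus\s*unavailable' || \
	sudo zfs unload-key rpool
#! sudo zpool list bpool 2>/dev/null || \
#sudo zpool export bpool
	! sudo zpool list rpool 2>/dev/null || \
	sudo zpool export rpool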