]> Git — Sourcephile - sourcephile-nix.git/blob - install/mermet/Makefile
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nixops: add mermet
[sourcephile-nix.git] / install / mermet / Makefile
1 mermet_disk := $(shell sed -ne 's/^device: \(.*\)/\1/p' physical/sfdisk.txt)
2 mermet_cipher :=
3 #mermet_cipher := aes-128-gcm
4 mermet_autotrim :=
5 mermet_reservation := 40G
6 #mermet_channel := $$(nix-env -p /nix/var/nix/profiles/per-user/$$USER/channels -q nixpkgs --no-name --out-path)
7 MERMET_PHYSICAL ?= apu2e4
8 MERMET_HOSTING ?= lab
9
10 mermet-wipeout: mermet-umount
11 sudo zpool labelclear -f $(mermet_disk)-part3 || true
12 sudo zpool labelclear -f $(mermet_disk)-part5 || true
13 sudo $$(which sgdisk) --zap-all $(mermet_disk)
14
15 mermet-partition:
16 sudo modprobe zfs
17 sudo $$(which sfdisk) $(mermet_disk) <physical/sfdisk.txt
18 sudo $$(which sgdisk) --randomize-guids $(mermet_disk)
19 sudo partprobe
20
21 mermet-format:
22 # DOC: https://github.com/zfsonlinux/zfs/wiki/Debian-Buster-Root-on-ZFS
23 sudo mkdir -p /mnt/mermet
24 blkid -t TYPE=ext2 $(mermet_disk)-part3; test $$? != 2 || \
25 mkfs.ext2 $(mermet_disk)-part3
26 # bpool
27 ## NOTE: enable only ZFS features supported by GRUB
28 #sudo zpool list bpool 2>/dev/null || \
29 #sudo zpool create -o ashift=12 -d \
30 # -o feature@allocation_classes=enabled \
31 # -o feature@async_destroy=enabled \
32 # -o feature@bookmarks=enabled \
33 # -o feature@embedded_data=enabled \
34 # -o feature@empty_bpobj=enabled \
35 # -o feature@enabled_txg=enabled \
36 # -o feature@extensible_dataset=enabled \
37 # -o feature@filesystem_limits=enabled \
38 # -o feature@hole_birth=enabled \
39 # -o feature@large_blocks=enabled \
40 # -o feature@lz4_compress=enabled \
41 # -o feature@project_quota=enabled \
42 # -o feature@resilver_defer=enabled \
43 # -o feature@spacemap_histogram=enabled \
44 # -o feature@spacemap_v2=enabled \
45 # -o feature@userobj_accounting=enabled \
46 # -o feature@zpool_checkpoint=enabled \
47 # -o feature@multi_vdev_crash_dump=disabled \
48 # -o feature@large_dnode=disabled \
49 # -o feature@sha512=disabled \
50 # -o feature@skein=disabled \
51 # -o feature@edonr=disabled \
52 # -O normalization=formD \
53 # -R /mnt/mermet bpool $(mermet_disk)-part3
54 #sudo zfs set \
55 # acltype=posixacl \
56 # canmount=off \
57 # compression=lz4 \
58 # devices=off \
59 # relatime=on \
60 # xattr=sa \
61 # mountpoint=/ \
62 # bpool
63
64 # swap
65 # FIXME: configure with a volatile key in configuration.nix
66 #blkid -t TYPE=crypto_LUKS $(mermet_disk)-part4; test $$? != 2 || \
67 #sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 $(mermet_disk)-part4
68 #sudo cryptsetup luksOpen $(mermet_disk)-part4 mermet-swap
69 #blkid -t TYPE=swap /dev/mapper/mermet--swap; test $$? != 2 || \
70 #sudo mkswap --check --label swap
71 #sudo cryptsetup luksClose $(mermet_disk)-part4 mermet-swap
72 # rpool
73 sudo zpool list rpool 2>/dev/null || \
74 sudo zpool create -o ashift=12 \
75 $(if $(mermet_cipher),-O encryption=$(mermet_cipher) \
76 -O keyformat=passphrase \
77 -O keylocation=prompt) \
78 -O normalization=formD \
79 -R /mnt/mermet rpool $(mermet_disk)-part5
80 sudo zfs set \
81 acltype=posixacl \
82 atime=off \
83 $(if $(mermet_autotrim),autotrim=on) \
84 canmount=off \
85 compression=lz4 \
86 dnodesize=auto \
87 relatime=on \
88 $(if $(mermet_reservation),reservation=$(mermet_reservation)) \
89 xattr=sa \
90 mountpoint=/ \
91 rpool
92 # /
93 # NOTE: mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
94 sudo zfs list rpool/root 2>/dev/null || \
95 sudo zfs create \
96 -o canmount=on \
97 -o mountpoint=legacy \
98 rpool/root
99 # /boot
100 #sudo zfs list bpool/boot 2>/dev/null || \
101 #sudo zfs create \
102 # -o canmount=on \
103 # -o mountpoint=legacy \
104 # bpool/boot
105 # /boot/efi
106 sudo blkid $(mermet_disk)-part2 -t TYPE=vfat || \
107 sudo mkfs.vfat -F 32 -s 1 -n EFI $(mermet_disk)-part2
108 # /*
109 for p in \
110 home \
111 nix \
112 nix/var \
113 var \
114 var/cache \
115 var/log \
116 var/mail \
117 var/tmp \
118 var/www \
119 ; do \
120 sudo zfs list rpool/"$$p" 2>/dev/null || \
121 sudo zfs create \
122 -o canmount=on \
123 -o mountpoint=legacy \
124 rpool/"$$p" ; \
125 done
126 sudo zfs set \
127 com.sun:auto-snapshot=false \
128 rpool/nix
129 sudo zfs set \
130 sync=always \
131 rpool/nix/var
132 sudo zfs set \
133 com.sun:auto-snapshot=false \
134 rpool/var/cache
135 sudo zfs set \
136 com.sun:auto-snapshot=false \
137 sync=disabled \
138 rpool/var/tmp
139
140 mermet-mount:
141 # scan needed zpools
142 #sudo zpool list bpool || \
143 #sudo zpool import -f bpool
144 sudo zpool list rpool || \
145 sudo zpool import -f rpool
146 # load encryption key
147 zfs get -H encryption rpool | \
148 grep -q '^rpool\s*encryption\s*off' || \
149 zfs get -H keystatus rpool | \
150 grep -q '^rpool\s*keystatus\s*available' || \
151 sudo zfs load-key rpool
152 # /
153 sudo mkdir -p /mnt/mermet
154 sudo mountpoint /mnt/mermet || \
155 sudo mount -v -t zfs rpool/root /mnt/mermet
156 # /boot
157 sudo mkdir -p /mnt/mermet/boot
158 sudo mountpoint /mnt/mermet/boot || \
159 sudo mount -v $(mermet_disk)-part3 /mnt/mermet/boot
160 #sudo mount -v -t zfs bpool/boot /mnt/mermet/boot
161 # /boot/efi
162 sudo mkdir -p /mnt/mermet/boot/efi
163 sudo mountpoint /mnt/mermet/boot/efi || \
164 sudo mount -v $(mermet_disk)-part2 /mnt/mermet/boot/efi
165 # /*
166 for p in \
167 home \
168 nix \
169 nix/var \
170 var \
171 var/cache \
172 var/log \
173 var/mail \
174 var/tmp \
175 var/www \
176 ; do \
177 sudo mkdir -p /mnt/mermet/"$$p"; \
178 sudo mountpoint /mnt/mermet/"$$p" || \
179 sudo mount -v -t zfs rpool/"$$p" /mnt/mermet/"$$p" ; \
180 done
181 sudo chmod 1777 /mnt/mermet/var/tmp
182
183 mermet-bootstrap: mermet-mount
184 sudo rm -rf /mnt/mermet/etc/nixos
185 #test "$$(sudo grub-probe /mnt/mermet/boot)" = zfs
186 # NOTE: nixos-install will install GRUB following configuration.nix
187 # BIOS
188 #sudo grub-install $(mermet_disk)
189 # UEFI
190 #sudo grub-install \
191 # --target=x86_64-efi \
192 # --efi-directory=/mnt/mermet/boot/efi \
193 # --bootloader-id=nixos \
194 # --recheck \
195 # --no-floppy
196
197 pass sourcephile/mermet/dropbear/host-ecdsa.key | \
198 sudo install -D -o root -g root -m 400 /dev/stdin \
199 /mnt/mermet/etc/dropbear/host-ecdsa.key && \
200 test -s /mnt/mermet/etc/dropbear/host-ecdsa.key
201
202 #trap "test ! -e SHRED-ME || sudo find SHRED-ME -type f -exec shred -u {} + && sudo rm -rf SHRED-ME" EXIT ;
203 sudo \
204 GNUPGHOME="$$GNUPGHOME" \
205 GPG_TTY="$$GPG_TTY" \
206 LANG="$$LANG" \
207 LC_CTYPE="$$LC_CTYPE" \
208 MERMET_HOSTING="$(MERMET_HOSTING)" \
209 MERMET_PHYSICAL="$(MERMET_PHYSICAL)" \
210 NIXOS_CONFIG="$$(readlink -e ./configuration.nix)" \
211 NIX_CONF_DIR="$$NIX_CONF_DIR" \
212 NIX_PATH="$$NIX_PATH" \
213 PASSWORD_STORE_DIR="$$PASSWORD_STORE_DIR" \
214 PATH="$$PATH" \
215 SSL_CERT_FILE="$$SSL_CERT_FILE" \
216 $$(which nixos-install) \
217 --root /mnt/mermet \
218 $(if $(mermet_channel),--channel "$(mermet_channel)") \
219 --no-root-passwd
220
221 mermet-umount:
222 for p in \
223 boot/efi \
224 boot \
225 home \
226 nix/var \
227 nix \
228 var/cache \
229 var/log \
230 var/mail \
231 var/tmp \
232 var/www \
233 var \
234 "" \
235 ; do \
236 ! sudo mountpoint /mnt/mermet/"$$p" || \
237 sudo umount -v /mnt/mermet/"$$p" ; \
238 done
239 ! sudo zpool list rpool 2>/dev/null || \
240 zfs get -H encryption rpool | \
241 grep -q '^rpool\s*encryption\s*off' || \
242 zfs get -H keystatus rpool | \
243 grep -q '^rpool\s*keystatus\s*unavailable' || \
244 sudo zfs unload-key rpool
245 #! sudo zpool list bpool 2>/dev/null || \
246 #sudo zpool export bpool
247 ! sudo zpool list rpool 2>/dev/null || \
248 sudo zpool export rpool
NixOS configurations for Sourcephile's infrastructure