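# Provisioning of the "losurdo" server from a live system: a removable SD
# card carries the BIOS/EFI/boot partitions, an NVMe disk carries the ZFS
# root pool. Nearly every recipe runs under sudo, and the wipe/part/format
# targets are destructive: read a target before running it.
server := losurdo
# SD card device, resolved from the GRUB device of the NixOS configuration so
# that this file and the configuration cannot disagree. Empty when
# sourcephile-nix-get fails, so recipes that write to it must check for that.
disk_sd := $(shell sourcephile-nix-get nodes.$(server).config.boot.loader.grub.devices.0)
# NVMe disk, pinned by its stable /dev/disk/by-id name rather than /dev/nvmeXnY.
disk_nvme := /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_250GB_S4EUNJ0N211426T
# Name of the ZFS root pool created on the NVMe disk.
rpool := $(server)_nvme
# Cipher for ZFS native encryption of the root pool (format-rpool adds
# keyformat=passphrase and keylocation=prompt); leave empty to create an
# unencrypted pool. aes-128-gcm is an explicit choice: per zfsprops(8)
# `encryption=on` would pick aes-256-gcm. NOTE(review): native encryption
# protects dataset contents, not dataset names or properties.
cipher := aes-128-gcm
# zpool autotrim property for the SSD.
autotrim := on
# refreservation of $(rpool)/reserved: space kept free so that a full pool
# can still be administered (see the wiki link in format-rpool).
reservation := 1G

# None of the targets below is a file; declare them phony so a stray file
# named e.g. `mount` or `umount` can never turn a target into a no-op.
.PHONY: wipe-sd part part-sd part-nvme \
        format format-efi format-boot format-rpool \
        mount mount-rpool mount-boot mount-efi \
        bootstrap umount unlock
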
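wipe-sd:
	# Refuse to run with an empty device. $(error) in a recipe only fires when
	# this target runs, so unrelated targets (e.g. unlock) are not affected.
	@$(if $(strip $(disk_sd)),,$(error disk_sd is empty: sourcephile-nix-get returned no GRUB device))
	sudo modprobe zfs
	# NOTE(review): this clears the ZFS label of the *NVMe* rpool partition while
	# wiping the SD card, presumably a leftover of a single-disk layout; confirm
	# it is intended. Per zpool-labelclear(8) it refuses a device of an imported
	# pool even with -f, which is why its failure is ignored here.
	sudo zpool labelclear -f /dev/disk/by-partlabel/$(server)_nvme_rpool || true
	sudo $$(which sgdisk) --zap-all "$(disk_sd)"

# NOTE(review): no wipe-nvme rule exists in this file, so `make part` fails
# unless one is provided elsewhere; it also only wipes, it never runs
# part-sd or part-nvme.
part: wipe-sd wipe-nvme
part-sd: wipe-sd
	@$(if $(strip $(disk_sd)),,$(error disk_sd is empty: sourcephile-nix-get returned no GRUB device))
	# GPT on the SD card: BIOS boot partition (EF02) for GRUB's core image,
	# EFI system partition (EF00) and /boot (8300); all of them are looked up
	# later by partlabel, never by device name.
	sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(server)_sd_bios" "$(disk_sd)"
	sudo $$(which sgdisk) -n0:1M:+100M -t0:EF00 -c0:"$(server)_sd_efi" "$(disk_sd)"
	sudo $$(which sgdisk) -n0:0:+256M -t0:8300 -c0:"$(server)_sd_boot" "$(disk_sd)"
	# Fresh GUIDs so a cloned card is never mistaken for the original.
	sudo $$(which sgdisk) --randomize-guids "$(disk_sd)"
	# Partition-table backup written to the current directory (no secrets in it).
	sudo $$(which sgdisk) --backup=$(server)_sd.sgdisk "$(disk_sd)"
part-nvme:
	# 8G swap (8200), then the rest of the disk as the ZFS pool partition (BF01)
	# that format-rpool and wipe-sd refer to as $(server)_nvme_rpool.
	# NOTE(review): nothing here encrypts swap; confirm the NixOS config does,
	# otherwise pages of the encrypted pool can be swapped out in clear text.
	sudo $$(which sgdisk) -n0:0:+8G -t0:8200 -c0:"$(server)_nvme_swap" "$(disk_nvme)"
	sudo $$(which sgdisk) -n0:0:0 -t0:BF01 -c0:"$(server)_nvme_rpool" "$(disk_nvme)"
	sudo $$(which sgdisk) --randomize-guids "$(disk_nvme)"
	sudo $$(which sgdisk) --backup=$(server)_nvme.sgdisk "$(disk_nvme)"
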
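# format unmounts everything first so no device is formatted while mounted;
# each per-device target skips a device that already carries the expected
# filesystem or pool. NOTE(review): under `make -j` the order of these
# prerequisites is not guaranteed; run this target serially.
format: umount format-efi format-boot format-rpool
format-efi:
	# FAT16 ESP, created only when blkid finds no vfat filesystem on it
	# (any blkid failure, not just "not found", triggers mkfs here).
	sudo blkid /dev/disk/by-partlabel/$(server)_sd_efi -t TYPE=vfat || \
	sudo mkfs.vfat -F 16 -s 1 -n EFI /dev/disk/by-partlabel/$(server)_sd_efi
format-boot:
	sudo mkdir -p /mnt/$(server)
	# blkid exits 2 when no matching filesystem is found; only then is /boot
	# formatted (other blkid failures are left alone, unlike format-efi).
	sudo blkid -t TYPE=ext2 /dev/disk/by-partlabel/$(server)_sd_boot; test $$? != 2 || \
	sudo mkfs.ext2 /dev/disk/by-partlabel/$(server)_sd_boot
format-rpool:
	# Create the pool only when it is not imported. Without -f, zpool create
	# is expected to refuse a partition still carrying an exported pool's label,
	# which is the state right after umount.
	# NOTE(review): the device here used to be $(server)_nvme_root, which no
	# rule in this file creates; it now matches the label set by part-nvme
	# and cleared by wipe-sd.
	# With $(cipher) set the pool is natively encrypted and the passphrase is
	# asked interactively (keylocation=prompt) at creation and on every import.
	sudo zpool list $(rpool) 2>/dev/null || \
	sudo zpool create -o ashift=12 \
	  $(if $(cipher),-O encryption=$(cipher) \
	    -O keyformat=passphrase \
	    -O keylocation=prompt) \
	  -O normalization=formD \
	  -R /mnt/$(server) $(rpool) /dev/disk/by-partlabel/$(server)_nvme_rpool
	sudo zpool set \
	  autotrim=$(autotrim) \
	  $(rpool)
	# Defaults inherited by every dataset. canmount=off keeps the top-level
	# dataset itself unmounted; the children below are all mounted as legacy.
	sudo zfs set \
	  acltype=posixacl \
	  atime=off \
	  canmount=off \
	  compression=lz4 \
	  dnodesize=auto \
	  relatime=on \
	  xattr=sa \
	  mountpoint=/ \
	  $(rpool)
	# https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
	# Never-mounted dataset whose refreservation keeps $(reservation) free.
	sudo zfs list $(rpool)/reserved 2>/dev/null || \
	sudo zfs create -o canmount=off -o mountpoint=none $(rpool)/reserved
	sudo zfs set refreservation=$(reservation) $(rpool)/reserved
	# /
	# mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
	sudo zfs list $(rpool)/root 2>/dev/null || \
	sudo zfs create \
	  -o canmount=on \
	  -o mountpoint=legacy \
	  $(rpool)/root
	# /* : one dataset per directory, created only if missing.
	for p in \
	  home \
	  nix \
	  var \
	  var/cache \
	  var/log \
	  var/tmp \
	; do \
	  sudo zfs list $(rpool)/"$$p" 2>/dev/null || \
	  sudo zfs create \
	    -o canmount=on \
	    -o mountpoint=legacy \
	    $(rpool)/"$$p" ; \
	done
	# Reproducible or throw-away data: excluded from automatic snapshots.
	sudo zfs set \
	  com.sun:auto-snapshot=false \
	  $(rpool)/nix
	sudo zfs set \
	  com.sun:auto-snapshot=false \
	  $(rpool)/var/cache
	# sync=disabled trades crash-safety for speed; acceptable for /var/tmp only.
	sudo zfs set \
	  com.sun:auto-snapshot=false \
	  sync=disabled \
	  $(rpool)/var/tmp
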
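# Mount the installed system under /mnt/$(server): root pool first, then the
# SD partitions on top of it.
mount: mount-rpool mount-boot mount-efi
mount-rpool:
	# Import the pool unless it already is. -f overrides ZFS's "last accessed
	# by another system" refusal, expected when the pool was last used by the
	# installed system and is now opened from a live system.
	sudo zpool list $(rpool) || \
	sudo zpool import -f $(rpool)
	# Load the encryption key (interactive passphrase prompt) unless the pool
	# is unencrypted or the key is already loaded.
	sudo zfs get -H encryption $(rpool) | \
	grep -q '^$(rpool)\s*encryption\s*off' || \
	sudo zfs get -H keystatus $(rpool) | \
	grep -q '^$(rpool)\s*keystatus\s*available' || \
	sudo zfs load-key $(rpool)
	# /
	sudo mkdir -p /mnt/$(server)
	sudo mountpoint /mnt/$(server) || \
	sudo mount -v -t zfs $(rpool)/root /mnt/$(server)
	# /* : same datasets as created by format-rpool, skipped if already mounted.
	for p in \
	  home \
	  nix \
	  var \
	  var/cache \
	  var/log \
	  var/tmp \
	; do \
	  sudo mkdir -p /mnt/$(server)/"$$p"; \
	  sudo mountpoint /mnt/$(server)/"$$p" || \
	  sudo mount -v -t zfs $(rpool)/"$$p" /mnt/$(server)/"$$p" ; \
	done
	# /var/tmp must be world-writable with the sticky bit, like /tmp.
	sudo chmod 1777 /mnt/$(server)/var/tmp
# /boot lives on the SD card and must be mounted on top of the root dataset,
# hence the order-only dependency: without it, `make -j mount` or a bare
# `make mount-boot` could create /mnt/$(server)/boot on the live system and
# mount the SD partition there, later hidden by the root dataset.
mount-boot: | mount-rpool
	sudo mkdir -p /mnt/$(server)/boot
	sudo mountpoint /mnt/$(server)/boot || \
	sudo mount -v /dev/disk/by-partlabel/$(server)_sd_boot /mnt/$(server)/boot
mount-efi: | mount-boot
	sudo mkdir -p /mnt/$(server)/boot/efi
	sudo mountpoint /mnt/$(server)/boot/efi || \
	sudo mount -v /dev/disk/by-partlabel/$(server)_sd_efi /mnt/$(server)/boot/efi
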
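# Install NixOS into the mounted tree with the configuration next to this file.
# --no-root-passwd: no root password is set by the installer, root access must
# come from the configuration itself. --preserve-env hands the caller's whole
# environment to root (presumably needed for GPG/X and the nix search path);
# $$(which nixos-install) is resolved in the caller's PATH, not sudo's secure_path.
bootstrap: mount
	# Workaround https://dev.gnupg.org/T3908: pinentry run under sudo must be
	# able to open the caller's tty and X authority file. Opening them to
	# "other" for the duration of the install exposes the X cookie and the
	# terminal to every local user, so the permissions are restored whether
	# nixos-install succeeds or not (the original only restored on success),
	# and the recipe still fails with nixos-install's exit status.
	# NOTE(review): restoring with o-rw assumes neither file was o+rw before.
	for f in "$$GPG_TTY" "$$XAUTHORITY"; do test -z "$$f" || chmod o+rw "$$f"; done; \
	sudo --preserve-env \
	  NIXOS_CONFIG="$$PWD/configuration.nix" \
	  $$(which nixos-install) \
	  --root /mnt/$(server) \
	  --no-root-passwd \
	  --no-channel-copy \
	  --show-trace; \
	status=$$?; \
	for f in "$$GPG_TTY" "$$XAUTHORITY"; do test -z "$$f" || chmod o-rw "$$f"; done; \
	exit $$status
	sudo sourcephile-shred-tmp
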
# Tear down what mount set up: unmount children before parents, drop the
# encryption key and export the pool. Every step is skipped when already done.
umount:
	# The last, empty entry is /mnt/$(server)/ itself.
	for p in boot/efi boot home nix var/cache var/log var/tmp var ""; do \
	  if sudo mountpoint /mnt/$(server)/"$$p"; then \
	    sudo umount -v /mnt/$(server)/"$$p"; \
	  fi; \
	done
	# Drop the key from the kernel once nothing is mounted, so it does not
	# linger in memory after export. Skipped if the pool is not imported,
	# is unencrypted, or the key is already unloaded.
	if sudo zpool list $(rpool) 2>/dev/null \
	   && ! zfs get -H encryption $(rpool) | grep -q '^$(rpool)\s*encryption\s*off' \
	   && ! zfs get -H keystatus $(rpool) | grep -q '^$(rpool)\s*keystatus\s*unavailable'; \
	then sudo zfs unload-key $(rpool); fi
	# Export only when the pool is imported.
	if sudo zpool list $(rpool) 2>/dev/null; then sudo zpool export $(rpool); fi

# Remotely unlock the root pool at boot: the passphrase comes from the
# password store and is fed on stdin over SSH (port 2222, presumably the
# initrd's sshd) to `zfs load-key`; killing the remaining interactive `zfs`
# prompt then presumably lets the boot continue. The passphrase never
# appears on a command line.
# NOTE(review): the sshd on port 2222 has its own host key; make sure it is
# pinned in known_hosts, since anyone able to impersonate it receives the
# pool passphrase.
unlock:
	pass show servers/$(server)/zfs/rpool \
	| env NIXOPS_DEPLOYMENT="$${NIXOPS_DEPLOYMENT:-$(LOSURDO_DEPLOYMENT)}" \
	  nixops ssh $(server) -p 2222 'zfs load-key $(rpool) && pkill zfs'