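## Bootstrap knobs for the host "mermet": where its root is mounted under /mnt,
## which ZFS pools it uses and which disk it lives on.  Paths below are relative
## to the directory make runs from (presumably the repository root, where this
## file is included from -- confirm).
mermet_mnt := mermet
mermet_rpool := rpool
mermet_bpool := bpool
## Disk taken from the "device:" line of the sfdisk dump; `:=` runs sed exactly
## once, at parse time.  The value is empty when the file or the line is missing.
mermet_disk := $(shell sed -ne 's/^device: \(.*\)/\1/p' bootstrap/$(mermet_mnt)/etc/sfdisk.txt)
## Native ZFS encryption of the root pool: empty disables it, a cipher name
## (e.g. aes-128-gcm) enables it with an interactively prompted passphrase.
mermet_cipher :=
#mermet_cipher := aes-128-gcm
## Non-empty enables autotrim on the root pool.
mermet_autotrim :=
## reservation= applied to the root pool's top dataset; empty to skip it.
mermet_reservation := 40G

## These targets are commands, not files: declare them phony so that a stray
## file of the same name can never make them look up to date.
.PHONY: mermet-wipeout mermet-partition mermet-format mermet-mount mermet-bootstrap mermet-umount
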
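## Erase every on-disk signature of the mermet disk: ZFS labels first, then the
## whole GPT/MBR.  Irreversible.  Depends on mermet-umount so that the pool is
## exported before its labels are cleared.
## Refuses to run when mermet_disk is empty (sfdisk.txt missing or without a
## "device:" line) instead of passing a bare "-part3" to the tools.
mermet-wipeout: mermet-umount
	$(if $(strip $(mermet_disk)),,$(error mermet_disk is empty: no "device:" line found in bootstrap/$(mermet_mnt)/etc/sfdisk.txt))
# labelclear fails on a partition that carries no ZFS label (fresh disk): tolerated.
	sudo zpool labelclear -f $(mermet_disk)-part3 || true
	sudo zpool labelclear -f $(mermet_disk)-part5 || true
# $$(which ...) resolves the binary from the caller's PATH before sudo runs it,
# presumably because sudo's own PATH does not contain it -- confirm.
	sudo $$(which sgdisk) --zap-all $(mermet_disk)
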
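## Write the partition table from the sfdisk dump onto the mermet disk and make
## the kernel re-read it.  Destructive: the existing table of $(mermet_disk) is
## replaced.  Refuses to run when mermet_disk is empty.
mermet-partition:
	$(if $(strip $(mermet_disk)),,$(error mermet_disk is empty: no "device:" line found in bootstrap/$(mermet_mnt)/etc/sfdisk.txt))
# Load the ZFS module up front (presumably for the zpool commands of mermet-format -- confirm).
	sudo modprobe zfs
# $$(which ...) resolves the binary from the caller's PATH before sudo runs it.
	sudo $$(which sfdisk) $(mermet_disk) <bootstrap/$(mermet_mnt)/etc/sfdisk.txt
# Fresh disk/partition GUIDs, presumably because the dump carries those of the
# disk it was taken from -- confirm.
	sudo $$(which sgdisk) --randomize-guids $(mermet_disk)
# Only this disk changed: re-read its table rather than every block device.
	sudo partprobe $(mermet_disk)
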
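## Create the filesystems and ZFS datasets of mermet, rooted at /mnt/$(mermet_mnt):
##   $(mermet_disk)-part2  vfat  -> /boot/efi
##   $(mermet_disk)-part3  ext2  -> /boot
##   $(mermet_disk)-part5  zpool $(mermet_rpool), one legacy-mounted dataset per directory
## Idempotent: every step first checks whether the filesystem, pool or dataset
## already exists, so re-running it never reformats existing data.
## Refuses to run when mermet_disk is empty.
## DOC: https://github.com/zfsonlinux/zfs/wiki/Debian-Buster-Root-on-ZFS
mermet-format:
	$(if $(strip $(mermet_disk)),,$(error mermet_disk is empty: no "device:" line found in bootstrap/$(mermet_mnt)/etc/sfdisk.txt))
	sudo mkdir -p /mnt/$(mermet_mnt)
# /boot (ext2).  Format only when blkid reports "not found" (exit status 2);
# any other failure (usage error, ambiguous probe) must not lead to mkfs.
# Both commands run as root, consistently with the /boot/efi step below:
# mkfs needs write access to the device and blkid read access.
	sudo blkid -t TYPE=ext2 $(mermet_disk)-part3; test $$? != 2 || \
	sudo mkfs.ext2 $(mermet_disk)-part3
# bpool: ZFS /boot, kept for reference only (/boot is currently ext2 on part3).
## NOTE: enable only ZFS features supported by GRUB
#	sudo zpool list $(mermet_bpool) 2>/dev/null || \
#	sudo zpool create -o ashift=12 -d \
#	 -o feature@allocation_classes=enabled \
#	 -o feature@async_destroy=enabled \
#	 -o feature@bookmarks=enabled \
#	 -o feature@embedded_data=enabled \
#	 -o feature@empty_bpobj=enabled \
#	 -o feature@enabled_txg=enabled \
#	 -o feature@extensible_dataset=enabled \
#	 -o feature@filesystem_limits=enabled \
#	 -o feature@hole_birth=enabled \
#	 -o feature@large_blocks=enabled \
#	 -o feature@lz4_compress=enabled \
#	 -o feature@project_quota=enabled \
#	 -o feature@resilver_defer=enabled \
#	 -o feature@spacemap_histogram=enabled \
#	 -o feature@spacemap_v2=enabled \
#	 -o feature@userobj_accounting=enabled \
#	 -o feature@zpool_checkpoint=enabled \
#	 -o feature@multi_vdev_crash_dump=disabled \
#	 -o feature@large_dnode=disabled \
#	 -o feature@sha512=disabled \
#	 -o feature@skein=disabled \
#	 -o feature@edonr=disabled \
#	 -O normalization=formD \
#	 -R /mnt/$(mermet_mnt) $(mermet_bpool) $(mermet_disk)-part3
#	sudo zfs set \
#	 acltype=posixacl \
#	 canmount=off \
#	 compression=lz4 \
#	 devices=off \
#	 relatime=on \
#	 xattr=sa \
#	 mountpoint=/ \
#	 $(mermet_bpool)
# swap (not created yet)
# FIXME: configure with a volatile key in configuration.nix
#	blkid -t TYPE=crypto_LUKS $(mermet_disk)-part4; test $$? != 2 || \
#	sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 $(mermet_disk)-part4
#	sudo cryptsetup luksOpen $(mermet_disk)-part4 mermet-swap
#	blkid -t TYPE=swap /dev/mapper/mermet--swap; test $$? != 2 || \
#	sudo mkswap --check --label swap
#	sudo cryptsetup luksClose $(mermet_disk)-part4 mermet-swap
# rpool.  With mermet_cipher set the pool is natively encrypted and its key is a
# passphrase typed at the prompt (keyformat=passphrase, keylocation=prompt).
	sudo zpool list $(mermet_rpool) 2>/dev/null || \
	sudo zpool create -o ashift=12 \
	 $(if $(mermet_cipher),-O encryption=$(mermet_cipher) -O keyformat=passphrase -O keylocation=prompt) \
	 -O normalization=formD \
	 -R /mnt/$(mermet_mnt) $(mermet_rpool) $(mermet_disk)-part5
# autotrim is a pool property: it goes through zpool set, not zfs set (which
# rejects it).  The line expands to nothing when mermet_autotrim is empty.
	$(if $(mermet_autotrim),sudo zpool set autotrim=on $(mermet_rpool))
# Dataset defaults inherited by every child; the top dataset itself is not mounted.
	sudo zfs set \
	 acltype=posixacl \
	 atime=off \
	 canmount=off \
	 compression=lz4 \
	 dnodesize=auto \
	 relatime=on \
	 $(if $(mermet_reservation),reservation=$(mermet_reservation)) \
	 xattr=sa \
	 mountpoint=/ \
	 $(mermet_rpool)
# /
# NOTE: mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
	sudo zfs list $(mermet_rpool)/root 2>/dev/null || \
	sudo zfs create \
	 -o canmount=on \
	 -o mountpoint=legacy \
	 $(mermet_rpool)/root
# /boot on bpool, kept for reference only (see above).
#	sudo zfs list $(mermet_bpool)/boot 2>/dev/null || \
#	sudo zfs create \
#	 -o canmount=on \
#	 -o mountpoint=legacy \
#	 $(mermet_bpool)/boot
# /boot/efi (vfat): same exit-status-2 rule as for /boot.
	sudo blkid -t TYPE=vfat $(mermet_disk)-part2; test $$? != 2 || \
	sudo mkfs.vfat -F 32 -s 1 -n EFI $(mermet_disk)-part2
# /*: one dataset per directory, parents listed before their children.
	for p in \
	 home \
	 nix \
	 nix/var \
	 var \
	 var/cache \
	 var/log \
	 var/mail \
	 var/tmp \
	 var/www \
	; do \
	 sudo zfs list $(mermet_rpool)/"$$p" 2>/dev/null || \
	 sudo zfs create \
	  -o canmount=on \
	  -o mountpoint=legacy \
	  $(mermet_rpool)/"$$p" ; \
	done
# Per-dataset tuning.  com.sun:auto-snapshot is a user property, presumably read
# by a zfs-auto-snapshot style tool to skip these datasets -- confirm.
	sudo zfs set \
	 com.sun:auto-snapshot=false \
	 $(mermet_rpool)/nix
	sudo zfs set \
	 sync=always \
	 $(mermet_rpool)/nix/var
	sudo zfs set \
	 com.sun:auto-snapshot=false \
	 $(mermet_rpool)/var/cache
	sudo zfs set \
	 com.sun:auto-snapshot=false \
	 sync=disabled \
	 $(mermet_rpool)/var/tmp
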
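## Import the root pool, load its encryption key when needed, and mount the whole
## tree under /mnt/$(mermet_mnt) in the layout mermet-bootstrap expects.
## Idempotent: a mount is skipped when its target is already a mountpoint.
## Refuses to run when mermet_disk is empty (part2/part3 are mounted from it).
mermet-mount:
	$(if $(strip $(mermet_disk)),,$(error mermet_disk is empty: no "device:" line found in bootstrap/$(mermet_mnt)/etc/sfdisk.txt))
# Import the pool unless it is already visible.  -f forces the import even if
# the pool looks potentially active (e.g. last used under another host).
#	sudo zpool list $(mermet_bpool) || \
#	sudo zpool import -f $(mermet_bpool)
	sudo zpool list $(mermet_rpool) || \
	sudo zpool import -f $(mermet_rpool)
# Load the key only when the pool is encrypted and the key is not yet available
# (zfs get -H prints "name property value ..." for the greps below).
	zfs get -H encryption $(mermet_rpool) | \
	grep -q '^$(mermet_rpool)\s*encryption\s*off' || \
	zfs get -H keystatus $(mermet_rpool) | \
	grep -q '^$(mermet_rpool)\s*keystatus\s*available' || \
	sudo zfs load-key $(mermet_rpool)
# /
	sudo mkdir -p /mnt/$(mermet_mnt)
	sudo mountpoint /mnt/$(mermet_mnt) || \
	sudo mount -v -t zfs $(mermet_rpool)/root /mnt/$(mermet_mnt)
# /boot: ext2 on part3 (the bpool alternative is not used).
	sudo mkdir -p /mnt/$(mermet_mnt)/boot
	sudo mountpoint /mnt/$(mermet_mnt)/boot || \
	sudo mount -v $(mermet_disk)-part3 /mnt/$(mermet_mnt)/boot
#	sudo mount -v -t zfs $(mermet_bpool)/boot /mnt/$(mermet_mnt)/boot
# /boot/efi
	sudo mkdir -p /mnt/$(mermet_mnt)/boot/efi
	sudo mountpoint /mnt/$(mermet_mnt)/boot/efi || \
	sudo mount -v $(mermet_disk)-part2 /mnt/$(mermet_mnt)/boot/efi
# /*: one legacy-mounted dataset per directory, parents before children.
	for p in \
	 home \
	 nix \
	 nix/var \
	 var \
	 var/cache \
	 var/log \
	 var/mail \
	 var/tmp \
	 var/www \
	; do \
	 sudo mkdir -p /mnt/$(mermet_mnt)/"$$p"; \
	 sudo mountpoint /mnt/$(mermet_mnt)/"$$p" || \
	 sudo mount -v -t zfs $(mermet_rpool)/"$$p" /mnt/$(mermet_mnt)/"$$p" ; \
	done
# /var/tmp is world-writable with the sticky bit, like /tmp.
	sudo chmod 1777 /mnt/$(mermet_mnt)/var/tmp
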
## Install NixOS on the mounted target: copy the host's configuration and its
## dropbear host key there, then run nixos-install against /mnt/$(mermet_mnt).
mermet-bootstrap: mermet-mount
	sudo mkdir -p bootstrap/$(mermet_mnt)/etc/nixos
	sudo mkdir -p /mnt/$(mermet_mnt)/etc
# Replace the target's /etc/nixos wholesale with the repository's copy.
	sudo rm -rf "/mnt/$(mermet_mnt)/etc/nixos"
	sudo cp -vr bootstrap/$(mermet_mnt)/etc/nixos /mnt/$(mermet_mnt)/etc/
# Private host key for dropbear (presumably the initrd SSH server -- confirm):
# installed root:root 0600 so it is never readable by other users.
	sudo install -D -o root -g root -m 600 \
	 bootstrap/$(mermet_mnt)/etc/dropbear/host-ecdsa-key \
	 /mnt/$(mermet_mnt)/etc/dropbear/host-ecdsa-key
# NOTE: no grub-install here: nixos-install installs GRUB following
# configuration.nix (manually it would be `grub-install DISK` for BIOS, or
# `grub-install --target=x86_64-efi --efi-directory=/mnt/$(mermet_mnt)/boot/efi
# --bootloader-id=nixos --recheck --no-floppy` for UEFI).
# The caller's NIX_PATH and PATH are handed to root, presumably so that
# nixos-install and the nixpkgs it evaluates resolve as for the invoking user --
# confirm.  --no-root-passwd: no interactive root password prompt.
	sudo NIX_PATH="$$NIX_PATH" PATH="$$PATH" $$(which nixos-install) \
	 --root /mnt/$(mermet_mnt) --no-root-passwd

## Undo mermet-mount: unmount everything below /mnt/$(mermet_mnt) (children
## before parents, the root last), forget the encryption key if one is loaded,
## then export the pool.  Every step is conditional, so it is safe to run when
## nothing is mounted or imported.
mermet-umount:
	for p in boot/efi boot home nix/var nix var/cache var/log var/mail var/tmp var/www var ""; do \
	 ! sudo mountpoint /mnt/$(mermet_mnt)/"$${p}" || sudo umount -v /mnt/$(mermet_mnt)/"$${p}"; \
	done
# Unload the key only when the pool is imported, encrypted, and its key is loaded.
	! sudo zpool list $(mermet_rpool) 2>/dev/null || \
	zfs get -H encryption $(mermet_rpool) | grep -q '^$(mermet_rpool)\s*encryption\s*off' || \
	zfs get -H keystatus $(mermet_rpool) | grep -q '^$(mermet_rpool)\s*keystatus\s*unavailable' || \
	sudo zfs unload-key $(mermet_rpool)
# The bpool export is not needed while /boot is not on ZFS:
#	! sudo zpool list $(mermet_bpool) 2>/dev/null || sudo zpool export $(mermet_bpool)
	! sudo zpool list $(mermet_rpool) 2>/dev/null || sudo zpool export $(mermet_rpool)