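#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
# Provisioning steps for the losurdo host: wipe/partition the disks, create the
# filesystems and the ZFS root pool, mount the tree, install NixOS, unmount.
#
# Every target in this file is a command, not a file it produces, so all of
# them are declared phony: a stray file named e.g. `mount`, `format` or `part`
# in this directory must never make a step look "up to date" and get skipped.
.PHONY: wipe-sd wipe-nvme wipe-ssd \
        part part-sd part-nvme part-ssd \
        format format-sd-efi format-sd-boot format-nvme-rpool \
        format-ssd-efi format-ssd-boot format-ssd-mirror \
        mount mount-rpool mount-boot mount-efi \
        bootstrap umount unlock
# Alternative single-disk identifiers, kept commented out for reference.
#disk := /dev/disk/by-id/usb-Generic-_Multi-Card_20071114173400000-0:0
#disk := /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_250GB_S4EUNJ0N211426T
# Host name; also used as the partition-label prefix and as the pool name.
server := losurdo
# Stable by-id paths of the three disks handled by the wipe-* and part-*
# targets: the SD card carries the BIOS/EFI/boot partitions, the NVMe holds
# the root pool and the SSD is attached to it as a mirror (format-ssd-mirror).
disk_sd := /dev/disk/by-id/mmc-SB32G_0xdb5e2237
disk_nvme := /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_250GB_S4EUNJ0N211426T
disk_ssd := /dev/disk/by-id/ata-Samsung_SSD_860_EVO_250GB_S3YJNX0K863141Y
# Name of the ZFS root pool.
rpool := $(server)
# Native-encryption cipher for the root pool; leave empty to create the pool
# unencrypted (see the $(if $(cipher),...) in format-nvme-rpool).
cipher := aes-128-gcm
# zpool autotrim setting applied in format-nvme-rpool.
autotrim := on
# refreservation of the $(rpool)/reserved dataset (see format-nvme-rpool).
reservation := 1G
# Optional: set e.g. to formD to pass -O normalization=... at pool creation.
#unicode_normalization := formD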
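# Destroy the partition table (GPT and protective MBR) of the SD card.
wipe-sd:
	sudo $$(which sgdisk) --zap-all $(disk_sd)
# The NVMe is deliberately not zapped: only the ZFS label on its rpool
# partition is cleared, and a missing partition/label is not an error.
wipe-nvme:
	sudo zpool labelclear -f /dev/disk/by-partlabel/$(server)_nvme_rpool || true
# Clear the ZFS label *before* zapping the table: once the GPT is gone the
# by-partlabel symlink disappears, labelclear can no longer find the
# partition (silently, because of `|| true`) and a stale ZFS label is left
# on the disk that a later `zpool import` scan could still pick up.
wipe-ssd:
	sudo zpool labelclear -f /dev/disk/by-partlabel/$(server)_ssd_rpool || true
	sudo $$(which sgdisk) --zap-all $(disk_ssd)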
# `part` only runs the three wipes; the partitioning itself is done by the
# individual part-* targets below.  Note that only part-sd wipes its disk
# first: part-nvme and part-ssd add partitions to whatever table is present
# (sgdisk's `-n0` takes the next free partition number).
part: wipe-sd wipe-nvme wipe-ssd
# SD card: BIOS boot (EF02), EFI system (EF00) and /boot (8300) partitions,
# then fresh GUIDs and a table backup written into the current directory.
part-sd: wipe-sd
	sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(server)_sd_bios" $(disk_sd)
	sudo $$(which sgdisk) -n0:1M:+100M -t0:EF00 -c0:"$(server)_sd_efi" $(disk_sd)
	sudo $$(which sgdisk) -n0:0:+256M -t0:8300 -c0:"$(server)_sd_boot" $(disk_sd)
	sudo $$(which sgdisk) --randomize-guids $(disk_sd)
	sudo $$(which sgdisk) --backup=$(server)_sd.sgdisk $(disk_sd)
# NVMe: 8G swap (8200) and the root-pool partition (BF01) on the rest of the
# disk; the label $(server)_nvme_rpool is what wipe-nvme refers to.
part-nvme:
	sudo $$(which sgdisk) -n0:0:+8G -t0:8200 -c0:"$(server)_nvme_swap" $(disk_nvme)
	sudo $$(which sgdisk) -n0:0:0 -t0:BF01 -c0:"$(server)_nvme_rpool" $(disk_nvme)
	sudo $$(which sgdisk) --randomize-guids $(disk_nvme)
	sudo $$(which sgdisk) --backup=$(server)_nvme.sgdisk $(disk_nvme)
# SSD: the same bootable layout as the SD card plus swap and a root-pool
# partition, so it can stand in for both the boot media and the NVMe rpool.
part-ssd:
	sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(server)_ssd_bios" $(disk_ssd)
	sudo $$(which sgdisk) -n0:1M:+100M -t0:EF00 -c0:"$(server)_ssd_efi" $(disk_ssd)
	sudo $$(which sgdisk) -n0:0:+256M -t0:8300 -c0:"$(server)_ssd_boot" $(disk_ssd)
	sudo $$(which sgdisk) -n0:0:+8G -t0:8200 -c0:"$(server)_ssd_swap" $(disk_ssd)
	sudo $$(which sgdisk) -n0:0:0 -t0:BF01 -c0:"$(server)_ssd_rpool" $(disk_ssd)
	sudo $$(which sgdisk) --randomize-guids $(disk_ssd)
	sudo $$(which sgdisk) --backup=$(server)_ssd.sgdisk $(disk_ssd)
# Unmount everything, then (re)create the filesystems and the root pool.
# NOTE(review): no ordering is declared among these prerequisites, so under
# `make -j` a format-* step may start before umount has finished and
# format-ssd-mirror may run before format-nvme-rpool has created the pool;
# run this target serially.
format: umount format-sd-efi format-sd-boot format-nvme-rpool format-ssd-efi format-ssd-boot format-ssd-mirror
# FAT16 on the SD EFI partition, unless blkid already reports it as vfat.
format-sd-efi:
	sudo blkid /dev/disk/by-partlabel/$(server)_sd_efi -t TYPE=vfat || \
	sudo mkfs.vfat -F 16 -s 1 -n EFI /dev/disk/by-partlabel/$(server)_sd_efi
# ext2 on the SD /boot partition, unless blkid already reports ext2: blkid
# exits 2 when its -t filter matches nothing, and only that exit status
# triggers mkfs.  The mkdir prepares the mount root used by mount-rpool.
format-sd-boot:
	sudo mkdir -p /mnt/$(server)
	sudo blkid -t TYPE=ext2 /dev/disk/by-partlabel/$(server)_sd_boot; test $$? != 2 || \
	sudo mkfs.ext2 /dev/disk/by-partlabel/$(server)_sd_boot
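# Create the root pool on the NVMe rpool partition and its datasets.  The
# partition is addressed by the label part-nvme assigns ($(server)_nvme_rpool)
# so the two targets cannot drift apart.  Every step is re-runnable: an
# existing pool/dataset is detected with `list` and only its properties are
# (re)applied.
format-nvme-rpool:
	sudo zpool list $(rpool) 2>/dev/null || \
	sudo zpool create -o ashift=12 \
	 $(if $(cipher),-O encryption=$(cipher) \
	  -O keyformat=passphrase \
	  -O keylocation=prompt) \
	 $(if $(unicode_normalization),-O normalization=$(unicode_normalization)) \
	 -R /mnt/$(server) $(rpool) /dev/disk/by-partlabel/$(server)_nvme_rpool
	sudo zpool set \
	 autotrim=$(autotrim) \
	 $(rpool)
# Pool-wide dataset defaults.  canmount=off keeps the top-level dataset itself
# unmounted; the children created below override mountpoint to legacy.
	sudo zfs set \
	 acltype=posixacl \
	 atime=off \
	 canmount=off \
	 compression=zstd \
	 dnodesize=auto \
	 relatime=on \
	 xattr=off \
	 mountpoint=/ \
	 $(rpool)
# https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
	sudo zfs list $(rpool)/reserved 2>/dev/null || \
	sudo zfs create -o canmount=off -o mountpoint=none $(rpool)/reserved
	sudo zfs set refreservation=$(reservation) $(rpool)/reserved
# /
# mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
	sudo zfs list $(rpool)/root 2>/dev/null || \
	sudo zfs create \
	 -o canmount=on \
	 -o mountpoint=legacy \
	 $(rpool)/root
# /boot is the ext2 partition on the SD card (see format-sd-boot and
# mount-boot), not a ZFS dataset.
# /* — one dataset per directory; parents (var) are listed before children.
	for p in \
	 home \
	 nix \
	 var \
	 var/cache \
	 var/log \
	 var/tmp \
	; do \
	 sudo zfs list $(rpool)/"$$p" 2>/dev/null || \
	 sudo zfs create \
	  -o canmount=on \
	  -o mountpoint=legacy \
	  $(rpool)/"$$p" ; \
	done
# Excluded from automatic snapshots (com.sun:auto-snapshot is the property
# zfs-auto-snapshot honours); var/tmp additionally runs with sync disabled.
	sudo zfs set \
	 com.sun:auto-snapshot=false \
	 $(rpool)/nix
	sudo zfs set \
	 com.sun:auto-snapshot=false \
	 $(rpool)/var/cache
	sudo zfs set \
	 com.sun:auto-snapshot=false \
	 sync=disabled \
	 $(rpool)/var/tmp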
# FAT32 on the SSD EFI partition, unless blkid already reports it as vfat
# (the SD card's EFI partition is FAT16; see format-sd-efi).
format-ssd-efi:
	sudo blkid /dev/disk/by-partlabel/$(server)_ssd_efi -t TYPE=vfat || \
	sudo mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(server)_ssd_efi
# ext2 on the SSD /boot partition unless blkid already reports ext2; as in
# format-sd-boot, only blkid's "no match" exit status 2 triggers mkfs.
format-ssd-boot:
	sudo blkid -t TYPE=ext2 /dev/disk/by-partlabel/$(server)_ssd_boot; test $$? != 2 || \
	sudo mkfs.ext2 /dev/disk/by-partlabel/$(server)_ssd_boot
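# Turn the root pool into a mirror by attaching the SSD rpool partition to the
# NVMe one.  Both vdevs are addressed by the partition labels part-nvme and
# part-ssd assign rather than by-id "-partN" suffixes, whose numbers depend
# on the partition layout (per part-nvme the NVMe rpool is its 2nd partition,
# per part-ssd the SSD one is its 5th).  NOTE(review): the existing-vdev
# argument must name the device the pool was created with; confirm against
# `zpool status` on the host.
format-ssd-mirror:
	sudo zpool attach $(rpool) /dev/disk/by-partlabel/$(server)_nvme_rpool /dev/disk/by-partlabel/$(server)_ssd_rpool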
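# Mount the installation tree under /mnt/$(server).  mount-boot is ordered
# after mount-rpool (and mount-efi after mount-boot) so that under `make -j`
# /boot can neither be created on the not-yet-mounted root nor be hidden by
# rpool/root being mounted over it afterwards.
mount: mount-rpool mount-boot mount-efi
# Import the pool if needed, load its key when it is encrypted and still
# locked, then mount the root and the per-directory datasets (all legacy).
mount-rpool:
# scan needed zpools
	sudo zpool list $(rpool) || \
	sudo zpool import -f $(rpool)
# load encryption key (skipped when encryption=off or keystatus=available)
	sudo zfs get -H encryption $(rpool) | \
	grep -q '^$(rpool)\s*encryption\s*off' || \
	sudo zfs get -H keystatus $(rpool) | \
	grep -q '^$(rpool)\s*keystatus\s*available' || \
	sudo zfs load-key $(rpool)
# /
	sudo mkdir -p /mnt/$(server)
	sudo mountpoint /mnt/$(server) || \
	sudo mount -v -t zfs $(rpool)/root /mnt/$(server)
# /* — parents (var) before children; the mountpoint checks make this re-runnable
	for p in \
	 home \
	 nix \
	 var \
	 var/cache \
	 var/log \
	 var/tmp \
	; do \
	 sudo mkdir -p /mnt/$(server)/"$$p"; \
	 sudo mountpoint /mnt/$(server)/"$$p" || \
	 sudo mount -v -t zfs $(rpool)/"$$p" /mnt/$(server)/"$$p" ; \
	done
	sudo chmod 1777 /mnt/$(server)/var/tmp
# /boot is the ext2 partition on the SD card (see format-sd-boot).  Order-only
# after mount-rpool: the directory must be created on the mounted root.
mount-boot: | mount-rpool
	sudo mkdir -p /mnt/$(server)/boot
	sudo mountpoint /mnt/$(server)/boot || \
	sudo mount -v /dev/disk/by-partlabel/$(server)_sd_boot /mnt/$(server)/boot
# The EFI system partition lives under /boot, hence after mount-boot.
mount-efi: | mount-boot
	sudo mkdir -p /mnt/$(server)/boot/efi
	sudo mountpoint /mnt/$(server)/boot/efi || \
	sudo mount -v /dev/disk/by-partlabel/$(server)_sd_efi /mnt/$(server)/boot/efi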
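# Install NixOS into the mounted tree.  The gnupg workaround and the install
# run in ONE shell with an EXIT trap, so the relaxed permissions on $GPG_TTY
# and $XAUTHORITY are restored even when nixos-install fails: as separate
# recipe lines, make would stop at the failed install and the restoring
# `chmod o-rw` would never run, leaving both files world read/write.
bootstrap: mount
# Workaround https://dev.gnupg.org/T3908 (sudo'd process must reach the tty)
	chmod o+rw $$GPG_TTY $$XAUTHORITY; \
	trap 'chmod o-rw $$GPG_TTY $$XAUTHORITY' EXIT; \
	sudo --preserve-env \
	 NIXOS_CONFIG="$$PWD/install.nix" \
	 $$(which nixos-install) \
	 --root /mnt/$(server) \
	 --no-root-passwd \
	 --no-channel-copy \
	 --show-trace
# Only reached on a successful install, as before.
	sudo sourcephile-shred-tmp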
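# Tear the installation tree down: unmount children before parents ("" is
# /mnt/$(server) itself and comes last), unload the key if the pool is
# imported, encrypted and its key is loaded, then export the pool.  Each
# leading `!` turns a not-mounted / not-imported state into a no-op instead
# of an error, so the target can be run repeatedly.
umount:
	for p in \
	 boot/efi \
	 boot \
	 home \
	 nix \
	 var/cache \
	 var/log \
	 var/tmp \
	 var \
	 "" \
	; do \
	 ! sudo mountpoint /mnt/$(server)/"$$p" || \
	 sudo umount -v /mnt/$(server)/"$$p" ; \
	done
# Same encryption/keystatus probe as in mount-rpool, run through sudo as there.
	! sudo zpool list $(rpool) 2>/dev/null || \
	sudo zfs get -H encryption $(rpool) | \
	grep -q '^$(rpool)\s*encryption\s*off' || \
	sudo zfs get -H keystatus $(rpool) | \
	grep -q '^$(rpool)\s*keystatus\s*unavailable' || \
	sudo zfs unload-key $(rpool)
	! sudo zpool list $(rpool) 2>/dev/null || \
	sudo zpool export $(rpool)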
# Unlock the root pool of a booted-but-locked host from this machine: the
# passphrase from the `pass` store is piped over `nixops ssh` on port 2222
# into `zfs load-key`.  NOTE(review): port 2222 is presumably the initrd
# sshd and `pkill zfs` is meant to end the zfs process waiting for the key on
# the console so the boot can proceed — confirm against the host config.
# LOSURDO_DEPLOYMENT is not defined in this file; it is expected from the
# environment and only used when NIXOPS_DEPLOYMENT is unset.
unlock:
	pass hosts/$(server)/zfs/rpool | \
	NIXOPS_DEPLOYMENT="$${NIXOPS_DEPLOYMENT:-$(LOSURDO_DEPLOYMENT)}" \
	nixops ssh $(server) -p 2222 'zfs load-key $(rpool) && pkill zfs'