]> Git — Sourcephile - sourcephile-nix.git/blob - machines/mermet/Makefile
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
openldap: update to new settings
[sourcephile-nix.git] / machines / mermet / Makefile
1 #cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
2 mermet_deployment := maintenance
3 mermet_disk := /dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R
4 #mermet_cipher :=
5 mermet_cipher := aes-128-gcm
6 mermet_autotrim :=
7 mermet_reservation := 1G
8 #mermet_channel := $$(nix-env -p /nix/var/nix/profiles/per-user/$$USER/channels -q nixpkgs --no-name --out-path)
9 #mermet_unicode_normalization := formD
10
11 echo:
12 echo $(MAKEFILES)
13
14 wipeout: umount
15 #sudo zpool labelclear -f $(mermet_disk)-part3 || true
16 sudo zpool labelclear -f $(mermet_disk)-part5 || true
17 sudo $$(which sgdisk) --zap-all $(mermet_disk)
18
19 partition:
20 sudo modprobe zfs
21 set -x; if test -e sfdisk; then \
22 sudo $$(which sfdisk) $(losurdo_disk) <sfdisk.txt; \
23 else \
24 sudo $$(which sgdisk) --zap-all $(losurdo_disk) && \
25 sudo partprobe && \
26 sudo $$(which sgdisk) -a1 -n1:34:2047 -t1:EF02 $(losurdo_disk) && \
27 sudo $$(which sgdisk) -n2:1M:+512M -t2:EF00 $(losurdo_disk) && \
28 sudo $$(which sgdisk) -n3:0:+512M -t3:8300 $(losurdo_disk) && \
29 sudo $$(which sgdisk) -n4:0:+4G -t4:8200 $(losurdo_disk) && \
30 sudo $$(which sgdisk) -n5:0:0 -t5:BF01 $(losurdo_disk) && \
31 sudo $$(which sgdisk) --randomize-guids $(losurdo_disk) && \
32 sudo $$(which sfdisk) -d $(losurdo_disk) | \
33 sed -e 's&/dev/sd.&$(losurdo_disk)&' >sfdisk.txt; \
34 fi
35
36 format:
37 # DOC: https://github.com/zfsonlinux/zfs/wiki/Debian-Buster-Root-on-ZFS
38 sudo mkdir -p /mnt/mermet
39 blkid -t TYPE=ext2 $(mermet_disk)-part3; test $$? != 2 || \
40 mkfs.ext2 $(mermet_disk)-part3
41 # bpool
42 ## NOTE: enable only ZFS features supported by GRUB
43 #sudo zpool list bpool 2>/dev/null || \
44 #sudo zpool create -o ashift=12 -d \
45 # -o feature@allocation_classes=enabled \
46 # -o feature@async_destroy=enabled \
47 # -o feature@bookmarks=enabled \
48 # -o feature@embedded_data=enabled \
49 # -o feature@empty_bpobj=enabled \
50 # -o feature@enabled_txg=enabled \
51 # -o feature@extensible_dataset=enabled \
52 # -o feature@filesystem_limits=enabled \
53 # -o feature@hole_birth=enabled \
54 # -o feature@large_blocks=enabled \
55 # -o feature@lz4_compress=enabled \
56 # -o feature@project_quota=enabled \
57 # -o feature@resilver_defer=enabled \
58 # -o feature@spacemap_histogram=enabled \
59 # -o feature@spacemap_v2=enabled \
60 # -o feature@userobj_accounting=enabled \
61 # -o feature@zpool_checkpoint=enabled \
62 # -o feature@multi_vdev_crash_dump=disabled \
63 # -o feature@large_dnode=disabled \
64 # -o feature@sha512=disabled \
65 # -o feature@skein=disabled \
66 # -o feature@edonr=disabled \
67 # -O normalization=formD \
68 # -R /mnt/mermet bpool $(mermet_disk)-part3
69 #sudo zfs set \
70 # acltype=posixacl \
71 # canmount=off \
72 # compression=lz4 \
73 # devices=off \
74 # relatime=on \
75 # xattr=sa \
76 # mountpoint=/ \
77 # bpool
78
79 # swap
80 # Note: configured with a volatile key in configuration.nix
81 #blkid -t TYPE=crypto_LUKS $(mermet_disk)-part4; test $$? != 2 || \
82 #sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 $(mermet_disk)-part4
83 #sudo cryptsetup luksOpen $(mermet_disk)-part4 swap
84 #blkid -t TYPE=swap /dev/mapper/-swap; test $$? != 2 || \
85 #sudo mkswap --check --label swap
86 #sudo cryptsetup luksClose $(mermet_disk)-part4 swap
87 # rpool
88 sudo zpool list rpool 2>/dev/null || \
89 sudo zpool create -o ashift=12 \
90 $(if $(mermet_cipher),-O encryption=$(mermet_cipher) \
91 -O keyformat=passphrase \
92 -O keylocation=prompt) \
93 $(if $(mermet_unicode_normalization),-O normalization=$(mermet_unicode_normalization) \
94 -R /mnt/mermet rpool $(mermet_disk)-part5
95 sudo zfs set \
96 acltype=posixacl \
97 atime=off \
98 $(if $(mermet_autotrim),autotrim=on) \
99 canmount=off \
100 compression=lz4 \
101 dnodesize=auto \
102 relatime=on \
103 xattr=sa \
104 mountpoint=/ \
105 rpool
106 # https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
107 sudo zfs list rpool/reserved 2>/dev/null || \
108 sudo zfs create -o canmount=off -o mountpoint=none rpool/reserved
109 sudo zfs set refreservation=$(mermet_reservation) rpool/reserved
110 # /
111 # NOTE: mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
112 sudo zfs list rpool/root 2>/dev/null || \
113 sudo zfs create \
114 -o canmount=on \
115 -o mountpoint=legacy \
116 rpool/root
117 # /boot
118 #sudo zfs list bpool/boot 2>/dev/null || \
119 #sudo zfs create \
120 # -o canmount=on \
121 # -o mountpoint=legacy \
122 # bpool/boot
123 # /boot/efi
124 sudo blkid $(mermet_disk)-part2 -t TYPE=vfat || \
125 sudo mkfs.vfat -F 32 -s 1 -n EFI $(mermet_disk)-part2
126 # /*
127 for p in \
128 home \
129 nix \
130 var \
131 var/cache \
132 var/log \
133 var/mail \
134 var/redis \
135 var/tmp \
136 var/www \
137 ; do \
138 sudo zfs list rpool/"$$p" 2>/dev/null || \
139 sudo zfs create \
140 -o canmount=on \
141 -o mountpoint=legacy \
142 rpool/"$$p" ; \
143 done
144 sudo zfs set \
145 com.sun:auto-snapshot=false \
146 rpool/nix
147 sudo zfs set \
148 com.sun:auto-snapshot=false \
149 rpool/var/cache
150 sudo zfs set \
151 com.sun:auto-snapshot=false \
152 sync=disabled \
153 rpool/var/tmp
154
155 mount:
156 # scan needed zpools
157 #sudo zpool list bpool || \
158 #sudo zpool import -f bpool
159 sudo zpool list rpool || \
160 sudo zpool import -f rpool
161 # load encryption key
162 zfs get -H encryption rpool | \
163 grep -q '^rpool\s*encryption\s*off' || \
164 zfs get -H keystatus rpool | \
165 grep -q '^rpool\s*keystatus\s*available' || \
166 sudo zfs load-key rpool
167 # /
168 sudo mkdir -p /mnt/mermet
169 sudo mountpoint /mnt/mermet || \
170 sudo mount -v -t zfs rpool/root /mnt/mermet
171 # /boot
172 sudo mkdir -p /mnt/mermet/boot
173 sudo mountpoint /mnt/mermet/boot || \
174 sudo mount -v $(mermet_disk)-part3 /mnt/mermet/boot
175 #sudo mount -v -t zfs bpool/boot /mnt/mermet/boot
176 # /boot/efi
177 sudo mkdir -p /mnt/mermet/boot/efi
178 sudo mountpoint /mnt/mermet/boot/efi || \
179 sudo mount -v $(mermet_disk)-part2 /mnt/mermet/boot/efi
180 # /*
181 for p in \
182 home \
183 nix \
184 var \
185 var/cache \
186 var/log \
187 var/mail \
188 var/redis \
189 var/tmp \
190 var/www \
191 ; do \
192 sudo mkdir -p /mnt/mermet/"$$p"; \
193 sudo mountpoint /mnt/mermet/"$$p" || \
194 sudo mount -v -t zfs rpool/"$$p" /mnt/mermet/"$$p" ; \
195 done
196 sudo chmod 1777 /mnt/mermet/var/tmp
197
198 bootstrap: mount
199 #test "$$(sudo grub-probe /mnt/mermet/boot)" = zfs
200 # NOTE: nixos-install will install GRUB following configuration.nix
201 # BIOS
202 #sudo grub-install $(mermet_disk)
203 # UEFI
204 #sudo grub-install \
205 # --target=x86_64-efi \
206 # --efi-directory=/mnt/mermet/boot/efi \
207 # --bootloader-id=nixos \
208 # --recheck \
209 # --no-floppy
210
211 pass machines/mermet/dropbear/host.key | \
212 sudo install -D -o root -g root -m 400 /dev/stdin \
213 /mnt/mermet/etc/dropbear/host.key && \
214 test -s /mnt/mermet/etc/dropbear/host.key
215
216 #trap "test ! -e SHRED-ME || sudo find SHRED-ME -type f -exec shred -u {} + && sudo rm -rf SHRED-ME" EXIT ;
217 sudo \
218 GNUPGHOME="$$GNUPGHOME" \
219 GPG_TTY="$$GPG_TTY" \
220 DBUS_SESSION_BUS_ADDRESS="$$DBUS_SESSION_BUS_ADDRESS" \
221 LANG="$$LANG" \
222 LC_CTYPE="$$LC_CTYPE" \
223 MERMET_DEPLOYMENT="$$MERMET_DEPLOYMENT" \
224 NIXOS_CONFIG="$$(readlink -e ../install.nix)" \
225 NIX_CONF_DIR="$$NIX_CONF_DIR" \
226 NIX_PATH="$$NIX_PATH" \
227 PASSWORD_STORE_DIR="$$PASSWORD_STORE_DIR" \
228 PATH="$$PATH" \
229 SSL_CERT_FILE="$$SSL_CERT_FILE" \
230 $$(which nixos-install) \
231 --root /mnt/mermet \
232 $(if $(mermet_channel),--channel "$(mermet_channel)") \
233 --option -Inixops=$$(nix-instantiate --eval -E '(import <nixpkgs> {}).nixops + ""') \
234 --no-root-passwd \
235 --show-trace
236
237 umount:
238 for p in \
239 boot/efi \
240 boot \
241 home \
242 nix \
243 var/cache \
244 var/log \
245 var/mail \
246 var/redis \
247 var/tmp \
248 var/www \
249 var \
250 "" \
251 ; do \
252 ! sudo mountpoint /mnt/mermet/"$$p" || \
253 sudo umount -v /mnt/mermet/"$$p" ; \
254 done
255 ! sudo zpool list rpool 2>/dev/null || \
256 zfs get -H encryption rpool | \
257 grep -q '^rpool\s*encryption\s*off' || \
258 zfs get -H keystatus rpool | \
259 grep -q '^rpool\s*keystatus\s*unavailable' || \
260 sudo zfs unload-key rpool
261 #! sudo zpool list bpool 2>/dev/null || \
262 #sudo zpool export bpool
263 ! sudo zpool list rpool 2>/dev/null || \
264 sudo zpool export rpool
265
266 unlock:
267 pass machines/mermet/zfs/rpool | \
268 NIXOPS_DEPLOYMENT="$${NIXOPS_DEPLOYMENT:-$(MERMET_DEPLOYMENT)}" \
269 nixops ssh mermet -p 2222 'zfs load-key rpool && pkill zfs'
NixOS configurations for Sourcephile's infrastructure