]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/Makefile
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
losurdo: initial config
[sourcephile-nix.git] / servers / mermet / Makefile
1 #cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
2 mermet_deployment := maintenance
3 mermet_disk := $(shell sed -ne 's/^device: \(.*\)/\1/p' sfdisk.txt)
4 #mermet_cipher :=
5 mermet_cipher := aes-128-gcm
6 mermet_autotrim :=
7 mermet_reservation := 40G
8 #mermet_channel := $$(nix-env -p /nix/var/nix/profiles/per-user/$$USER/channels -q nixpkgs --no-name --out-path)
9
10 echo:
11 echo $(MAKEFILES)
12
13 wipeout: umount
14 sudo zpool labelclear -f $(mermet_disk)-part3 || true
15 sudo zpool labelclear -f $(mermet_disk)-part5 || true
16 sudo $$(which sgdisk) --zap-all $(mermet_disk)
17
18 partition:
19 sudo modprobe zfs
20 sudo $$(which sfdisk) $(mermet_disk) <sfdisk.txt
21 sudo $$(which sgdisk) --randomize-guids $(mermet_disk)
22 sudo partprobe
23
24 format:
25 # DOC: https://github.com/zfsonlinux/zfs/wiki/Debian-Buster-Root-on-ZFS
26 sudo mkdir -p /mnt/mermet
27 blkid -t TYPE=ext2 $(mermet_disk)-part3; test $$? != 2 || \
28 mkfs.ext2 $(mermet_disk)-part3
29 # bpool
30 ## NOTE: enable only ZFS features supported by GRUB
31 #sudo zpool list bpool 2>/dev/null || \
32 #sudo zpool create -o ashift=12 -d \
33 # -o feature@allocation_classes=enabled \
34 # -o feature@async_destroy=enabled \
35 # -o feature@bookmarks=enabled \
36 # -o feature@embedded_data=enabled \
37 # -o feature@empty_bpobj=enabled \
38 # -o feature@enabled_txg=enabled \
39 # -o feature@extensible_dataset=enabled \
40 # -o feature@filesystem_limits=enabled \
41 # -o feature@hole_birth=enabled \
42 # -o feature@large_blocks=enabled \
43 # -o feature@lz4_compress=enabled \
44 # -o feature@project_quota=enabled \
45 # -o feature@resilver_defer=enabled \
46 # -o feature@spacemap_histogram=enabled \
47 # -o feature@spacemap_v2=enabled \
48 # -o feature@userobj_accounting=enabled \
49 # -o feature@zpool_checkpoint=enabled \
50 # -o feature@multi_vdev_crash_dump=disabled \
51 # -o feature@large_dnode=disabled \
52 # -o feature@sha512=disabled \
53 # -o feature@skein=disabled \
54 # -o feature@edonr=disabled \
55 # -O normalization=formD \
56 # -R /mnt/mermet bpool $(mermet_disk)-part3
57 #sudo zfs set \
58 # acltype=posixacl \
59 # canmount=off \
60 # compression=lz4 \
61 # devices=off \
62 # relatime=on \
63 # xattr=sa \
64 # mountpoint=/ \
65 # bpool
66
67 # swap
68 # Note: configured with a volatile key in configuration.nix
69 #blkid -t TYPE=crypto_LUKS $(mermet_disk)-part4; test $$? != 2 || \
70 #sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 $(mermet_disk)-part4
71 #sudo cryptsetup luksOpen $(mermet_disk)-part4 swap
72 #blkid -t TYPE=swap /dev/mapper/-swap; test $$? != 2 || \
73 #sudo mkswap --check --label swap
74 #sudo cryptsetup luksClose $(mermet_disk)-part4 swap
75 # rpool
76 sudo zpool list rpool 2>/dev/null || \
77 sudo zpool create -o ashift=12 \
78 $(if $(mermet_cipher),-O encryption=$(mermet_cipher) \
79 -O keyformat=passphrase \
80 -O keylocation=prompt) \
81 -O normalization=formD \
82 -R /mnt/mermet rpool $(mermet_disk)-part5
83 sudo zfs set \
84 acltype=posixacl \
85 atime=off \
86 $(if $(mermet_autotrim),autotrim=on) \
87 canmount=off \
88 compression=lz4 \
89 dnodesize=auto \
90 relatime=on \
91 xattr=sa \
92 mountpoint=/ \
93 rpool
94 # https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
95 sudo zfs list rpool/reserved 2>/dev/null || \
96 sudo zfs create -o canmount=off -o mountpoint=none rpool/reserved
97 sudo zfs set refreservation=$(mermet_reservation) rpool/reserved
98 # /
99 # NOTE: mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
100 sudo zfs list rpool/root 2>/dev/null || \
101 sudo zfs create \
102 -o canmount=on \
103 -o mountpoint=legacy \
104 rpool/root
105 # /boot
106 #sudo zfs list bpool/boot 2>/dev/null || \
107 #sudo zfs create \
108 # -o canmount=on \
109 # -o mountpoint=legacy \
110 # bpool/boot
111 # /boot/efi
112 sudo blkid $(mermet_disk)-part2 -t TYPE=vfat || \
113 sudo mkfs.vfat -F 32 -s 1 -n EFI $(mermet_disk)-part2
114 # /*
115 for p in \
116 home \
117 nix \
118 var \
119 var/cache \
120 var/log \
121 var/mail \
122 var/redis \
123 var/tmp \
124 var/www \
125 ; do \
126 sudo zfs list rpool/"$$p" 2>/dev/null || \
127 sudo zfs create \
128 -o canmount=on \
129 -o mountpoint=legacy \
130 rpool/"$$p" ; \
131 done
132 sudo zfs set \
133 com.sun:auto-snapshot=false \
134 rpool/nix
135 sudo zfs set \
136 com.sun:auto-snapshot=false \
137 rpool/var/cache
138 sudo zfs set \
139 com.sun:auto-snapshot=false \
140 sync=disabled \
141 rpool/var/tmp
142
143 mount:
144 # scan needed zpools
145 #sudo zpool list bpool || \
146 #sudo zpool import -f bpool
147 sudo zpool list rpool || \
148 sudo zpool import -f rpool
149 # load encryption key
150 zfs get -H encryption rpool | \
151 grep -q '^rpool\s*encryption\s*off' || \
152 zfs get -H keystatus rpool | \
153 grep -q '^rpool\s*keystatus\s*available' || \
154 sudo zfs load-key rpool
155 # /
156 sudo mkdir -p /mnt/mermet
157 sudo mountpoint /mnt/mermet || \
158 sudo mount -v -t zfs rpool/root /mnt/mermet
159 # /boot
160 sudo mkdir -p /mnt/mermet/boot
161 sudo mountpoint /mnt/mermet/boot || \
162 sudo mount -v $(mermet_disk)-part3 /mnt/mermet/boot
163 #sudo mount -v -t zfs bpool/boot /mnt/mermet/boot
164 # /boot/efi
165 sudo mkdir -p /mnt/mermet/boot/efi
166 sudo mountpoint /mnt/mermet/boot/efi || \
167 sudo mount -v $(mermet_disk)-part2 /mnt/mermet/boot/efi
168 # /*
169 for p in \
170 home \
171 nix \
172 var \
173 var/cache \
174 var/log \
175 var/mail \
176 var/redis \
177 var/tmp \
178 var/www \
179 ; do \
180 sudo mkdir -p /mnt/mermet/"$$p"; \
181 sudo mountpoint /mnt/mermet/"$$p" || \
182 sudo mount -v -t zfs rpool/"$$p" /mnt/mermet/"$$p" ; \
183 done
184 sudo chmod 1777 /mnt/mermet/var/tmp
185
186 bootstrap: mount
187 #test "$$(sudo grub-probe /mnt/mermet/boot)" = zfs
188 # NOTE: nixos-install will install GRUB following configuration.nix
189 # BIOS
190 #sudo grub-install $(mermet_disk)
191 # UEFI
192 #sudo grub-install \
193 # --target=x86_64-efi \
194 # --efi-directory=/mnt/mermet/boot/efi \
195 # --bootloader-id=nixos \
196 # --recheck \
197 # --no-floppy
198
199 pass servers/mermet/dropbear/host.key | \
200 sudo install -D -o root -g root -m 400 /dev/stdin \
201 /mnt/mermet/etc/dropbear/host.key && \
202 test -s /mnt/mermet/etc/dropbear/host.key
203
204 #trap "test ! -e SHRED-ME || sudo find SHRED-ME -type f -exec shred -u {} + && sudo rm -rf SHRED-ME" EXIT ;
205 sudo \
206 GNUPGHOME="$$GNUPGHOME" \
207 GPG_TTY="$$GPG_TTY" \
208 LANG="$$LANG" \
209 LC_CTYPE="$$LC_CTYPE" \
210 NIXOS_CONFIG="$$(readlink -e ../configuration.nix)" \
211 NIX_CONF_DIR="$$NIX_CONF_DIR" \
212 NIX_PATH="$$NIX_PATH" \
213 PASSWORD_STORE_DIR="$$PASSWORD_STORE_DIR" \
214 PATH="$$PATH" \
215 SSL_CERT_FILE="$$SSL_CERT_FILE" \
216 $$(which nixos-install) \
217 --root /mnt/mermet \
218 $(if $(mermet_channel),--channel "$(mermet_channel)") \
219 --no-root-passwd \
220 --show-trace
221
222 umount:
223 for p in \
224 boot/efi \
225 boot \
226 home \
227 nix \
228 var/cache \
229 var/log \
230 var/mail \
231 var/redis \
232 var/tmp \
233 var/www \
234 var \
235 "" \
236 ; do \
237 ! sudo mountpoint /mnt/mermet/"$$p" || \
238 sudo umount -v /mnt/mermet/"$$p" ; \
239 done
240 ! sudo zpool list rpool 2>/dev/null || \
241 zfs get -H encryption rpool | \
242 grep -q '^rpool\s*encryption\s*off' || \
243 zfs get -H keystatus rpool | \
244 grep -q '^rpool\s*keystatus\s*unavailable' || \
245 sudo zfs unload-key rpool
246 #! sudo zpool list bpool 2>/dev/null || \
247 #sudo zpool export bpool
248 ! sudo zpool list rpool 2>/dev/null || \
249 sudo zpool export rpool
250
251 unlock:
252 pass servers/mermet/zfs/rpool | \
253 NIXOPS_DEPLOYMENT="$${NIXOPS_DEPLOYMENT:-$(MERMET_DEPLOYMENT)}" \
254 nixops ssh mermet -p 2222 'zfs load-key rpool && pkill zfs'
NixOS configurations for Sourcephile's infrastructure