1 #cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST))))))
2 mermet_deployment := maintenance
3 mermet_disk := $(shell sed -ne 's/^device: \(.*\)/\1/p' sfdisk.txt)
5 mermet_cipher := aes-128-gcm
7 mermet_reservation := 40G
8 #mermet_channel := $$(nix-env -p /nix/var/nix/profiles/per-user/$$USER/channels -q nixpkgs --no-name --out-path)
14 sudo zpool labelclear -f $(mermet_disk)-part3 || true
15 sudo zpool labelclear -f $(mermet_disk)-part5 || true
16 sudo $$(which sgdisk) --zap-all $(mermet_disk)
20 sudo $$(which sfdisk) $(mermet_disk) <sfdisk.txt
21 sudo $$(which sgdisk) --randomize-guids $(mermet_disk)
25 # DOC: https://github.com/zfsonlinux/zfs/wiki/Debian-Buster-Root-on-ZFS
26 sudo mkdir -p /mnt/mermet
27 blkid -t TYPE=ext2 $(mermet_disk)-part3; test $$? != 2 || \
28 mkfs.ext2 $(mermet_disk)-part3
30 ## NOTE: enable only ZFS features supported by GRUB
31 #sudo zpool list bpool 2>/dev/null || \
32 #sudo zpool create -o ashift=12 -d \
33 # -o feature@allocation_classes=enabled \
34 # -o feature@async_destroy=enabled \
35 # -o feature@bookmarks=enabled \
36 # -o feature@embedded_data=enabled \
37 # -o feature@empty_bpobj=enabled \
38 # -o feature@enabled_txg=enabled \
39 # -o feature@extensible_dataset=enabled \
40 # -o feature@filesystem_limits=enabled \
41 # -o feature@hole_birth=enabled \
42 # -o feature@large_blocks=enabled \
43 # -o feature@lz4_compress=enabled \
44 # -o feature@project_quota=enabled \
45 # -o feature@resilver_defer=enabled \
46 # -o feature@spacemap_histogram=enabled \
47 # -o feature@spacemap_v2=enabled \
48 # -o feature@userobj_accounting=enabled \
49 # -o feature@zpool_checkpoint=enabled \
50 # -o feature@multi_vdev_crash_dump=disabled \
51 # -o feature@large_dnode=disabled \
52 # -o feature@sha512=disabled \
53 # -o feature@skein=disabled \
54 # -o feature@edonr=disabled \
55 # -O normalization=formD \
56 # -R /mnt/mermet bpool $(mermet_disk)-part3
68 # Note: configured with a volatile key in configuration.nix
69 #blkid -t TYPE=crypto_LUKS $(mermet_disk)-part4; test $$? != 2 || \
70 #sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 $(mermet_disk)-part4
71 #sudo cryptsetup luksOpen $(mermet_disk)-part4 swap
72 #blkid -t TYPE=swap /dev/mapper/-swap; test $$? != 2 || \
73 #sudo mkswap --check --label swap
74 #sudo cryptsetup luksClose $(mermet_disk)-part4 swap
76 sudo zpool list rpool 2>/dev/null || \
77 sudo zpool create -o ashift=12 \
78 $(if $(mermet_cipher),-O encryption=$(mermet_cipher) \
79 -O keyformat=passphrase \
80 -O keylocation=prompt) \
81 -O normalization=formD \
82 -R /mnt/mermet rpool $(mermet_disk)-part5
86 $(if $(mermet_autotrim),autotrim=on) \
94 # https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
95 sudo zfs list rpool/reserved 2>/dev/null || \
96 sudo zfs create -o canmount=off -o mountpoint=none rpool/reserved
97 sudo zfs set refreservation=$(mermet_reservation) rpool/reserved
99 # NOTE: mountpoint=legacy is required to let NixOS mount the ZFS filesystems.
100 sudo zfs list rpool/root 2>/dev/null || \
103 -o mountpoint=legacy \
106 #sudo zfs list bpool/boot 2>/dev/null || \
109 # -o mountpoint=legacy \
112 sudo blkid $(mermet_disk)-part2 -t TYPE=vfat || \
113 sudo mkfs.vfat -F 32 -s 1 -n EFI $(mermet_disk)-part2
126 sudo zfs list rpool/"$$p" 2>/dev/null || \
129 -o mountpoint=legacy \
133 com.sun:auto-snapshot=false \
136 com.sun:auto-snapshot=false \
139 com.sun:auto-snapshot=false \
145 #sudo zpool list bpool || \
146 #sudo zpool import -f bpool
147 sudo zpool list rpool || \
148 sudo zpool import -f rpool
149 # load encryption key
150 zfs get -H encryption rpool | \
151 grep -q '^rpool\s*encryption\s*off' || \
152 zfs get -H keystatus rpool | \
153 grep -q '^rpool\s*keystatus\s*available' || \
154 sudo zfs load-key rpool
156 sudo mkdir -p /mnt/mermet
157 sudo mountpoint /mnt/mermet || \
158 sudo mount -v -t zfs rpool/root /mnt/mermet
160 sudo mkdir -p /mnt/mermet/boot
161 sudo mountpoint /mnt/mermet/boot || \
162 sudo mount -v $(mermet_disk)-part3 /mnt/mermet/boot
163 #sudo mount -v -t zfs bpool/boot /mnt/mermet/boot
165 sudo mkdir -p /mnt/mermet/boot/efi
166 sudo mountpoint /mnt/mermet/boot/efi || \
167 sudo mount -v $(mermet_disk)-part2 /mnt/mermet/boot/efi
180 sudo mkdir -p /mnt/mermet/"$$p"; \
181 sudo mountpoint /mnt/mermet/"$$p" || \
182 sudo mount -v -t zfs rpool/"$$p" /mnt/mermet/"$$p" ; \
184 sudo chmod 1777 /mnt/mermet/var/tmp
187 #test "$$(sudo grub-probe /mnt/mermet/boot)" = zfs
188 # NOTE: nixos-install will install GRUB following configuration.nix
190 #sudo grub-install $(mermet_disk)
193 # --target=x86_64-efi \
194 # --efi-directory=/mnt/mermet/boot/efi \
195 # --bootloader-id=nixos \
199 pass servers/mermet/dropbear/host.key | \
200 sudo install -D -o root -g root -m 400 /dev/stdin \
201 /mnt/mermet/etc/dropbear/host.key && \
202 test -s /mnt/mermet/etc/dropbear/host.key
204 #trap "test ! -e SHRED-ME || sudo find SHRED-ME -type f -exec shred -u {} + && sudo rm -rf SHRED-ME" EXIT ;
206 GNUPGHOME="$$GNUPGHOME" \
207 GPG_TTY="$$GPG_TTY" \
209 LC_CTYPE="$$LC_CTYPE" \
210 NIXOS_CONFIG="$$(readlink -e ../configuration.nix)" \
211 NIX_CONF_DIR="$$NIX_CONF_DIR" \
212 NIX_PATH="$$NIX_PATH" \
213 PASSWORD_STORE_DIR="$$PASSWORD_STORE_DIR" \
215 SSL_CERT_FILE="$$SSL_CERT_FILE" \
216 $$(which nixos-install) \
218 $(if $(mermet_channel),--channel "$(mermet_channel)") \
237 ! sudo mountpoint /mnt/mermet/"$$p" || \
238 sudo umount -v /mnt/mermet/"$$p" ; \
240 ! sudo zpool list rpool 2>/dev/null || \
241 zfs get -H encryption rpool | \
242 grep -q '^rpool\s*encryption\s*off' || \
243 zfs get -H keystatus rpool | \
244 grep -q '^rpool\s*keystatus\s*unavailable' || \
245 sudo zfs unload-key rpool
246 #! sudo zpool list bpool 2>/dev/null || \
247 #sudo zpool export bpool
248 ! sudo zpool list rpool 2>/dev/null || \
249 sudo zpool export rpool
252 pass servers/mermet/zfs/rpool | \
253 NIXOPS_DEPLOYMENT="$${NIXOPS_DEPLOYMENT:-$(MERMET_DEPLOYMENT)}" \
254 nixops ssh mermet -p 2222 'zfs load-key rpool && pkill zfs'