Add NVMe storage auto-setup, sops secrets, fix SSH permissions

- setup-node-storage service auto-partitions NVMe for containerd/longhorn - Root password encrypted with sops/age, decrypted during build - Fix SSH host key permissions (0600) so sshd actually starts - Disable SSH socket activation for reliable boot - Add OPERATIONS.md with runbook - Makefile tracks source dependencies
2026-02-06 00:58:38 +01:00
parent 258d1ecc60
commit 3f191d8f93
7 changed files with 643 additions and 6 deletions
--- a/17
+++ b/17
@@ -1,9 +1,19 @@
-.PHONY: build deploy clean help
+.PHONY: deploy clean help check-nas all

 NAS_HOST=phoenix
 NAS_PATH=/srv/netboot
 SCRIPT_DIR=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))

+# Source files that trigger a rebuild
+BUILD_SOURCES := $(SCRIPT_DIR)/build-image.sh \
+                 $(wildcard $(SCRIPT_DIR)/initramfs/*) \
+                 $(wildcard $(SCRIPT_DIR)/initramfs/*/*) \
+                 $(wildcard $(SCRIPT_DIR)/files/*) \
+                 $(wildcard $(SCRIPT_DIR)/secrets/*.yaml)
+
+# Build artifact (used as target for dependency tracking)
+BUILD_ARTIFACT := $(SCRIPT_DIR)/http/filesystem.squashfs
+
 help:
 	@echo "Netboot image build and deployment"
 	@echo ""
@@ -23,7 +33,8 @@ check-nas:
 	@echo "Checking NAS connectivity..."
 	@ping -c 1 $(NAS_HOST) > /dev/null 2>&1 && echo "✓ NAS is reachable" || (echo "✗ Cannot reach $(NAS_HOST)"; exit 1)

-build:
+# Build depends on source files - only rebuilds if sources changed
+$(BUILD_ARTIFACT): $(BUILD_SOURCES)
 	@echo "Building netboot image..."
 	@echo "This will take 15-30 minutes..."
 	sudo $(SCRIPT_DIR)/build-image.sh
@@ -32,6 +43,8 @@ build:
 	@echo "Artifacts ready in $(SCRIPT_DIR)/http/"
 	@du -sh $(SCRIPT_DIR)/http/*

+build: $(BUILD_ARTIFACT)
+
 deploy: check-nas
 	@echo "Deploying to NAS ($(NAS_HOST):$(NAS_PATH))..."
 	@echo "Syncing http/ directory..."