nix-community / nixos-anywhere

install nixos everywhere via ssh [maintainer=@numtide]
https://nix-community.github.io/nixos-anywhere/
MIT License

Offline installation (fixes VPN problem) #205

Open DavHau opened 1 year ago

DavHau commented 1 year ago

Is your feature request related to a problem? Please describe.

It is currently not possible to use nixos-anywhere on hosts which run a software based VPN in order to be reachable, as that software will be killed by the kexec installer.

see https://github.com/numtide/nixos-anywhere/issues/204

Describe the solution you'd like

Once the kexec installer is booted/executed, don't require the build host to re-connect, instead just execute the installation independently from the build host. Once the installation is finalized, the connection will be back due to the correctly setup nixos system.

Describe alternatives you've considered

Additional context

Mic92 commented 1 year ago

Question is where it would get the closures to install from? Also this way of installing seems a bit brittle: if you get the installation wrong then there is no way to recover from it. Maybe it would be better to build a custom kexec image that is also able to connect from a VPN?

SomeoneSerge commented 4 months ago

Maybe it would be better to build a custom kexec image that is also able to connect from a VPN?

Hm, I don't exactly get the idea. How is the secret management (secrets for the VPN) meant to be handled in this case?

Mic92 commented 3 months ago

You would need to hardcode it into the image in this case. Some VPNs also allow you to just have a join token embedded that needs to be confirmed in some controller (Tailscale/ZeroTier). A different alternative is Tor. This ISO has Tor: https://github.com/nix-community/nixos-images?tab=readme-ov-file#iso-installer-images

SomeoneSerge commented 3 months ago

I still haven't dug any deeper with nixos-anywhere, but I think the solution I'm rather after is to pass on a secret from the (already authenticated) pre-kexec host. Assuming I'm creating a new disk layout using disko in the same step, I could copy the host keys into the future system's /etc?

RE: tor

Awesome, but it solves a slightly different problem.

Mic92 commented 3 months ago

Ah. Secret management for the installed host can already be done. There is an --extra-files parameter. In clan we use it to populate the age decryption key during installation.
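The host-key handoff SomeoneSerge asks about above and the --extra-files parameter Mic92 answers with, as an added shell example that is not part of this thread or of nixos-anywhere itself. It assumes the host key files already exist locally and that the directory given to --extra-files mirrors the target's / after installation; the function names, the placeholder key material and the flake attribute in the final comment are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example: stage SSH host keys in an --extra-files directory so the
# installed system boots with identities the admin already trusts.
# The staging tree mirrors the target root, hence etc/ssh/ inside it.

# prepare_extra_files STAGING_DIR KEY_FILE [KEY_FILE...]
# Copies each private key (and its .pub, if present) into STAGING_DIR/etc/ssh
# with the permissions sshd requires (0600 private, 0644 public).
prepare_extra_files() {
  staging=$1; shift
  [ $# -gt 0 ] || { echo "no key files given" >&2; return 2; }
  mkdir -p "$staging/etc/ssh"
  chmod 755 "$staging/etc" "$staging/etc/ssh"
  for key in "$@"; do
    [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
    name=$(basename "$key")
    cp "$key" "$staging/etc/ssh/$name"
    chmod 600 "$staging/etc/ssh/$name"        # private key: owner-only
    if [ -f "$key.pub" ]; then
      cp "$key.pub" "$staging/etc/ssh/$name.pub"
      chmod 644 "$staging/etc/ssh/$name.pub"  # public half may be world-readable
    fi
  done
}

# check_extra_files STAGING_DIR
# Fails if any private host key in the staging tree is not mode 0600, the usual
# reason a copied key is rejected by sshd on the freshly installed host.
check_extra_files() {
  staging=$1
  for f in "$staging"/etc/ssh/ssh_host_*_key; do
    [ -f "$f" ] || continue
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ] || { echo "bad mode $mode on $f" >&2; return 1; }
  done
  return 0
}

# Demo with constructed placeholder files (not real key material).
demo_dir=$(mktemp -d)
printf 'PLACEHOLDER PRIVATE KEY (constructed)\n' > "$demo_dir/ssh_host_ed25519_key"
printf 'ssh-ed25519 PLACEHOLDERKEYDATA constructed\n' > "$demo_dir/ssh_host_ed25519_key.pub"
prepare_extra_files "$demo_dir/extra-files" "$demo_dir/ssh_host_ed25519_key"
check_extra_files "$demo_dir/extra-files" && echo "staged: $demo_dir/extra-files"
# Hand the staged tree to the installer (hypothetical target; not run here):
#   nixos-anywhere --flake '.#my-host' --extra-files "$demo_dir/extra-files" root@my-host
```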

DavHau commented 3 months ago

You would need to hardcode it into the image in this case. Some VPNs also allow you to just have a join token embedded that needs to be confirmed in some controller (Tailscale/ZeroTier). A different alternative is Tor. This ISO has Tor: https://github.com/nix-community/nixos-images?tab=readme-ov-file#iso-installer-images

The VPN would not be necessary if the installation would run on its own and not require the admin's machine to re-connect after kexec.

Mic92 commented 3 months ago

I don't think this is easy to accomplish. We already have big issues uploading the installer into memory without running out of memory. We cannot do this easily for a whole full-blown graphical installation. nixos-anywhere at the moment instead copies the installation to the target store after partitioning. Also, these self-installing systems do not provide a good way to give feedback to the user in case something goes wrong.

My current recommendation would be to use disko-install in this case and build your own installer image: https://github.com/nix-community/disko/blob/master/docs/disko-install.md#example-for-a-nixos-installer