Open DavHau opened 1 year ago
Mic92
commented
11 months ago Question is where it would the closures to install from? Also this way of installing seems a bit brittle, if you get the installation wrong than there is no way to recover from it. Maybe it would be better to build a custom kexec image that is also able to connect from a VPN?
SomeoneSerge
commented
1 month ago Maybe it would be better to build a custom kexec image that is also able to connect from a VPN?
H'm, I don't exactly get the idea, how is the secret management (secrets for the vpn) meant to be handled in this case?
Mic92
commented
1 month ago You would need to hardcode it into the image in this case. Some vpns also allow to just have a join token embedded that needs to be confirmed in some controller (tailscale/zerotier). A different alternative is tor. This iso has tor: https://github.com/nix-community/nixos-images?tab=readme-ov-file#iso-installer-images
SomeoneSerge
commented
1 month ago I still haven't dug any deeper with nixos-anywhere, but I think the solution I'm rather after is to pass on a secret from the (already authenticated) pre-kexec host. Assuming I'm creating a new disk layout using disko in the same step, I could copy the host keys into the future system's /etc?
RE: tor
Awesome, but solves a slightly different problem
Mic92
commented
1 month ago Ah. Secret management for the installed host can already be done. There is an --extra-files parameter. In clan we use it to populate the age decryption key during installation.
DavHau
commented
3 weeks ago You would need to hardcode it into the image in this case. Some vpns also allow to just have a join token embedded that needs to be confirmed in some controller (tailscale/zerotier). A different alternative is tor. This iso has tor: https://github.com/nix-community/nixos-images?tab=readme-ov-file#iso-installer-images
The VPN would not be necessary if the installation would run on its own and not require the admins machine to re-connect after kexec.
Mic92
commented
3 weeks ago I don't think this is easy to accomplish. We already have big issues upload the installer into memory without going out of memory. We cannot do this easily for a whole full blown graphical installation. nixos-anywhere at the moment copies the installation to the target store instead after partitioning. Also these self-installing systems do not provide a good way to give feedback to the user in case something goes wrong.
My current recommendation would be to use disko-install in this case and build your own installer image: https://github.com/nix-community/disko/blob/master/docs/disko-install.md#example-for-a-nixos-installer
Is your feature request related to a problem? Please describe. It is currently not possible to use nixos-anywhere on hosts which run a software based VPN in order to be reachable, as that software will be killed by the kexec installer.
see https://github.com/numtide/nixos-anywhere/issues/204
Describe the solution you'd like
Once the kexec installer is booted/executed, don't require the build host to re-connect, instead just execute the installation independently from the build host. Once the installation is finalized, the connection will be back due to the correctly setup nixos system.
Describe alternatives you've considered
Additional context