From ae278d745dd8eca94374b27c1fa9a977e54c23c2 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 12 Mar 2022 18:40:38 +0100
Subject: vidhar: netboot installer

---
 hosts/vidhar/network/default.nix | 41 +++++++++++++++++++++++++++++++++++++++-
 hosts/vidhar/network/ruleset.nft | 4 ++--
 2 files changed, 42 insertions(+), 3 deletions(-)
(limited to 'hosts/vidhar')

diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 2444f537..ab79dd16 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ flake, config, lib, pkgs, ... }:
 {
 imports = [ ./dsl.nix ./bifrost ];
@@ -71,6 +71,27 @@
 type = "memfile";
 };
+ client-classes = [
+ { name = "ipxe";
+ test = "option[77].hex == 'iPXE'";
+ next-server = "10.141.0.1";
+ boot-file-name = "netboot.ipxe";
+ only-if-required = true;
+ }
+ { name = "uefi-64";
+ test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
+ only-if-required = true;
+ tftp-server-name = "10.141.0.1";
+ boot-file-name = "ipxe.efi";
+ }
+ { name = "legacy";
+ test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
+ only-if-required = true;
+ tftp-server-name = "10.141.0.1";
+ boot-file-name = "undionly.kpxe";
+ }
+ ];
+
 subnet4 = [
 { subnet = "10.141.0.0/24";
 option-data = [
@@ -89,6 +110,7 @@
 ];
 pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
 reservations = [];
+ require-client-classes = ["ipxe" "uefi-64" "legacy"];
 }
 { subnet = "10.141.1.0/24";
 option-data = [
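Review bot: The TFTP server address `10.141.0.1` is repeated in the `next-server` entry and both `tftp-server-name` entries of the new `client-classes`, and a fourth time as `--bind-address` in the installer-atftpd hunk of this commit; one binding such as `netbootServer = "10.141.0.1";` in a `let` at the top of the module, used in all four places, keeps the address clients are told from drifting away from the one the daemon listens on. The `ipxe` class hands out the server via `next-server` while the two firmware classes use `tftp-server-name` (option 66) — presumably deliberate because iPXE reads siaddr, but a short comment on the `ipxe` entry saying so would stop the next reader from unifying them. The tests only classify architecture values 00000 and 00007–00009, so firmware announcing any other `PXEClient:Arch` value is given no boot file; a one-line comment above `client-classes` naming that as the intended scope would make the limitation visible.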
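Review bot: `require-client-classes` is added only to the `10.141.0.0/24` subnet; the `10.141.1.0/24` subnet that begins in this hunk's trailing context never evaluates the netboot classes, so its clients are never pointed at the installer, while the ruleset change in this commit opens udp/69 on both `lan` and `mgmt`. If limiting netboot to the first segment is intended, a comment on the new line such as `# netboot classes are only evaluated on this segment` would document it; if not, the same line belongs in the second subnet as well. Which interface carries which subnet is not visible from the hunk, so this may well be deliberate.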
@@ -157,5 +179,22 @@
 networkConfig.LinkLocalAddressing = "no";
 };
 };
+
+ systemd.services."installer-atftpd" = {
+ description = "TFTP Server for PXE Booting NixOS Installer";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = let
+ installerBuild = flake.nixosConfigurations.installer-x86_64-linux-netboot.config.system.build;
+ tftpRoot = pkgs.runCommandLocal "installer-netboot" {} ''
+ mkdir -p $out
+ install -m 0444 -t $out \
+ ${installerBuild.netbootRamdisk}/initrd \
+ ${installerBuild.kernel}/bzImage \
+ ${installerBuild.netbootIpxeScript}/netboot.ipxe \
+ ${pkgs.ipxe}/ipxe.efi ${pkgs.ipxe}/undionly.kpxe
+ '';
+ in "${pkgs.atftp} --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
+ };
 };
}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index f2b1eda0..0f591f24 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -183,7 +183,7 @@ table inet filter {
 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
- iifname mgmt udp dport 69 counter name tftp-rx accept
+ iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
 ct state {established, related} counter name established-rx accept
@@ -228,7 +228,7 @@ table inet filter {
 tcp sport 80 counter name http-tx accept
 udp sport 69 counter name tftp-tx accept
- iifname mgmt udp dport 69 counter name tftp-tx accept
+ udp dport 69 counter name tftp-tx accept
 counter name tx
--
cgit v1.2.3
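Review bot: `ExecStart` interpolates `${pkgs.atftp}` directly, which expands to the package's store directory rather than an executable, so the unit fails at start; it should read `${pkgs.atftp}/bin/atftpd …` (unless `pkgs.atftp` is overridden elsewhere to be a single program, which nothing in this commit suggests). The unit is also ordered only `after network.target`, which does not guarantee that `10.141.0.1` is configured yet, so `--bind-address` can fail on boot; ordering after `network-online.target` with a `wants` on it plus `Restart = "on-failure"` closes that race. Since the daemon only reads from a store path, the usual read-only sandboxing (`ProtectSystem`, `ProtectHome`, `PrivateTmp`, `NoNewPrivileges`) should be harmless and is worth adding — confirm that atftpd does not try to write a pid file under these flags. The `installer-atftpd` attribute set lies entirely within this hunk; the enclosing module continues outside it.
```nix
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      # … unchanged: description, wantedBy, installerBuild / tftpRoot let-bindings …
        in "${pkgs.atftp}/bin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
      serviceConfig.Restart = "on-failure";
      serviceConfig.ProtectSystem = "strict";
      serviceConfig.ProtectHome = true;
      serviceConfig.PrivateTmp = true;
      serviceConfig.NoNewPrivileges = true;
```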
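Review bot: Opening udp/69 on `lan` in addition to `mgmt` exposes an unauthenticated file service to every host on that interface, not just to the DHCP pool that is being told to boot from it; if `lan` carries more than the `10.141.0.0/24` netboot segment, narrowing the rule with `ip saddr 10.141.0.0/24` (or `ip daddr 10.141.0.1`, matching the daemon's bind address) limits who can pull the installer image. Whether `lan` is that segment is not visible here, so this may already be as tight as it can be. The enclosing chain header is outside the hunk.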
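Review bot: The new `udp dport 69 counter name tftp-tx accept` lets this host initiate TFTP requests to any destination, which serving PXE does not require; if the `-tx` counters and `sport` matches mean this is the output chain (its header is outside the hunk), the removed `iifname mgmt` variant never matched locally generated packets, so this line is effectively a new egress allowance rather than a widening of an existing one and could be dropped or pinned with `oifname`/`ip daddr`. Separately, neither `udp sport 69` nor `udp dport 69` matches the server's actual data flow: atftpd answers from a freshly chosen port to the client's port, which conntrack sees as a new flow, so unless the chain's default is accept or a tftp `ct helper`/`ct state related` rule exists elsewhere in the ruleset, transfers stall after the first request. Which of those holds cannot be determined from this hunk.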