From ae278d745dd8eca94374b27c1fa9a977e54c23c2 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 12 Mar 2022 18:40:38 +0100
Subject: vidhar: netboot installer

---
 hosts/sif/default.nix | 17 +----------------
 hosts/vidhar/network/default.nix | 41 +++++++++++++++++++++++++++++++++++++++-
 hosts/vidhar/network/ruleset.nft | 4 ++--
 3 files changed, 43 insertions(+), 19 deletions(-)
(limited to 'hosts')

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 24cc86ac..647021ca 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -14,6 +14,7 @@ in {
 ./hw.nix ./mail initrd-all-crypto-modules default-locale openssh rebuild-machines
+ networkmanager
 ];
 config = {
@@ -71,16 +72,6 @@ in {
 ];
 };
- networkmanager = {
- enable = true;
- dhcp = "internal";
- dns = lib.mkForce "dnsmasq";
- extraConfig = ''
- [connectivity]
- uri=https://online.yggdrasil.li
- '';
- };
-
 # wlanInterfaces = {
 # wlan0 = {
 # device = "wlp82s0";
@@ -98,7 +89,6 @@ in {
 # };
 # };
- dhcpcd.enable = false;
 useDHCP = false;
 useNetworkd = true;
@@ -109,9 +99,6 @@ in {
 # };
 };
- systemd.services."NetworkManager-wait-online".enable = false;
- systemd.services."systemd-networkd-wait-online".enable = false;
-
 environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
 text = ''
 server=/sif.libvirt/192.168.122.1
@@ -205,8 +192,6 @@ in {
 };
 networking.networkmanager.unmanaged = ["wgrz"];
- services.resolved.enable = false;
-
 services.openssh.enable = true;
 powerManagement = {
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 2444f537..ab79dd16 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ flake, config, lib, pkgs, ... }:
 {
 imports = [ ./dsl.nix ./bifrost ];
@@ -71,6 +71,27 @@
 type = "memfile";
 };
+ client-classes = [
+ { name = "ipxe";
+ test = "option[77].hex == 'iPXE'";
+ next-server = "10.141.0.1";
+ boot-file-name = "netboot.ipxe";
+ only-if-required = true;
+ }
+ { name = "uefi-64";
+ test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
+ only-if-required = true;
+ tftp-server-name = "10.141.0.1";
+ boot-file-name = "ipxe.efi";
+ }
+ { name = "legacy";
+ test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
+ only-if-required = true;
+ tftp-server-name = "10.141.0.1";
+ boot-file-name = "undionly.kpxe";
+ }
+ ];
+
 subnet4 = [
 { subnet = "10.141.0.0/24";
 option-data = [
@@ -89,6 +110,7 @@
 ];
 pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
 reservations = [];
+ require-client-classes = ["ipxe" "uefi-64" "legacy"];
 }
 { subnet = "10.141.1.0/24";
 option-data = [
@@ -157,5 +179,22 @@
 networkConfig.LinkLocalAddressing = "no";
 };
 };
+
+ systemd.services."installer-atftpd" = {
+ description = "TFTP Server for PXE Booting NixOS Installer";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = let
+ installerBuild = flake.nixosConfigurations.installer-x86_64-linux-netboot.config.system.build;
+ tftpRoot = pkgs.runCommandLocal "installer-netboot" {} ''
+ mkdir -p $out
+ install -m 0444 -t $out \
+ ${installerBuild.netbootRamdisk}/initrd \
+ ${installerBuild.kernel}/bzImage \
+ ${installerBuild.netbootIpxeScript}/netboot.ipxe \
+ ${pkgs.ipxe}/ipxe.efi ${pkgs.ipxe}/undionly.kpxe
+ '';
+ in "${pkgs.atftp} --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
+ };
 };
 }
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index f2b1eda0..0f591f24 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
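Review bot: The TFTP server address `10.141.0.1` is spelled out three times in the new `client-classes` entries (`next-server` and two `tftp-server-name` fields) and once more as the daemon's `--bind-address` in the hunk at line 157, so the DHCP boot hints and the listener can silently drift apart on a later edit. Binding it once, e.g. `tftpServer = "10.141.0.1";` in a `let` at the top of the file and interpolating it in all four places, keeps them in lockstep. A short comment on `client-classes` would also help a reader unfamiliar with Kea, for instance `# only-if-required: these classes are evaluated only for subnets that list them in require-client-classes (see the 10.141.0.0/24 subnet below)`, since the one-line hunk at 89 is where that coupling actually happens. The enclosing Kea attribute set begins outside the hunk.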
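Review bot: The `ExecStart` in the `installer-atftpd` service interpolates `${pkgs.atftp}` on its own, which in Nix expands to the package's store directory rather than an executable, so the unit presumably fails at start; the line should name the server binary, `in "${pkgs.atftp}/bin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";` (confirm whether the package installs `atftpd` under `bin` or `sbin`). The unit also carries no `serviceConfig` hardening beyond the bind address; given that it serves an unauthenticated protocol to the LAN (the ruleset change opens udp/69 on `lan`), it is worth stating the privilege drop explicitly rather than relying on the daemon's defaults, and `ProtectSystem = "strict";` costs nothing here because `tftpRoot` is a read-only store path. A one-line comment such as `# serves kernel/initrd/iPXE for the netboot installer; read-only store path, no writes expected` above `tftpRoot` would document the intent. The attribute set the service is added to begins outside the hunk.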
@@ -183,7 +183,7 @@ table inet filter {
 iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
- iifname mgmt udp dport 69 counter name tftp-rx accept
+ iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
 ct state {established, related} counter name established-rx accept
@@ -228,7 +228,7 @@ table inet filter {
 tcp sport 80 counter name http-tx accept
 udp sport 69 counter name tftp-tx accept
- iifname mgmt udp dport 69 counter name tftp-tx accept
+ udp dport 69 counter name tftp-tx accept
 counter name tx
--
cgit v1.2.3
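Review bot: Dropping the `iifname mgmt` match in the second hunk leaves `udp dport 69 counter name tftp-tx accept` with no interface qualifier, so it now admits outbound TFTP requests on every interface, including whatever uplink this table also covers, rather than only toward the lan/mgmt clients the first hunk lets in. Server replies are already covered by the `udp sport 69 counter name tftp-tx accept` rule directly above, so if the goal is merely to let the host reach TFTP servers on its own segments, `oifname { lan, mgmt } udp dport 69 counter name tftp-tx accept` keeps the scope as narrow as the rx side. If this is an output-hook chain, the old `iifname` match could never have matched there, which may be why it was removed; a comment saying so would stop the next reader from reintroducing it. The enclosing chain definition begins outside the hunk.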