From 5452058bcefecb5d8adc3021e41fd1e659d55229 Mon Sep 17 00:00:00 2001
From: David Arnold
Date: Mon, 15 Mar 2021 20:58:11 -0500
Subject: [PATCH] lib/devos: bake bootstraping link-local network into live iso

Replace default networking with a specially configured systemd-networkd network which is responsible for setting up DHCP and also provide a well known ipv6 link-local address as well as enable multicastDNS to expose the hostname on the local link over the reserved `local.` top level domain.
---
 doc/start/iso.md | 70 +++++++++++++++++++++++++++++++++++++--
 lib/devos/devosSystem.nix | 28 ++++++++++++++++
 2 files changed, 95 insertions(+), 3 deletions(-)

diff --git a/doc/start/iso.md b/doc/start/iso.md
index c8b34e4d5..1d28e4f98 100644
--- a/doc/start/iso.md
+++ b/doc/start/iso.md
@@ -10,11 +10,68 @@ dd bs=4M if=result/iso/*.iso of=/dev/$your_installation_device \
 This works for any file matching `hosts/*.nix` excluding `default.nix`.
+## Remote access to the live installer
+
+The iso live installer comes preconfigured with a network configuration
+which announces it's hostname via [MulticastDNS][mDNS] as `hostname.local`,
+that is `NixOS.local` in the above example.
+
+In the rare case that [MulticastDNS][mDNS] is not availabe or turned off
+in your network, there is a static link-local IPv6 address configured to
+`fe80::47`(mnemonic from the letter's position in the english alphabet:
+`n=14 i=9 x=24; 47 = n+i+x`).
+
+Provided that you have added your public key to the authorized keys of the
+`nixos` user:
+
+```nix
+{ ... }:
+{
+ users.users.nixos.openssh.authorizedKeys.keyFiles = [
+ ../secrets/path/to/key.pub
+ ];
+}
+```
+
+You can then ssh into the live installer through one of the
+following options:
+
+```console
+ssh nixos@NixOS.local
+
+ssh nixos@fe80::47%eno1 # where eno1 is your network interface on which you are linked to the target
+```
+
+_Note: the [static link-local IPv6 address][staticLLA] and [MulticastDNS][mDNS] is only
+configured on the live installer. If you wish to enable [MulticastDNS][mDNS]
+for your environment, you ought to configure that in a regular [profile](../../profiles)._
+
+## EUI-64 LLA & Host Identity
+
+The iso's IPv6 Link Local Address (LLA) is configured with a static 64-bit Extended
+Unique Identifiers (EUI-64) that is derived from the host interface's Message
+Authentication Code (MAC) address.
+
+After a little while (a few seconds), you can remotely disvover this unique and host
+specific address over [NDP][NDP] for example with:
+
+```console
+ip -6 neigh show # also shows fe80::47
+```
+
+***This LLA is stable for the host, unless you need to swap that particular network card.***
+Under this reservation, though, you may use this EUI-64 to wire up a specific
+(cryptographic) host identity.
+
 ## Bootstrap Target Machine
+_Note: nothing prevents you from remotely exceuting the boostrapping process._
+
 Once your target host has booted into the live iso, you need to partion and format your disk according to the [official manual][manual].
+### Mount partitions
+
 Then properly mount the formatted partitions at `/mnt`, so that you can install your system to those new partitions.
@@ -27,6 +84,8 @@ $ mkdir -p /mnt/boot && mount /dev/disk/by-label/boot /mnt/boot # UEFI only
 $ swapon /dev/$your_swap_partition
 ```
+### Install
+
 Install using the `flk` wrapper baked into the iso off of a copy of devos from the time the iso was built:
@@ -36,9 +95,14 @@ $ nix develop
 $ flk install NixOS --impure # use same host as above
 ```
-_Note: You _could_ install another machine than the one your iso was built for,
-but the iso doesn't necesarily already carry all the necesary build artifacts._
-
+_Note: You _could_ install another machine than the one your iso was built for,
+but the iso doesn't carry all the necesary build artifacts so the target would
+start to build the missing parts on demand instead of substituting them from
+the iso itself._
+
 [manual]: https://nixos.org/manual/nixos/stable/index.html#sec-installation-partitioning
+[mDNS]: https://en.wikipedia.org/wiki/Multicast_DNS
+[NDP]: https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
+[staticLLA]: https://tools.ietf.org/html/rfc7404
diff --git a/lib/devos/devosSystem.nix b/lib/devos/devosSystem.nix
index 06842efb3..78b7f3630 100644
--- a/lib/devos/devosSystem.nix
+++ b/lib/devos/devosSystem.nix
@@ -22,6 +22,34 @@ lib.nixosSystem (args // {
 networking.networkmanager.enable = lib.mkForce false; # confilcts with networking.wireless
 networking.wireless.iwd.enable = lib.mkForce false;
+ # Set up a link-local boostrap network
+ # See also: https://github.com/NixOS/nixpkgs/issues/75515#issuecomment-571661659
+ networking.usePredictableInterfaceNames = lib.mkForce true; # so prefix matching works
+ networking.useNetworkd = lib.mkForce true;
+ networking.useDHCP = lib.mkForce false;
+ networking.dhcpcd.enable = lib.mkForce false;
+ systemd.network = {
+ # https://www.freedesktop.org/software/systemd/man/systemd.network.html
+ networks."boostrap-link-local" = {
+ matchConfig = {
+ Name = "en* wl* ww*";
+ };
+ networkConfig = {
+ Description = "Link-local host bootstrap network";
+ MulticastDNS = true;
+ LinkLocalAddressing = "ipv6";
+ DHCP = "yes";
+ };
+ address = [
+ # fall back well-known link-local for situations where MulticastDNS is not available
+ "fe80::47" # 47: n=14 i=9 x=24; n+i+x
+ ];
+ extraConfig = ''
+ # Unique, yet stable. Based off the MAC address.
+ IPv6LinkLocalAddressGenerationMode = "eui64"
+ '';
+ };
+ };
 })
 ];
 })).config;
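Review bot: The `IPv6LinkLocalAddressGenerationMode = "eui64"` line placed in `extraConfig` probably never takes effect: as far as I know systemd's .network parser keeps the double quotes as part of the value, and, if I read the NixOS networkd module right, `extraConfig` is appended after the generated `[Address]` stanza rather than under `[Network]`, so the key lands in the wrong section. If `networkConfig` accepts the key, `networkConfig.IPv6LinkLocalAddressGenerationMode = "eui64";` is the cleanest fix; otherwise start the `extraConfig` string with a `[Network]` header followed by `IPv6LinkLocalAddressGenerationMode=eui64`, and confirm on a booted iso with `networkctl status` that both `fe80::47` and the MAC-derived EUI-64 address the documentation promises are actually present. The network name `"boostrap-link-local"` becomes the generated unit's file name, so that typo (also in `# Set up a link-local boostrap network` and the pre-existing `# confilcts`) is worth fixing before anything references it. Because this block makes the installer answer by name over mDNS and take a DHCP lease on every `en*`/`wl*`/`ww*` link it is plugged into, a comment next to `MulticastDNS = true;` such as `# Remote access to the live iso is gated only by users.users.nixos.openssh.authorizedKeys` would make the trust boundary explicit to readers of this file.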