<betawaffle>
gchristensen: so when i got my first apu2, someone (maybe you?) created a modified nixos installer iso that worked on the serial console. this time, i want to understand how to do that myself (building modified install media)
<betawaffle>
i'm looking for someone to point me in the right direction
<gchristensen>
cool
<gchristensen>
clone nixpkgs
<gchristensen>
edit ./nixos/modules/installer/cd-dvd/installation-cd-minimal.nix with the nixos config you want
<gchristensen>
and then run nix-build ./nixos/release.nix -A iso_minimal.x86_64-linux :)
<betawaffle>
cool
<betawaffle>
will that work on a macos host? or should i do this elsewhere?
<gchristensen>
you'll need to do that on a Linux machine
<betawaffle>
k
<betawaffle>
is it simpler from an existing nixos host?
<gchristensen>
possibly, but you don't need nixos to do it
<gchristensen>
any machine with Nix which can build x86_64-linux can do it
<betawaffle>
and what if i wanted to do this with ipxe instead of an iso?
<gchristensen>
nix-build ./nixos/release.nix -A netboot.x86_64-linux and edit ./modules/installer/netboot/netboot-minimal.nix;
<gchristensen>
:)
<betawaffle>
thanks
<gchristensen>
yep!
<betawaffle>
guh, our power just went out :/
<betawaffle>
hooray for working UPSes
<clever>
gchristensen: i dont think you need to edit netboot-minimal
<clever>
[clever@amd-nixos:~/apps/nix-master]$ head ../nixpkgs/nixos/release.nix
<clever>
, configuration ? {}
<{^_^}>
Invalid command syntax
<betawaffle>
i managed to get it to work with a usb stick i made a week ago
<clever>
release.nix accepts a configuration blob
<clever>
which is passed to all machines release.nix can build
<clever>
nix-build ./nixos/release.nix -A netboot.x86_64-linux --arg configuration ./configuration.nix
<betawaffle>
power's back, and nixos' rollback feature totally saved my buns
<betawaffle>
i managed to bork my router's config, but rolling back to a few days ago fixed it
<betawaffle>
need to figure out what i did wrong
<betawaffle>
is it possible to get all the /etc/nixos files that originally went into a working configuration?
<gchristensen>
nice!
<andi->
betawaffle: yes, environment.etc.my-config.target = /etc/nixos; or similar ;0
<betawaffle>
i guess that brings me to another question... how can i get a nix repl with that stuff loaded? ^
<betawaffle>
so, one problem i was having is that nftables was coming up before my vlan interfaces were created... i've got a workaround i was using (and what i had to rollback to)
<betawaffle>
is there some way to have nftables start after all my network interfaces (including virtual ones like vlans) exist, but are not UP?
<andi->
betawaffle: so it does indeed try to validate all the interfaces names when the rules are being loaded?
<betawaffle>
if you use iif instead of iifname, yes
<andi->
well okay
<betawaffle>
it translates to an index, rather than a name
<andi->
Yeah
<betawaffle>
i've been using names up until now
<betawaffle>
because of this
<andi->
funny. I recently did "rant" about those indices because they aren
<betawaffle>
i just figured it had changed, maybe i had fixed something. but no, still doesn't work
<andi->
aren't unique and can flow over or IIRC change
<betawaffle>
yes
<betawaffle>
if you destroy an interface, it can be reused, and your firewall will not know
<betawaffle>
but iifname is even worse, tbh
<betawaffle>
because it only cares about name, nothing else
<andi->
I guess that depends on the setup. I'd rather have a stable name and not have to care about interfaces disappearing..
<andi->
but that is probably also why both things exist... there is usecases for both
<betawaffle>
well sure, i like/want stable names too
<betawaffle>
and i have them, except during boot, apparently ;)
<andi->
If I read the kernel code right then it tries to attach all the rules to each interface whenever they appear, change name or get removed
<andi->
so I am wondering why that is even a problem 🤔
<betawaffle>
i mean, error reporting and/or validation, probably
<andi->
maybe that is entirely a userspace thing?
<andi->
e.g. passing the index initially and then the kernel doesn't have a string to re-attach the rules once devices appear.. also doesn't work because ifs are missing initially
<betawaffle>
the docs say you shouldn't use iif for interfaces that can be created dynamically
<betawaffle>
but... i don't really want these interfaces to be created dynamically, they just happen to only be create-able dynamically
<betawaffle>
and apparently aren't created early enough
<andi->
when is the firewall run? What's the systemd unit configuration there?
<betawaffle>
it's set up for network-pre
<andi->
I'd say network.target before network-online.target
<andi->
so that interfaces are there already
<andi->
iptables is also network-pre on NixOS
<betawaffle>
yeah... looking at critical-chain it clearly happens before networkd, which is obviously the problem
<betawaffle>
but...
<andi->
but nobody uses that feature there
<betawaffle>
i also don't want the interfaces to come *UP* before nftables is loaded
<betawaffle>
i'm not sure how i could delay the UP-ness
<andi->
scripted networking? networkd?
<betawaffle>
networkd
<andi->
tough one
<betawaffle>
i make hard problems all by myself
<andi->
One day I'll add hook support to networkd...
<betawaffle>
can that one day be next week?
<betawaffle>
kthx
<andi->
My idea would be to have it fire when specific things have been reached. You can't use systemd targets as they might come and go and you might want to reconfigure the firewall after / while / before network goes up again
<betawaffle>
yeah. another annoying thing about networkd is that it might look like you can use it like any other systemd units, but no
<andi->
yeah, it really much is an all or nothing model
<andi->
either you do everything using it or you don't and then you are f**ked
<betawaffle>
well i do want to do everything using networkd, but i can't, it seems
<andi->
the firewall story is missing :-)
<betawaffle>
and more control with IPv6
<betawaffle>
i still haven't figured out how to get it to even ask my ISP for one
<andi->
oh
<betawaffle>
it just doesn't seem to send out any DHCP for v6
* andi-
goes digging in some git stash
<betawaffle>
and afaict, i need to ask for a /60
<betawaffle>
because the internet says they don't offer a /56 at all
<betawaffle>
which is just the dumbest shit ever
<andi->
uff
<betawaffle>
it seems like *latest* networkd might have support for prefix hints, but not the one currently in nixos
<betawaffle>
tell me why i'm always drawn to the bleeding edge. this shit is sharp af
<gchristensen>
lol.
<andi->
which part is the bleeding edge thing? :D
<andi->
IPv6PrefixDelegation=dhcpv6 and then multiple [IPv6Prefix] blocks on the interfaces where you want them. Don't ask me how you can configure the PD size...
<andi->
uff, it just sends one PD request per prefix that is configured in your settings
<betawaffle>
andi-: i tried all that (except for the [IPv6Prefix] part), and nothing happened
<betawaffle>
what does IPv6Prefix do?
<betawaffle>
and can i get an example of how it should be configured?
<andi->
you put IPv6Prefix on the interface where you need a prefix
<andi->
networkd then collects all of those and puts each of them as one PD request in the DHCP packages
<betawaffle>
just an empty [IPv6Prefix] block?
<andi->
no
* andi-
goes digging again
<andi->
AddressAutoconfiguration=yes or so at least
<betawaffle>
i thought i tried that, but i can try again
<betawaffle>
do i set ..Delegation=dhcpv6 on the wan interface?
<betawaffle>
i think i had it on the lan interface, which seems maybe wrong
<betawaffle>
ok, well i guess it's time to try this. wish me luck
<betawaffle>
andi-: ok, so nothing seems to have changed... is there some super debug mode i can enable to see it doing dhcp and failing? afaict, it isn't even trying to do dhcpv6
<andi->
betawaffle: there is a debug mode you can enable. It is the same as with anything systemd. You can either set the kernel cmdline or set the environment var. (systemd.log.level=debug or SYSTEMD_LOG_LEVEL=debug)
<betawaffle>
which is easier?
<betawaffle>
i can't do the former without rebooting. can i do the latter without rebooting?
<andi->
yeah you can
<andi->
just set it on the unit of networkd
<betawaffle>
ok, so i turned on über debug mode, and i still see no evidence of dhcpv6