diff --git a/services/baremetal-builder/default.nix b/services/baremetal-builder/default.nix index fd9075a..418fa9f 100644 --- a/services/baremetal-builder/default.nix +++ b/services/baremetal-builder/default.nix @@ -135,7 +135,7 @@ in { address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; } ]; networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; }; - deployment.targetHost = "2a01:584:11::1:${toString cfg.num}"; + deployment.targetHost = lib.mkIf (!cfg.netboot) "2a01:584:11::1:${toString cfg.num}"; deployment.tags = [ "builders" ]; # Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568 diff --git a/services/baremetal-builder/netboot.nix b/services/baremetal-builder/netboot.nix index 4f6782d..a1067eb 100644 --- a/services/baremetal-builder/netboot.nix +++ b/services/baremetal-builder/netboot.nix @@ -21,13 +21,22 @@ in ''; }; + # machines with the netboot module enabled should only be updated by appliying wob-vpn-gw and rebooting + deployment.targetHost = "invalid.example.com"; + # fixes initrd eval assertion error, and allows `colmena build` to succeed + fileSystems."/" = { + device = "none"; + fsType = "tmpfs"; + options = [ "defaults" "size=64G" "mode=755" ]; + }; + system.build = { # Build a kernel and initramfs which will download the IPXE script from hydra using # u-root pxeboot tool and kexec into the final netbooted system. notipxe = import (modulesPath + "/..") { system = "x86_64-linux"; - configuration = + configuration = { pkgs, config, ... }: { 
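Review bot: The `lib.mkIf (!cfg.netboot)` guard on `deployment.targetHost` in default.nix only avoids a conflicting-definition error if the plain assignment in netboot.nix is evaluated solely when `cfg.netboot` is true. That condition is not visible in either hunk, so it is worth confirming that netboot.nix is imported or wrapped conditionally. A one-line comment above the guarded line would make the coupling explicit, for example `# netbooted builders get their targetHost from netboot.nix`. The enclosing attribute set starts and ends outside the hunk.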
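Review bot: The sentinel `deployment.targetHost = "invalid.example.com";` in netboot.nix keeps netbooted builders out of a push deployment only as long as that name never resolves to a reachable SSH host. That depends on the resolver of whichever machine runs `colmena apply`, not on this configuration. Colmena's `deployment.targetHost` option is nullable, so `deployment.targetHost = null;` removes the SSH target for the node without relying on DNS. If a string is required, a name under the reserved `.invalid` TLD is the more robust placeholder. The added comment also has a typo (`appliying`), and the surrounding attribute set begins and ends outside the hunk.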
@@ -57,7 +66,7 @@ in script = '' ln -sf /dev/console /dev/tty until ${pkgs.iputils}/bin/ping -c 1 hydra.forkos.org; do sleep 1; done - ${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe + ${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe ''; }; boot.initrd.systemd.contents."/etc/ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";