| 6 Jun 2023 |
 @elvishjerricco:matrix.org | Ok I think I have a crude fix for flushBeforeStage2 to use KeepConfiguration instead of our screwy service. It's not meaningfully different, but it's certainly cleaner. Though my code for it could use some cleanup... | 20:59:44 |
| @elvishjerricco:matrix.org | That's a separate thing from oddlama's problem, so I guess I'll make these two separate PRs | 21:00:28 |
| 7 Jun 2023 |
| @elvishjerricco:matrix.org | oddlama: Turns out your bug was hitting my other system; it just didn't have any tangible effect because my network config was the same between stages :P | 20:34:18 |
 oddlama | Ah, that makes sense :D | 20:56:09 |
| 11 Jun 2023 |
| @elvishjerricco:matrix.org | https://github.com/NixOS/nixpkgs/pull/237154 | 06:36:56 |
 K900 | Wait so does this mean we can actually get from stage1 to stage2 without dropping the network? | 06:37:50 |
| @elvishjerricco:matrix.org | K900: That's always been possible with flushBeforeStage2 = false | 06:38:05 |
| @elvishjerricco:matrix.org | This just implements that in a sane way | 06:38:11 |
| K900 | Oh | 06:38:13 |
| K900 | I haven't really tried it because the only box I'd want to try it on gets confused when the network drops while it's booted | 06:38:41 |
| K900 | (for some reason) | 06:38:42 |
| @elvishjerricco:matrix.org | in fact the non-sane thing we did before was the implementation of flushBeforeStage2 = true, because systemd-networkd expects you to want to carry network configs over between stages | 06:39:06 |
| @elvishjerricco:matrix.org | * in fact the non-sane thing we did before was the implementation of flushBeforeStage2 = true, because systemd-networkd expects you to want to carry network configs over between stages and just does that by default | 06:39:20 |
| @elvishjerricco:matrix.org | now the real question is... do I upstream my tailscaled in initrd implementation... | 06:40:30 |
| K900 | Does it need special setup? | 06:41:24 |
| @elvishjerricco:matrix.org | yea | 06:41:30 |
| @elvishjerricco:matrix.org | where is the tailscale state dir? | 06:41:37 |
| @elvishjerricco:matrix.org | because if it isn't something persistent then it's useless | 06:41:47 |
| K900 | Oh yeah makes sense | 06:41:54 |
| @elvishjerricco:matrix.org | my system does it by having the tailscale state dir shared between stages and stored on a disk that's TPM2 encrypted, and unlocked in initrd without user input | 06:42:19 |
| @elvishjerricco:matrix.org | letting me log in so I can enter the key for the root fs and get the system booted | 06:42:43 |
| K900 | I have a horrible idea now | 06:43:15 |
| @elvishjerricco:matrix.org | do tell | 06:43:23 |
| K900 | You could, in theory, do OIDC with a key stored on the TPM | 06:44:20 |
| @elvishjerricco:matrix.org | what's OIDC? | 06:44:38 |
| K900 | OpenID Connect, which is the thing Tailscale uses for auth | 06:44:49 |
| @elvishjerricco:matrix.org | so what does it mean to store a key for it on the TPM? | 06:46:02 |
| K900 | It's just auth | 06:46:10 |
| K900 | You sign a token with your private key | 06:46:16 |
| K900 | And send it to the server that knows your public key | 06:46:23 |
