!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

865 Members
Declaratively manage your switching, routing, wireless, tunneling and more. | Don't rely on `networking.*` use systemd-networkd and NetworkManager instead. | Set `SYSTEMD_LOG_LEVEL=debug` to debug networking issues with networkd | No bad nft puns, please. | Room recommendations: #sysops:nixos.org247 Servers

You have reached the beginning of time (for this room).

SenderMessageTime
30 Jul 2025
@marcel:envs.netMarcel (this is about packaging ifstate, everything works already, also initrd, its just about reducing it's addition to the initrd) 19:31:00
@denkn:denkn.atDenKnso you need network in initrd?19:31:08
@marcel:envs.netMarcelif you have an encrypted systemd which is not directly accessable (e.g. a server in a datancenter) and you wan't to reboot it you someshow need to enter the password - i know. there are thinkgs like ipmi but you cloud also start an sshd in the initrd and connect to it in order to enter the password19:32:27
@marcel:envs.netMarcelsee https://wiki.nixos.org/wiki/Remote_disk_unlocking for some background info19:33:07
@marcel:envs.netMarcel * (this is about packaging ifstate, everyth ing works already, also initrd, its just about reducing it's addition to the initrd in terms of size) 19:34:26
@denkn:denkn.atDenKnThere is not secure datacenter. If it is not your hardware, encryption is useless.19:34:29
@marcel:envs.netMarcelits my hardware in a datancenter operator i trust19:34:54
@marcel:envs.netMarcelbut i thinks think this is off topic now19:35:09
@marcel:envs.netMarcel * 19:35:19
@denkn:denkn.atDenKnah, ok, than it is something different.19:35:49
@denkn:denkn.atDenKnso, you have also a sshd in your initrd...19:37:53
@emilazy:matrix.orgemilyyou can use TPM etc. to get a not-easily-extractable host key prior to decryption19:37:54
@emilazy:matrix.orgemily(and that host key can be only accessible if you are booting a trusted kernel/initrd and nothing funny went on with the bootloader)19:38:10
@hexa:lossy.networkhexa (clat on linux when)yes, and an unencrypted ssh hostkey19:38:14
@hexa:lossy.networkhexa (clat on linux when)the threat modelling on this is pretty clear19:38:24
@emilazy:matrix.orgemilywell, that's the less effective option :D19:38:28
@emilazy:matrix.orgemilybut yes19:38:30
@emilazy:matrix.orgemilywe have had support for this in NixOS for years19:38:39
@hexa:lossy.networkhexa (clat on linux when)right19:38:41
@denkn:denkn.atDenKnthan you could also install a second system with a full nixos, which will be booted first. than you use containers for the encrypted services.19:39:35
@hexa:lossy.networkhexa (clat on linux when)the discussion is about bringing parity for network configuration options between the running system and the initrd, no need to question everything from first principles19:41:08
@denkn:denkn.atDenKnyes, than you have only one network config19:48:42

Show newer messages

Back to Room ListRoom Version: 6