[hex4def6]

This is extremely cool!

I've had an idea percolating in my mind for a while: Would it be possible to have VPN credentials stored in UEFI, and have a system reach out to a server for PXE network boot?

It seems like it would be a neat way of (securely?) allowing a remote system to automatically recover in the event of a nuked install that prevents proper bootup.

[contingencies]

Actually, all it takes on modern hardware for PXE boot to occur on hardware failure is the BIOS boot order setting.

As PXE inherently trusts the LAN, and a LAN may have VLAN support, you can assign a default VLAN to the port which equates to the PXE server you want.

The PXE server can further configure by client MAC prefix, DHCP-assigned IP mapped to physical port number or similar. Configured systems can report status and/or other hardware identifiers to a server after installation and have default VLAN changed by the network fabric (more secure), or can actively request to join alternate VLANs (less secure).

With PXE, any information can be fed to the machine, not just VPN credentials.

This is how a lot of clusters are built, especially diskless (for CPU-bound operations) in this era of more-RAM-than-you-can-use.

All of the above should work with IPMI ports if the controller is flashed with PXE-enabled firmware.

[nucleardog]

Well shit, glad I stumbled on this comment. Thanks for posting.

Biggest gripe with my home lab setup is managing when something does or doesn’t PXE boot.

Plug anything in and PXE boot it and it wipes the drive, does a scripted Debian install chained to an Ansible playbook that eventually installs k3s, discovers the rest of the cluster, and joins itself to it. So 0-click and 10 minutes from plug in to node in the cluster. If anything breaks, just PXE boot it and wait 10 minutes and it’s back. If anything needs updating, just PXE boot it and wait 10 minutes and it’s back.

Except… these are a bunch of tiny PCs on a high shelf in my utility room. Selecting the boot order is a _project_.

Never even thought about handling this from the network end. Either swapping the untagged VLAN on the switch or setting DHCP options per MAC address would let me handle this without getting up from my desk.

[kbenson]

> Except… these are a bunch of tiny PCs on a high shelf in my utility room. Selecting the boot order is a _project_.

Every once in a while I look for a cheap remote KVM I can use as a crappy IPMI stand in, either with RJ45 or WiFi. I haven't looked in a year or so, but at the time the options I found all seemed far more costly than I would have hoped (the pi based ones seemed interesting but once you add the requirements together it wasn't cheap enough to be attractive to me for a home use). Server class equipment with built-in IPMI is quite a bit more expensive. I just want something affordable to put in front of a NUC to make dealing with it easier in some instances. You could stick some refurbished old KVM device in front of it to support multiple systems on that one KVM as long as they were in close proximity.

Seems like you could benefit from that as well (but in your case you might get a workable solution out of switch config though).

[toast0]

Per mac dhcp probably works. Also, per mac pxe config... I have pxe for general use that is just a menu, but for my test machine autoboots my hobby os.

[ahepp]

I believe if you are on a UEFI system, “systemctl reboot” has some flags to let you select boot options.

[Jhsto]

Not OP, but what is much simpler is buying a motherboard with IPMI and placing that behind a VPN. If you cannot afford the couple hundred extra bucks for the motherboard, then a USB stick with minimal Linux setup + SSH and then doing a kexec from that is another option.

[E39M5S62]

https://docs.zfsbootmenu.org/en/v2.3.x/general/tailscale.htm... . Connect to your bootloader via your Tailscale network, select your ZFS boot environment and kexec in to it, all through a 'pretty' TUI !