backlog(B-0792 P1): iter-5 wifi-credentials injection via USB ESP — homelab persona has NO ethernet; cluster must remember wifi on setup (Aaron 2026-05-26) #5102
Merged
AceHack merged 1 commit into May 26, 2026
…omelab persona has NO ethernet; cluster must "remember the wifi on setup"

Aaron 2026-05-26 surfaced the load-bearing substrate gap during iter-4.2 PC1 empirical test:

> "we won't have ethernet for most machines it needs to remember
> the wifi on setup"

Today (full-ai-cluster/nixos/modules/common.nix) enables NetworkManager but bakes in ZERO wifi credentials. Wifi requires console-side nmtui / nmcli on first boot; defeats zero-typing for homelab persona where most cluster nodes are wifi-only mini-PCs with no ethernet jack populated.

Extends iter-4.x ESP-injection pattern (which carries zeta-authorized-keys.pub) to also carry wifi credentials + hostname selection.

Five sub-targets:

1. zflash extension: write zeta-wifi-credentials.json to ESP from operator's ~/.zeta/wifi-credentials.json (or CLI flags / env vars)
2. zeta-install.sh extension: read ESP creds + write NetworkManager profile to /etc/NetworkManager/system-connections/zeta-wifi.nmconnection (chmod 0600)
3. NixOS config: NetworkManager wireless backend verify + Avahi mDNS publishing (so ssh zeta@control-plane.local resolves from operator Mac)
4. Multi-node hostname selection: --host flag → write zeta-hostname.txt to ESP → install picks right nixos/hosts/<host>/configuration.nix
5. Worker cluster join token (deferred; downstream of B-0776 simplest-first plugin sequence)

Security framing: wifi password on ESP = plaintext to anyone who can read the partition. Acceptance: homelab + maintainer persona under physical-USB-control assumption. NOT acceptable for shared infrastructure / multi-tenant. Future hardening out-of-scope this row.

Composes with B-0789 (depends_on; iter-4 substrate this extends) + B-0754 + B-0759 + B-0770 + B-0778 + B-0790 + .claude/rules/human-audit-and-legal-risk-acceptance-pattern-in-settings.md.

Out-of-scope: cluster orchestration substrate (B-0776), worker join token (sub-target 5; deferred), encrypted credentials / Touch ID gate (future hardening), WPA-Enterprise / corporate wifi (not homelab scope).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Aaron 2026-05-26 surfaced the load-bearing substrate gap during iter-4.2 PC1 empirical test:
Today's NixOS install enables NetworkManager but bakes ZERO wifi credentials → first boot has no network on wifi-only mini-PCs (the homelab persona's default hardware). Defeats zero-typing discipline.
Five sub-targets
Empirical anchor
Aaron's PC1 booted iter-4.2-flashed USB; installed; rebooted; came up on console with no wifi configured (NetworkManager + zero creds = no network). `ssh zeta@control-plane.local` from operator Mac failed to resolve (no mDNS publishing). Cluster-side workaround would be `nmtui` on console (defeats zero-typing). Aaron's call: "lets just create another usb we are having cascading failures no need to continue" — fix substrate, re-flash with iter-5, retry.
Composes with
Security framing
Wifi password on ESP = plaintext to anyone who can read the partition. Acceptance: homelab + maintainer persona under physical-USB-control assumption. NOT acceptable for shared infrastructure / multi-tenant. Future hardening (encrypted creds + Touch ID gate at boot) out-of-scope this row.
Out of scope
Test plan
🤖 Generated with Claude Code
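Sub-target 2 in the commit message (read the credentials from the ESP, write the NetworkManager profile with mode 0600), as an added example in Python that is not part of this pull request or of the project's zeta-install.sh. It treats the ESP file as untrusted input, since a FAT partition carries no permissions. The JSON keys `ssid` and `psk`, the connection id and the function names are assumptions; the page gives no schema.

```python
import json
import os
import re

# Path from the page; the JSON keys "ssid" and "psk" are assumed (no schema on the page).
PROFILE_PATH = "/etc/NetworkManager/system-connections/zeta-wifi.nmconnection"
PSK_RE = re.compile(r"[\x20-\x7e]{8,63}|[0-9A-Fa-f]{64}")  # WPA passphrase or hex PSK


def _field(creds, name, max_bytes):
    """Validate one untrusted field: anyone holding the stick can edit the FAT ESP."""
    value = creds.get(name)
    if not isinstance(value, str) or not 1 <= len(value.encode("utf-8")) <= max_bytes:
        raise ValueError(f"{name}: missing, not a string, or wrong length")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        # A newline here would let the ESP file add its own keys or sections.
        raise ValueError(f"{name}: control character")
    if value != value.strip():
        # Conservative: refuse edge whitespace rather than rely on keyfile escaping.
        raise ValueError(f"{name}: leading or trailing whitespace")
    return value


def render_profile(raw_json):
    """Turn the ESP JSON text into NetworkManager keyfile text, or raise ValueError."""
    creds = json.loads(raw_json)
    if not isinstance(creds, dict):
        raise ValueError("credentials file must be a JSON object")
    ssid = _field(creds, "ssid", 32)
    psk = _field(creds, "psk", 64)
    # Conservative: ';' and '\' in an SSID are refused rather than escaped.
    if any(c in ssid for c in ";\\") or not PSK_RE.fullmatch(psk):
        raise ValueError("unsupported character in ssid, or psk is not a valid WPA key")
    psk = psk.replace("\\", "\\\\")  # backslash starts a keyfile escape sequence
    return (
        "[connection]\nid=zeta-wifi\ntype=wifi\n\n"
        f"[wifi]\nmode=infrastructure\nssid={ssid}\n\n"
        f"[wifi-security]\nkey-mgmt=wpa-psk\npsk={psk}\n\n"
        "[ipv4]\nmethod=auto\n\n[ipv6]\nmethod=auto\n"
    )


def write_profile(text, path=PROFILE_PATH):
    """Create the profile with mode 0600 from the first byte, then rename into place."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # do not depend on the caller's umask
        os.write(fd, text.encode("utf-8"))
    finally:
        os.close(fd)
    os.replace(tmp, path)
```

Every validation failure raises `ValueError`, so an installer can skip the profile and fall back to console setup instead of writing a malformed or attacker-shaped keyfile.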