Add tech_docs/UEFI_arch_deploy.md

tech_docs/UEFI_arch_deploy.md

@@ -0,0 +1,132 @@
+Below is a **UEFI-only** recipe that has worked for me every time.  
+It uses the **official Arch netboot images** (which already contain UEFI-signed iPXE binaries) and the smallest possible amount of tooling on the PXE server.
+
+────────────────────
+1.  What the client will download (in this order)
+   1. DHCP → gives IP + TFTP server + filename **ipxe.efi**  
+   2. TFTP → **ipxe.efi** is executed  
+   3. HTTP → iPXE downloads kernel + initrd + squashfs from the mirror you choose
+
+Nothing is extracted from the ISO, so you don’t need the ISO at all.
+
+────────────────────
+2.  Prepare the PXE server (any Linux box)
+
+Install packages
+```
+sudo pacman -S dnsmasq nginx
+sudo systemctl enable --now dnsmasq nginx
+```
+
+Create a directory that will be served over HTTP
+```
+sudo mkdir -p /srv/archlive
+cd /srv/archlive
+```
+
+────────────────────
+3.  Download the **netboot** files (kernel + initrd + squashfs)
+
+Pick the mirror closest to you, then:
+```
+sudo wget -r -np -nH --cut-dirs=3 \
+  https://mirror.pkgbuild.com/iso/latest/arch/boot/x86_64/vmlinuz-linux
+sudo wget -r -np -nH --cut-dirs=3 \
+  https://mirror.pkgbuild.com/iso/latest/arch/boot/x86_64/initramfs-linux.img
+sudo wget -r -np -nH --cut-dirs=3 \
+  https://mirror.pkgbuild.com/iso/latest/arch/x86_64/airootfs.sfs
+```
+Adjust the URLs if you prefer another mirror.
+
+Make them reachable:
+```
+sudo ln -s /srv/archlive /srv/http/archlive
+```
+
+────────────────────
+4.  Add the UEFI-signed iPXE binary to TFTP
+
+```
+sudo mkdir -p /srv/tftp
+cd /srv/tftp
+sudo wget https://archlinux.org/releng/netboot/ipxe.efi
+```
+
+────────────────────
+5.  Configure dnsmasq for **UEFI PXE only**
+
+/etc/dnsmasq.d/arch-uefi.conf
+```
+interface=eno1            # NIC facing the clients
+port=0                    # disable DNS
+enable-tftp
+tftp-root=/srv/tftp
+dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+dhcp-match=set:efi-x86_64,option:client-arch,7
+dhcp-boot=tag:efi-x86_64,ipxe.efi
+```
+Reload:
+```
+sudo systemctl restart dnsmasq
+```
+
+────────────────────
+6.  Create the iPXE script (menu)
+
+/srv/http/archlive/boot.ipxe
+```
+#!ipxe
+set base-url http://YOUR_PXE_SERVER/archlive
+kernel ${base-url}/vmlinuz-linux archisobasedir=arch archiso_http_srv=${base-url}/ ip=:::::eth0:dhcp
+initrd ${base-url}/initramfs-linux.img
+boot
+```
+Make it world-readable:
+```
+sudo chmod 644 /srv/http/archlive/boot.ipxe
+```
+
+────────────────────
+7.  Point iPXE to that script automatically
+
+Option A – embed the script inside iPXE **(recommended)**  
+```
+# On any Linux box
+git clone https://github.com/ipxe/ipxe.git
+cd ipxe/src
+cat <<'EOF' > arch.ipxe
+#!ipxe
+chain http://YOUR_PXE_SERVER/archlive/boot.ipxe
+EOF
+make bin-x86_64-efi/ipxe.efi EMBED=arch.ipxe
+sudo cp bin-x86_64-efi/ipxe.efi /srv/tftp/ipxe.efi
+```
+Option B – let iPXE fall back to DHCP option 175 (more complex).
+
+────────────────────
+8.  Boot the target machine
+
+1. Enter firmware → disable **Secure Boot** (Arch media is unsigned).  
+2. Enable **Network Stack / PXE boot** on the NIC.  
+3. Reboot → press F12 (or whatever key) → choose **UEFI: IPv4** or **PXE**.  
+4. You should see iPXE banner, then the Arch prompt.  Login as **root**.
+
+────────────────────
+9.  Install Arch as usual
+```
+# verify network
+ping archlinux.org
+
+# quick interactive installer
+archinstall
+# or manual
+pacstrap /mnt base linux ...
+```
+
+────────────────────
+10.  Common UEFI-specific pitfalls
+• **Secure Boot must be off** until you sign your own kernels.  
+• The NIC must appear in the **UEFI boot menu**; if it doesn’t, update firmware or enable CSM → then disable CSM again once the installer boots.  
+• If you only have Wi-Fi, plug in a USB-to-Ethernet dongle for the PXE phase—Wi-Fi PXE is still rare.
+
+That’s it: a single TFTP file (`ipxe.efi`) and an HTTP folder with three files (`vmlinuz`, `initramfs`, `airootfs.sfs`) are all you need to UEFI-PXE install Arch on any modern machine.