| 31 Aug 2021 |
raunov | Testing! | 08:21:35 |
raunov | Hum, nothing different | 08:30:20 |
raunov | test-1> warning: substituter 's3://binary-cache' does not have a valid signature for path '/nix/store/3dvpr7knrsnay2v23yw3lqsscan0x5x1-etc' | 08:30:40 |
Linux Hackerman | you may need to clear the binary cache cache on test-1 | 08:31:40 |
raunov | you mean this: ~/.cache/nix/binary-cache-v* ? | 08:33:47 |
Linux Hackerman | yeah | 08:35:20 |
raunov | still nothing.. | 08:41:46 |
raunov | Linux Hackerman: is it possible to automatically update the binary cache also with nixops? Or the easiest way is some kind of bash alias ? | 09:07:40 |
Robert Hensing (roberth) | curl s3://binary-cache/<hash>.narinfo is a good question to ask | 11:24:53 |
Robert Hensing (roberth) | because that's not cached in any significant way | 11:25:27 |
Robert Hensing (roberth) | Amine Chikhaoui: would you like to review https://github.com/NixOS/nixops/pull/1464? | 12:51:27 |
Amine Chikhaoui | Robert Hensing (roberth): lgtm, thanks. | 19:11:46 |
| 1 Sep 2021 |
nate5824 | Hi, does anyone know how to fix this error with the deploy_nixos Terraform module? copying path '/nix/store/0km4ablsx26i1755jq4vq49d21q7p5vp-unit-google-clock-skew-daemon.service' to
│ 'ssh://USER@IP'...
│ error: cannot add path '/nix/store/0km4ablsx26i1755jq4vq49d21q7p5vp-unit-google-clock-skew-daemon.service'
│ because it lacks a valid signature
| 03:00:12 |
nate5824 | It has copying path for other ones and they go fine | 03:00:26 |
nate5824 | Is it safe to disable verification? idk what it really means | 03:45:30 |
nate5824 | well I fixed it by enabling build_on_target true | 04:05:39 |
nate5824 | But now I run into this: https://github.com/tweag/terraform-nixos/issues/59 :( | 07:54:00 |
| 2 Sep 2021 |
raunov | Why am i hitting constantly warning: reached FD_SETSIZE limit ? | 09:21:40 |
raunov | When there are many packages from cache.nixos.org and my own s3 binary-cache ? | 09:21:56 |
raunov | Or is it only the old nix problem and it will be resolved by upgrade ? | 09:26:06 |
manveru | grahamc (he/him): just saw https://github.com/DeterminateSystems/nix-netboot-serve and was wondering how hard it'd be to add a feature to give each server a predefined ssh host key via a separate non-nix-built cpio? | 10:35:45 |
vika (she/her) 🏳️⚧️ | In reply to @manveru:matrix.org ("grahamc (he/him): just saw https://github.com/DeterminateSystems/nix-netboot-serve and was wondering how hard it'd be to add a feature to give each server a predefined ssh host key via a separate non-nix-built cpio?"): I think that's a good idea! Probably the stage1 would then use the key inside initrd and save it to the / if no key exists on the system | 10:48:52 |
manveru | In reply to @vika:matrix.nice.sampler.fi ("I think that's a good idea! Probably the stage1 would then use the key inside initrd and save it to the / if no key exists on the system"): yep, and i also use age in activation scripts to use that key to decrypt all the machine secrets from the nix store :) | 10:49:55 |
vika (she/her) 🏳️⚧️ | Yay! In this case the key is a root of trust for installing the machine and it authenticates it on later access | 10:50:44 |
manveru | atm i have a systemd service that fetches the key after boot within a short time window and then runs the system activate script again to trigger decryption... not awesome | 10:50:52 |
vika (she/her) 🏳️⚧️ | And the keys can be centrally managed, e.g. with SSH CA signing them | 10:51:02 |
manveru | yep | 10:51:11 |
manveru | i just wrote my own ipxe server this week, but of course grahams stuff is much nicer :P | 10:51:50 |
vika (she/her) 🏳️⚧️ | In reply to @manveru:matrix.org ("atm i have a systemd service that fetches the key after boot within a short time window and then runs the system activate script again to trigger decryption... not awesome"): Ouch, I definitely think this needs to be moved at least to stage1 or earlier in stage2 | 10:51:56 |
manveru | there's no networking in stage1... | 10:52:11 |