| 17 Jun 2021 |
srhb | grandfathered-in wrt. pre-boot, that is. | 11:09:07 |
srhb | But yeah, per-secret configurability should be the way to go in order to keep the current possibility while allowing your workflow, I think :) | 11:09:37 |
@grahamc:nixos.org | I'm not sure that is true, I think I often see secrets get uploaded before users are created or tmpfiles.d runs | 11:09:40 |
@grahamc:nixos.org | let me see if I can find a log ... | 11:09:49 |
srhb | Oh, really? Maybe it's actually consistent then, that would make the strict "pre-activation/post-activation" logic clearer. | 11:10:01 |
@grahamc:nixos.org | Uploading secrets to xxx-0 (xxx):
* promtail-password (40 bytes).. OK
* xxx-toml (143 bytes).. OK
- executing post-upload command: systemctl restart promtail.service
- executing post-upload command: ( systemctl restart xxx-serve.service || true )
Running healthchecks on xxx-0 (xxx):
Health checks OK
Executing 'test' on matched hosts:
** xxx-0
activating the configuration...
setting up /etc...
reloading user units for root...
setting up tmpfiles
the following new units were started: xxx-manifest.service
Running healthchecks on xxx-0 (xxx):
Health checks OK
Done: xxx-0
| 11:12:15 |
@grahamc:nixos.org | ^ this is from morph deploy ./network.nix test --upload-secrets | 11:12:45 |
srhb | Ah, good! | 11:13:13 |
@grahamc:nixos.org | well... not sure :P | 11:13:25 |
srhb | Then your ternary makes great sense and is consistent across the board. | 11:13:28 |
srhb | Because everything is pre-activation today. | 11:13:42 |
@grahamc:nixos.org | right | 11:13:53 |
srhb | My worry was that non-boot switches were post-activation today and boot switches were pre-activation | 11:13:58 |
srhb | Which would be a mess option-wise. | 11:14:02 |
@grahamc:nixos.org | yeah | 11:14:18 |
@grahamc:nixos.org | if that were the issue, I wouldn't mind :) | 11:14:23 |
@grahamc:nixos.org | I wish hexa were around, but I happen to know he didn't sleep until like 6am local time | 11:14:28 |
@grahamc:nixos.org | he has some design questions about unlocking an encrypted root | 11:14:48 |
@grahamc:nixos.org | I am a bit confused about the use case of ever uploading before activation? except in very simple cases where all secrets are owned by root | 11:15:09 |
srhb | Yes indeed, it's likely to not be consistent in other cases. | 11:20:33 |
@grahamc:nixos.org | let's postpone the rest of this discussion until hexa gets here :) | 11:30:56 |
hexa | I'm here | 11:31:27 |
hexa | catching up on the backlog | 11:31:38 |
hexa | my use cases are somewhat aligned with andi's | 11:33:46 |
hexa | and unlocking encrypted root at boot is probably more in the hooks category of things | 11:34:31 |
@grahamc:nixos.org | cc srhb | 11:40:14 |
hexa | I agree that per-secret targets is probably the way to satisfy everyone | 11:40:52 |
srhb | Yeah, we use some other tool entirely for unlocking root fs in initrd, completely out of band. I don't feel like I can just spit out a design decision for that re. morph. | 11:40:56 |
hexa | and I'd hope it would be as simple as saying systemctl run --wait with the appropriate properties set | 11:42:23 |
hexa | I don't have anything to add, I think we are all in agreement kind of | 11:44:33 |