| 8 Apr 2025 |
|  @yuri:peori.space left the room. | 11:24:05 |
 kalessin | Thank you for your followup Robert Hensing (roberth)!
User input isn't part of the design yet, but could be added. I can also imagine that these prompts would be completed with NixOps4 resource data instead of actual interactive user input.
I think prompts could actually be completed with both/either NixOps4 resources data and/or user input.
Maybe I'm a bit off here. I'd have to play around with the PR a bit to get a feel for it. Maybe there's something I'm missing.
@lassulus:lassul.us, made a separate repo, it's a good playground, and we gotta fix the test…
For now my focus is on making stateful, Terraform-style resources work (i.e. making it remember what previous outputs were so that it can actually let resource providers talk to APIs in a sensible way). So Terraform is a pretty good analog for now, in terms of what it will be able to do - just imagine it's Nix instead of HCL so it's easier to transfer info into a NixOS configuration, and unlike in Terranix, you can also refer to real resource values in the Nix language.
While I haven't used Terraform extensively, I feel like I have a good grasp over it. I think the CRUD operations on some secrets storage backend already maps well to the Nixops4 model. The secret generation with the prompts, their outputs going into the script that generate the secrets, seems to be the tricky part, is that why you mentioned focus?
- The NixOS configuration [specifies] which vars backend to use;
- The vars definitions are [exported] to [JSON];
This might be somewhat expensive, as you're loading a whole NixOS configuration just to access the vars definitions. (broad adoption of modular services could drive down that evaluation cost, 2-4× for system.build.toplevel, maybe more for evaluating a small part of a config?)
It is a little expensive, I know the clan team has been trying to bring the cost down, and do some caching. I am not sure I understand how modular services would reduce evaluation time? Would it help avoid loading the entire NixOS module library, which I currently understand is one of the main issues regarding NixOS configurations eval times (and RAM usage)?
| 17:50:57 |
 Robert Hensing (roberth) | Loading all the services is a fairly significant portion of NixOS evaluation. Each file, a bunch of options and each config = mkIf cfg.enable has to be evaluated, at least. | 18:08:34 |
| kalessin | Ok, so it's not just all of the imports phase? | 18:10:23 |
| Robert Hensing (roberth) |
But to really see the potential:
- Make significant cuts in modules-list.nix and fix a few broken options references
- Watch instantiation of toplevel go down from 4.0 to 1.4 seconds.
- https://github.com/NixOS/nixpkgs/issues/137168
Seems safe to assume the list hasn't shrunk in the past 3.5 years :)
| 18:18:07 |
| Robert Hensing (roberth) | I assumed vars generation would run on the host, being part of the config. Is this representative or accidentally wonky? https://github.com/Lassulus/vars/blob/066dbc738838b79be6bc80b88559cb88e0fffffd/testing.nix#L75 | 18:25:40 |
| Robert Hensing (roberth) | fwiw this way the test can't run on a darwin VM host, but that's probably besides the point | 18:27:50 |
| kalessin | It's one representation, e.g. in clan vars generation is done from on the developer machine, ahead of deploying to a nixos host. | 18:27:52 |
| kalessin | * It's one representation, e.g. in clan vars generation is done on the developer machine, ahead of deploying to a nixos host. | 18:28:43 |
| kalessin | Like the vars definitions get evaluated, the result is exported, something does the prompting, and interacts with some secrets backend, then that something uploads some result/generated vars to the nixos host, or a key to decrypt them (if the result/generated vars are uploaded through the nix store), to the nixos host, and finally when you get to nixos-rebuild switch on your nixos host, your secrets get "activated" by something else that matches how something laid out the result/generated vars. | 18:34:43 |
| kalessin | hope that helps 🥵 | 18:35:25 |
| kalessin | My effort here, is to figure out how the vars interfaces could be used in different systems: clan, nixops4, …, in order to help the vars PR progress, and figure out where things intersect and overlap, to see if some of the work can be shared across different systems. | 18:42:38 |
|  @bradlugo:matrix.org left the room. | 23:03:07 |
| 9 Apr 2025 |
|  @earthwalker31:tchncs.de left the room. | 12:59:37 |
|  jkarni joined the room. | 15:45:56 |
| 10 Apr 2025 |
|  anselmetombarel joined the room. | 14:44:23 |
| 11 Apr 2025 |
|  @danish:pacmans.net left the room. | 22:44:40 |
| 12 Apr 2025 |
|  @NYXT:matrix.org left the room. | 02:00:37 |
|  @loving-melody:matrix.org left the room. | 02:17:31 |
|  aktaboot joined the room. | 11:21:17 |
|  Contact @rappet:rappet.xyz instead changed their display name from Lucy to rappet. | 12:10:56 |
|  oak 🏳️🌈♥️ changed their display name from oak to oak - mikatammi.fi ÄÄNESTÄ. | 12:11:10 |
| oak 🏳️🌈♥️ changed their profile picture. | 12:13:28 |
| oak 🏳️🌈♥️ changed their display name from oak - mikatammi.fi ÄÄNESTÄ to oak - mikatammi.fi. | 12:55:55 |
| 13 Apr 2025 |
|  mao zedong joined the room. | 08:20:01 |
| mao zedong changed their display name from zekeriya öz to nixosfanboy. | 08:25:20 |
| mao zedong changed their profile picture. | 08:26:43 |
| mao zedong changed their profile picture. | 08:26:52 |
|  Indrek joined the room. | 15:09:10 |
|  @dom:rodriguez.org.uk left the room. | 20:14:03 |
