11 Oct 2024 |
mjm | maybe services.foo.enablePreservation ? | 18:26:37 |
antifuchs | only tangentially related to systemd itself, but if anyone else is using vector for aggregating logs, here's a thing that lets you use systemd credentials with it https://github.com/antifuchs/vector-systemd-secrets | 18:28:24 |
ElvishJerricco | tangentially related, I wonder if there's some overlay magic that could be done, so that instead of having /persist and its bind mounts, the rootfs is just an overlay of some persistent FS and a tmpfs, such that the persistent FS does take writes but only for the directories it already had... | 18:28:38 |
mjm | idk this is a whole other thing, it just seems like right now you have to do some digging to figure out where a service keeps state, and it seems like the service module can encode that information and make it easy to persist a service with a simple flag | 18:29:14 |
mjm | i wanna introduce something in my own system configs to do it automatically for systemd state directories, so you just say "persist these services" and it does the right thing based on the unit config. that was impossible with impermanence, because it used systemd services itself for some things so you would get infinite recursion | 18:30:29 |
mjm | and that would not be an issue with preservation | 18:30:34 |
emily | (in reply to @mjm:midna.dev: "maybe services.foo.enablePreservation ?") that sounds reasonable (though I don't like the name) | 18:30:33 |
ElvishJerricco | antifuchs: very nice; I don't really know what vector is but I always really like seeing systemd credentials getting good use :) | 18:30:36 |
emily | although | 18:30:37 |
emily | it reminds me of like, opening firewall stuff | 18:30:41 |
emily | which I'm also uneasy about when we do it in modules | 18:30:47 |
mjm | (in reply to @emilazy:matrix.org: "which I'm also uneasy about when we do it in modules") why's that? | 18:31:08 |
mjm | (in reply to @emilazy:matrix.org: "that sounds reasonable (though I don't like the name)") not like i spent a ton of time figuring out the right name :) just thinking about the concept | 18:31:24 |
aloisw | (in reply to @elvishjerricco:matrix.org: "tangentially related, I wonder if there's some overlay magic that could be done, so that instead of having /persist and its bind mounts, the rootfs is just an overlay of some persistent FS and a tmpfs, such that the persistent FS does take writes but only for the directories it already had...") There's rewritefs, but I don't know how well it works. Also FUSE. | 18:31:27 |
emily | I don't like it when system-wide policy intrudes into modules for specific functionality | 18:31:32 |
emily | whether you want an OpenSSH daemon running and whether you want port 22 open aren't necessarily the same thing | 18:31:41 |
mjm | oh, i was thinking about the openFirewall flags that are separate | 18:32:02 |
emily | in general modules "helpfully" twiddling settings in other modules that aren't actually required makes me a bit uncomfortable | 18:32:03 |
emily | though of course in this case it'd be opt-in | 18:32:07 |
emily | (in reply to @mjm:midna.dev: "oh, i was thinking about the openFirewall flags that are separate") right | 18:32:12 |
mjm | right, i think it's fine if it's opt-in at least | 18:32:18 |
emily | the layering just feels weird to me sometimes | 18:32:18 |
emily | I think: I'd rather be passing something from this module to the firewall module | 18:32:24 |
mjm | well, layering in nixos modules is always gonna be wild | 18:32:28 |
mjm | just cuz of how the module system works | 18:32:38 |
aloisw | (in reply to @emilazy:matrix.org: "I think: I'd rather be passing something from this module to the firewall module") It pretty much does that though? | 18:32:56 |
emily | anyway I think we can land the bare functionality with no conveniences and then decide how we want to integrate systemd state directories into it | 18:33:05 |
mjm | (in reply to @emilazy:matrix.org: "anyway I think we can land the bare functionality with no conveniences and then decide how we want to integrate systemd state directories into it") yeah for sure | 18:33:13 |
emily | (in reply to @aloisw:kde.org: "It pretty much does that though?") what I mean is that I'd rather be setting something under networking.firewall than asking another module to set something under networking.firewall. but, we don't have nice ways for modules to "talk" like that currently, so meh | 18:33:43 |
emily | like ideally I'd want to say something like persist.services = [ services.postgresql ]; | 18:34:01 |