| 4 Aug 2025 |
hexa (signing key rotation when) | frankly, I don't know why we have the trailing slash prefixes | 13:38:57 |
vcunat | Oops. I thought I was wrong. Let me repost. Maybe it's better to use links like https://releases.nixos.org/?prefix=nixos/25.05-small/ ? | 13:40:06 |
Sandro 🐧 | true, especially since the combined ISO | 13:40:27 |
djacu | Sorry. By source of truth we meant that we don't want people to treat where the logo files are in the website as stable paths for linking. E.g. the Infra and Nixpkgs README files were previously linking to paths in the website to display the logo in the readme. The goal would be serving up the branding artifacts (currently just logos and branding guide PDF) to a location where we can use it for the website and repos can use it for their README. | 15:33:51 |
Jeremy Fleischman (jfly) | djacu, that makes sense! Pick the tech you want to use, and let us know how we can help. I imagine at the very least you'll need a DNS entry. Feel free to send us a PR (relevant code here), or just ask for help here. | 16:43:15 |
Sandro 🐧 | Is it just me or is hydra currently insanely slow? Every request takes like 10s | 17:55:58 |
hexa (signing key rotation when) | https://grafana.nixos.org/d/fejx5cl0i0s1sb/anubis?orgId=1&from=now-24h&to=now&timezone=utc&var-site=hydra.nixos.org:9001&viewPanel=panel-3 | 18:08:36 |
hexa (signing key rotation when) | Can take a look in 30m | 18:08:53 |
Sandro 🐧 | hmmm, so someone or something is doing lots of load currently... | 18:20:40 |
hexa (signing key rotation when) | 700+ source addresses hammering out over 2.7 million requests | 18:48:01 |
hexa (signing key rotation when) | over 600k 429 responses | 18:48:06 |
hexa (signing key rotation when) | source seems to be tor, but there is an email address in the user-agent | 18:48:16 |
@emma:rory.gay | personally I'd just throw up a few temporary iptables rules | 18:52:28 |
hexa (signing key rotation when) | yeah, I'm temporarily blocking tor exits | 18:53:12 |
hexa (signing key rotation when) | the requests stopped a minute after I sent the mail | 18:57:02 |
hexa (signing key rotation when) | also boo, we're still using iptables | 18:57:17 |
| 5 Aug 2025 |
@emma:rory.gay | or you're using the nftables wrapper lol | 02:59:30 |
hexa (signing key rotation when) | the nixos default 🤷 | 03:00:29 |
hexa (signing key rotation when) | quite a bit of technical debt in there | 03:00:51 |
@emma:rory.gay | yeah, that's the nftables wrapper | 03:02:10 |
@emma:rory.gay | iptables v1.8.11 (nf_tables) | 03:02:18 |
@emma:rory.gay | glad that still exists because I have no clue how to manage nftables | 03:02:46 |
hexa (signing key rotation when) | # Hourly systemd timer that refreshes the Tor exit set in nftables.
systemd.services.nft-update-tor-exits = {
  # The set must already exist, so run after the ruleset is loaded.
  wantedBy = [ "nftables.service" ];
  after = [ "nftables.service" ];
  startAt = "hourly";
  script = ''
    # Fetch the bulk exit list, drop comment lines, add each address to the set.
    # Elements inherit the set's default timeout, so stale exits expire on their own.
    curl -sSL "https://check.torproject.org/cgi-bin/TorBulkExitList.py?exit" | sed '/^#/d' | while read -r IP; do
      [ -n "$IP" ] || continue   # skip blank lines so nft is never called with an empty element
      nft add element inet filter torexits { $IP }
    done
  '';
  path = with pkgs; [
    curl
    nftables
  ];
};
| 03:10:29 |
hexa (signing key rotation when) | # Dynamic set inside `table inet filter`; each element expires 6h after it was added.
set torexits {
  type ipv4_addr;
  flags dynamic, timeout;
  timeout 6h;
}
| 03:11:00 |
hexa (signing key rotation when) | basically you can create a datatype, e.g. a set | 03:11:06 |
hexa (signing key rotation when) | and add to it, and have entries timeout automatically | 03:11:14 |
hexa (signing key rotation when) | and then match on that set | 03:11:31 |
hexa (signing key rotation when) | ip saddr @torexits counter drop
| 03:11:38 |