| 27 Sep 2021 |
balsoft | Also, note that it's currently WIP, there's definitely going to be changes in the way it works (though hopefully not breaking the module interface) | 15:41:44 |
zrsk | In reply to @colemickens:matrix.org when using nix cli 2, you can often structure things such that your commands are actually arch ambiguous. nix run .#install-secrets does the right thing because it auto-coerces that to (a number of things including) .apps.{archs}.install-secrets. The {arch} it tries during the coercion is based on the host executing nix. Sorry but what is nix cli 2? And is nix run .# install-secrets standard or you meant a particular flake? I'm really interested but I really can't understand what are you talking about | 15:43:25 |
balsoft | In reply to @aciceri:nixos.dev Sorry but what is nix cli 2? And is nix run .# install-secrets standard or you meant a particular flake? I'm really interested but I really can't understand what are you talking about install-secrets is not standard | 15:43:48 |
balsoft | nix cli 2 is the experimental nix-command feature, I suppose | 15:43:59 |
zrsk | In reply to @balsoft:balsoft.ru (2) Sadly examples aren't public, but I can provide you with a snippet if you want If it's not a problem and you've a working example at hand I would like to see it. | 15:44:04 |
balsoft | In reply to @aciceri:nixos.dev If it's not a problem and you've a working example at hand I would like to see it.
{ config, pkgs, lib, inputs, ... }: {
  vault-secrets.secrets.update-daemon = {
    secretsAreBase64 = true;
  };
  services.update-daemon = {
    enable = true;
    secretFile = "${config.vault-secrets.secrets.update-daemon}/environment";
    agentSetup = ''
      export PATH="$PATH":${lib.makeBinPath [ pkgs.openssh ]}
      if [[ -z "''${SSH_AGENT_PID:-}" ]] ; then
        echo "Starting an ephemeral ssh-agent" >&2;
        eval "$(ssh-agent -s)"
      fi
      cat ${config.vault-secrets.secrets.update-daemon}/private_ssh_key | env SSH_ASKPASS="$(command -v false)" ssh-add -
    '';
    repos = {
      github = {
        serokell = {
          gemini-infra = {};
          pegasus-infra = {};
        };
      };
    };
    settings = {
      author.email = "operations@serokell.io";
      extra_body = "CC @serokell/operations";
    };
  };
}
| 15:46:07 |
balsoft | Here's an example | 15:46:15 |
balsoft | It shows what to do in agentSetup | 15:46:27 |
zrsk | In reply to @balsoft:balsoft.ru
nix cli 2 is the experimental nix-command feature, I suppose Ahhh, thank you | 15:46:41 |
zrsk | In reply to @balsoft:balsoft.ru
{ config, pkgs, lib, inputs, ... }: {
  vault-secrets.secrets.update-daemon = {
    secretsAreBase64 = true;
  };
  services.update-daemon = {
    enable = true;
    secretFile = "${config.vault-secrets.secrets.update-daemon}/environment";
    agentSetup = ''
      export PATH="$PATH":${lib.makeBinPath [ pkgs.openssh ]}
      if [[ -z "''${SSH_AGENT_PID:-}" ]] ; then
        echo "Starting an ephemeral ssh-agent" >&2;
        eval "$(ssh-agent -s)"
      fi
      cat ${config.vault-secrets.secrets.update-daemon}/private_ssh_key | env SSH_ASKPASS="$(command -v false)" ssh-add -
    '';
    repos = {
      github = {
        serokell = {
          gemini-infra = {};
          pegasus-infra = {};
        };
      };
    };
    settings = {
      author.email = "operations@serokell.io";
      extra_body = "CC @serokell/operations";
    };
  };
}
Thank you! I'll try it soon | 15:48:20 |
zrsk | A curiosity: could you send me an example of PR that this process generates, please? | 15:49:54 |
zrsk | I mean the Github link | 15:50:05 |
balsoft | Uh, it's quite... Noisy at the moment | 15:50:05 |
balsoft | I'm working on it right now | 15:50:08 |
zrsk | What you mean with noisy? | 15:50:33 |
balsoft | https://github.com/serokell/update-daemon/pull/2 | 15:50:36 |
balsoft | In reply to @aciceri:nixos.dev What you mean with noisy? It creates a new commit every time it is run and there are updates for the repository | 15:50:49 |
balsoft | Which seemed like a good idea at the time of writing, but turned out not to be | 15:51:00 |
balsoft | The idea was that humans could push fixes to the same branch, so that changes related to the update are merged together with the update | 15:51:29 |
balsoft | But unfortunately it just creates a sea of commits, which is rather overwhelming | 15:51:47 |
balsoft | I'm rewriting it to only create one meaningful commit and then stop updating if there are any human changes on the branch, under the assumption that if humans have pushed something they are going to merge rather soon. | 15:52:29 |
balsoft | Also, I'll add error reporting (if it fails to update it should create an issue) and gitlab support some time in the future | 15:53:37 |
balsoft | Currently it has rudimentary "plain git" support, but it can't submit oldschool patches via email or anything like that, it simply pushes changes to a remote branch | 15:54:28 |
zrsk | If I understand correctly, the bot pushes to a branch called automatic-update in the same repository, I suppose I have to create it before, right? And the ssh key must be that of the bot user on GitHub (I've to give it the write permissions in the automatic-update branch). However could I use also my ssh key specifying a custom author.name? In this case giving permissions wouldn't be necessary since I would have a single GitHub account.
However I understand the problem you exposed, I hope you solve it soon, it's a nice project that could be used by many since the increment of people passing to Flake.
| 16:04:42 |
balsoft | In reply to @aciceri:nixos.dev
If I understand correctly, the bot pushes to a branch called automatic-update in the same repository, I suppose I have to create it before, right? And the ssh key must be that of the bot user on GitHub (I've to give it the write permissions in the automatic-update branch). However could I use also my ssh key specifying a custom author.name? In this case giving permissions wouldn't be necessary since I would have a single GitHub account.
However I understand the problem you exposed, I hope you solve it soon, it's a nice project that could be used by many since the increment of people passing to Flake.
- The bot will automatically create the update branch if it doesn't exist
- Yes, the ssh key must have push permission to the repository. You can use
author.name but that would only affect commits, not the github interface (e.g. the pull requests will still show you as the initiator)
| 16:07:16 |
balsoft | The "problem" is not actually a showstopper, more of an annoyance. | 16:07:31 |
balsoft | See for example https://github.com/serokell/pegasus-infra/pull/23 | 16:07:44 |
balsoft | Where we just resorted to manually updating in a separate pull request rather than dealing with all the commits | 16:08:10 |
zrsk | In case any of the flakes fail to update, update-daemon will exit with a non-zero exit code (but still finish updating all the other flakes);
But what does this (from README) mean? It fails only if the strings replacement in flake.lock fails or is it also running tests/checks?
| 16:15:14 |
balsoft | In reply to @aciceri:nixos.dev
In case any of the flakes fail to update, update-daemon will exit with a non-zero exit code (but still finish updating all the other flakes);
But what does this (from README) mean? It fails only if the strings replacement in flake.lock fails or is it also running tests/checks?
It fails if some part of the operation fails. | 16:39:12 |