Nix Flakes

24 Sep 2021
@aciceri:nixos.devzrsk However I found a discussion about this: https://github.com/NixOS/nix/issues/4265 10:24:05
@balsoft:balsoft.rubalsoft
In reply to @aciceri:nixos.dev

Maybe balsoft's solution is better since the only use case that comes to my mind is when the host's architecture is different, but I don't feel like I can express an opinion.

Any quick workaround to do what I'm trying to do instead? Maybe a sequence of nix check where I manually specify what I want to check?

What exactly are you trying to do?
10:24:43
@balsoft:balsoft.rubalsoft Just run checks for your platform? 10:24:48
@balsoft:balsoft.rubalsoft If so, just nix build all of them 10:24:53
@aciceri:nixos.devzrsk

I'm trying to write a flake with the configurations of all my machines (using devos as template), including an aarch64 notebook. The problem is that when I run in the GitHub workflow nix flake check it tells me that "a 'aarch64-linux' with features {} is required to build blah blah..." and it stops.

Before adding the arm machine the workflow correctly worked.

10:35:54
@aciceri:nixos.devzrsk

The alternative would be to run several times nix build .#checks.x86_64-linux.<myCheck> with all the needed <myCheck>s. I see two problems:

  • The number of my checks could grow in time and I don't want to manually add these lines in the workflow yaml, is there a way to get a flake's outputs? Then with a little bit of shell fu I could obtain the correct nix build command to run.
  • According to the doc flake check not only builds the checks but also does checks that the flake's outputs are app definitions, nixos modules, overlays, etc... So it wouldn't be equivalent to just run a sequence of nix build
10:48:06
@ilkecan:matrix.orgilkecan
In reply to @aciceri:nixos.dev

The alternative would be to run several times nix build .#checks.x86_64-linux.<myCheck> with all the needed <myCheck>s. I see two problems:

  • The number of my checks could grow in time and I don't want to manually add these lines in the workflow yaml, is there a way to get a flake's outputs? Then with a little bit of shell fu I could obtain the correct nix build command to run.
  • According to the doc flake check not only builds the checks but also does checks that the flake's outputs are app definitions, nixos modules, overlays, etc... So it wouldn't be equivalent to just run a sequence of nix build
To get the flake outputs, there is nix flake show but it is for humans. Recently a PR that adds --json flag is merged but it seems this didn't hit the channels yet.
11:07:44
@balsoft:balsoft.rubalsoft
In reply to @aciceri:nixos.dev

The alternative would be to run several times nix build .#checks.x86_64-linux.<myCheck> with all the needed <myCheck>s. I see two problems:

  • The number of my checks could grow in time and I don't want to manually add these lines in the workflow yaml, is there a way to get a flake's outputs? Then with a little bit of shell fu I could obtain the correct nix build command to run.
  • According to the doc flake check not only builds the checks but also does checks that the flake's outputs are app definitions, nixos modules, overlays, etc... So it wouldn't be equivalent to just run a sequence of nix build
  1. AFAIR you can generate workflow YAML's at runtime. If so, nothing is stopping you from using Nix to generate them with builtins.toJSON. If you want an example on how to do it for buildkite, see https://github.com/serokell/common-infra/blob/master/flake.nix#L69
11:51:40
@aciceri:nixos.devzrsk
In reply to @ilkecan:matrix.org
To get the flake outputs, there is nix flake show but it is for humans. Recently a PR that adds --json flag is merged but it seems this didn't hit the channels yet.
This is exactly what I was looking for (I mean the --json option) and this is not a problem if it's not in the channels yet since I need it only in the GitHub workflow where I can directly specify which commit of Nix I need.
12:12:35
@aciceri:nixos.devzrsk
In reply to @balsoft:balsoft.ru
  1. AFAIR you can generate workflow YAML's at runtime. If so, nothing is stopping you from using Nix to generate them with builtins.toJSON. If you want an example on how to do it for buildkite, see https://github.com/serokell/common-infra/blob/master/flake.nix#L69
This is even better, the only problem are my Nix skills that are really basic. But I imagine this could be the right time I learn something new.
12:14:41
@aciceri:nixos.devzrsk

Two completely unrelated questions:

  1. is it possible for a flake to "read the status" of the running system where it's executed (with nix build or nix check for example)? I was thinking it would be convenient (for my use case written before) to understand during the flake evaluation the host's architecture (I mean the machine where I run nix)
  2. Does it exist a github bot that try to update my flake's inputs (the flake is hosted on Github)? Consider that for the packages I also use nvfetcher this simplifies. However I would also like to update modules and all, not only packages.
20:17:06
@ilkecan:matrix.orgilkecan
In reply to @aciceri:nixos.dev

Two completely unrelated questions:

  1. is it possible for a flake to "read the status" of the running system where it's executed (with nix build or nix check for example)? I was thinking it would be convenient (for my use case written before) to understand during the flake evaluation the host's architecture (I mean the machine where I run nix)
  2. Does it exist a github bot that try to update my flake's inputs (the flake is hosted on Github)? Consider that for the packages I also use nvfetcher this simplifies. However I would also like to update modules and all, not only packages.
For the first question, not sure if I understood what you want but you can get the current system from shell with nix show-config --json | jq ".system.value" and from Nix with builtins.currentSystem. But I think the latter is disabled by default with flakes and requires --impure.
20:55:30
@balsoft:balsoft.rubalsoft
In reply to @aciceri:nixos.dev

Two completely unrelated questions:

  1. is it possible for a flake to "read the status" of the running system where it's executed (with nix build or nix check for example)? I was thinking it would be convenient (for my use case written before) to understand during the flake evaluation the host's architecture (I mean the machine where I run nix)
  2. Does it exist a github bot that try to update my flake's inputs (the flake is hosted on Github)? Consider that for the packages I also use nvfetcher this simplifies. However I would also like to update modules and all, not only packages.
  1. No, it's not, by design (it wouldn't be hermetic otherwise)
  2. Yes! https://github.com/serokell/update-daemon (it's still somewhat WIP though)
21:02:07
25 Sep 2021
@colemickens:matrix.orgcolemickens 🏳️‍🌈 when using nix cli 2, you can often structure things such that your commands are actually arch ambiguous. nix run .#install-secrets does the right thing because it auto-coerces that to (a number of things including) .apps.{archs}.install-secrets. The {arch} it tries during the coercion is based on the host executing nix. 05:10:02
27 Sep 2021
@aciceri:nixos.devzrsk
In reply to @balsoft:balsoft.ru
  1. No, it's not, by design (it wouldn't be hermetic otherwise)
  2. Yes! https://github.com/serokell/update-daemon (it's still somewhat WIP though)
  1. I understand, it makes sense
  2. Really interesting, it could be exactly what I was looking for, I'm definitely going to try it. Looking at module definition I can't understand how to set the agentSetup option. I also don't understand if I have to create another GitHub user or what. Are there any examples?
15:38:56
@balsoft:balsoft.rubalsoft
In reply to @aciceri:nixos.dev
  1. I understand, it makes sense
  2. Really interesting, it could be exactly what I was looking for, I'm definitely going to try it. Looking at module definition I can't understand how to set the agentSetup option. I also don't understand if I have to create another GitHub user or what. Are there any examples?
(2) Sadly examples aren't public, but I can provide you with a snippet if you want
15:41:17
@balsoft:balsoft.rubalsoft Also, note that it's currently WIP, there's definitely going to be changes in the way it works (though hopefully not breaking the module interface) 15:41:44
@aciceri:nixos.devzrsk
In reply to @colemickens:matrix.org
when using nix cli 2, you can often structure things such that your commands are actually arch ambiguous. nix run .#install-secrets does the right thing because it auto-coerces that to (a number of things including) .apps.{archs}.install-secrets. The {arch} it tries during the coercion is based on the host executing nix.
Sorry but what is nix cli 2? And is nix run .# install-secrets standard or you meant a particular flake? I'm really interested but I really can't understand what are you talking about
15:43:25
@balsoft:balsoft.rubalsoft
In reply to @aciceri:nixos.dev
Sorry but what is nix cli 2? And is nix run .# install-secrets standard or you meant a particular flake? I'm really interested but I really can't understand what are you talking about
install-secrets is not standard
15:43:48
@balsoft:balsoft.rubalsoft nix cli 2 is the experimental nix-command feature, I suppose 15:43:59
@aciceri:nixos.devzrsk
In reply to @balsoft:balsoft.ru
(2) Sadly examples aren't public, but I can provide you with a snippet if you want
If it's not a problem and you've a working example at hand I would like to see it.
15:44:04
@balsoft:balsoft.rubalsoft
In reply to @aciceri:nixos.dev
If it's not a problem and you've a working example at hand I would like to see it.
{ config, pkgs, lib, inputs, ... }: {
  vault-secrets.secrets.update-daemon = {
    secretsAreBase64 = true;
  };

  services.update-daemon = {
    enable = true;
    secretFile = "${config.vault-secrets.secrets.update-daemon}/environment";
    agentSetup = ''
      export PATH="$PATH":${lib.makeBinPath [ pkgs.openssh ]}
      if [[ -z "''${SSH_AGENT_PID:-}" ]] ; then
        echo "Starting an ephemeral ssh-agent" >&2;
        eval "$(ssh-agent -s)"
      fi
      cat ${config.vault-secrets.secrets.update-daemon}/private_ssh_key | env SSH_ASKPASS="$(command -v false)" ssh-add -
    '';
    repos = {
      github = {
        serokell = {
          gemini-infra = {};
          pegasus-infra = {};
        };
      };
    };
    settings = {
      author.email = "operations@serokell.io";
      extra_body = "CC @serokell/operations";
    };
  };
}
15:46:07
@balsoft:balsoft.rubalsoft Here's an example 15:46:15
@balsoft:balsoft.rubalsoft It shows what to do in agentSetup 15:46:27
@aciceri:nixos.devzrsk
In reply to @balsoft:balsoft.ru
nix cli 2 is the experimental nix-command feature, I suppose
Ahhh, thank you
15:46:41
@aciceri:nixos.devzrsk
In reply to @balsoft:balsoft.ru
{ config, pkgs, lib, inputs, ... }: {
  vault-secrets.secrets.update-daemon = {
    secretsAreBase64 = true;
  };

  services.update-daemon = {
    enable = true;
    secretFile = "${config.vault-secrets.secrets.update-daemon}/environment";
    agentSetup = ''
      export PATH="$PATH":${lib.makeBinPath [ pkgs.openssh ]}
      if [[ -z "''${SSH_AGENT_PID:-}" ]] ; then
        echo "Starting an ephemeral ssh-agent" >&2;
        eval "$(ssh-agent -s)"
      fi
      cat ${config.vault-secrets.secrets.update-daemon}/private_ssh_key | env SSH_ASKPASS="$(command -v false)" ssh-add -
    '';
    repos = {
      github = {
        serokell = {
          gemini-infra = {};
          pegasus-infra = {};
        };
      };
    };
    settings = {
      author.email = "operations@serokell.io";
      extra_body = "CC @serokell/operations";
    };
  };
}
Thank you! I'll try it soon
15:48:20
@aciceri:nixos.devzrsk A curiosity: could you send me an example of PR that this process generates, please? 15:49:54
@aciceri:nixos.devzrsk I mean the Github link 15:50:05
@balsoft:balsoft.rubalsoft Uh, it's quite... Noisy at the moment 15:50:05
