| 24 Sep 2021 |
zrsk | In reply to @balsoft:balsoft.ru
- AFAIR you can generate workflow YAMLs at runtime. If so, nothing is stopping you from using Nix to generate them with
builtins.toJSON. If you want an example of how to do it for buildkite, see https://github.com/serokell/common-infra/blob/master/flake.nix#L69
This is even better; the only problem is my Nix skills, which are really basic. But I imagine this could be the right time to learn something new. | 12:14:41 |
zrsk | Two completely unrelated questions:
- Is it possible for a flake to "read the status" of the running system where it's executed (with
nix build or nix check, for example)? I was thinking it would be convenient (for my use case written before) to find out during the flake evaluation the host's architecture (I mean the machine where I run nix).
- Is there a GitHub bot that tries to update my flake's inputs (the flake is hosted on GitHub)? Consider that for the packages I also use
nvfetcher, which simplifies this. However, I would also like to update modules and all, not only packages.
| 20:17:06 |
ilkecan | In reply to @aciceri:nixos.dev
Two completely unrelated questions:
- Is it possible for a flake to "read the status" of the running system where it's executed (with
nix build or nix check, for example)? I was thinking it would be convenient (for my use case written before) to find out during the flake evaluation the host's architecture (I mean the machine where I run nix).
- Is there a GitHub bot that tries to update my flake's inputs (the flake is hosted on GitHub)? Consider that for the packages I also use
nvfetcher, which simplifies this. However, I would also like to update modules and all, not only packages.
For the first question, not sure if I understood what you want, but you can get the current system from the shell with nix show-config --json | jq ".system.value" and from Nix with builtins.currentSystem. But I think the latter is disabled by default with flakes and requires --impure. | 20:55:30 |
balsoft | In reply to @aciceri:nixos.dev
Two completely unrelated questions:
- Is it possible for a flake to "read the status" of the running system where it's executed (with
nix build or nix check, for example)? I was thinking it would be convenient (for my use case written before) to find out during the flake evaluation the host's architecture (I mean the machine where I run nix).
- Is there a GitHub bot that tries to update my flake's inputs (the flake is hosted on GitHub)? Consider that for the packages I also use
nvfetcher, which simplifies this. However, I would also like to update modules and all, not only packages.
- No, it's not, by design (it wouldn't be hermetic otherwise)
- Yes! https://github.com/serokell/update-daemon (it's still somewhat WIP though)
| 21:02:07 |
| 25 Sep 2021 |
colemickens 🏳️🌈 | When using nix cli 2, you can often structure things such that your commands are actually arch-ambiguous. nix run .#install-secrets does the right thing because it auto-coerces that to (a number of things including) .apps.{arch}.install-secrets. The {arch} it tries during the coercion is based on the host executing nix. | 05:10:02 |
| 27 Sep 2021 |
zrsk | In reply to @balsoft:balsoft.ru
- No, it's not, by design (it wouldn't be hermetic otherwise)
- Yes! https://github.com/serokell/update-daemon (it's still somewhat WIP though)
- I understand, it makes sense.
- Really interesting, it could be exactly what I was looking for; I'm definitely going to try it. Looking at the module definition, I can't understand how to set the
agentSetup option. I also don't understand if I have to create another GitHub user or what. Are there any examples?
| 15:38:56 |
balsoft | In reply to @aciceri:nixos.dev
- I understand, it makes sense.
- Really interesting, it could be exactly what I was looking for; I'm definitely going to try it. Looking at the module definition, I can't understand how to set the
agentSetup option. I also don't understand if I have to create another GitHub user or what. Are there any examples?
(2) Sadly examples aren't public, but I can provide you with a snippet if you want | 15:41:17 |
balsoft | Also, note that it's currently WIP, there's definitely going to be changes in the way it works (though hopefully not breaking the module interface) | 15:41:44 |
zrsk | In reply to @colemickens:matrix.org
When using nix cli 2, you can often structure things such that your commands are actually arch-ambiguous. nix run .#install-secrets does the right thing because it auto-coerces that to (a number of things including) .apps.{arch}.install-secrets. The {arch} it tries during the coercion is based on the host executing nix.
Sorry, but what is nix cli 2? And is nix run .# install-secrets standard, or did you mean a particular flake? I'm really interested, but I really can't understand what you are talking about. | 15:43:25 |
balsoft | In reply to @aciceri:nixos.dev
Sorry, but what is nix cli 2? And is nix run .# install-secrets standard, or did you mean a particular flake? I'm really interested, but I really can't understand what you are talking about.
install-secrets is not standard | 15:43:48 |
balsoft | nix cli 2 is the experimental nix-command feature, I suppose | 15:43:59 |
zrsk | In reply to @balsoft:balsoft.ru (2) Sadly examples aren't public, but I can provide you with a snippet if you want If it's not a problem and you've a working example at hand I would like to see it. | 15:44:04 |
balsoft | In reply to @aciceri:nixos.dev
If it's not a problem and you've a working example at hand I would like to see it.
{ config, pkgs, lib, inputs, ... }: {
  vault-secrets.secrets.update-daemon = {
    secretsAreBase64 = true;
  };
  services.update-daemon = {
    enable = true;
    secretFile = "${config.vault-secrets.secrets.update-daemon}/environment";
    agentSetup = ''
      export PATH="$PATH":${lib.makeBinPath [ pkgs.openssh ]}
      if [[ -z "''${SSH_AGENT_PID:-}" ]] ; then
        echo "Starting an ephemeral ssh-agent" >&2;
        eval "$(ssh-agent -s)"
      fi
      cat ${config.vault-secrets.secrets.update-daemon}/private_ssh_key | env SSH_ASKPASS="$(command -v false)" ssh-add -
    '';
    repos = {
      github = {
        serokell = {
          gemini-infra = {};
          pegasus-infra = {};
        };
      };
    };
    settings = {
      author.email = "operations@serokell.io";
      extra_body = "CC @serokell/operations";
    };
  };
}
| 15:46:07 |
balsoft | Here's an example | 15:46:15 |
balsoft | It shows what to do in agentSetup | 15:46:27 |
zrsk | In reply to @balsoft:balsoft.ru
nix cli 2 is the experimental nix-command feature, I suppose Ahhh, thank you | 15:46:41 |
zrsk | In reply to @balsoft:balsoft.ru
{ config, pkgs, lib, inputs, ... }: {
  vault-secrets.secrets.update-daemon = {
    secretsAreBase64 = true;
  };
  services.update-daemon = {
    enable = true;
    secretFile = "${config.vault-secrets.secrets.update-daemon}/environment";
    agentSetup = ''
      export PATH="$PATH":${lib.makeBinPath [ pkgs.openssh ]}
      if [[ -z "''${SSH_AGENT_PID:-}" ]] ; then
        echo "Starting an ephemeral ssh-agent" >&2;
        eval "$(ssh-agent -s)"
      fi
      cat ${config.vault-secrets.secrets.update-daemon}/private_ssh_key | env SSH_ASKPASS="$(command -v false)" ssh-add -
    '';
    repos = {
      github = {
        serokell = {
          gemini-infra = {};
          pegasus-infra = {};
        };
      };
    };
    settings = {
      author.email = "operations@serokell.io";
      extra_body = "CC @serokell/operations";
    };
  };
}
Thank you! I'll try it soon | 15:48:20 |
zrsk | A curiosity: could you send me an example of PR that this process generates, please? | 15:49:54 |
zrsk | I mean the Github link | 15:50:05 |
balsoft | Uh, it's quite... Noisy at the moment | 15:50:05 |
balsoft | I'm working on it right now | 15:50:08 |
zrsk | What do you mean by noisy? | 15:50:33 |
balsoft | https://github.com/serokell/update-daemon/pull/2 | 15:50:36 |
balsoft | In reply to @aciceri:nixos.dev
What do you mean by noisy?
It creates a new commit every time it is run and there are updates for the repository | 15:50:49 |
balsoft | Which seemed like a good idea at the time of writing, but turned out not to be | 15:51:00 |
balsoft | The idea was that humans could push fixes to the same branch, so that changes related to the update are merged together with the update | 15:51:29 |
balsoft | But unfortunately it just creates a sea of commits, which is rather overwhelming | 15:51:47 |
balsoft | I'm rewriting it to only create one meaningful commit and then stop updating if there are any human changes on the branch, under the assumption that if humans have pushed something they are going to merge rather soon. | 15:52:29 |
balsoft | Also, I'll add error reporting (if it fails to update it should create an issue) and gitlab support some time in the future | 15:53:37 |
balsoft | Currently it has rudimentary "plain git" support, but it can't submit oldschool patches via email or anything like that, it simply pushes changes to a remote branch | 15:54:28 |