28 Dec 2024 |
Justinas Stankevičius | * I think you need to have colmena as an input to your flake, then add colmena.nixosModules.deploymentOptions as shown in this comment: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1047199551 | 14:58:32 |
dmoonfire | And that was the last bit I needed. Thank you so very much 💙, that was definitely a frustrating eight days that I would never have figured out without your help. Hopefully 25.04 won't be as painful. | 20:59:12 |
29 Dec 2024 |
| Bonus changed their display name from Bonus to Bonus (p4team, 7128). | 12:09:22 |
| Bonus changed their display name from Bonus (p4team, 7128) to Bonus. | 12:52:36 |
30 Dec 2024 |
| schrobingus joined the room. | 09:23:46 |
| raitobezarius changed their display name from raitobezarius (DECT: 3538 / EPVPN 2681) to raitobezarius. | 16:27:22 |
| Tommy changed their display name from Tommy (3841) to Tommy. | 19:25:09 |
31 Dec 2024 |
| phaer changed their display name from phaer (8650 at 38c3) to phaer. | 19:23:59 |
1 Jan 2025 |
| kevinpthorne joined the room. | 06:48:07 |
kevinpthorne | Hi all - new to Nix generally and using colmena for remote deployment after generating system images for bootstrapping. I am running into an issue with either colmena, the nix store, or somewhere else. Running nix build '.#nixosConfigurations.my-config... in my flake works, but colmena build --on my-config doesn't. The stacktrace from colmena was similar to an issue that I resolved in a previous commit, making it look like some source was out of date. Any ideas? | 06:52:38 |
| NixOS Moderation Bot changed room power levels. | 14:26:27 |
4 Jan 2025 |
| Tammi (ey/em) joined the room. | 01:13:36 |
6 Jan 2025 |
| @jh-devv:matrix.org changed their display name from Sofie 🏳️⚧️ to jh-devv. | 19:00:33 |
| @jh-devv:matrix.org changed their display name from jh-devv to Sofie Halenius 🏳️⚧️. | 19:01:14 |
| @jh-devv:matrix.org changed their display name from Sofie Halenius 🏳️⚧️ to Sofie 🏳️⚧️. | 19:03:21 |
7 Jan 2025 |
| Unit 1721344 [polygon] (it/its, es/ihr) changed their display name from polygon& (it/she) to Unit 1721344 [polygon] (it/she). | 19:38:46 |
| Renato Trevisan set a profile picture. | 21:58:32 |
11 Jan 2025 |
| @10leej:matrix.org left the room. | 18:45:37 |
13 Jan 2025 |
| phaer left the room. | 13:11:52 |
14 Jan 2025 |
| schrobingus set a profile picture. | 19:42:40 |
| @rcouto:matrix.org left the room. | 20:12:30 |
15 Jan 2025 |
| lotallia joined the room. | 10:03:28 |
lotallia | Hey everyone, I'm just starting out working with Colmena so I might be missing something, but does anyone know of a good way around the either-expose-root-to-ssh or non-interactive-sudo requirement of Colmena?
Both exposing root and allowing sudo without authentication are security risks I'd rather not take, so that's not gonna work for me. The only real route I see is to modify the privilege escalation command so that you could provide a password non-interactively, unless there is some kind of ssh agent forwarding wizardry that I have yet to try. However, I don't know how you'd provide a password in a way that doesn't leave the password in plaintext on the target device, or encrypted but decryptable by a key located on the target.
I've looked through the issues on the GitHub page and anything I saw that references this issue reaches mostly the same conclusions I have, so how are you guys dealing with this? Is it just not worth the pain to fight this battle? | 10:51:42 |
dmoonfire | Using a decent key size with public key only logins for root is pretty secure. You only emit an authorized keys on the remote and, depending on settings, you need to use ssh-add to unlock it before deploying. | 13:07:33 |
dantefromhell | Yeah, this issue bugs me too...
AFAIU colmena runs ssh non-interactively, hence anything that would require you to enter info into an SSH session just fails.
There's `pam_ssh_agent` which can be configured to authorize sudo prompts via SSH keys & remotely by accessing the ssh agent on the client side.
https://www.teaparty.net/technotes/yubikey-sudo-ssh.html looks like a fairly decent write-up (minus the Yubikey, which just gets added to the SSH agent).
Not sure if that's good enough for your scenario. | 14:47:13 |
| pistache changed their profile picture. | 22:06:41 |
| pistache changed their profile picture. | 22:07:25 |
lotallia | This is pretty much exactly what I was looking for! I've done something similar in the past, so I think this could work. I'll play around with it and see if it works in practice. | 22:48:51 |
lotallia | You bring up a good point. If I can't get pam_ssh_agent to do it, I'll likely relax my hangup with this one. | 22:54:28 |
16 Jan 2025 |
dantefromhell | In reply to @lotallia:matrix.org "This is pretty much exactly what I was looking for! I've done something similar in the past, so I think this could work. I'll play around with it and see if it works in practice." I'm also curious but don't have the time to investigate/collaborate on it right now. Please report any results back if you can 🙏 | 15:15:01 |