| 7 Jan 2025 |
|  Unit 1721344 [polygon] (it/its, es/ihr) changed their display name from polygon& (it/she) to Unit 1721344 [polygon] (it/she). | 19:38:46 |
|  Renato Trevisan set a profile picture. | 21:58:32 |
| 11 Jan 2025 |
|  @10leej:matrix.org left the room. | 18:45:37 |
| 13 Jan 2025 |
|  phaer left the room. | 13:11:52 |
| 14 Jan 2025 |
|  schrobingus set a profile picture. | 19:42:40 |
|  @rcouto:matrix.org left the room. | 20:12:30 |
| 15 Jan 2025 |
|  lotallia joined the room. | 10:03:28 |
| lotallia | Hey everyone, I'm just starting out working with Colmena so I might be missing something but, does anyone know of a good way around the either expose root to ssh or non-interactive sudo requirement of Colmena?
Both exposing root and allowing sudo without authentication are security risks I'd rather not take, so that's not gonna work for me. The only real route I see is to modify the privilege escalation command so that you could provide a password non-interactively, unless there is some kind of ssh agent forwarding wizardry that I have yet to try. However I don't know how you'd provide a password in a way that doesn't leave the password in plaintext on the target device or encrypted but decrypt-able by a key located on the target.
I've looked through the issues on the GitHub page and anything I saw that references this issue reaches mostly the same conclusions I have, so how are you guys dealing with this? Is it just not worth the pain to fight this battle? | 10:51:42 |
 dmoonfire | Using a decent key size with public key only logins for root is pretty secure. You only emit an authorized keys on the remote and, depending on settings, you need to use ssh-add to unlock it before deploying. | 13:07:33 |
 dantefromhell | Yeah this issue bugs me too...
AFAIU colmena runs ssh non-interactive hence anything that would require you to enter infos into an SSH session just fails.
There's `pam_ssh_agent` which can be configured to authorize sudo prompts via SSH keys & remotely by accessing the ssh agent on the client side.
https://www.teaparty.net/technotes/yubikey-sudo-ssh.html looks like a fairly decent write-up (minus the Yubikey which just gets added to the SSH agent).
Not sure if that's good enough for your scenario. | 14:47:13 |
|  pistache changed their profile picture. | 22:06:41 |
| pistache changed their profile picture. | 22:07:25 |
| lotallia | This is pretty much exactly what I was looking for! I've done something similar in the past so I think this could work I'll play around with it and see if it works in practice. | 22:48:51 |
| lotallia | You bring up a good point if I can't get the pam_ssh_agent to do it I'll likely relax my hangup with this one | 22:54:28 |
| 16 Jan 2025 |
| dantefromhell | In reply to @lotallia:matrix.org
This is pretty much exactly what I was looking for! I've done something similar in the past so I think this could work I'll play around with it and see if it works in practice. I'm also curious but dont have the time to investigate/ collaborate on it right now. Please report any results back if you can 🙏 | 15:15:01 |
| 17 Jan 2025 |
|  Frédéric Christ changed their display name from Frédéric Christ (DECT 5915) to Frédéric Christ. | 08:11:14 |
| lotallia | The last few days got super busy so I actually haven't had a chance to really look at this I plan on doing so later today but as I'm in the middle of a massive rewrite of my nix config any change means putting out several smaller fires first. I will report back once I have something to report :) | 18:05:39 |
| 20 Jan 2025 |
|  @oliverpool:envs.net joined the room. | 10:17:17 |
| @oliverpool:envs.net | For anyone interested, I just published a blog article regarding setting up Colmena, with passwordless reboot (with full-disk-encryption).
https://log.pfad.fr/2025/fde-nixos-colmena-passwordless-reboot/ | 11:15:15 |
| @oliverpool:envs.net | (I would be interested to know if the step scp -r user@remote: /etc/nixos/ ./host-a correct is for the setup. If yes, it would probably make sense to update the documentation) | 11:17:02 |
| @oliverpool:envs.net | (I would be interested to know if the step scp -r user@remote: /etc/nixos/ ./host-a is correct, for the initial setup. If yes, it would probably make sense to update the documentation) | 11:17:21 |
|  n0emis left the room. | 11:17:25 |
| @oliverpool:envs.net | (I would be interested to know if the step scp -r user@remote: /etc/nixos/ ./host-a is correct, for the initial setup. If yes, it would probably make sense to update the official documentation) | 11:17:29 |
|  @solomon:cofree.coffee left the room. | 17:44:52 |
| 21 Jan 2025 |
|  lanice joined the room. | 19:25:43 |
| 22 Jan 2025 |
|  marshmallow changed their profile picture. | 06:52:00 |
| 26 Jan 2025 |
|  @mel05saq:inphima.de joined the room. | 14:57:35 |
|  Quentin Le Guennec joined the room. | 17:27:16 |
| Quentin Le Guennec | Hello, I can't get my remote builder to work with colmena. I added "ssh://quentin@xxx x86_64-linux ~/.ssh/quentin-offen" to my machinesFile but colmena still complains about not being able to build linux things:
error: a 'x86_64-linux' with features {} is required to build '/nix/store/zszyc30901qn2b7kqx6wwp0hxbwm9kzl-haskell-generic-builder-test-wrapper.sh.drv', but I am a 'aarch64-darwin' with features {apple-virt, benchmark, big-parallel, nixos-test}
| 17:29:00 |
| 27 Jan 2025 |
|  Florian joined the room. | 11:17:24 |
