| 2 Dec 2022 |
 @ask-yourself:matrix.org | For some reason my current config will build locally (on any of my machines) but will not push to my remote machine. It complains about lacking valid signatures. This is the line causing the issue (if I remove it I can push config to any machine): https://gitlab.com/IsaacBrown92/dotfiles/-/blob/main/modules/rofi/default.nix#L18 | 12:43:43 |
| @ask-yourself:matrix.org | inherit (config.lib.formats.rasi) mkLiteral;
| 12:44:06 |
| @ask-yourself:matrix.org | Could anybody clarify why this is happening? | 12:44:21 |
| @ask-yourself:matrix.org | In the NixOS server the had me run nix store verify --all, which outputted:
.dotfiles on main [!?] ⊥ nix store verify --all
path '/nix/store/4nhcx0ndfa374cgvi6x9sg73prmxmc04-publicsuffix-list-2021-09-03' is untrusted
path '/nix/store/y1hybm8h1kln0hg06c42m4g1wsblc0ig-freefont-ttf-20120503' is untrusted
path '/nix/store/ah9gyp7rxak9ig2q829myn6172jn302f-hack-font-3.003' is untrusted
path '/nix/store/dbn507rrsmgmdxwknhb3554nmkl0kvgi-gyre-fonts-2.005' is untrusted
path '/nix/store/jcqky5xbknabz7wn5p90qk0g9s031yzb-nixos-22.05.2764.0ba2543f8c8' is untrusted
| 12:44:46 |
| @ask-yourself:matrix.org | But after that they were not sure where to go. They said it wasn't an eval issue, so I thought maybe it's Colmena? Not sure. | 12:45:13 |
| @ask-yourself:matrix.org | * inherit (config.lib.formats.rasi) mkLiteral;
| 12:45:29 |
 Wanja Hentze | In reply to @zhaofeng:zhaofeng.li
Have you tried `--evaluator streaming`? It makes evaluation actually parallel using nix-eval-jobs. It's not the default yet but may be soon yes, actually that's what made us move from morph to colmena | 13:42:23 |
| Wanja Hentze | brought down eval time from several minutes to a little over one minute, so that's great :) | 13:42:43 |
| Wanja Hentze | what also helped: using disabledModules extensively to blacklist things that we never use | 13:44:44 |
| Wanja Hentze | the streaming evaluator also brought down RAM usage from ~40GB to a little under 10 | 13:45:17 |
 Linux Hackerman | In reply to @ask-yourself:matrix.org
In the NixOS server the had me run nix store verify --all, which outputted:
.dotfiles on main [!?] ⊥ nix store verify --all
path '/nix/store/4nhcx0ndfa374cgvi6x9sg73prmxmc04-publicsuffix-list-2021-09-03' is untrusted
path '/nix/store/y1hybm8h1kln0hg06c42m4g1wsblc0ig-freefont-ttf-20120503' is untrusted
path '/nix/store/ah9gyp7rxak9ig2q829myn6172jn302f-hack-font-3.003' is untrusted
path '/nix/store/dbn507rrsmgmdxwknhb3554nmkl0kvgi-gyre-fonts-2.005' is untrusted
path '/nix/store/jcqky5xbknabz7wn5p90qk0g9s031yzb-nixos-22.05.2764.0ba2543f8c8' is untrusted
That means the path isn't signed by a key listed in trusted-public-keys | 13:52:19 |
| Linux Hackerman | if you deploy as root, you won't have this problem | 13:52:31 |
| Linux Hackerman | as is, you either need to make sure the machine you build on signs its paths (I wrote a little nixos module that does that https://github.com/NixOS/nix/issues/3023#issuecomment-781131502) and that the targets trust the key | 13:53:44 |
| Linux Hackerman | or add your deploy user to trusted-users, which is root-equivalent access | 13:54:03 |
| Linux Hackerman | Why don't you just deploy as root? | 13:54:26 |
| @ask-yourself:matrix.org | Thank you! | 14:00:02 |
| @ask-yourself:matrix.org | Yeah I accidentally removed this line while refactoring: trustedUsers = ["${user}"]; | 14:00:19 |
| @ask-yourself:matrix.org | What does it mean for a path to be untrusted? | 14:00:44 |
