| 1 Dec 2022 |
@ask-yourself:matrix.org | I was just a bit confused how to do that. | 20:53:04 |
Zhaofeng Li | nix shell github:zhaofengli/colmena should get you in a shell that has the unstable colmena. To add it to your config, add inputs.colmena.url = "github:zhaofengli/colmena"; and insert colmena.packages.${system}.colmena to devShell/systemPackages. | 20:55:36 |
@ask-yourself:matrix.org | Ok doing this now. And then once I'm unstable the command is just colmena apply-local? | 20:56:26 |
Zhaofeng Li | colmena apply --sudo with deployment.privilegeEscalationCommand set in the config. | 20:56:59 |
@ask-yourself:matrix.org | Ahhh, ok right. | 20:57:09 |
@ask-yourself:matrix.org | Sorry lots of parts.. :P | 20:57:15 |
@ask-yourself:matrix.org | I'll try this out. | 20:57:24 |
@ask-yourself:matrix.org | Ok, now it's working perfectly. Thank you. :) | 22:50:00 |
Linux Hackerman | In reply to @zhaofeng:zhaofeng.li Does doas git work? I suspect in such a case doas will do PATH resolution? | 22:51:12 |
@ask-yourself:matrix.org | In reply to @linus:schreibt.jetzt I suspect in such a case doas will do PATH resolution? Yes. | 22:51:48 |
Linux Hackerman | so doas sh -c git might be a better test | 22:52:02 |
@ask-yourself:matrix.org | ~/Test λ doas sh -c git
sh: line 1: git: command not found
| 22:52:40 |
Zhaofeng Li | In reply to @linus:schreibt.jetzt I suspect in such a case doas will do PATH resolution? Aha, TIL | 22:56:45 |
| 2 Dec 2022 |
@ask-yourself:matrix.org | For some reason my current config will build locally (on any of my machines) but will not push to my remote machine. It complains about lacking valid signatures. This is the line causing the issue (if I remove it I can push config to any machine): https://gitlab.com/IsaacBrown92/dotfiles/-/blob/main/modules/rofi/default.nix#L18 | 12:43:43 |
@ask-yourself:matrix.org | inherit (config.lib.formats.rasi) mkLiteral;
| 12:44:06 |
@ask-yourself:matrix.org | Could anybody clarify why this is happening? | 12:44:21 |
@ask-yourself:matrix.org | In the NixOS server they had me run nix store verify --all, which outputted:
.dotfiles on main [!?] ⊥ nix store verify --all
path '/nix/store/4nhcx0ndfa374cgvi6x9sg73prmxmc04-publicsuffix-list-2021-09-03' is untrusted
path '/nix/store/y1hybm8h1kln0hg06c42m4g1wsblc0ig-freefont-ttf-20120503' is untrusted
path '/nix/store/ah9gyp7rxak9ig2q829myn6172jn302f-hack-font-3.003' is untrusted
path '/nix/store/dbn507rrsmgmdxwknhb3554nmkl0kvgi-gyre-fonts-2.005' is untrusted
path '/nix/store/jcqky5xbknabz7wn5p90qk0g9s031yzb-nixos-22.05.2764.0ba2543f8c8' is untrusted
| 12:44:46 |
@ask-yourself:matrix.org | But after that they were not sure where to go. They said it wasn't an eval issue, so I thought maybe it's Colmena? Not sure. | 12:45:13 |
Wanja Hentze | In reply to @zhaofeng:zhaofeng.li Have you tried `--evaluator streaming`? It makes evaluation actually parallel using nix-eval-jobs. It's not the default yet but may be soon yes, actually that's what made us move from morph to colmena | 13:42:23 |
Wanja Hentze | brought down eval time from several minutes to a little over one minute, so that's great :) | 13:42:43 |
Wanja Hentze | what also helped: using disabledModules extensively to blacklist things that we never use | 13:44:44 |
Wanja Hentze | the streaming evaluator also brought down RAM usage from ~40GB to a little under 10 | 13:45:17 |
Linux Hackerman | In reply to @ask-yourself:matrix.org
In the NixOS server they had me run nix store verify --all, which outputted:
.dotfiles on main [!?] ⊥ nix store verify --all
path '/nix/store/4nhcx0ndfa374cgvi6x9sg73prmxmc04-publicsuffix-list-2021-09-03' is untrusted
path '/nix/store/y1hybm8h1kln0hg06c42m4g1wsblc0ig-freefont-ttf-20120503' is untrusted
path '/nix/store/ah9gyp7rxak9ig2q829myn6172jn302f-hack-font-3.003' is untrusted
path '/nix/store/dbn507rrsmgmdxwknhb3554nmkl0kvgi-gyre-fonts-2.005' is untrusted
path '/nix/store/jcqky5xbknabz7wn5p90qk0g9s031yzb-nixos-22.05.2764.0ba2543f8c8' is untrusted
That means the path isn't signed by a key listed in trusted-public-keys | 13:52:19 |
Linux Hackerman | if you deploy as root, you won't have this problem | 13:52:31 |
Linux Hackerman | as is, you either need to make sure the machine you build on signs its paths (I wrote a little nixos module that does that https://github.com/NixOS/nix/issues/3023#issuecomment-781131502) and that the targets trust the key | 13:53:44 |
Linux Hackerman | or add your deploy user to trusted-users, which is root-equivalent access | 13:54:03 |
Linux Hackerman | Why don't you just deploy as root? | 13:54:26 |
@ask-yourself:matrix.org | Thank you! | 14:00:02 |
@ask-yourself:matrix.org | Yeah I accidentally removed this line while refactoring: trustedUsers = ["${user}"]; | 14:00:19 |