| 18 Oct 2022 |
@v:meowy.tech | In reply to @linus:schreibt.jetzt then again, having both the encrypted secrets and the unencrypted SSH host key on disk isn't much different from having the unencrypted secrets on disk. I guess the various permissions on the file also matter: the Nix store is world-readable, but the SSH host key probably isn't | 09:10:16 |
Linux Hackerman | right, but none of these approaches make the unencrypted secrets world-readable | 09:10:36 |
Linux Hackerman | that's definitely off the table for me ^^ | 09:10:56 |
@v:meowy.tech | My setup with a HashiCorp Vault is probably overkill, but once set up it does work quite nicely, I have to say | 09:11:40 |
Linux Hackerman | I kind of want to have something like that but I also don't want to set it up and maintain it x) | 09:12:05 |
Shyim | I feel that too xD | 09:12:33 |
Shyim | more services, more pain | 09:12:42 |
Linux Hackerman | Some services are pretty painless to maintain. Vault is not "some services" as far as I can tell ^^ | 09:13:21 |
Shyim | :D | 09:13:41 |
Shyim | so then I'll go test this out. I have a benchmark cluster of 10 VPS at work with Ansible, and setting it up always hurts. So I hope with colmena it will be better :D | 09:14:20 |
Linux Hackerman | oof | 09:14:52 |
Linux Hackerman | Do they need to be long-lived? It may be more convenient to build disk images and use those rather than maintaining long-lived stateful servers | 09:15:26 |
Linux Hackerman | at that scale | 09:15:36 |
Shyim | and randomly the apt-get servers are down, or some weird Ansible modules fail to install | 09:15:39 |
@v:meowy.tech | In reply to @linus:schreibt.jetzt Some services are pretty painless to maintain. Vault is not "some services" as far as I can tell ^^ Yeah, it can take a bit of fiddling to get right. Also, the need to unlock the vault manually after a restart can be a bit of a bother | 09:15:48 |
Shyim | It's just for benchmarking for 2 hours, automated in CI, testing that the software scales | 09:16:23 |
@v:meowy.tech | I maintain quite a few NixOS configurations with colmena without too much issue, it is definitely one of the better deployment tools for bigger sets of machines in my experience | 09:20:39 |
@v:meowy.tech | (attached image.png) | 09:20:41 |
Linux Hackerman | "null" is that the actual hostname? | 09:21:01 |
@v:meowy.tech | In reply to @linus:schreibt.jetzt "null" is that the actual hostname? yeah it is haha, it's my laptop | 09:21:10 |
Linux Hackerman | I'm going to write the deployment tool of my dreams one day | 09:23:14 |
Linux Hackerman | Or possibly extend deploy-rs to become the deployment tool of my dreams | 09:24:21 |
@v:meowy.tech | deploy-rs is nice but it was far too slow for my use case, switched to colmena from it | 09:24:54 |
Linux Hackerman | oh really? What was slow about it? | 09:25:02 |
Linux Hackerman | I'm surprised because deploy-rs works with flakes a bit better so you should be getting more from the eval cache. AFAIU. | 09:25:40 |
@v:meowy.tech | Yeah, but it builds/evaluates/deploys all the configs sequentially, so with a lot of machines it just took an extremely long time | 09:27:08 |
Linux Hackerman | oh really? Didn't know that | 09:27:36 |
@v:meowy.tech | there is this open issue on deploy-rs at least: https://github.com/serokell/deploy-rs/issues/46 | 09:30:56 |
Shyim | I almost deployed. It fails now to build the man-cache. Did anyone have this issue before? I did run just build with my server config :D | 10:23:06 |
@v:meowy.tech | what's the error? | 10:40:37 |