Colmena (321 Members, 109 Servers)
A simple, stateless NixOS deployment tool - https://github.com/zhaofengli/colmena
| Sender | Message | Time |
|---|---|---|
| 30 Jul 2022 | | |
| | The chunked evaluator is the default, with nix-eval-jobs behind --evaluator streaming. There are still a few use cases nix-eval-jobs doesn't support, like remote builders during evaluation (needed for FOD with foreign architectures, used in mobile-nixos). | 06:47:52 |
| | * The chunked evaluator is the default, with nix-eval-jobs behind --evaluator streaming. There are still a few use cases nix-eval-jobs doesn't support, like remote builders during evaluation (needed for ~~FOD~~ IFD with foreign architectures, used in mobile-nixos). | 06:51:11 |
| | In reply to @zhaofeng:zhaofeng.li: Oh I missed it since I thought it would pass impure (which is the default for nix-instantiate, so obviously it doesn't), then I saw the comment and thought it was removed or something. For that IFD case, I assume it wouldn't be possible to set up something where we pass remote builders to Nix during eval (if that's possible) if ~~that wording probably doesn't make sense at all 😅~~ | 06:57:19 |
| | In reply to @zhaofeng:zhaofeng.li: * Oh I missed it since I thought it would pass impure (which is the default for nix-instantiate, so obviously it doesn't), then I saw the comment and thought it was removed temporarily. For that IFD case, I assume it wouldn't be possible to set up something where we pass remote builders to Nix during eval (if that's possible) if buildOnTarget is true, so that's handled transparently? (that would require either being root on the remote host) ~~that wording probably doesn't make sense at all 😅~~ | 06:57:32 |
| | In reply to @winterqt:nixos.dev: nix-instantiate already uses remote builders if configured globally, and we will pass --builders if meta.machinesFile is set. The problem is that nix-eval-jobs forcibly disables it due to an outstanding issue. | 07:01:59 |
| | I'm wondering if we can construct a builders argument with the data from the machines that have buildOnTarget set as well | 07:03:29 |
| | To transparently handle that IFD case | 07:03:38 |
| | Without manual configuration ahead of time | 07:03:44 |
| | Yeah, it could work pretty well combined with the recent --eval-store suggestion. | 07:06:10 |
| | The next step is to perform the actual evaluation remotely, but we aren't there yet. | 07:06:55 |
| | In reply to @zhaofeng:zhaofeng.li: Yeah, I did see that. Is that suggesting using the target machine as the store for eval with that flag? I'm pretty sure that's what they're suggesting, but the "local --eval-store" part is throwing me off. | 07:14:49 |
| | Yeah, it's a bit confusing but I think that's what they meant. | 07:15:59 |
| | In reply to @zhaofeng:zhaofeng.li: Ok, just tested, and the colmena apply-local --sudo test goal works as it currently stands. The interactive prompts of sudo don't use stdin/out. | 07:26:53 |
| | Oh, huh, they... don't? | 07:42:55 |
| | Interesting! | 07:43:09 |
| | Although, keep in mind that other privilege escalation commands (doas comes to mind) may not give us that luxury. | 07:43:33 |
| | I would assume it's the same, otherwise it won't play well with pipes and be insecure | 07:44:33 |
| | Oh, fair point. | 08:03:05 |
| | What even is there to use other than stdin/stdout in a console, though? ~~This is obviously magic.~~ | 08:03:36 |
| | I'll look into it later, I'm intrigued. | 08:03:44 |
| | Zhaofeng Li: That begs the question: why passthrough the profile switch execution, then? Were you under the assumption that it would be needed for ? | 08:04:30 |
| | In reply to @winterqt:nixos.dev: IIRC it uses /dev/console. There is a flag to make sudo use stdin though | 08:06:51 |
| | In reply to @winterqt:nixos.dev: No, it was from way before apply-local was changed to escalate privileges during activation. passthrough() is just a simple way to execute commands with both stdin/stdout piped | 08:08:27 |
| | In reply to @winterqt:nixos.dev: * IIRC it uses /dev/console. There is a flag to make sudo use stdin though (edit: it's -S) | 08:10:23 |
| | In reply to @zhaofeng:zhaofeng.li: Why was it needed for the profile switch, out of curiosity? | 08:12:58 |
| | In reply to @winterqt:nixos.dev: It was one of the four custom methods that I have to "execute" the command and get back a ColmenaResult. It's just a simple version of Command::status() which needs two layers of checking (the outer Result and the exit code). | 08:22:44 |
| 7 Aug 2022 | | |
| | Is there any way to do a health check with colmena? I see some other deployment tools support this. All I want to do is make sure that if I push a new config that disables SSH access accidentally, this is caught and rolled back. | 15:37:30 |