| 14 Oct 2022 |
 Zhaofeng Li | In reply to @ronixx:matrix.org
able to connect shell via Oracle Cloud Shell but direct ssh is not working
and websites are hosted on server also showing down but containers are running fine
You need to see what's going on via the serial console. Try looking at the network configs, firewall, and stuff. | 02:35:31 |
 roshan | byteio.in 🌷 | this is my config https://yaso.su/UDwGxzpq | 03:54:42 |
| roshan | byteio.in 🌷 | i have open ports from Oracle Account for instance. | 03:55:10 |
| roshan | byteio.in 🌷 | 
Download image.png | 03:55:29 |
| roshan | byteio.in 🌷 | Ports are also showing opened in Serial Console | 03:56:45 |
| Zhaofeng Li | Remove boot.isContainer = true; (it's not a container) and include oci-common.nix from this PR | 19:50:19 |
| Zhaofeng Li | But still from the serial console, can you try whether networking is working? Check ip , do some pings/traceroutes/etc | 19:51:16 |
| 15 Oct 2022 |
|  Otavio Salvador joined the room. | 11:36:35 |
| 16 Oct 2022 |
 Linux Hackerman | colmena is breaking with lazy-trees nix:
colmena apply --on sol boot
warning: unknown setting 'structured-drv-logs'
warning: Git tree '/home/linus/deploy' is dirty
[INFO ] Using flake: git+file:///home/linus/deploy
warning: unknown setting 'structured-drv-logs'
warning: Git tree '/home/linus/deploy' is dirty
warning: will not write lock file of flake 'path:/tmp/nix-shell.NZrVap/colmena-assets-A0gZ3E' because it has an unlocked input ('git+file:///home/linus/deploy')
[INFO ] Enumerating nodes...
warning: unknown setting 'structured-drv-logs'
error: cannot call 'getFlake' on unlocked flake reference 'path:/tmp/nix-shell.NZrVap/colmena-assets-A0gZ3E', at «string»:1:29 (use --impure to override)
[ERROR] -----
[ERROR] Operation failed with error: Child process exited with error code: 1
| 12:39:27 |
| Linux Hackerman | I think this is an intentional breaking change on the Nix side | 12:39:38 |
| Linux Hackerman | oh right, this is only a problem with dirty trees though | 12:41:17 |
| Zhaofeng Li | Right, need to take a look. There are some more breaking changes regarding path: flakes that I noticed:
$ nix flake metadata --json
warning: Git tree '/home/zhaofeng/Git/fleet' is dirty
error: lock file contains unlocked input '{"lastModified":1665862219,"narHash":"sha256-VPPLMapU8HtCjb54WDKsnjTjyB3YYXkgxEtzf5Xyqx0=","type":"git","url":"file:///home/zhaofeng/Git/Jovian-NixOS"}'
(use '--show-trace' to show detailed location information)
| 20:26:56 |
| Zhaofeng Li | * Right, need to take a look. There are some more breaking changes regarding path: flakes that I noticed with lazy-trees:
$ nix flake metadata --json
warning: Git tree '/home/zhaofeng/Git/fleet' is dirty
error: lock file contains unlocked input '{"lastModified":1665862219,"narHash":"sha256-VPPLMapU8HtCjb54WDKsnjTjyB3YYXkgxEtzf5Xyqx0=","type":"git","url":"file:///home/zhaofeng/Git/Jovian-NixOS"}'
(use '--show-trace' to show detailed location information)
| 20:27:12 |
| Zhaofeng Li | * Right, need to take a look. There are some more breaking changes regarding git+file:// flakes that I noticed with lazy-trees:
$ nix flake metadata --json
warning: Git tree '/home/zhaofeng/Git/fleet' is dirty
error: lock file contains unlocked input '{"lastModified":1665862219,"narHash":"sha256-VPPLMapU8HtCjb54WDKsnjTjyB3YYXkgxEtzf5Xyqx0=","type":"git","url":"file:///home/zhaofeng/Git/Jovian-NixOS"}'
(use '--show-trace' to show detailed location information)
| 20:28:12 |
| 18 Oct 2022 |
|  Shyim joined the room. | 09:01:40 |
| Shyim | Hey,
How would you handle secrets? 🤔 | 09:01:57 |
| Linux Hackerman | Personally I have them checked into my deployment repo, encrypted with GPG, and use a little module to abstract over decrypting them | 09:02:55 |
| Linux Hackerman | https://gist.github.com/lheckemann/3f4f3ce05521f4ace32bddce0b66e189 | 09:03:16 |
 @v:meowy.tech | I use https://github.com/serokell/vault-secrets, but other popular options are sops-nix (https://github.com/Mic92/sops-nix) and git-crypt (https://github.com/AGWA/git-crypt) | 09:03:58 |
| Linux Hackerman | then for example I have
secrets.loki-password.user = "promtail";
services.promtail.configuration.clients = [ { ...; password_file = config.secrets.loki-password.path; } ];
| 09:04:34 |
| Linux Hackerman | and it decrypts the secret from secrets/$hostname/loki-password.gpg and copies it over at deployment time | 09:05:05 |
| Shyim | Linux Hackerman: So I need the private gpg key on the machine right? :D | 09:05:44 |
| Linux Hackerman | the advantage of this approach is that the secrets can theoretically not get copied to the nix store (in practice they do, because I use Flakes) | 09:05:53 |
| Linux Hackerman | Shyim: only on the machine from which you're deploying | 09:06:01 |
| Shyim | AHHH. cool | 09:06:43 |
| Linux Hackerman | but I think I'll be switching to agenix or sops-nix at some point in the future, partly because this approach is colmena-specific and I'm not sure I want to stick with colmena | 09:06:57 |
| Linux Hackerman | and partly because the secrets are persisted unencrypted on the target machines' disks, which I'd also prefer not to do | 09:07:26 |
| Shyim | I currently join ssh and just do nixos-rebuild so. tbh: I don't care if it's in nix store. I just don't want to have them on Github publicly accessible as my nix files are public :D | 09:08:14 |
| Linux Hackerman | both agenix and sops-nix copy the encrypted secrets to the store as part of the system closure, and they're encrypted to a key that lies on the machine (often the SSH host key) to be decrypted only to a ramfs at runtime | 09:08:37 |
| Linux Hackerman | then again, having both the encrypted secrets and the unencrypted SSH host key on disk isn't much different from having the unencrypted secrets on disk I guess | 09:09:27 |
