Colmena - Public Room Timeline

	Colmena	325 Members
	A simple, stateless NixOS deployment tool - https://github.com/zhaofengli/colmena	111 Servers

Load older messages

Sender	Message	Time
9 Jun 2022
Taeer Bar-Yam	anyway, this works great. thank you :)	19:22:21
10 Jun 2022
	lblasc joined the room.	08:54:46
18 Jun 2022
David Arnold (blaggacao)	Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89? I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream. I think I'm just not ready yet for forking, so I'd appreciate if I can build on those building blocks.	02:10:55
David Arnold (blaggacao)	* Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89? I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream. I think I'm just not ready yet for fully forking, so I'd appreciate if I can build on those building blocks.	02:11:12
David Arnold (blaggacao)	* Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89? I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream. I think I'm just not ready yet for fully forking, so I'd appreciate if I could build on those building blocks.	02:11:26
David Arnold (blaggacao)	* Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89? I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream.	02:11:56
	@atharvaamritkar:matrix.org joined the room.	10:03:38
19 Jun 2022
Zhaofeng Li	In reply to @blaggacao:matrix.org Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89? I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream. Hi sorry, been busy in the past couple of days. Minimizing the eval interface should be fine and I'll review and merge it today.	20:09:17
Zhaofeng Li	Note that the eval interface is still subject to change in the near future, like for the upcoming auto rollback feature as well as https://github.com/zhaofengli/colmena/pull/96	20:09:18
David Arnold (blaggacao)	Since using deploy-rs, I never used the auto-rollback feature. But this is probably less a fault of the rollback fearure amd more of the systemd-mediated choreographed (not orchestrated) reconciliation loop.	20:49:17
David Arnold (blaggacao)	(i'm alluding at the choreography vs orchestration discussion, here)	20:50:28
21 Jun 2022
	lemmalamma joined the room.	00:04:54
lemmalamma	(New to Colmena and just Nix in general). How do y'all deal with bootstrapping secrets in a Colmena deployment. For example, I have a secret key that I don't want to keep in repo. So every time a developer clones the colmena nix code they would have to get the secret key and create the file on their local machine. I want to split my colmena deploymeny into 2 parts: Bootstrapping secrets. Should only be done by very few people who have access to the secrets. Any other configuration that can be run by anyone and CI. Does this make sense to do?	00:24:45
lemmalamma	* (New to Colmena and just Nix in general). How do y'all deal with bootstrapping secrets in a Colmena deployment. For example, I have a secret key that I don't want to keep in repo. So every time a developer clones the colmena nix code they would have to get the secret key and create the file on their local machine. I want to split my colmena deploymeny into 2 parts: Bootstrapping secrets. Should only be done by very few people who have access to the secrets. Any other configuration that can be run by anyone and CI. They should be able to `colmena apply` without getting secret keys from somewhere else manually. Does this make sense to do?	00:25:36
Linux Hackerman	lemmalamma: colmena stores the secrets unencrypted on the target hosts, so these "unauthorised" users can still fairly trivially get the secret keys by deploying their own code to the machines.	01:03:55
Linux Hackerman	you also don't need to split it into two, since colmena supports using a command to get secrets -- so you can store them together with your deployment, encrypted (with a tool of your choice) to the authorised users.	01:05:11
lemmalamma	In reply to @linus:schreibt.jetzt lemmalamma: colmena stores the secrets unencrypted on the target hosts, so these "unauthorised" users can still fairly trivially get the secret keys by deploying their own code to the machines. This part makes sense. I don't want to enforce access control here. I just want developers who work on infrastructure code's lives easier by not requiring them to set up local secrets manually every time.	01:07:15
lemmalamma	In reply to @linus:schreibt.jetzt you also don't need to split it into two, since colmena supports using a command to get secrets -- so you can store them together with your deployment, encrypted (with a tool of your choice) to the authorised users. What common tools are there?	01:07:32
Linux Hackerman	gpg and age are the two main contenders I'd say	01:07:44
Linux Hackerman	gpg optionally wrapped with pass	01:08:04
Linux Hackerman	there's also sops and sops-nix, but I know too little about it to say if it applies here or not	01:08:48
Linux Hackerman	it's definitely on my list of things to look into one day, because it seems like it can do some nice things	01:09:15
Tim	you can also check out agenix, it is basically sops-nix but with age and I am happily using it, not with colmena yet though.. it is dead simple especially when using the system ssh keys in /etc/ssh/	06:27:34
lemmalamma	In reply to @tiha889a:tu-dresden.de you can also check out agenix, it is basically sops-nix but with age and I am happily using it, not with colmena yet though.. it is dead simple especially when using the system ssh keys in /etc/ssh/ I made sops-nix work for me after a bit of wrangling.	10:11:35
dantefromhell	i'm wondering: is there a collection/ examples of how people use colmena?	12:35:50
dantefromhell	I'm using the colmena from git (commit 9db25bd) with flakes. I'm struggling to understand how to define a hive w/ 2 systems where one is using `nixpkgs/22.05` while the other is using `nixpkgs/unstable` as `pkgs` source.	14:59:43
Jane Jasperous	meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; nodeNixpkgs = { rpi-tv = import nixpkgs-unstable {}; }; ... }```	15:02:05
dantefromhell	In reply to @janejasperous:one.ems.host meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; nodeNixpkgs = { rpi-tv = import nixpkgs-unstable {}; }; ... }``` Thx, yes that works!	15:30:30
dantefromhell	Until I change the `system` in `nodeNixpkgs` to something different than `nixpkgs`. Than I get the error `[ERROR] stderr) error: a 'aarch64-linux' with features {} is required to build '/nix/store/h5ggpshqjbl14pp1qri043d5dk0n2iyc-append-initrd-secrets.drv', but I am a 'x86_64-linux' with features {benchmark, big-parallel, kvm, nixos-test}`	15:32:02
CRTified	In reply to @dantefromhell:matrix.org Until I change the `system` in `nodeNixpkgs` to something different than `nixpkgs`. Than I get the error `[ERROR] stderr) error: a 'aarch64-linux' with features {} is required to build '/nix/store/h5ggpshqjbl14pp1qri043d5dk0n2iyc-append-initrd-secrets.drv', but I am a 'x86_64-linux' with features {benchmark, big-parallel, kvm, nixos-test}` Either use `deploy.buildOnTarget`, enable qemu binfmt emulation or try and get it running using pkgsCross for true cross compilation	15:33:22

Show newer messages

Back to Room ListRoom Version: 6