| 10 Aug 2021 |
 @kraftnix:matrix.org | in scope for bud wrapped yeet? | 02:37:10 |
| @kraftnix:matrix.org | at least my bud if i get around to it, although i shouldn't need to provision machines for a while so it would mostly be for fun | 02:38:14 |
 David Arnold (blaggacao) | Hm, yeah maybe a bud format-host or something. Since the exact command might be a bit pesky to remember | 02:39:06 |
| David Arnold (blaggacao) | * Hm, yeah maybe a `bud format-host` or something. Since the exact `ssh` command with all bells and whistles might be a bit pesky to remember | 02:39:45 |
| David Arnold (blaggacao) | Btw., bud gained a bud burn which basically helps identify the removable media that you want to flash an iso to. | 02:40:53 |
| David Arnold (blaggacao) | Like the /device/sdaX part for dd that you better get right 😁😆 | 02:41:32 |
| David Arnold (blaggacao) | * Like the `/dev/sdaX` part for `dd` that you better get right 😁😆 | 02:41:44 |
| @kraftnix:matrix.org | yeah, also at least for my setup I need some info back from the host, so format-host to create a new ./hosts entry would be quite useful and interactive as a devos install process. some bits of state that are somewhat required if I want to go from nothing to fully deployed during install would be to pregen root ssh keys so agenix secrets can be provisioned during install | 02:41:57 |
| David Arnold (blaggacao) | I still have the vision to boostrap and manage cryptographic host identity through an identity attestor such as Spiffe/spire or step ca | 02:44:10 |
| David Arnold (blaggacao) | So that the host can claim enrollment via a one-time short lived join token. | 02:44:42 |
| David Arnold (blaggacao) | But yeah, one step below that would probably sit the pregen approach. 😁 | 02:46:10 |
| David Arnold (blaggacao) | * But yeah, one step "below" that would probably sit the pregen approach. 😁 | 02:46:30 |
| @kraftnix:matrix.org | I like the pregen approach and use it as much as possible, getting around the chicken and egg problem is not always fun though | 02:47:20 |
| David Arnold (blaggacao) | The only downside: a concrete identity is long lived. | 02:48:07 |
| David Arnold (blaggacao) | But I have no idea how a short-lived but attested identity would be able to work with agenix & co 😁 | 02:48:57 |
| David Arnold (blaggacao) | Like "encrypt to certificate that claims decryption access via some an attribute" | 02:51:14 |
| David Arnold (blaggacao) | * Like "encrypt to certificate that claims decryption access via some cert attribute" | 02:51:27 |
| David Arnold (blaggacao) | Or just against the CommonName? | 02:52:01 |
| David Arnold (blaggacao) | Or the first DNS entry? | 02:52:34 |
| David Arnold (blaggacao) | (which I think is how https currently works?) | 02:52:53 |
| David Arnold (blaggacao) | That would be actually neat, because it a) saves some "rekeying" and b) would allow to declare secrets ahead of time. | 02:54:03 |
| David Arnold (blaggacao) | But I have no idea at all, if that is technically within the realm of possibilities. | 02:54:27 |
| David Arnold (blaggacao) | * That would be actually neat, because it a) saves some "rekeying" and b) would allow to declare secrets ahead of time. (by dns name) | 02:54:47 |
| David Arnold (blaggacao) | It isn't. | 02:57:50 |
 @timdeh:matrix.org | In reply to @blaggacao:matrix.org
I still have the vision to boostrap and manage cryptographic host identity through an identity attestor such as Spiffe/spire or step ca you may want to float this by manveru, as he was brainstorming earlier today how to bootstrap the on prem cluster | 03:21:18 |
| @timdeh:matrix.org | sorry, didn't mean to kill your conversation 😅 | 03:24:39 |
| @kraftnix:matrix.org | so the test is failing because you can't use the standard machine.start() testing framework because the host is NixOS
nix-repl> :b Flake.checks.x86_64-linux.customTestFor-NixOS-attempt
error: builder for '/nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv' failed with exit code 1;
last 5 log lines:
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:2:12 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:5:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:6:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:7:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:9:6 undefined name 'machine'
For full logs, run 'nix log /nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv'.
error: 1 dependencies of derivation '/nix/store/yl5v5rcxv9k1ddjx40dl60hbm9ss6kyg-vm-test-run-attempt.drv' failed to build
I can get the test working if I add change it to NixOS.start() or if in the machine config I add networking.hostName = lib.mkForce "machine";, is there any other way to access the actual hostname easily without this override?
| 03:25:47 |
 @gtrunsec:matrix.org | let me test it | 03:27:35 |
| @kraftnix:matrix.org | this test integration is amazing though, i know what i'll be doing for the next few days now. | 03:39:27 |
| @kraftnix:matrix.org | i have some configs that involve a lot of internal networking + firewalling, this will be so useful for making sure i don't break previously working things | 03:40:47 |
