10 Aug 2021 |
David Arnold (blaggacao) | So that the host can claim enrollment via a one-time short lived join token. | 02:44:42 |
David Arnold (blaggacao) | But yeah, one step below that would probably sit the pregen approach. 😁 | 02:46:10 |
David Arnold (blaggacao) | * But yeah, one step "below" that would probably sit the pregen approach. 😁 | 02:46:30 |
@kraftnix:matrix.org | I like the pregen approach and use it as much as possible, getting around the chicken and egg problem is not always fun though | 02:47:20 |
David Arnold (blaggacao) | The only downside: a concrete identity is long lived. | 02:48:07 |
David Arnold (blaggacao) | But I have no idea how a short-lived but attested identity would be able to work with agenix & co 😁 | 02:48:57 |
David Arnold (blaggacao) | Like "encrypt to certificate that claims decryption access via some attribute" | 02:51:14 |
David Arnold (blaggacao) | * Like "encrypt to certificate that claims decryption access via some cert attribute" | 02:51:27 |
David Arnold (blaggacao) | Or just against the CommonName ? | 02:52:01 |
David Arnold (blaggacao) | Or the first DNS entry? | 02:52:34 |
David Arnold (blaggacao) | (which I think is how https currently works?) | 02:52:53 |
David Arnold (blaggacao) | That would be actually neat, because it a) saves some "rekeying" and b) would allow declaring secrets ahead of time. | 02:54:03 |
David Arnold (blaggacao) | But I have no idea at all, if that is technically within the realm of possibilities. | 02:54:27 |
David Arnold (blaggacao) | * That would be actually neat, because it a) saves some "rekeying" and b) would allow declaring secrets ahead of time (by DNS name). | 02:54:47 |
David Arnold (blaggacao) | It isn't. | 02:57:50 |
@timdeh:matrix.org | In reply to @blaggacao:matrix.org I still have the vision to bootstrap and manage cryptographic host identity through an identity attestor such as Spiffe/spire or step ca: you may want to float this by manveru, as he was brainstorming earlier today how to bootstrap the on-prem cluster | 03:21:18 |
@timdeh:matrix.org | sorry, didn't mean to kill your conversation 😅 | 03:24:39 |
@kraftnix:matrix.org | so the test is failing because you can't use the standard machine.start() testing framework because the host is NixOS
nix-repl> :b Flake.checks.x86_64-linux.customTestFor-NixOS-attempt
error: builder for '/nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv' failed with exit code 1;
last 5 log lines:
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:2:12 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:5:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:6:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:7:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:9:6 undefined name 'machine'
For full logs, run 'nix log /nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv'.
error: 1 dependencies of derivation '/nix/store/yl5v5rcxv9k1ddjx40dl60hbm9ss6kyg-vm-test-run-attempt.drv' failed to build
I can get the test working if I change it to NixOS.start() or if in the machine config I add networking.hostName = lib.mkForce "machine"; , is there any other way to access the actual hostname easily without this override?
| 03:25:47 |
@gtrunsec:matrix.org | let me test it | 03:27:35 |
@kraftnix:matrix.org | this test integration is amazing though, i know what i'll be doing for the next few days now. | 03:39:27 |
@kraftnix:matrix.org | i have some configs that involve a lot of internal networking + firewalling, this will be so useful for making sure i don't break previously working things | 03:40:47 |
David Arnold (blaggacao) | In reply to @kraftnix:matrix.org
so the test is failing because you can't use the standard machine.start() testing framework because the host is NixOS
nix-repl> :b Flake.checks.x86_64-linux.customTestFor-NixOS-attempt
error: builder for '/nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv' failed with exit code 1;
last 5 log lines:
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:2:12 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:5:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:6:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:7:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:9:6 undefined name 'machine'
For full logs, run 'nix log /nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv'.
error: 1 dependencies of derivation '/nix/store/yl5v5rcxv9k1ddjx40dl60hbm9ss6kyg-vm-test-run-attempt.drv' failed to build
I can get the test working if I change it to NixOS.start() or if in the machine config I add networking.hostName = lib.mkForce "machine"; , is there any other way to access the actual hostname easily without this override?
So there is an implementation error to say the least upstream in that fqdn != hostname != node name | 04:14:43 |
David Arnold (blaggacao) | For example you can't meaningfully run tests for bastion.example.com and bastion.local wired together in the same network. | 04:15:39 |
David Arnold (blaggacao) | * For example you can't meaningfully run tests for `bastion.example.com` and `bastion.local` wired together in the same network. | 04:15:47 |
David Arnold (blaggacao) | * For example you can't meaningfully run tests for `bastion.example.com` and `bastion.local` wired together in the same network (without implementing that work around). | 04:16:23 |
David Arnold (blaggacao) | What's worse, Python identifiers can't have dashes. So the set of legal hostnames is not RFC1035(?) compliant. Just for tests. | 04:17:13 |
David Arnold (blaggacao) | * What's worse, Python identifiers can't have dashes. So the set of legal hostnames (= DNS label) is not RFC1035(?) compliant. Just for tests. | 04:17:27 |
David Arnold (blaggacao) | I find that pretty egocentric of the nixos test framework. | 04:17:52 |
David Arnold (blaggacao) | * So there is an implementation error to say the least upstream in that `fqdn != hostname != node name` | 04:18:19 |
David Arnold (blaggacao) | I think a pervasive solution would be machines["<fqdn>"] | 04:19:35 |