Nix: Cloud Native | 260 Members | 65 Servers

| Message | Time |
|---|---|
| 15 Dec 2025 | |
| Would be nice if someone could look at https://github.com/NixOS/nixpkgs/pull/427694 | 16:07:34 |
| 19 Dec 2025 | |
| I don't think this does what you think it does? If a derivation could leak this information from the host builder, we have a vulnerability -- not a feature | 09:58:00 |
| Oooh wait. It disables sandboxing | 09:58:08 |
| This is a terrible idea imo | 09:58:21 |
| Feels like it's way better to attach this as OCI metadata outside of the nix build sandbox after doing the build | 09:59:36 |
| Leaking this into the build sandbox feels cursed | 09:59:46 |
| I really don't like this. closureInfo is already a nightmare for reproducibility and this just makes it even worse ._. | 10:03:18 |
| Though maybe a generic mechanism for this *is* useful. I guess our ISO images have the same issue of shipping nix store paths without provenance information | 10:04:05 |
| And all the store paths in it are "ultimately" trusted | 10:04:28 |
| Please write feedback into the PR, please 🙈 | 17:05:49 |
| 28 Dec 2025 | |
| lillecarl: How does easykubenix compare with nixidy? | 06:14:49 |
| @kalbasit:matrix.org nixidy is a more complete deployment solution. easykubenix should be compared to "kubenix", which nixidy uses to render manifests. My intention is to maybesoonishsoleday™️ make easykubenix compatible with nixidy as "easyApplication" or something. I don't like kubenix codegen. | 16:14:30 |
| Got it, makes sense | 19:43:40 |
| lillecarl: I do have another question: do you recommend a solution for remote builds on Kubernetes? I have a cluster running on bare metal and I want to leverage it for remote builds instead of using my old laptop for that. | 19:44:32 |
| @kalbasit:matrix.org nix-csi enables you to tag nodes as builders; it's pretty barely tested but it works. It completely bypasses resource constraints. It works by using the in-cluster cache pod as an SSH jump box into the nodes which can run builds. It'll be developed further :) | 19:48:37 |
| Do you have a manifest (yaml) I can use to give it a try; sort of a demo or whatever you have on your end? | 19:49:29 |
| I'll get back to you about that :) | 20:00:31 |
| 29 Dec 2025 | |
| Happy holidays btw! | 01:40:54 |
| @kalbasit:matrix.org I've been thinking about how to architect the in-kube building. The way it works now is pretty dumb since you can't constrain it properly. My current idea is to use a Deployment for building that mounts the same hostPath (optionally maybe) as the DaemonSet. I'll have to verify that I can make sure builds run in the Deployment instead of talking to the Nix daemon running in the DS. I've also been considering if I should stop running the nix daemon altogether since it's effectively a single-user system anyway. nix-csi is privileged. I'd love to hear ideas. I'm pretty sure I'll dump "dinix" and run multiple containers, like Kube wants you to, too. I'm aiming for 1.0 in Q1 where all the things not just work, but work "like they should". Building in Kubernetes won't be as good as nixbuild.net but it'll be good enough ™️ | 14:59:49 |
| Back in 2022 at my previous company, what I ended up doing was an overnight Job that builds an EBS volume ("the cache") and creates a snapshot of it. Then every CI job that needs the Nix store would request an EBS volume based on the latest snapshot available, and it takes 10 to 30 seconds for that to become available (not a problem for a 20-40 minute job at the time...). Maybe this could be implemented in a similar way? At home I run Proxmox with TrueNAS and a couple of clusters; all clusters use democratic-csi to mount iSCSI volumes, and support for ZFS snapshots does exist, although I have not tested creating a volume from a snapshot, but it could be possible. hostPath does not work for me because I use Talos and it doesn't allow hostPath without having a non-ephemeral volume (which I do have on 2 out of 13 worker nodes, specifically for cnpg to run on SSDs instead of spinners via iSCSI)... | 19:42:02 |