Nix: Cloud Native | 282 Members | 65 Servers

| Sender | Message | Time |
|---|---|---|
| 19 Dec 2025 | ||
| And all the store paths in it are "ultimately" trusted | 10:04:28 | |
| Please write feedback into the PR, please 🙈 | 17:05:49 | |
| 28 Dec 2025 | ||
| lillecarl: How does easykubenix compare with nixidy? | 06:14:49 | |
| @kalbasit:matrix.org nixidy is a more complete deployment solution. easykubenix should be compared to "kubenix" which nixidy uses to render manifests. My intention is to maybesoonishsomeday™️ make easykubenix compatible with nixidy as "easyApplication" or something. I don't like kubenix codegen. | 16:14:30 | |
| Got it, makes sense | 19:43:40 | |
| lillecarl: I do have another question: Do you recommend a solution for remote builds on Kubernetes? I have a cluster running on bare metal and I want to leverage it for remote builds instead of using my old laptop for that. | 19:44:32 | |
| @kalbasit:matrix.org nix-csi enables you to tag nodes as builders, it's pretty barely tested but it works. It completely bypasses resource constraints. It works by using the in-cluster cache pod as SSH jump box into the nodes which can run builds. It'll be developed further :) | 19:48:37 | |
| Do you have a manifest (yaml) I can use to give it a try; sort of a demo or whatever you have on your end? | 19:49:29 | |
| I'll get back to you about that :) | 20:00:31 | |
| 29 Dec 2025 | ||
| Happy holidays btw! | 01:40:54 | |
| @kalbasit:matrix.org I've been thinking about how to architect the in-kube building. The way it works now is pretty dumb since you can't constrain it properly. My current idea is to use a Deployment for building that mounts the same hostPath (optionally maybe) as the DaemonSet. I'll have to verify that I can make sure builds run in the Deployment instead of talking to the Nix daemon running in the DS. I've also been considering if I should stop running nix daemon altogether since it's effectively a single user system anyways. nix-csi is privileged. I'd love to hear ideas. I'm pretty sure I'll dump "dinix" and run multiple containers like Kube wants you to too. I'm aiming for 1.0 Q1 where all the things not just work, but work "like they should". Building in Kubernetes won't be as good as nixbuild.net but it'll be good enough ™️ | 14:59:49 | |
| * Back in 2022 at my previous company what I ended up doing was an overnight Job that builds an EBS volume "the cache" and creates a snapshot of it. Then every CI job that needs the Nix store would request an EBS volume based on the latest snapshot available and it takes 10 to 30 seconds for that to become available (not a problem for a 20-40 minute job at the time...) Maybe this could be implemented in a similar way? At my home I run a Proxmox with TrueNAS and a couple of clusters; all clusters use democratic-csi to mount iSCSI volumes and support for ZFS snapshots does exist although I have not tested creating a volume from a snapshot but it could be possible. hostPath does not work for me because I use Talos and it doesn't allow hostPath without having a non-ephemeral volume (which I do have on 2 out of 13 worker nodes specifically for cnpg to run on SSDs instead of spinners via iSCSI)... | 19:42:44 | |
| 30 Dec 2025 | ||
| @kalbasit:matrix.org My plan is to stay entirely cloud agnostic so AWS is out of the question. I'll have to come up with different solutions for RWO and RWX builds. If you have RWX storage the in-cluster cache and the builders can just share a store but I'll also support non RWX, I have ideas to watch the builder stores and push paths to cache as soon as they're registered in the DB. I'm already patching Nix(Lix) to update "registrationtime" when a path is referenced which makes the GC in nix-csi pretty awesome (nodes keep their paths for an hour, cache for configurable time). By eagerly pushing to cache I think performance will be quite good, in-cluster speeds should be good enough to not matter much. The registrationtime updates are recursive too meaning we keep all deps and build-deps hot always (well once it's implemented :p) | 16:03:46 | |
| https://github.com/Lillecarl/lix/commit/9ac72bbd0c7802ca83a907d1fec135f31aab6d24 this is the patch for registrationTime repurposed as "last needed time" :) | 16:10:13 | |
| 10 Jan 2026 | ||
| * kalbasit: I've hit a limitation to running the builds in Kubernetes: Either you run privileged or you disable the sandbox. I added an option that easily configures these settings in tandem for the builders because it doesn't seem to be reasonable to work around. There's user namespaces but they require node configuration which I've banned from nix-csi (it must be deployable everywhere). Other than that it's chugging along nicely 😄 | 23:50:38 | |
| 14 Jan 2026 | ||
| kalbasit: Hey you're the ncps guy, nice! I've been wondering why ncps makes it mandatory to re-sign packages rather than serving the key we all already trust? 😄 | 10:45:59 | |