!VhbWwlUdjHkamKnfrK:nixos.org

Nix: Cloud Native

28 Dec 2025
[19:44:32] kalbasit (@kalbasit:matrix.org): lillecarl: I do have another question: do you recommend a solution for remote builds on Kubernetes? I have a cluster running on bare metal and I want to leverage it for remote builds instead of using my old laptop for that.

[19:48:37] lillecarl (@lillecarl:matrix.org): @kalbasit:matrix.org nix-csi enables you to tag nodes as builders; it's pretty barely tested but it works. It completely bypasses resource constraints.

It works by using the in-cluster cache pod as an SSH jump box into the nodes which can run builds.

It'll be developed further :)

[19:49:29] kalbasit (@kalbasit:matrix.org): Do you have a manifest (yaml) I can use to give it a try; sort of a demo or whatever you have on your end?

[20:00:31] lillecarl (@lillecarl:matrix.org): I'll get back to you about that :)
29 Dec 2025
[01:40:54] kalbasit (@kalbasit:matrix.org): Happy holidays btw!

[14:59:49] lillecarl (@lillecarl:matrix.org): @kalbasit:matrix.org I've been thinking about how to architect the in-kube building. The way it works now is pretty dumb since you can't constrain it properly. My current idea is to use a Deployment for building that mounts the same hostPath (optionally maybe) as the DaemonSet. I'll have to verify that I can make sure builds run in the Deployment instead of talking to the Nix daemon running in the DS. I've also been considering whether I should stop running the Nix daemon altogether since it's effectively a single-user system anyway. nix-csi is privileged.

I'd love to hear ideas. I'm pretty sure I'll dump "dinix" and run multiple containers like Kube wants you to, too. I'm aiming for 1.0 in Q1 where all the things not just work, but work "like they should". Building in Kubernetes won't be as good as nixbuild.net but it'll be good enough ™️
[19:42:02, edited 19:42:44] kalbasit (@kalbasit:matrix.org): Back in 2022 at my previous company what I ended up doing was an overnight Job that builds an EBS volume ("the cache") and creates a snapshot of it. Then every CI job that needs the Nix store would request an EBS volume based on the latest snapshot available, and it takes 10 to 30 seconds for that to become available (not a problem for a 20-40 minute job at the time...). Maybe this could be implemented in a similar way? At my home I run Proxmox with TrueNAS and a couple of clusters; all clusters use democratic-csi to mount iSCSI volumes, and support for ZFS snapshots does exist, although I have not tested creating a volume from a snapshot, but it could be possible. hostPath does not work for me because I use Talos and it doesn't allow hostPath without having a non-ephemeral volume (which I do have on 2 out of 13 worker nodes, specifically for cnpg to run on SSDs instead of spinners via iSCSI)...
30 Dec 2025
[16:03:46] lillecarl (@lillecarl:matrix.org): @kalbasit:matrix.org My plan is to stay entirely cloud agnostic so AWS is out of the question. I'll have to come up with different solutions for RWO and RWX builds. If you have RWX storage the in-cluster cache and the builders can just share a store, but I'll also support non-RWX; I have ideas to watch the builder stores and push paths to the cache as soon as they're registered in the DB.

I'm already patching Nix (Lix) to update "registrationtime" when a path is referenced, which makes the GC in nix-csi pretty awesome (nodes keep their paths for an hour, cache for a configurable time).

By eagerly pushing to the cache I think performance will be quite good; in-cluster speeds should be good enough to not matter much.

The registrationtime updates are recursive too, meaning we keep all deps and build-deps hot always (well, once it's implemented :p)

[16:10:13] lillecarl (@lillecarl:matrix.org): https://github.com/Lillecarl/lix/commit/9ac72bbd0c7802ca83a907d1fec135f31aab6d24 this is the patch for registrationTime repurposed as "last needed time" :)
4 Jan 2026
[03:27:24] xentec (@xentec:gated.space) changed their display name from "xentec | metal1nk@39c3" to "xentec".
5 Jan 2026
[09:38:41] Frédéric Christ (@frederic:scs.ems.host) changed their display name from "Frédéric Christ (back on 02.01.)" to "Frédéric Christ".
10 Jan 2026
[18:17:01, edited 23:50:38] lillecarl (@lillecarl:matrix.org): kalbasit: I've hit a limitation to running the builds in Kubernetes: either you run privileged or you disable the sandbox. I added an option that easily configures these settings in tandem for the builders because it doesn't seem to be reasonable to work around. There's user namespaces but they require node configuration, which I've banned from nix-csi (it must be deployable everywhere).

Other than that it's chugging along nicely 😄
11 Jan 2026
[01:44:53] ivan (@ivank:matrix.org) joined the room.
12 Jan 2026
[08:05:53] jimmie (@grand_master_programmer:matrix.org) joined the room.
[08:12:25] jimmie (@grand_master_programmer:matrix.org) set a profile picture.
[08:12:39] jimmie (@grand_master_programmer:matrix.org) changed their display name from "zigzen" to "jimmie".
[17:28:21] jappie (@jappie:jappie.dev) joined the room.
14 Jan 2026
[10:45:59] lillecarl (@lillecarl:matrix.org): kalbasit: Hey, you're the ncps guy, nice! I've been wondering why ncps makes it mandatory to re-sign packages rather than serving the key we all already trust? 😄

[18:49:26] BPub (@bpub:matrix.org) changed their display name from "Robert" to "BPub".
22 Jan 2026
[21:39:08] Astro (@astro:envs.net) changed their display name from "Astro" to "Moved to: @astro:c3d2.de".
23 Jan 2026
[02:10:25] kalbasit (@kalbasit:matrix.org): Yep, that is me haha. There's a flag to turn it off: --cache-sign-narinfo=false. The flag exists to allow you to use only ncps in your binary cache configuration, so you don't have to configure every client you have to trust every upstream cache you configure ncps with. Not to mention that ncps does allow pushing NARs to it directly.

[02:10:56] kalbasit (@kalbasit:matrix.org): https://docs.ncps.dev/user-guide/configuration/reference#security-amp-signing fyi, I'm aware the website template sucks; it's on my list to improve.

[02:13:42] kalbasit (@kalbasit:matrix.org): For instance, all of my hosts have only ncps as binary cache (along with the cache.nixos.org default), but my ncps is configured to trust nix-community among other (about 4) upstream servers. Does that make sense?

[05:58:56] lillecarl (@lillecarl:matrix.org): fwiw I don't mind the site at all except where line breaks are broken. Thanks for the answer; given that ncps allows pushing NARs, adding keys is a given. Re-signing to act as an intermediary trust makes sense too. I'm gonna test-integrate ncps into nix-csi. I don't wanna do a drive-by, but here's a drive-by: did you consider basic auth for both RO and RW operations (htpasswd)? The current nix-csi cache can be LB-served to be used both internally and externally.

[05:59:42] lillecarl (@lillecarl:matrix.org): kalbasit: Forgot to tag you 😄

[06:52:17] kalbasit (@kalbasit:matrix.org): I did consider authentication, but given it's still v0.x I'm trying to focus on the main functionality, leaving the authentication to be handled by a reverse proxy or something. At some point I need to consider an authentication mechanism (basic auth, tokens, API keys, etc.); I'm not sure yet.

[07:02:51] lillecarl (@lillecarl:matrix.org): kalbasit: Fair, I wish I had such discipline! nix-csi originally: mount closures. nix-csi now: mount closures + store paths in podspec, integrated LRU cache (patched Nix), distributed building (really just "query apiserver and make a 'machines' file").

[09:11:20] lillecarl (@lillecarl:matrix.org): kalbasit: ncps deployed with nix-csi and easykubenix, what do you think? 😄