| 15 Dec 2025 |
Sandro 🐧 | Would be nice if someone could look at https://github.com/NixOS/nixpkgs/pull/427694 | 16:07:34 |
| 19 Dec 2025 |
Arian | I don't think this does what you think it does? If a derivation could leak this information from the host builder we have a vulnerability -- not a feature | 09:58:00 |
Arian | Oooh wait. It disables sandboxing | 09:58:08 |
Arian | This is a terrible idea imo | 09:58:21 |
Arian | Feels like it's way better to attach this as OCI metadata outside of nix build sandbox after doing the build | 09:59:36 |
Arian | Leaking this into the build sandbox feels cursed | 09:59:46 |
Arian | I really don't like this. closureInfo is already a nightmare for reproducibility and this just makes it even worse ._. | 10:03:18 |
Arian | Though maybe a generic mechanism for this *is* useful. I guess our ISO images have the same issue of shipping nix store paths without provenance information | 10:04:05 |
Arian | And all the store paths in it are "ultimately" trusted | 10:04:28 |
Sandro 🐧 | Please write feedback into the PR, please 🙈 | 17:05:49 |
| 28 Dec 2025 |
kalbasit | lillecarl: How does easykubenix compare with nixidy? | 06:14:49 |
lillecarl | @kalbasit:matrix.org nixidy is a more complete deployment solution. easykubenix should be compared to "kubenix" which nixidy uses to render manifests. My intention is to maybesoonishsoleday™️ make easykubenix compatible with nixidy as "easyApplication" or something. I don't like kubenix codegen. | 16:14:30 |
kalbasit | Got it, makes sense | 19:43:40 |
kalbasit | lillecarl: I do have another question: Do you recommend a solution for remote builds on Kubernetes? I have a cluster running on bare metal and I want to leverage for remote builds instead of using my old laptop for that. | 19:44:32 |
lillecarl | @kalbasit:matrix.org nix-csi enables you to tag nodes as builders, it's pretty barely tested but it works. It completely bypasses resource constraints.
It works by using the in-cluster cache pod as SSH jump box into the nodes which can run builds.
It'll be developed further :)
| 19:48:37 |
kalbasit | Do you have a manifest (yaml) I can use to give it a try; sort of a demo or whatever you have on your end?
| 19:49:29 |
lillecarl | I'll get back to you about that :) | 20:00:31 |
| 29 Dec 2025 |
kalbasit | Happy holidays btw! | 01:40:54 |
lillecarl | @kalbasit:matrix.org I've been thinking about how to architect the in-kube building. The way it works now is pretty dumb since you can't constrain it properly. My current idea is to use a Deployment for building that mounts the same hostPath (optionally maybe) as the DaemonSet. I'll have to verify that I can make sure builds run in the Deployment instead of talking to the Nix daemon running in the DS. I've also been considering if I should stop running nix daemon altogether since it's effectively a single user system anyways. nix-csi is privileged.
I'd love to hear ideas. I'm pretty sure I'll dump "dinix" and run multiple containers like Kube wants you to too. I'm aiming for 1.0 Q1 where all the things not just work, but work "like they should". Building in Kubernetes won't be as good as nixbuild.net but it'll be good enough ™️
| 14:59:49 |