20 Feb 2024 |
mkg20001 | maybe, maybe not. didn't really check much, but /run/current-system was missing, so it could be that we'd need to link another script when the option is set | 16:53:49 |
mkg20001 | to fix activation being run | 16:54:06 |
adamcstephens | it breaks /run/current-system? that sounds bad. i thought switch-to-configuration managed that | 16:56:10 |
mkg20001 | so I found the issue, it's fixed in https://github.com/NixOS/nixpkgs/pull/290288 | 22:15:39 |
adamcstephens | In reply to @mkg20001:mkg20001.io so I found the issue, it's fixed in https://github.com/NixOS/nixpkgs/pull/290288 Would you be willing to write test cases for both? | 22:23:00 |
mkg20001 | In reply to @adam:robins.wtf Would you be willing to write test cases for both? building and running an image with initrd.systemd.enable is enough? then I'll add that | 22:27:40 |
adamcstephens | Yeah. Though I’m wondering if we should be explicit in the legacy case as there’s talk of deprecating it | 22:29:21 |
mkg20001 | once nixos as a whole switches we should simply follow i think | 22:37:14 |
adamcstephens | Then for now just another image with it enabled is good enough | 22:41:47 |
adamcstephens | * Then for now just another image with systemd init enabled is good enough | 22:42:01 |
mkg20001 | added test | 22:44:47 |
23 Feb 2024 |
adamcstephens | https://github.com/NixOS/nixpkgs/pull/290570 | 01:53:41 |
adamcstephens | Any thoughts on forcing people to use nftables with incus? | 19:15:30 |
hexa | even the nixos firewall uses nft these adys | 19:19:19 |
hexa | * even the nixos firewall uses nft these days | 19:19:21 |
hexa | and what does forcing even mean | 19:19:30 |
hexa | everyone can lib.mkForce whatever they want | 19:19:43 |
adamcstephens | (networking.firewall.enable && !networking.nftables.enable) && virtualisation.incus.enable | 19:25:38 |
adamcstephens | throw an error if that evaluates to true | 19:25:52 |
adamcstephens | * networking.firewall.enable && !networking.nftables.enable && virtualisation.incus.enable | 19:25:58 |
adamcstephens | is that too aggressive of a change? :) | 19:28:49 |
hexa | what would be the motivation? | 19:30:39 |
adamcstephens | incus manages its own firewall rules, and it's easier to support a single integration | 19:39:05 |
adamcstephens | the motivation comes from at least one user for whom switching to nftables just fixed the issue https://github.com/lxc/incus/issues/525 | 19:39:38 |
adamcstephens | specifically this comment: https://github.com/lxc/incus/issues/525#issuecomment-1961862060 | 19:40:22 |
adamcstephens | (there are two users for some reason in this issue) | 19:40:30 |
hexa | yeah, then just assert with a link to documentation, why this has become necessary maybe | 19:40:35 |
adamcstephens | if you're curious, here's an nftable dump from my test machine https://paste.sr.ht/~adamcstephens/28d559730979803b0b1372e200d1013c1a783a4f | 19:42:19 |
24 Feb 2024 |
mkg20001 | myself i just add all the interfaces to trustedInterfaces and that fixes that | 03:52:51 |
mkg20001 | we could have a named set in nftables and patch incus to append its own interfaces to that | 03:53:24 |