| 4 Aug 2025 |
adamcstephens | seems worth a try | 03:05:52 |
adamcstephens | would be nice if you could provide a one-time key during a "known" reboot | 03:07:59 |
hexa | exactly | 03:09:05 |
hexa | but what I need is probably more like … check daily whether running and booted kernel mismatch and do the kexec dance | 03:09:44 |
hexa | that can use a persistent key to the luks volumes that is root-owned | 03:10:25 |
hexa | * that could use a persistent key to the luks volumes that is root-owned | 03:10:29 |
hexa | on lobsters someone wrote | 03:10:51 |
hexa |
When you're root user, you can extract the unlocked LUKS main key from RAM and can use that to add a key.
| 03:10:52 |
hexa | 😬 | 03:11:02 |
hexa | wondering how easy that is | 03:11:08 |
adamcstephens |
By default, if systemd-boot is used and no kernel was loaded manually using kexec -l before, systemd will load the kernel specified in the default boot loader entry. For example, to reboot into the newer kernel after a system update, you may simply run:
| 03:11:34 |
adamcstephens | so if you nixos-rebuild boot, i guess you can just run systemctl kexec | 03:11:54 |
hexa | lol | 03:12:14 |
hexa | nixos be blessed | 03:12:20 |
hexa | still needs the prepared initrd | 03:12:31 |
hexa | if that works I'll give up all my remaining legacy boot boxes | 03:13:02 |
hexa | which are hetzner vms mostly, because they only do efi for arm | 03:13:27 |
hexa | ok, so 5 am | 03:13:34 |
hexa | let that be a tomorrow job? | 03:13:37 |
adamcstephens | yeah :) | 03:13:41 |
hexa | [image.png] | 16:33:45 |
hexa | so everything goes reasonably quick, except the cuda machine | 16:34:15 |
adamcstephens | not surprised. i need to split out my runs to be a bit more visible, but it's definitely the cuda packages that take all the time | 16:44:15 |
adamcstephens | how are you matrixing the configs into jobs? manually? | 16:44:51 |
hexa | yeah | 16:45:38 |
hexa | when I created this I didn't find a way to codegen that at runtime | 16:45:52 |
hexa |
name: "Build NixOS configurations"
on:
  pull_request:
    paths:
      - .forgejo/workflows/build.yml
      - flake.lock
      - '**.nix'
  push:
    branches:
      - master
    paths:
      - .forgejo/workflows/build.yml
      - flake.lock
      - '**.nix'
  workflow_dispatch:
jobs:
  build:
    runs-on: native
    strategy:
      # one job per host; the matrix is maintained by hand
      matrix:
        host:
          - name: eris
            system: aarch64-linux
          - name: ganymede
            system: x86_64-linux
          - name: helios
            system: x86_64-linux
          - name: io
            system: x86_64-linux
          - name: juno
            system: x86_64-linux
          - name: meduna
            system: x86_64-linux
          - name: pallas
            system: aarch64-linux
    steps:
      - uses: actions/checkout@v4
      - name: Configure attic cache
        run: |
          attic login "${{ secrets.ATTIC_CACHE }}" "${{ secrets.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
      - name: Configure Nix-Community CUDA cache
        # only the CUDA host needs the nix-community binary cache
        if: matrix.host.name == 'meduna'
        run: |
          cachix use nix-community
      - name: Build system closure
        run: |
          nix run \
            --inputs-from . \
            nixpkgs#nix-fast-build \
            -- \
            --eval-workers 4 \
            --systems "${{ matrix.host.system }}" \
            --attic-cache "${{ secrets.ATTIC_CACHE }}" \
            --no-nom \
            --flake ".#nixosConfigurations.${{ matrix.host.name }}.config.system.build.toplevel"
| 16:46:27 |
adamcstephens | yeah i don't think there is a way | 16:53:28 |
hexa | if there is prior art we should file a feature request with forgejo | 17:02:51 |