| 4 Aug 2025 |
adamcstephens | my current flow is to run a script which bumps my dotfiles and infra repos, and push them to git. If all builds fine, then that night systems will update | 02:55:32 |
hexa | how will they update? can they self-evaluate? | 02:55:48 |
adamcstephens | no, they realize the path and switch to it | 02:56:05 |
hexa | uhhh, can you explain? | 02:56:22 |
adamcstephens | I've been slowly building a deploy tool for a long time now. It can track store paths for deployment. After build and upload to attic, I post a store path to the service. Then a command in a timer checks the backend, and if there's a newer path will pull it down and switch to it. | 02:59:10 |
hexa | ah ok | 02:59:38 |
hexa | so yeah, if it can just substitute the path and switch into it, that's bueno | 02:59:51 |
adamcstephens | At work we've implemented the same flow, but using S3 as the backend. Write a structured file to S3 that includes the store path. | 03:00:23 |
hexa | do you run with fde? | 03:00:48 |
adamcstephens | At home, yes | 03:00:56 |
hexa | how do you deal with reboots? | 03:01:08 |
hexa | https://log.pfad.fr/2025/fde-nixos-colmena-passwordless-reboot/ is something I was going to look into whenever I find the time | 03:02:41 |
adamcstephens | I was doing them manually and ssh in to initrd to unlock, but I switched to TPM unlock recently. Less security, but more convenient and means I'm not in the critical path to boot a system. | 03:02:55 |
adamcstephens | most of my "systems" are VMs though. so even manually every couple weeks for kernel updates wasn't too bad. | 03:04:08 |
hexa | all my boxes are encrypted, whether they're local or remote doesn't matter | 03:04:31 |
adamcstephens | yeah, i encrypt the physical drives | 03:04:47 |
hexa | so if efi boxes can have unattended reboots via kexec that would be a big deal | 03:05:25 |
adamcstephens | seems worth a try | 03:05:52 |
adamcstephens | would be nice if you could provide a one-time key during a "known" reboot | 03:07:59 |
hexa | exactly | 03:09:05 |
hexa | but what I need is probably more like … check daily whether running and booted kernel mismatch and do the kexec dance | 03:09:44 |
hexa | that can use a persistent key to the luks volumes that is root-owned | 03:10:25 |
hexa | * that could use a persistent key to the luks volumes that is root-owned | 03:10:29 |
hexa | on lobsters someone wrote | 03:10:51 |
hexa |
When you're root user, you can extract the unlocked LUKS main key from RAM and can use that to add a key.
| 03:10:52 |
hexa | 😬 | 03:11:02 |
hexa | wondering how easy that is | 03:11:08 |
adamcstephens |
By default, if systemd-boot is used and no kernel was loaded manually using kexec -l before, systemd will load the kernel specified in the default boot loader entry. For example, to reboot into the newer kernel after a system update, you may simply run:
| 03:11:34 |
adamcstephens | so if you nixos-rebuild boot, i guess you can just run systemctl kexec | 03:11:54 |
hexa | lol | 03:12:14 |