| 22 Oct 2024 |
 nh2 | * Ah, the version can actually be overriden by the caller:
class EC2Connection(AWSQueryConnection):
def __init__( ... api_version=None ...)
https://github.com/boto/boto/blob/8fac1878734c5ac085b781f619c70ea4b6e913c3/boto/ec2/connection.py#L86
So nixops can easily use it without having to modify boto.
It calls boto.ec2.connect_to_region() with just passes on all kwargs to the EC2Connection constructor.
| 01:29:54 |
| nh2 | Looking for boto.config.get in turn suggests that we may not need to change any code at all, as these versions can be controlled from the outside with a config file:
http://boto.cloudhackers.com/en/latest/boto_config_tut.html#details
Indeed this has the desired effect on that function:
BOTO_CONFIG=<(echo '[Boto]\nec2_version = 2016-11-15')
| 01:44:12 |
| nh2 | * Looking for boto.config.get in turn suggests that we may not need to change any code at all, as these versions can be controlled from the outside with a config file:
http://boto.cloudhackers.com/en/latest/boto_config_tut.html#details
Indeed setting this environment variable this has the desired effect on that function:
BOTO_CONFIG=<(echo '[Boto]\nec2_version = 2016-11-15')
| 01:44:31 |
| nh2 | Arian: It worked, the machine deployed. Thanks a lot for your help!
https://github.com/benaco/nixops/commit/de0b958b37030c4b4b78e3e69908ad0700d6ae57
I answered the StackOverflow.
| 02:44:06 |
| 23 Oct 2024 |
 commiterate | Met with EIC today, apparently they already have a Go re-implementation of the AuthorizedKeysCommand Bash scripts specifically for macOS.
It's just closed source still and they haven't expanded it to cover Linux and Windows.
They'll need to evaluate the differences between my implementation and theirs to figure out what to do next. No expected date though. | 01:15:13 |
| commiterate | Fixed the implementation to do the signature checking for EIC stuff.
I'll leave it up to EIC's eval on whether they want to keep the EC2 Key Pair stuff (since that's vulnerable to MITM). | 05:06:13 |
| commiterate | That openssl dgst line was definitely what I was missing. Each public key block has a bunch of metadata comments (think of this as a header), the public key line, and a base64-encoded SHA-256 + RSA-PSS signature. This signature is for the metadata comments + public key line.
Since that's signed by an EIC signer cert which rolls all the way up to an Amazon CA, it's protected from spoofing.
| 05:09:02 |
| commiterate | * That openssl dgst line was definitely what I was missing. Each public key block has a bunch of metadata comments (think of this as a header), the public key line, and a base64-encoded SHA-256 + RSA-PSS signature. This signature is for the metadata comments + public key line.
Since that's signed by an EIC signer cert which rolls all the way up to an Amazon root cert, it's protected from spoofing.
| 05:09:37 |
|  @luna-null:matrix.org changed their display name from Autumn to luna-null. | 09:49:18 |
| 25 Oct 2024 |
|  lholh joined the room. | 03:54:55 |
|  shift joined the room. | 12:51:26 |
|  xenos76 joined the room. | 13:58:52 |
|  @niclasoverby:beeper.com joined the room. | 13:59:32 |
| 26 Oct 2024 |
|  dbalan joined the room. | 09:49:21 |
| 27 Oct 2024 |
 Arian | there is EIC support for MacOS? | 13:25:01 |
| dbalan | Arian: 👋 Is your nixcon slidedeck up somewhere? | 13:36:29 |
| Arian | https://arianvp.github.io/nixcon2024/slides/reveal.js-master/ | 13:43:10 |
| Arian | added the link to pretalx as well | 13:44:42 |
| dbalan | In reply to @arianvp:matrix.org
https://arianvp.github.io/nixcon2024/slides/reveal.js-master/ thx! | 13:50:55 |
| dbalan | Do you have any strategy for rolling back stateful services, if the activation fails for a new config? | 13:55:30 |
| Arian | Currently not. We manually rollback the instances through grub. But I want to look at automatic boot assessement features that were added to NixOS recently to automate this | 14:32:02 |
| Arian | e.g. reboot into previous boot entry if health check fails | 14:32:10 |
|  Ilan Joselevich (Kranzes) joined the room. | 16:24:21 |
| commiterate | There is apparently. | 17:40:23 |
| commiterate | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html
If you launched your instance using a later version of Amazon Linux, macOS Sonoma, macOS Ventura, macOS Monterey, or Ubuntu, it comes pre-installed with EC2 Instance Connect, and therefore you do not need to install it yourself.
| 17:41:15 |
| commiterate | There should be nothing stopping them for Windows as well since OpenSSH supports Windows. My re-implementation should support it (can generate the AuthorizedKeysCommand exec as a .exe) | 18:55:37 |
| commiterate | * There should be nothing stopping them for Windows as well since OpenSSH supports Windows. My re-implementation should support it (can generate the AuthorizedKeysCommand exec as a .exe and I'm only using the Go crypto library) | 18:55:47 |
| commiterate | * There should be nothing stopping them for Windows as well since OpenSSH supports Windows. My re-implementation supports it (can generate the AuthorizedKeysCommand exec as a .exe and I'm only using the Go crypto library) | 18:56:02 |
| 28 Oct 2024 |
|  @karstenpedersen:matrix.org joined the room. | 09:52:06 |
| Arian | https://www.youtube.com/watch?v=0yb05mq9lLM is basically my whole talk in 2 minutes . | 10:18:28 |
