| 22 Oct 2024 |
 nh2 | That is useful!
I only had the problem on Hetzner dedicated so far.
Upgrade to newer Nixops, be happy everything works.
Next reboot, all machines disappear from the Internet | 01:20:09 |
| nh2 | Since then I add an UDEV rule also to call the one network interface Hetzner gives net0 not matter what | 01:20:46 |
| nh2 | The version is defined here:
https://github.com/boto/boto/blob/8fac1878734c5ac085b781f619c70ea4b6e913c3/boto/ec2/connection.py#L75
APIVersion = boto.config.get('Boto', 'ec2_version', '2014-10-01')
| 01:23:28 |
| nh2 | Now we just apply the nixpkgs wisdom
a sed a day makes the failure go away
and should be good lol
| 01:24:15 |
| nh2 | * Now we just apply the nixpkgs wisdom
a sed a day makes the failure go away
and should be good lol
| 01:24:21 |
 Arian | Horror | 01:27:04 |
| Arian | I'm off to bed | 01:29:05 |
| nh2 | Ah, the version can actually be overriden by the caller:
class EC2Connection(AWSQueryConnection):
def __init__( ... api_version=None ...)
https://github.com/boto/boto/blob/8fac1878734c5ac085b781f619c70ea4b6e913c3/boto/ec2/connection.py#L86
So nixops can easily use it without having to modify boto.
| 01:29:21 |
| nh2 | * Ah, the version can actually be overriden by the caller:
class EC2Connection(AWSQueryConnection):
def __init__( ... api_version=None ...)
https://github.com/boto/boto/blob/8fac1878734c5ac085b781f619c70ea4b6e913c3/boto/ec2/connection.py#L86
So nixops can easily use it without having to modify boto.
It calls boto.ec2.connect_to_region() with just passes on all kwargs to the EC2Connection constructor.
| 01:29:54 |
| nh2 | Looking for boto.config.get in turn suggests that we may not need to change any code at all, as these versions can be controlled from the outside with a config file:
http://boto.cloudhackers.com/en/latest/boto_config_tut.html#details
Indeed this has the desired effect on that function:
BOTO_CONFIG=<(echo '[Boto]\nec2_version = 2016-11-15')
| 01:44:12 |
| nh2 | * Looking for boto.config.get in turn suggests that we may not need to change any code at all, as these versions can be controlled from the outside with a config file:
http://boto.cloudhackers.com/en/latest/boto_config_tut.html#details
Indeed setting this environment variable this has the desired effect on that function:
BOTO_CONFIG=<(echo '[Boto]\nec2_version = 2016-11-15')
| 01:44:31 |
| nh2 | Arian: It worked, the machine deployed. Thanks a lot for your help!
https://github.com/benaco/nixops/commit/de0b958b37030c4b4b78e3e69908ad0700d6ae57
I answered the StackOverflow.
| 02:44:06 |
| 23 Oct 2024 |
 commiterate | Met with EIC today, apparently they already have a Go re-implementation of the AuthorizedKeysCommand Bash scripts specifically for macOS.
It's just closed source still and they haven't expanded it to cover Linux and Windows.
They'll need to evaluate the differences between my implementation and theirs to figure out what to do next. No expected date though. | 01:15:13 |
| commiterate | Fixed the implementation to do the signature checking for EIC stuff.
I'll leave it up to EIC's eval on whether they want to keep the EC2 Key Pair stuff (since that's vulnerable to MITM). | 05:06:13 |
| commiterate | That openssl dgst line was definitely what I was missing. Each public key block has a bunch of metadata comments (think of this as a header), the public key line, and a base64-encoded SHA-256 + RSA-PSS signature. This signature is for the metadata comments + public key line.
Since that's signed by an EIC signer cert which rolls all the way up to an Amazon CA, it's protected from spoofing.
| 05:09:02 |
| commiterate | * That openssl dgst line was definitely what I was missing. Each public key block has a bunch of metadata comments (think of this as a header), the public key line, and a base64-encoded SHA-256 + RSA-PSS signature. This signature is for the metadata comments + public key line.
Since that's signed by an EIC signer cert which rolls all the way up to an Amazon root cert, it's protected from spoofing.
| 05:09:37 |
|  @luna-null:matrix.org changed their display name from Autumn to luna-null. | 09:49:18 |
| 25 Oct 2024 |
|  lholh joined the room. | 03:54:55 |
|  shift joined the room. | 12:51:26 |
|  xenos76 joined the room. | 13:58:52 |
|  @niclasoverby:beeper.com joined the room. | 13:59:32 |
| 26 Oct 2024 |
|  dbalan joined the room. | 09:49:21 |
| 27 Oct 2024 |
| Arian | there is EIC support for MacOS? | 13:25:01 |
| dbalan | Arian: 👋 Is your nixcon slidedeck up somewhere? | 13:36:29 |
| Arian | https://arianvp.github.io/nixcon2024/slides/reveal.js-master/ | 13:43:10 |
| Arian | added the link to pretalx as well | 13:44:42 |
| dbalan | In reply to @arianvp:matrix.org
https://arianvp.github.io/nixcon2024/slides/reveal.js-master/ thx! | 13:50:55 |
| dbalan | Do you have any strategy for rolling back stateful services, if the activation fails for a new config? | 13:55:30 |
| Arian | Currently not. We manually rollback the instances through grub. But I want to look at automatic boot assessement features that were added to NixOS recently to automate this | 14:32:02 |
| Arian | e.g. reboot into previous boot entry if health check fails | 14:32:10 |
