15 Jan 2025 |
matthewcroughan | guess the application needs to report that state via something else like a socket | 19:52:11 |
matthewcroughan | or I could make my own program that returns 1 until there is an OSC pong/return from the UDP port on | 19:52:49 |
matthewcroughan | * or I could make my own program that returns 1 until there is an OSC pong/return from the UDP port | 19:52:52 |
@lily:lily.flowers | In reply to @matthewcroughan:defenestrate.it Is there a nixos test function for wait_for_open_port that uses udp instead of tcp i mean you can wait_until_succeeds a command that checks ss -ul output for bind, like https://github.com/NixOS/nixpkgs/blob/f4120b8ab4abd21b8f0c3002e3ed22869ed2c646/nixos/tests/armagetronad.nix#L156 | 20:05:07 |
matthewcroughan | nice! | 20:07:52 |
matthewcroughan | is there a machine.succeed that takes a user id argument yet? | 20:08:08 |
matthewcroughan | or a username arg | 20:08:12 |
matthewcroughan | to run cmds as users in the vm test | 20:08:16 |
hellwolf | is there way to limit diskspace a build uses? | 21:01:09 |
Emma [it/its] | on that note, it'd be cool if there was a way to know an estimate of build closure size before building | 21:05:04 |
Emma [it/its] | ie. as something in the meta section or whatever, would prevent quite a lot of "out of disk space" -> gc -> start over cycles for me | 21:05:36 |
hellwolf | also, what exactly does nix limit, in terms of network access?
also, what does this statement mean:
except that fixed-output derivations do not run in private network namespace to ensure they can access the network
| 21:10:50 |
hellwolf | * also, what exactly does nix limit, in terms of network access?
and what does this statement mean:
except that fixed-output derivations do not run in private network namespace to ensure they can access the network
| 21:11:01 |
mjm | fixed-output derivations are things like fetchers: derivations where the hash of the output must be known ahead of time | 21:26:12 |
mjm | so they are allowed to access the network since we can verify what they produce is exactly what we expect | 21:26:39 |
hellwolf | but it could be an unlimited download in an edge case? | 21:29:06 |
mjm | i don't think anything is limiting the size of the download. there's nothing intercepting the network activity afaik | 21:30:20 |
hellwolf | context: I am trying to convince people behind play.haskell.org that nix can do the same thing for sandboxed builds, and better. | 21:31:09 |
hellwolf | since I am porting it to my use case, and I try to use nix there. | 21:31:27 |
hellwolf | so the disk space and network access restriction is what I am after. | 21:31:39 |
hellwolf | * so the definitive answers to disk space and network access restriction are what I am after. | 21:31:45 |
hellwolf | currently, that service has its own ad-hoc solution of using bubblewrap/systemd etc. | 21:32:24 |
mjm | afaik nix does nothing to try to restrict disk space in a build. and network access restriction is all-or-nothing. | 21:39:00 |
mjm | idk if nix is actually a good fit for something like a code playground | 21:39:11 |
hellwolf | could you elaborate? what would be the main issue? | 21:43:59 |
mjm | it just doesn't seem built for that particular task is all | 21:44:14 |
mjm | it makes use of a sandbox to enforce its own constraints, but i don't think it really exposes the sandbox as a product feature in the way a code playground would want to use it | 21:45:30 |
hellwolf | right.
the thing is, that playground is not necessarily written with any magic either. as far as I can tell, what nix provides as it is already on par if not better | 21:55:55 |
@magic_rb:matrix.redalder.org | In reply to @hellwolf:matrix.org
right.
the thing is, that playground is not necessarily written with any magic either. as far as I can tell, what nix provides as it is already on par if not better
For the playground, as much as i hate to say it, use OCI or bubblewrap | 21:58:45 |
@magic_rb:matrix.redalder.org | You can build the OCI rootfs with Nix, but using nix builds is uh, not great | 21:59:01 |