| 30 Jul 2025 |
|  yan 💕 joined the room. | 01:42:17 |
 Sandro 🐧 | re: ifstate: speaks something against static compilation? | 18:34:31 |
 Marie | it's python | 18:37:51 |
 𝔇𝔢𝔫𝔎𝔫 | it should be also possible to compile python static. but you are only able to load libs written in plain python. | 19:03:12 |
| 𝔇𝔢𝔫𝔎𝔫 | but why python in initrd? | 19:04:12 |
| Marie | to run ifstate | 19:08:11 |
| 𝔇𝔢𝔫𝔎𝔫 | for configure network, you do not need ifstate. you can do anything with iproute2 except wg, sysctl, ... | 19:28:37 |
 Marcel | yeah, I don't need it, but I am not interested in defining my configuration in tow different formats twice, other than just reusing the configuration from the stage 2 system | 19:30:12 |
| Marcel | (this is about packaging ifstate, everything works already, also initrd, its just about reducing it's addition to the initrd) | 19:31:00 |
| 𝔇𝔢𝔫𝔎𝔫 | so you need network in initrd? | 19:31:08 |
| Marcel | if you have an encrypted systemd which is not directly accessable (e.g. a server in a datancenter) and you wan't to reboot it you someshow need to enter the password - i know. there are thinkgs like ipmi but you cloud also start an sshd in the initrd and connect to it in order to enter the password | 19:32:27 |
| Marcel | see https://wiki.nixos.org/wiki/Remote_disk_unlocking for some background info | 19:33:07 |
| Marcel | * (this is about packaging ifstate, everyth ing works already, also initrd, its just about reducing it's addition to the initrd in terms of size) | 19:34:26 |
| 𝔇𝔢𝔫𝔎𝔫 | There is not secure datacenter. If it is not your hardware, encryption is useless. | 19:34:29 |
| Marcel | its my hardware in a datancenter operator i trust | 19:34:54 |
| Marcel | but i thinks think this is off topic now | 19:35:09 |
| Marcel | * | 19:35:19 |
| 𝔇𝔢𝔫𝔎𝔫 | ah, ok, than it is something different. | 19:35:49 |
| 𝔇𝔢𝔫𝔎𝔫 | so, you have also a sshd in your initrd... | 19:37:53 |
 emily | you can use TPM etc. to get a not-easily-extractable host key prior to decryption | 19:37:54 |
| emily | (and that host key can be only accessible if you are booting a trusted kernel/initrd and nothing funny went on with the bootloader) | 19:38:10 |
 hexa (clat on linux when) | yes, and an unencrypted ssh hostkey | 19:38:14 |
| hexa (clat on linux when) | the threat modelling on this is pretty clear | 19:38:24 |
| emily | well, that's the less effective option :D | 19:38:28 |
| emily | but yes | 19:38:30 |
| emily | we have had support for this in NixOS for years | 19:38:39 |
| hexa (clat on linux when) | right | 19:38:41 |
| 𝔇𝔢𝔫𝔎𝔫 | than you could also install a second system with a full nixos, which will be booted first. than you use containers for the encrypted services. | 19:39:35 |
| hexa (clat on linux when) | the discussion is about bringing parity for network configuration options between the running system and the initrd, no need to question everything from first principles | 19:41:08 |
| 𝔇𝔢𝔫𝔎𝔫 | yes, than you have only one network config | 19:48:42 |
