| 30 Jun 2023 |
Sandro 🐧 | I would need to clean them up manually, right? | 01:48:04 |
| fabaff joined the room. | 14:22:47 |
| 1 Jul 2023 |
| @lotte:chir.rs changed their profile picture. | 09:47:24 |
| 3 Jul 2023 |
| Nate joined the room. | 18:01:50 |
| 4 Jul 2023 |
| @tomh:riotchat.de left the room. | 14:26:16 |
| 5 Jul 2023 |
| @rimuru:gentoo.chat changed their profile picture. | 14:20:06 |
| AtnNn joined the room. | 18:19:58 |
| 6 Jul 2023 |
| Hayley joined the room. | 20:16:47 |
| 7 Jul 2023 |
| @lotte:chir.rs changed their profile picture. | 05:36:35 |
| 8 Jul 2023 |
| d3routr joined the room. | 13:59:18 |
| @easel:matrix.org joined the room. | 16:30:14 |
| 9 Jul 2023 |
| hacker1024 joined the room. | 10:53:38 |
hacker1024 | Hi all, I am trying to make a declarative project. I am trying to wrap my head around the declInput argument. Why do so many projects cat it? | 10:57:41 |
| 10 Jul 2023 |
@janne.hess:helsinki-systems.de | In reply to @hacker1024:matrix.org Hi all, I am trying to make a declarative project. I am trying to wrap my head around the declInput argument. Why do so many projects cat it? Depends on what your declInput is. For me it's usually a git repo so it's not cat-table | 06:58:58 |
@janne.hess:helsinki-systems.de | declInput is what you configure in the "Declarative input type" in the project settings | 06:59:27 |
hacker1024 | Thanks. But what is the purpose of printing it at build time? Take [this one](https://github.com/dhess/pinpon/tree/f4f984f3a45e4239914c912f489fd37110b65d45/nix/jobsets), for example - the input in spec.json is just the repository. | 07:25:21 |
@janne.hess:helsinki-systems.de | In reply to @hacker1024:matrix.org Thanks. But what is the purpose of printing it at build time? Take [this one](https://github.com/dhess/pinpon/tree/f4f984f3a45e4239914c912f489fd37110b65d45/nix/jobsets), for example - the input in spec.json is just the repository. I guess debug things | 08:16:21 |
@janne.hess:helsinki-systems.de | Btw if you try hard enough, you don't even need nixpkgs in your declarative spec: https://git.helsinki.tools/helsinki-systems/hydra-nixos/-/blob/master/default.nix#L44 | 08:18:02 |
@janne.hess:helsinki-systems.de | * Btw if you try hard enough, you don't even need nixpkgs in your declarative spec: https://git.helsinki.tools/helsinki-systems/hydra-nixos/-/blob/master/default.nix#L44 - makes it nicer imo because you don't have to fetch/update nixpkgs every time | 08:18:34 |
hacker1024 | Thanks, that's pretty cool. Another question:
Does Hydra have a way to limit all access to logged in users, or do I need to set up a reverse proxy with authentication? In particular I do not want anyone to be able to view output hashes or access our binary cache. | 23:17:17 |
hacker1024 | * Thanks, that's pretty cool. Another question:
Does Hydra have a way to limit all access to logged in users, or do I need to set up a reverse proxy with authentication? In particular I do not want anyone to be able to view build logs or output hashes or access our binary cache. | 23:17:38 |
hacker1024 | * Thanks, that's pretty cool. Another question:
Does Hydra have a way to limit all access to logged in users, or do I need to set up a reverse proxy with authentication? In particular I do not want anyone to be able to view build logs or output hashes, or access our binary cache. | 23:17:44 |
| 11 Jul 2023 |
hacker1024 | How can I stop Hydra from serving my whole system Nix store as a binary cache? I have the following line in my config, but it seems to have no effect at all.
store_uri = file:///var/cache/hydra/nar-cache?secret-key=/path/to/key&want-mass-query=true&compression=zstd&parallel-compression=true
| 13:25:53 |
@andreas.schraegle:helsinki-systems.de | I think the answer to both those questions is using a reverse proxy in front of it | 13:44:32 |
hacker1024 | I've got Caddy set up doing basic auth, but I don't see how I could use that to only serve the specific derivations I'm building in Hydra (excluding other things I have installed in my system)? | 13:45:47 |
@andreas.schraegle:helsinki-systems.de | ah, I assumed you'd just want to block access to the binary-cache altogether | 13:47:24 |
hacker1024 | Actually, upon further inspection, I think I can see why my store_uri is not working:
Jul 11 23:46:29 ulna hydra-queue-runner[6168]: copying path '/nix/store/7bkh0cf19p465g7xx61azjz41j0s75wk-xgcc-12.3.0-libgcc' (148784 bytes, compressed 66.6% in 1 ms) to binary cache
Jul 11 23:46:29 ulna hydra-queue-runner[6168]: error (ignored): error: cannot unlink '/var/cache/hydra/nar-cache/nar/03wkk6rg44cqkvwnam72zhp3npx4adkq9cf7ylh0i0mpwdyabb5k.nar.zst.tmp.6168.2310': No such file or directory
Jul 11 23:46:29 ulna hydra-queue-runner[6168]: while copying/substituting output ‘/nix/store/x19damrys2xs84sl9wk0h5ff5vyg6mjh-libiec61883-1.2.0’ of ‘/nix/store/ypxw5dxdcp8i0626byimgckldy686apr-libiec61883-1.2.0.drv’: error: opening file '/var/cache/hydra/nar-cache/nar/03wkk6rg44cqkvwnam72zhp3npx4adkq9cf7ylh0i0mpwdyabb5k.nar.zst.tmp.6168.2310': Permission denied
I don't understand why this is happening, though - /var/cache/hydra/nar-cache/nar exists and is owned by the hydra user and group.
| 13:48:16 |
hacker1024 | Ah. hydra-queue-runner runs as the hydra-queue-runner user. | 13:49:37 |
hacker1024 | * Ah. hydra-queue-runner runs as the hydra-queue-runner user, and the directory only has group read permissions. | 13:52:55 |
hacker1024 | Hmm. Now the store path is working for building, but my main store still seems to be getting served as a binary cache. | 14:06:57 |