| 9 Apr 2022 |
 Amanda (she/her) | If not, I can just revert the lock update | 13:43:44 |
| Amanda (she/her) | With flakes the inputs become part of the source code, so usual source code workflows apply | 13:45:00 |
 tilpner | I have considered that, but it seems odd to have add-on tasks outside of hydra for something that hydra could already do in legacy mode | 13:46:40 |
| tilpner | Also, I'd like much lower git-push-to-deployed latencies than would be possible with even hourly nix flake update timers | 13:47:45 |
| Amanda (she/her) | Flakes are meant to provide more reproducibility. I suppose hydra could have a mode to do the git updates for you, but that seems out of scope | 13:47:50 |
| tilpner | I understand automatic updates don't exactly fit the design of flakes, but this reems to be a recurring problem:
- https://www.reddit.com/r/NixOS/comments/js5fxv/using_hydra_with_flakes_without_lock/
- https://www.reddit.com/r/NixOS/comments/negjsu/people_who_use_nix_flakes_for_their_system_config/
| 13:48:21 |
| Amanda (she/her) | They don't just "not exactly" fit, they're pretty much antithetical | 13:49:15 |
| Amanda (she/her) | The idea with flakes is you can pull a git repo, and get exactly the same output no matter when you do it | 13:49:52 |
| tilpner | and I appreciate that property for manual builds and deployments, it's just with hydra where it becomes a problem for automatic deployments :) | 13:50:53 |
| tilpner | sure, I could whip up a small webhook receiver to automatically forward pushed in one repo to flake updates in another, but that feels very inelegant | 13:52:08 |
| Amanda (she/her) | You probably don't want stuff changing it from under you for automatic deployments, see: node and the recent "protestware" package updates | 13:52:08 |
| Amanda (she/her) | * You probably don't want stuff changing out from under you for automatic deployments, see: node and the recent "protestware" package updates | 13:52:25 |
| tilpner | I have two flakes, one for the system definitions, and one for an application. If I push a new commit to the application, I'd like hydra to build and check it, and then deploy it | 13:53:17 |
| tilpner | That would work fine even in flakes mode, if it were a monorepo. As both repos are under my control, I'm not worried about malicious package updates, though of course these automatic updates should be selective | 13:54:50 |
| tilpner | I suppose I could configure hydra to execute a script after a build of the application repo finishes, which pushes a commit to the systems repo to trigger a deployment of that | 13:57:20 |
| tilpner | (https://github.com/NixOS/hydra/pull/1103 would be neat for that) | 13:59:03 |
| tilpner | I don't need changes to the application to trigger rebuilds of the system in this instance, as I can poll-deploy the latest evaluation of the application to a separate nix profile and restart the corresponding systemd service. But that's not a general solution, and wouldn't support e.g. keeping a nixos module for the application in the application flake, because the system flake jobset couldn't automatically update itself to use that new module | 14:06:19 |
| tilpner | (Yes, keeping and automatically applying a nixos module from an application module is a security issue if different sets of people have access to the application and system repositories) | 14:07:39 |
| tilpner | * (Yes, automatically applying a nixos module from an application module is a security issue if different sets of people have access to the application and system repositories) | 14:15:18 |
 @grahamc:nixos.org | we should merge that PR | 18:58:40 |
| 10 Apr 2022 |
 @ulrikstrid:matrix.org | If I want to start playing with hydra, is it best to setup everything on the same machine and then add more builders later? | 12:47:49 |
| tilpner | I don't know about best, but running hydra without remote builders is perfectly fine | 12:48:33 |
| @ulrikstrid:matrix.org | Best was the wrong word, easiest is what I was looking for 😅 | 12:49:16 |
| @ulrikstrid:matrix.org | Maybe another stupid question, can I have the project config separate from the repo I'm building? | 12:49:56 |
| tilpner | that said, I do have localhost registered as a remote builder, just... a local remote builder :P | 12:50:31 |
| tilpner | what do you mean by project config? | 12:51:32 |
| @ulrikstrid:matrix.org | What and how to build a project, I'm not sure about the wording of hydra | 12:52:06 |
| tilpner | The "what projects to build" can be configured declaratively in a jobsets repository: https://hydra.nixos.org/build/172143314/download/1/hydra/plugins/declarative-projects.html | 12:53:59 |
| tilpner | But I don't think that's what you meant, as the non-declarative jobset configuration wouldn't be part of the repo anyway | 12:54:20 |
| @ulrikstrid:matrix.org | So to simplify: can I build any repo with a nix configuration? | 12:55:08 |
