| 9 Jun 2022 |
 Taeer Bar-Yam | Oh. Hm... I'm still having the same behaviour (nothing being produced with --keep-result) | 18:47:14 |
 Zhaofeng Li | Hmm, it does create them for me with colmena build | 18:56:13 |
| Taeer Bar-Yam | Aha! It works when using flakes, but not without | 18:57:48 |
| Taeer Bar-Yam | presumably it doesn't know how to find the hive directory in a non-flake build | 18:58:03 |
| Zhaofeng Li | Weird, it should be able to create GC roots with non-flakes (actually we are only testing it in the non-flake path in the end-to-end tests) | 19:00:28 |
| Zhaofeng Li | Just tried and it does work in the non-flakes case | 19:01:47 |
| Taeer Bar-Yam | oh never mind, I see it now. | 19:09:28 |
| Taeer Bar-Yam | I think i might have just been looking in the wrong place | 19:09:37 |
| Taeer Bar-Yam | anyway, this works great. thank you :) | 19:22:21 |
| 10 Jun 2022 |
|  lblasc joined the room. | 08:54:46 |
| 18 Jun 2022 |
 David Arnold (blaggacao) | Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89?
I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream.
I think I'm just not ready yet for forking, so I'd appreciate if I can build on those building blocks. | 02:10:55 |
| David Arnold (blaggacao) | * Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89?
I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream.
I think I'm just not ready yet for fully forking, so I'd appreciate if I can build on those building blocks. | 02:11:12 |
| David Arnold (blaggacao) | * Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89?
I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream.
I think I'm just not ready yet for fully forking, so I'd appreciate if I could build on those building blocks. | 02:11:26 |
| David Arnold (blaggacao) | * Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89?
I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream. | 02:11:56 |
|  wiredhikari joined the room. | 10:03:38 |
| 19 Jun 2022 |
| Zhaofeng Li | In reply to @blaggacao:matrix.org
Hey Zhaofeng Li: would you be willing to consider https://github.com/zhaofengli/colmena/pull/89?
I wanted to continue hacking along on my colmena adoption, but I feel like a tightrope walker without security if I need to deviate too much from upstream. Hi sorry, been busy in the past couple of days. Minimizing the eval interface should be fine and I'll review and merge it today. | 20:09:17 |
| Zhaofeng Li | Note that the eval interface is still subject to change in the near future, like for the upcoming auto rollback feature as well as https://github.com/zhaofengli/colmena/pull/96 | 20:09:18 |
| David Arnold (blaggacao) | Since using deploy-rs, I never used the auto-rollback feature. But this is probably less a fault of the rollback fearure amd more of the systemd-mediated choreographed (not orchestrated) reconciliation loop. | 20:49:17 |
| David Arnold (blaggacao) | (i'm alluding at the choreography vs orchestration discussion, here) | 20:50:28 |
| 21 Jun 2022 |
|  lemmalamma joined the room. | 00:04:54 |
| lemmalamma | (New to Colmena and just Nix in general).
How do y'all deal with bootstrapping secrets in a Colmena deployment. For example, I have a secret key that I don't want to keep in repo. So every time a developer clones the colmena nix code they would have to get the secret key and create the file on their local machine.
I want to split my colmena deploymeny into 2 parts:
- Bootstrapping secrets. Should only be done by very few people who have access to the secrets.
- Any other configuration that can be run by anyone and CI.
Does this make sense to do?
| 00:24:45 |
| lemmalamma | * (New to Colmena and just Nix in general).
How do y'all deal with bootstrapping secrets in a Colmena deployment. For example, I have a secret key that I don't want to keep in repo. So every time a developer clones the colmena nix code they would have to get the secret key and create the file on their local machine.
I want to split my colmena deploymeny into 2 parts:
- Bootstrapping secrets. Should only be done by very few people who have access to the secrets.
- Any other configuration that can be run by anyone and CI. They should be able to
colmena apply without getting secret keys from somewhere else manually.
Does this make sense to do?
| 00:25:36 |
 Linux Hackerman | lemmalamma: colmena stores the secrets unencrypted on the target hosts, so these "unauthorised" users can still fairly trivially get the secret keys by deploying their own code to the machines. | 01:03:55 |
| Linux Hackerman | you also don't need to split it into two, since colmena supports using a command to get secrets -- so you can store them together with your deployment, encrypted (with a tool of your choice) to the authorised users. | 01:05:11 |
| lemmalamma | In reply to @linus:schreibt.jetzt
lemmalamma: colmena stores the secrets unencrypted on the target hosts, so these "unauthorised" users can still fairly trivially get the secret keys by deploying their own code to the machines. This part makes sense. I don't want to enforce access control here. I just want developers who work on infrastructure code's lives easier by not requiring them to set up local secrets manually every time. | 01:07:15 |
| lemmalamma | In reply to @linus:schreibt.jetzt
you also don't need to split it into two, since colmena supports using a command to get secrets -- so you can store them together with your deployment, encrypted (with a tool of your choice) to the authorised users. What common tools are there? | 01:07:32 |
| Linux Hackerman | gpg and age are the two main contenders I'd say | 01:07:44 |
| Linux Hackerman | gpg optionally wrapped with pass | 01:08:04 |
| Linux Hackerman | there's also sops and sops-nix, but I know too little about it to say if it applies here or not | 01:08:48 |
| Linux Hackerman | it's definitely on my list of things to look into one day, because it seems like it can do some nice things | 01:09:15 |
