| 14 Oct 2022 |
 Zhaofeng Li | But still from the serial console, can you try whether networking is working? Check ip , do some pings/traceroutes/etc | 19:51:16 |
| 15 Oct 2022 |
|  Otavio Salvador joined the room. | 11:36:35 |
| 16 Oct 2022 |
 Linux Hackerman | colmena is breaking with lazy-trees nix:
colmena apply --on sol boot
warning: unknown setting 'structured-drv-logs'
warning: Git tree '/home/linus/deploy' is dirty
[INFO ] Using flake: git+file:///home/linus/deploy
warning: unknown setting 'structured-drv-logs'
warning: Git tree '/home/linus/deploy' is dirty
warning: will not write lock file of flake 'path:/tmp/nix-shell.NZrVap/colmena-assets-A0gZ3E' because it has an unlocked input ('git+file:///home/linus/deploy')
[INFO ] Enumerating nodes...
warning: unknown setting 'structured-drv-logs'
error: cannot call 'getFlake' on unlocked flake reference 'path:/tmp/nix-shell.NZrVap/colmena-assets-A0gZ3E', at «string»:1:29 (use --impure to override)
[ERROR] -----
[ERROR] Operation failed with error: Child process exited with error code: 1
| 12:39:27 |
| Linux Hackerman | I think this is an intentional breaking change on the Nix side | 12:39:38 |
| Linux Hackerman | oh right, this is only a problem with dirty trees though | 12:41:17 |
| Zhaofeng Li | Right, need to take a look. There are some more breaking changes regarding path: flakes that I noticed:
$ nix flake metadata --json
warning: Git tree '/home/zhaofeng/Git/fleet' is dirty
error: lock file contains unlocked input '{"lastModified":1665862219,"narHash":"sha256-VPPLMapU8HtCjb54WDKsnjTjyB3YYXkgxEtzf5Xyqx0=","type":"git","url":"file:///home/zhaofeng/Git/Jovian-NixOS"}'
(use '--show-trace' to show detailed location information)
| 20:26:56 |
| Zhaofeng Li | * Right, need to take a look. There are some more breaking changes regarding path: flakes that I noticed with lazy-trees:
$ nix flake metadata --json
warning: Git tree '/home/zhaofeng/Git/fleet' is dirty
error: lock file contains unlocked input '{"lastModified":1665862219,"narHash":"sha256-VPPLMapU8HtCjb54WDKsnjTjyB3YYXkgxEtzf5Xyqx0=","type":"git","url":"file:///home/zhaofeng/Git/Jovian-NixOS"}'
(use '--show-trace' to show detailed location information)
| 20:27:12 |
| Zhaofeng Li | * Right, need to take a look. There are some more breaking changes regarding git+file:// flakes that I noticed with lazy-trees:
$ nix flake metadata --json
warning: Git tree '/home/zhaofeng/Git/fleet' is dirty
error: lock file contains unlocked input '{"lastModified":1665862219,"narHash":"sha256-VPPLMapU8HtCjb54WDKsnjTjyB3YYXkgxEtzf5Xyqx0=","type":"git","url":"file:///home/zhaofeng/Git/Jovian-NixOS"}'
(use '--show-trace' to show detailed location information)
| 20:28:12 |
| 18 Oct 2022 |
|  Shyim joined the room. | 09:01:40 |
| Shyim | Hey,
How would you handle secrets? 🤔 | 09:01:57 |
| Linux Hackerman | Personally I have them checked into my deployment repo, encrypted with GPG, and use a little module to abstract over decrypting them | 09:02:55 |
| Linux Hackerman | https://gist.github.com/lheckemann/3f4f3ce05521f4ace32bddce0b66e189 | 09:03:16 |
 @v:meowy.tech | I use https://github.com/serokell/vault-secrets, but other popular options are sops-nix (https://github.com/Mic92/sops-nix) and git-crypt (https://github.com/AGWA/git-crypt) | 09:03:58 |
| Linux Hackerman | then for example I have
secrets.loki-password.user = "promtail";
services.promtail.configuration.clients = [ { ...; password_file = config.secrets.loki-password.path; } ];
| 09:04:34 |
| Linux Hackerman | and it decrypts the secret from secrets/$hostname/loki-password.gpg and copies it over at deployment time | 09:05:05 |
| Shyim | Linux Hackerman: So I need the private gpg key on the machine right? :D | 09:05:44 |
| Linux Hackerman | the advantage of this approach is that the secrets can theoretically not get copied to the nix store (in practice they do, because I use Flakes) | 09:05:53 |
| Linux Hackerman | Shyim: only on the machine from which you're deploying | 09:06:01 |
| Shyim | AHHH. cool | 09:06:43 |
| Linux Hackerman | but I think I'll be switching to agenix or sops-nix at some point in the future, partly because this approach is colmena-specific and I'm not sure I want to stick with colmena | 09:06:57 |
| Linux Hackerman | and partly because the secrets are persisted unencrypted on the target machines' disks, which I'd also prefer not to do | 09:07:26 |
| Shyim | I currently join ssh and just do nixos-rebuild so. tbh: I don't care if it's in nix store. I just don't want to have them on Github publicly accessible as my nix files are public :D | 09:08:14 |
| Linux Hackerman | both agenix and sops-nix copy the encrypted secrets to the store as part of the system closure, and they're encrypted to a key that lies on the machine (often the SSH host key) to be decrypted only to a ramfs at runtime | 09:08:37 |
| Linux Hackerman | then again, having both the encrypted secrets and the unencrypted SSH host key on disk isn't much different from having the unencrypted secrets on disk I guess | 09:09:27 |
| Linux Hackerman | the next-level thing would be to add a TPM and measured boot into the setup, but I'm nowhere near getting there lol | 09:10:05 |
| @v:meowy.tech | In reply to @linus:schreibt.jetzt
then again, having both the encrypted secrets and the unencrypted SSH host key on disk isn't much different from having the unencrypted secrets on disk I guess the various permissions on the file also matter, the nix store is world readable but the ssh host key probably isnt | 09:10:16 |
| Linux Hackerman | right, but none of these approaches make the unencrypted secrets world-readable | 09:10:36 |
| Linux Hackerman | that's definitely off the table for me ^^ | 09:10:56 |
| @v:meowy.tech | My setup with a hashicorp vault is probably overkill, but when set up it does work quite nicely I have to say | 09:11:40 |
| Linux Hackerman | I kind of want to have something like that but I also don't want to set it up and maintain it x) | 09:12:05 |
