| 23 Oct 2021 |
David Arnold (blaggacao) | Btw, does anybody want to prep a PR to ditch git-crypt? 😎🙂 | 21:02:44 |
b12f | probably impossible without hacking into the bootloader setup stuff from nixos. We're looking at putting the kernel into an unencrypted partition, this way we can ditch the keyfiles altogether. Only personal data will be encrypted then | 21:06:28 |
@teutat3s:pub.solar | In reply to @blaggacao:matrix.org I wonder if that would even be possible? Afaik, agenix is injecting itself into stage2, correct me if I'm wrong. But it would be interesting to know if there is a way to get early boot support for decrypting. The current problem is rather that the activation hooks agenix uses run after the bootloader setup / update step. That's why it's trying to copy the keyfile into the initrd when agenix didn't even have a chance to decrypt it yet | 21:07:41 |
b12f | teutat3s asked the agenix dev for advice
https://github.com/NixOS/nixpkgs/blob/57961d2b838cc31fa4ce89641b6a8db544a8471a/nixos/modules/system/activation/switch-to-configuration.pl#L61
| 21:08:36 |
b12f | we'd have to somehow hook in there, but I don't see my nix knowledge reaching that far :P | 21:09:18 |
David Arnold (blaggacao) | The @installBootLoader@ can come from different places, afair. | 21:11:48 |
@teutat3s:pub.solar | in our case it would be grub https://github.com/NixOS/nixpkgs/blob/5605b561ce51d3e6b5a56566d6e58fe3e5b36970/nixos/modules/system/boot/loader/grub/grub.nix#L726 | 21:12:26 |
David Arnold (blaggacao) | Just saw initialRamdiskSecretsAppender... | 21:14:56 |
David Arnold (blaggacao) | Maybe an agenix grub module needs to be written? | 21:16:28 |
b12f | Perhaps. A hook that can start services before the bootloader init might be more general-purpose though | 21:37:19 |
b12f | You'd need health or ready checks however, the complexity could become too big to justify the effort | 21:38:05 |
genadij.udarov | Hey, I'm very new to nixos, let alone devos. I've stumbled upon a note[1] in the documentation: It is convenient to have the template living at /etc/nixos so you can simply sudo nixos-rebuild switch from anywhere on the system, but it is not required. So my question is, how would this work? Should I place contents of devos/* in /etc/nixos/, or should I add the devos folder to /etc/nixos/devos and reference it somehow from /etc/nixos/configuration.nix?
Btw, thanks for awesome work on Devos, I love it! [1] https://devos.divnix.com/start/from-nixos.html
| 21:48:11 |
b12f | I've got my repository at `~/Workspace/os` and then symlink the directory to /etc/nixos | 21:50:04 |
b12f | Works really well | 21:50:09 |
genadij.udarov | So rm -rf /etc/nixos && ln -s /some/where /etc/nixos, right? Thanks for a quick reply! | 21:51:13 |
David Arnold (blaggacao) | genadij.udarov the not-so-irrelevant difference between devos and "traditional" nixos is that devos uses flakes. Flakes are repositories. Repositories live in two places: remote & your local checkout. | 22:17:54 |
David Arnold (blaggacao) | Where you choose to place a local checkout doesn't matter at all. | 22:18:11 |
David Arnold (blaggacao) | ~/Workspace/devos is good. Or just ~/devos. | 22:18:46 |
David Arnold (blaggacao) | I organize my local checkouts like so:
~/src/github.com/blaggacao/... | 22:19:11 |
David Arnold (blaggacao) | I use ghq for that, but since recently there is a tool called gst (ghost) in nixpkgs that does the same but a little better still (haven't had the chance to switch, yet). | 22:20:06 |
David Arnold (blaggacao) | How does the devos repo know which host to deploy to, you might ask. | 22:20:48 |
David Arnold (blaggacao) | deploy-rs does it via the IP of that host. | 22:21:05 |
David Arnold (blaggacao) | (& ssh) | 22:21:16 |
genadij.udarov | Makes sense. My main confusion was how to run nixos-rebuild switch from any dir (which was mentioned in the docs I've linked) | 22:21:51 |
David Arnold (blaggacao) | Oh, you'd be able to run bud ... (ask bud --help). | 22:23:10 |
David Arnold (blaggacao) | (within the devshell of that repo) | 22:23:20 |
David Arnold (blaggacao) | Currently those are "smart" wrappers. Unfortunately, they are not yet ported to deploy-rs to have the benefit of a unified and easy to maintain /explain codepath. | 22:24:08 |
genadij.udarov | Yeah, I'm able to run that. Is the statement It is convenient to have the template living at /etc/nixos so you can simply sudo nixos-rebuild switch from anywhere on the system, but it is not required. outdated? | 22:24:31 |
David Arnold (blaggacao) | Yes! Definitely! Please do your first PR 😆 | 22:25:07 |
genadij.udarov | Removing that line would be enough, right? | 22:25:42 |