#nixops on 2020-03-30

2019-08-31 02:51 samueldr changed the topic of #nixops to: NixOps related talk | logs: https://logs.nix.samueldr.com/nixops/

01:34 DigitalKiwi has quit [Quit: quite.]

01:35 DigitalKiwi has joined #nixops

02:09 DigitalKiwi has quit [Quit: quite.]

02:09 DigitalKiwi has joined #nixops

05:02 <DigitalKiwi> what's the difference between what goes in the MachineState and MachineDefinitions?

05:03 <DigitalKiwi> there aren't as many of the settings in the MachineDefinition as there are in MachineState and i don't know why

05:26 lordcirth_ has quit [Remote host closed the connection]

05:27 lordcirth_ has joined #nixops

05:30 bhipple has quit [Remote host closed the connection]

05:30 <clever> DigitalKiwi: i think MachineDefinitions is what was defined in the deployment files, and gets translated from nix->xml->python

05:30 <clever> DigitalKiwi: and MachineState is what then manages state, and will deploy based on the latest definition

06:08 <DigitalKiwi> ok makes sense. thanks

06:20 lordcirth_ has quit [Remote host closed the connection]

06:21 lordcirth_ has joined #nixops

06:53 lordcirth__ has joined #nixops

06:54 lordcirth_ has quit [Read error: Connection reset by peer]

07:33 lordcirth__ has quit [Remote host closed the connection]

07:33 lordcirth__ has joined #nixops

08:14 lordcirth__ has quit [Read error: Connection reset by peer]

08:14 lordcirth__ has joined #nixops

08:19 lordcirth__ has quit [Read error: Connection reset by peer]

08:20 lordcirth__ has joined #nixops

13:14 nix-build has joined #nixops

13:15 {^_^} has quit [Read error: Connection reset by peer]

13:15 Cadey has quit [Ping timeout: 240 seconds]

13:17 Cadey has joined #nixops

14:04 lordcirth__ has quit [Read error: Connection reset by peer]

14:33 gleber_ has joined #nixops

15:45 monokrome has quit [*.net *.split]

15:45 monokrome has joined #nixops

15:48 aanderse has quit [Ping timeout: 246 seconds]

15:52 craige has quit [Ping timeout: 264 seconds]

15:53 craige has joined #nixops

16:46 aanderse has joined #nixops

16:53 nuncanada has joined #nixops

16:57 <gchristensen> adisbladis: nice work here: https://github.com/NixOS/nixops/pull/1270

16:57 <nix-build> nixops#1270 (by adisbladis, 21 hours ago, open): Add support for non-root deployments

16:58 <adisbladis> Thanks :)

16:58 <adisbladis> I'm not 100% about this https://github.com/NixOS/nixops/pull/1270/files#diff-e88498e41138501b84492ac034bed264R52

16:58 <adisbladis> I don't really like that !root implies agent forwarding

16:59 <adisbladis> For my use case that's required, but you may use some other privelege escalation method that doesn't

16:59 <adisbladis> And agent forwarding comes with some risks

16:59 <gchristensen> I agree, I am not keen on that

17:00 <adisbladis> deployment.forwardAgent ?

17:00 <gchristensen> that should probably be its own tunable, or even fall back to ssh_config

17:00 <adisbladis> That could also help with https://github.com/NixOS/nixops/issues/1150

17:00 <gchristensen> I'm going to make some lunch, back shortly

17:00 <nix-build> nixops#1150 (by Nekroze, 45 weeks ago, open): Bastion/Jump host support

17:01 <gchristensen> what does morph do here?

17:01 <adisbladis> Good question :)

17:14 <adisbladis> They ask for sudo password

17:15 <adisbladis> Which we can't, we don't even allocate a tty

17:15 <gchristensen> wow what

17:32 <adisbladis> I'm leaning towards just making forwarding a separate configurable

17:33 <adisbladis> And as a separate follow-up we could relatively easily solve https://github.com/NixOS/nixops/issues/1150 too I think

17:33 <nix-build> nixops#1150 (by Nekroze, 45 weeks ago, open): Bastion/Jump host support

17:33 <gchristensen> it is quite hard actually

17:33 <gchristensen> because we use TCP ports as a hint for "is it up?"

17:34 <adisbladis> Ah, I didn't think of that

17:34 <adisbladis> Regardless forwardAgent is an easy addition that doesn't break that model

17:34 <gchristensen> maybe we shouldn't, though, maybe we should just connect

17:35 <gchristensen> i also wonder about terraform's model for configuring how to connect to a device

17:35 <adisbladis> gchristensen: deployment.forwardAgent sounds good to you ?

17:36 <gchristensen> I wonder a bit if creating a bunch of optinos like this means we're not understanding the problem right, but other than that it sounds okay -- I want to take a look at terraform's config though

17:47 <aminechikhaoui> adisbladis we have the same need for agent forwarding @work :/

17:47 <aminechikhaoui> btw rootless nixops won't work out of the box right ? you need to be a trusted-user in nix.conf I would guess

17:57 <adisbladis> aminechikhaoui: Yes, you need to be trusted.

17:57 <gchristensen> on that note I find it very uncomfortable that the bastion uses agent forwarding for Git operations

17:59 pbb has quit [Remote host closed the connection]

18:00 pbb has joined #nixops

18:05 pbb has quit [Excess Flood]

18:09 pbb has joined #nixops

18:14 <gchristensen> adisbladis: https://www.terraform.io/docs/provisioners/connection.html

18:21 <adisbladis> gchristensen: Ok

18:21 <adisbladis> Hm

18:23 <adisbladis> Anyway, I made agent forwarding configurable

18:24 <aminechikhaoui> what does terraform use connection for ? I thought it only does provisioning

18:25 <adisbladis> aminechikhaoui: They have a concept of "provisioners" which SSHs in to set things up

18:25 <adisbladis> You're supposed to hand off to some config management tool after the provisioning

18:25 <aminechikhaoui> yeah I always though terraform doesn't handle that at all

18:25 <aminechikhaoui> cool

18:26 <aminechikhaoui> thought*

18:26 <gchristensen> very poorly

18:27 <aminechikhaoui> so... there can be a nix provisioner :D

18:27 <aminechikhaoui> is this new i.e newer than your nixos-terraform experiments gchristensen ?

18:28 <gchristensen> we really don't want ot use terraform for its provisiner

18:28 <gchristensen> more thinking we can model our configuration after its own

18:29 <aminechikhaoui> seems https://www.terraform.io/docs/provisioners/local-exec.html can run a nix-copy-closure, nixops is always nicer of course but just thinking of this for e.g Azure

18:29 <aminechikhaoui> yeah totally unrelated questions to nixops

18:35 <adisbladis> All checks green on https://github.com/NixOS/nixops/pull/1270

18:35 <nix-build> nixops#1270 (by adisbladis, 23 hours ago, open): Add support for non-root deployments

18:40 <gchristensen> nice

18:40 <gchristensen> will look :P

18:40 <gchristensen> sorry, a couple things took precedent

18:40 <adisbladis> I'm not in a hurry or anything :)

18:53 <gchristensen> I mean, maybe we sohuld just stop checking if the port is open

19:12 <adisbladis> gchristensen: I'd be happy to do that in another PR

19:12 <adisbladis> I think we need to add some retry logic around SSH to make that work

19:12 <gchristensen> yeah

19:13 <gchristensen> and we should talk to aszlig about that too

19:16 <adisbladis> Considering that there is always a "master" socket created I think it can be quite elegant =)

19:17 <gchristensen> oh?

19:17 <adisbladis> gchristensen: We only have to retry when creating the master socket and assume we have a working socket when executing commands

19:22 aszlig has joined #nixops

21:12 syd has joined #nixops

21:28 syd has quit [Remote host closed the connection]