gchristensen changed the topic of #nixops to: NixOps related talk | logs: https://logs.nix.samueldr.com/nixops/ https://meet.jit.si/NixOpsReview
pbb has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
pbb has joined #nixops
<craige_> Does this configuration that you and clever devised still overwrite configuration.nix for you gchristensen ?
<craige_> I've been using it for a while and just realised it's not over-writing for me.
<gchristensen> it doesn't overwrite, just breaks nixos-rebuild
<craige_> ah, cool. I misunderstood.
<gchristensen> no worries :)
<craige_> I can confirm it does indeed break it :-)
<craige_> No idea where I got the re-write expectation.
<gchristensen> good:D
<cole-h> gchristensen: In that same file, does system.extraSystemBuilderCmds break store hashes or anything?
<gchristensen> hmm why do you ask?
<cole-h> Oh, I guess the hash is already calculated, to give an $out
<cole-h> Nevermind. Ignore my slightly-intoxicated question :D
<gchristensen> =)
andi- has quit [Ping timeout: 272 seconds]
andi- has joined #nixops
cole-h has quit [Quit: Goodbye]
adisbladis has quit [Remote host closed the connection]
adisbladi has joined #nixops
meh` has joined #nixops
teto has quit [Ping timeout: 260 seconds]
teto has joined #nixops
<kiwiirc> is nixops like an alternative to ansible?
<adisbladi> kiwiirc: You could say that.
adisbladi is now known as adisbladis
<kiwiirc> kool ty
<gchristensen> it is what ansible would be if ansible were built for nixos I guess
<kiwiirc> awesome
meh` has quit [Ping timeout: 240 seconds]
<aminechikhaoui> seems someone nuked fetch-ssh-keys which was used by nixops to pass ssh keys
<aminechikhaoui> Tewfik pointed out https://github.com/NixOS/nixpkgs/pull/51566 but I don't think it has any impact on nixops right adisbladis ?
teto1 has joined #nixops
<{^_^}> #51566 (by adisbladis, 1 year ago, merged): GCE OSLogin module: init
<adisbladis> aminechikhaoui: I'm afraid I don't understand. how was fetch-ssh-keys used by nixops? That's a service running on the remote server.
<aminechikhaoui> so for example nixops generates host keys then passes them over to the metadata service through the api https://github.com/nix-community/nixops-gce/blob/d817855da00034387f5a8d942ca043a0cc30c53b/nixops_gcp/backends/gce.py#L596
<aminechikhaoui> and that's how the known_hosts machinery is working
<adisbladis> Ahh, I see
<adisbladis> aminechikhaoui: It should be the same as before then, provided you enable oslogin on your instance
<adisbladis> That's where that magic happens
<aminechikhaoui> hm that seems to handle authorized keys only ?
<aminechikhaoui> not host keys
<aminechikhaoui> also I think the previous fetch-ssh-keys service expected a certain format in the metadata service
<adisbladis> Ahh! I get what you mean now.
<aminechikhaoui> but maybe if oslogin handles host keys as well it can be used somehow
tewfik has joined #nixops
<adisbladis> I haven't touched oslogin since I made that module so my memory is rusty
<adisbladis> But I don't recall seeing any host key handling
<aminechikhaoui> I see, maybe we just need to revive that service then. I don't remember why it had a "TODO remove" which confused the contributor to remove it
<aminechikhaoui> or maybe we should use the same module used by ec2 if it's generic enough
<tewfik> do we need to enable "enable-oslogin" while creating the GCE machine?
<aminechikhaoui> I think that'd be nice to have by default in the image if it enables ad hoc addition of ssh keys using the vm metadata
<tewfik> actually like you said Amine we probably need nixops to manage its own ssh keys
<adisbladis> I think the removal was probably the right thing to do, and we should probably move the host key functionality to nixops-gce.
<adisbladis> Unless it's standardised somehow, but I think they're just some nixos specific metadata attributes?
<adisbladis> aminechikhaoui: It does enable exactly that :)
<aminechikhaoui> adisbladis I don't see how we can make it in nixops-gce as this happens early on in the boot process and that's used for the first ssh connection
<adisbladis> Darn it :/
<adisbladis> aminechikhaoui: I don't know what the right call is
<aminechikhaoui> well that's what we do for ec2 so it seems fine to be consistent with that https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/ec2-data.nix
<adisbladis> aminechikhaoui: I guess reviving the host key portions of fetch-ssh-keys is OK
<adisbladis> The alternative I think is to let the remote generate its own host key and then add the appropriate hooks for a plugin to upload a new key before the deploy steps start happening
<adisbladis> I think the latter is much cleaner if possible
<aminechikhaoui> adisbladis how would the upload happen exactly ?
cole-h has joined #nixops
<adisbladis> Over SSH (using the host-generated key)
<cole-h> adisbladis++ Thanks for merging my PR :D
<{^_^}> adisbladis's karma got increased to 101
<cole-h> Only thing I'm missing to be able to just plainly fetchTarball the nixops package is your custom nixpkgs PR <3
<aminechikhaoui> adisbladis but to use ssh you need to trust the host key first, so unless we disable host verification for the upload it won't work, right?
<aminechikhaoui> or not disable just trust whatever the first host key is
<adisbladis> aminechikhaoui: Yes, which we do for the none backend for example
<adisbladis> Or not really disabling, but using TOFU
<aminechikhaoui> the none backend is already trusted I would assume as you generally would have ssh access prior to using nixops
<adisbladis> aminechikhaoui: Maybe fetch-ssh-keys is not so bad after all ^_^
<aminechikhaoui> adisbladis yeah not too bad, just would be nice if it's the same module for both Google/EC2
<aminechikhaoui> not sure how easy, the metadata service is a bit different in both
* aminechikhaoui thinks there should be a cloud standard :p
<adisbladis> aminechikhaoui: Then how do you get vendor lockin?
<aminechikhaoui> :-(
tewfik has quit [Ping timeout: 240 seconds]
nuncanada has joined #nixops
teto1 has quit [Ping timeout: 246 seconds]
energizer_ has joined #nixops
teto1 has joined #nixops
energizer_ is now known as energizer
tokudan[m] has joined #nixops
teto1 has quit [Ping timeout: 272 seconds]
teto1 has joined #nixops
meh` has joined #nixops
teto1 has quit [Ping timeout: 260 seconds]
teto1 has joined #nixops
meh` has quit [Ping timeout: 240 seconds]
teto1 has quit [Quit: WeeChat 2.8]
n3t has quit [Ping timeout: 256 seconds]