adisbladis changed the topic of #nixops to: NixOps related talk | logs: | NixOps 2.0 planning call 2021-02-05 15:00 UTC
cole-h has quit [Ping timeout: 240 seconds]
avaq has joined #nixops
<asymmetric> i'm looking at the fetch-instance-ssh-keys.bash script, and trying to understand how the keys have to be added as metadata
<asymmetric> this is for a non-nixops project, so i'm trying to reverse engineer
asymmetric has joined #nixops
meh` has joined #nixops
<asymmetric> ah i see, it's `root:$key-type $key-material $user@host`
avaq_ has joined #nixops
avaq has quit [Ping timeout: 252 seconds]
pbb has joined #nixops
cole-h has joined #nixops
avaq_ has quit [Ping timeout: 260 seconds]
cole-h has quit [Quit: Goodbye]
cole-h has joined #nixops
Baughn has joined #nixops
<Baughn> What's the current state of the art on sharing cluster access to a team?
<Baughn> Aka, I'd like to put the nixops database in a git repository or something... but from what I can tell, doing so doesn't really *work* at present.
<Baughn> ...stepping back. We have five machines we want to run NixOS on, and two people who'll be managing them. I've considered cooking something up with nixos-rebuild --target-host, but *ideally* I'd like to use nixops for this.
<clever> Baughn: the solution i always recommend, is to share a central machine where the database lives, everybody will just ssh in and `screen -x`
<Baughn> It might be an option, but we'd prefer not to pay for an extra machine just for rare deployments.
<clever> it could just be another user on an existing box
<clever> it can deploy to localhost
<Baughn> If we do that, then `nixops reboot` is going to fail badly. :)
<clever> properly educate the admins to `--exclude $hostname`
<Baughn> I mean. We do actually want to reboot all of them.
<clever> you can reboot that one box the old way, `sudo reboot`
<Baughn> After running nixos-rebuild boot?
<clever> after the `nixops deploy`
<Baughn> The reason why I want to reboot the machine is because the deploy, on its own, would break the system.
<Baughn> Sorry. I don't want to waste your time. I've *tried* running nixops on the same machine, and it works fine for the most part, but there are edge conditions this can't deal with. I might as well use nixos-rebuild and cook my own in that case.
<Baughn> I'd really, really prefer if I can run this from my own desktop.
<clever> what edge cases didnt it handle? iohk has several machines running like that
<Baughn> Unlocking the filesystem / pushing keys on boot, for instance.
<Baughn> So what I'm really looking for is some way to store the nixops database on e.g. EC2.
<clever> yeah, having / encrypted, isnt really going to play nicely, when nixops is on /
<clever> but what do you really gain from encryption / on AWS?
<Baughn> The *machines* aren't on AWS.
<Baughn> AWS is far too expensive.
<clever> ah
<Baughn> (They're actually at WebNX)
<Baughn> And encrypting root is just kind of a gimme. We can, hence we should.
<Baughn> Granted, I haven't checked if nixops supports this scenario yet. But if it doesn't, I can fix that.
<Baughn> It'll be interesting to see if anyone else chimes in, but so far it sounds like the answer is that nixops can't handle this scenario.
cole-h has quit [Quit: Goodbye]
cole-h has joined #nixops
aminechikhaoui has joined #nixops
meh` has quit [Ping timeout: 240 seconds]