<asymmetric>
i'm looking at the fetch-instance-ssh-keys.bash script, and trying to understand how the keys have to be added as metadata
<asymmetric>
this is for a non-nixops project, so i'm trying to reverse engineer
asymmetric has joined #nixops
meh` has joined #nixops
<asymmetric>
ah i see, it's `root:$key-type $key-material $user@host`
avaq_ has joined #nixops
avaq has quit [Ping timeout: 252 seconds]
pbb has joined #nixops
cole-h has joined #nixops
avaq_ has quit [Ping timeout: 260 seconds]
cole-h has quit [Quit: Goodbye]
cole-h has joined #nixops
Baughn has joined #nixops
<Baughn>
What's the current state of the art on sharing cluster access to a team?
<Baughn>
Aka, I'd like to put the nixops database in a git repository or something... but from what I can tell, doing so doesn't really *work* at present.
<Baughn>
...stepping back. We have five machines we want to run NixOS on, and two people who'll be managing them. I've considered cooking something up with nixos-rebuild --target-host, but *ideally* I'd like to use nixops for this.
<clever>
Baughn: the solution i always recommend, is to share a central machine where the database lives, everybody will just ssh in and `screen -x`
<Baughn>
It might be an option, but we'd prefer not to pay for an extra machine just for rare deployments.
<clever>
it could just be another user on an existing box
<clever>
it can deploy to localhost
<Baughn>
If we do that, then `nixops reboot` is going to fail badly. :)
<clever>
properly educate the admins to `--exclude $hostname`
<Baughn>
I mean. We do actually want to reboot all of them.
<clever>
you can reboot that one box the old way, `sudo reboot`
<Baughn>
After running nixos-rebuild boot?
<clever>
after the `nixops deploy`
<Baughn>
The reason why I want to reboot the machine is because the deploy, on its own, would break the system.
<Baughn>
Sorry. I don't want to waste your time. I've *tried* running nixops on the same machine, and it works fine for the most part, but there are edge conditions this can't deal with. I might as well use nixos-rebuild and cook my own in that case.
<Baughn>
I'd really, really prefer if I can run this from my own desktop.
<clever>
what edge cases didnt it handle? iohk has several machines running like that
<Baughn>
Unlocking the filesystem / pushing keys on boot, for instance.
<Baughn>
So what I'm really looking for is some way to store the nixops database on e.g. EC2.
<clever>
yeah, having / encrypted, isnt really going to play nicely, when nixops is on /
<clever>
but what do you really gain from encryption / on AWS?
<Baughn>
The *machines* aren't on AWS.
<Baughn>
AWS is far too expensive.
<clever>
ah
<Baughn>
(They're actually at WebNX)
<Baughn>
And encrypting root is just kind of a gimme. We can, hence we should.
<Baughn>
Granted, I haven't checked if nixops supports this scenario yet. But if it doesn't, I can fix that.
<Baughn>
...so.
<Baughn>
It'll be interesting to see if anyone else chimes in, but so far it sounds like the answer is that nixops can't handle this scenario.