<drakonis>
i'm not sure if i understand the point of that
<samueldr>
so you can extend your configuration
<gchristensen>
this is super exciting because it means I can include 2 different types of a system into one netboot image, and then switch after boot based on some criteria
<samueldr>
you make your base configuration, then extend.clone with some option you don't want to run daily
<drakonis>
ah i see.
<gchristensen>
samueldr: oh heck yeah, could include some Docker stuff in there
<samueldr>
like e.g. run nouveau by default, nvidia proprietary in "game mode"
<samueldr>
#45345 is where this was revived for grub
<gchristensen>
apparently early on in my nixops 2->3 testing I accidentally'd my statefile :)
<aminechikhaoui>
scary :) we do uploads of encrypted statefile backups to S3 at work which turned out to be super useful when things get messed up
<gchristensen>
nice
<gchristensen>
aminechikhaoui: what if you could do ... { my-machine.deployment = { targetEnv = "ec2"; accessKeyId = { provider = "vault"; engine = "iam"; role = "deployer"; }; }; }
<aminechikhaoui>
hm neat !
<gchristensen>
what if { provider = "vault" ... } allowed nixops to accept secret providing plugins
<aminechikhaoui>
solves keys rotation which we're almost not doing
<gchristensen>
:)
<aminechikhaoui>
"secret providing plugins" as in what /run/keys currently does ?
<aminechikhaoui>
or you're just looking at things like iam user/roles for now ?
<gchristensen>
nah, just that the ec2 plugin, digitalocean, packet, etc. can all have this same "provider" interface, and then a Vault plugin can be written... or a `pass` plugin could be written
<aminechikhaoui>
oh yeah that would be really cool
<gchristensen>
though maybe, deployment.keys.my-secret.text = { provider = "pass"; name = "my-pass-entry"; }
<aminechikhaoui>
vault would be the coolest :D
<gchristensen>
I've been running a laptop-local Vault for the past bit. it has been a lot of fun :)
<aminechikhaoui>
but ideally /run/keys would be some sort of fuse fs that talks directly to vault instead of the deploy server ?
<gchristensen>
that is a whole can of worms that we're probably nowhere near ready to solve, hehe
<aminechikhaoui>
as /run/keys would then be updated automatically instead of sending keys only during deploys
<gchristensen>
yeah
<gchristensen>
that would be super nice
Church- has joined #nixos-chat
<aminechikhaoui>
but yeah secret management is a can of worms :-)
<gchristensen>
yup
<gchristensen>
for now my main interest is in not having these EC2 / Packet credentials in my env or in my nix expressions
<aminechikhaoui>
yeah good first step
<gchristensen>
cool :D
<aminechikhaoui>
I really hate that the AWS keys are years old sometimes for nixops, which usually has a pretty wide set of permissions
<aminechikhaoui>
so that would make it much better
<gchristensen>
yeah, that is pretty scary
<gchristensen>
samueldr: this nesting.clone stuff is actually weird. `ln -s $i $out/fine-tune/child-$childCount`
<samueldr>
I haven't actively used it, only tested the PR
<gchristensen>
I was expecting, well, erm, names
<samueldr>
tell that to nbp about a year ago :)
<gchristensen>
if I did, I would expect him to say "you're 9 years late, bud."
<gchristensen>
also, being able to refer to their activation script via `nesting.clone.subtypename.activate` would be gravy
<gchristensen>
okay I'm heading to bed, g'night y'all!
Church- has quit [Ping timeout: 260 seconds]
Church- has joined #nixos-chat
drakonis has quit [Remote host closed the connection]
drakonis has joined #nixos-chat
drakonis has quit [Read error: Connection reset by peer]
endformationage has quit [Ping timeout: 255 seconds]
waleee-cl has quit [Quit: Connection closed for inactivity]
drakonis has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.7.1]
<samueldr>
:/ from what I'm reading, it looks like samsung phones have a phone-home-based unlock that's a bit worse in some ways than xiaomi's
<samueldr>
less worse: it doesn't require you to register to do it
<samueldr>
worse: if you change the sim card, there is an android-based service, seemingly named vaultkeeper, that will reset that state
<samueldr>
which, from some reading, might even lock you out of a custom flashed system :|
<samueldr>
and this is a system that's added on top of the existing FRP and similar systems
<samueldr>
looks like it's on phones from 2017 onwards
<samueldr>
wondering if any have experience with it here
<samueldr>
some more reading, knoxguard could be another keyword
cole-h has quit [Quit: WeeChat 2.7.1]
cole-h has joined #nixos-chat
neeasade has quit [Ping timeout: 240 seconds]
cole-h has quit [Ping timeout: 260 seconds]
KeiraT has quit [Ping timeout: 240 seconds]
malSet has quit [Read error: Connection reset by peer]
malSet has joined #nixos-chat
veske has joined #nixos-chat
sphalerite has quit [Quit: WeeChat 2.6]
sphalerite has joined #nixos-chat
madjar has joined #nixos-chat
sphalerite has quit [Quit: WeeChat 2.7.1]
sphalerite has joined #nixos-chat
sphalerite has quit [Client Quit]
sphalerite has joined #nixos-chat
__monty__ has joined #nixos-chat
veske has quit [Quit: This computer has gone to sleep]
<clever>
samueldr: i don't know how it worked exactly, but my dad's samsung s3 was configured (via corp policy stuff) to auto-encrypt the sd card, any sd card
<clever>
samueldr: so inserting any card into the phone basically ruined all data :P
<pie_[bnc]>
what does your dad even do
<pie_[bnc]>
actually I'm pretty sure i asked before
<clever>
pie_[bnc]: xray machine repair
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-chat
waleee-cl has joined #nixos-chat
KeiraT has joined #nixos-chat
veske has joined #nixos-chat
veske has quit [Client Quit]
endformationage has joined #nixos-chat
malSet has quit [Read error: Connection reset by peer]
malSet has joined #nixos-chat
malSet has quit [Read error: Connection reset by peer]
malSet has joined #nixos-chat
malSet has quit [Read error: Connection reset by peer]
malSet has joined #nixos-chat
malSet has quit [Quit: Quit.]
malSet has joined #nixos-chat
<samueldr>
clever: the S3 is way too old here :)
malSet_ has joined #nixos-chat
malSet has quit [Ping timeout: 265 seconds]
malSet_ has quit [Ping timeout: 260 seconds]
malSet has joined #nixos-chat
neeasade has joined #nixos-chat
cole-h has joined #nixos-chat
drakonis has joined #nixos-chat
psyanticy has joined #nixos-chat
emily has quit [Ping timeout: 240 seconds]
philipp[m] has quit [Ping timeout: 240 seconds]
dtz has quit [Ping timeout: 256 seconds]
madjar has quit [Quit: Connection closed for inactivity]
alex_giusi_tiri has joined #nixos-chat
lovesegfault has quit [Quit: WeeChat 2.7.1]
wildtrees has joined #nixos-chat
wildtrees has quit [Remote host closed the connection]
wildtrees has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 272 seconds]
lovesegfault has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 246 seconds]
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 272 seconds]
psyanticy has quit [Quit: Connection closed for inactivity]
neeasade has quit [Remote host closed the connection]
<samueldr>
I intend to implement something with similar semantics for "boot selection agents"
drakonis has quit [Read error: Connection reset by peer]
KeiraT has joined #nixos-chat
drakonis has joined #nixos-chat
<samueldr>
(and probably implement this one outright for encryption passphrase later on)
drakonis1 has joined #nixos-chat
drakonis has quit [Read error: Connection reset by peer]
drakonis_ has joined #nixos-chat
drakonis_ has quit [Read error: Connection reset by peer]
drakonis_ has joined #nixos-chat
<joepie91>
> simple .ini-style file
<joepie91>
why
<{^_^}>
undefined variable 'simple' at (string):284:1
<joepie91>
why pick one of the two most badly-specified formats
<joepie91>
:|
<samueldr>
joepie91: you're in luck, I do not intend to use ini-like in the boot selection
<samueldr>
json, as user-unfriendly as it can be, at the very least it's going to work fine for strict interop
<joepie91>
pick either JSON or TOML
<joepie91>
I don't like TOML for anything more complex than single-depth config, but it can work okay for this sort of usecase
<samueldr>
it's not even intended for user consumption
<joepie91>
samueldr: anyway one major design issue I see with that, is that there's nothing preventing two agents from asking about the same password?
<samueldr>
here I'm 99% sure it's systemd reusing their system
<joepie91>
yeah, JSON is probably fine here
<samueldr>
joepie91: that's exactly what it intends to do
<samueldr>
>> Make sure to hide a password query dialog as soon as a) the ask.xxxx file is deleted, watch this with inotify. b) the NotAfter= time elapses, if it is set != 0.
<lovesegfault>
There are so many systemd PRs in the limbo :/
<joepie91>
another issue: it's badly defined whether Echo is to be strictly followed or can be overridden by the agent
<lovesegfault>
it makes it almost seem like systemd is unmaintained
<joepie91>
(I really hope it is the latter)
<samueldr>
"reusing their system" I meant "reusing their parsers"
<samueldr>
joepie91: I tend to agree here, at that point it's more an implementation detail
<joepie91>
samueldr: I don't think the agent is supposed to be the one deleting it?
<samueldr>
that's right
<samueldr>
I assume it's not specified here (it should be) that the other side of the socket deletes it
<joepie91>
right so there is nothing preventing two different agents from responding to the same ask
<joepie91>
there's no locking
<drakonis1>
8944 PRs closed tho
<joepie91>
= problem
<samueldr>
agents may not even be able to write here
<drakonis1>
they all have discussion
<joepie91>
dunno, I guess I just don't have a lot of patience for the tendency of Unix-y userland tools to badly reinvent a database for every new project and utility
<samueldr>
I'm not sure here where there's a database, what's re-invented is IPC AFAICT
malSet has quit [Quit: Quit.]
wildtrees has quit [Remote host closed the connection]
malSet has joined #nixos-chat
wildtrees has joined #nixos-chat
drakonis_ has quit [Read error: Connection reset by peer]
drakonis_ has joined #nixos-chat
malSet has quit [Ping timeout: 255 seconds]
malSet has joined #nixos-chat
drakonis_ has quit [Read error: Connection reset by peer]