<lovesegfault>
gchristensen: Can I use NixOps if I need to go through a jump host to access my machines?
<lovesegfault>
A coworker had said it didn't work, but I know he only tried the old NixOps
lovesegfault has quit [Ping timeout: 260 seconds]
lovesegfault has joined #nixos-chat
<lovesegfault>
Damn internet
<samueldr>
~51000 people lost power right before supper time, in these trying times, in my city
<cole-h>
I can't imagine
<samueldr>
in a non-pandemic situation... it wouldn't be that big of a deal
<samueldr>
all restaurants are closed, only takeouts, and the power failure hits all restaurants that do takeouts in that zone without power!
<samueldr>
the good news is it happened at the distribution center, so most of them will get their power fixed at the same time, but that's also when equipment that was about to break breaks
<cole-h>
Wow
waleee-cl has quit [Quit: Connection closed for inactivity]
<julm>
lovesegfault: I guess you can put a ProxyCommand in a Host block in your ~/.ssh/config
<lovesegfault>
julm: there's a ProxyCommand? I use ProxyJump
<julm>
lovesegfault: ah. right. ProxyJump looks better to proxy with ssh
<julm>
so nixops should be using whichever you specify in your ~/.ssh/config
<julm>
what you can't currently do AFAIK is to specify another config file or another ssh binary to nixops when installed from nixpkgs (because it overrides PATH to use its own openssh derivation)
<lovesegfault>
Yeah, I think that was my coworker's complaint, that it completely ignored his ssh config
<julm>
cole-h: are you using pinentry-curses? if yes, be sure to export GPG_TTY=$(tty) and gpg-connect-agent updatestartuptty /bye in your shell's rc file
<cole-h>
Thanks, but I do indeed have that in my config. The problem is that, for whatever reason, enabling ssh support in my gpg-agent is busted. If I disable it, I can still authenticate my SSH subkey; if it's enabled, I never get a prompt
<julm>
lovesegfault: AFAIK, nixops' ssh does use ~/.ssh/config
<lovesegfault>
Oh?
<julm>
cole-h: does this command list your SSH key: gpg-connect-agent 'keyinfo --ssh-list'
<cole-h>
Indeed it does. Probably because I've already authenticated recently.
<julm>
AFAIK, it will list it there as soon as you've added it with ssh-add
<julm>
cole-h: I guess a good way to locate the problem is to put log-file and debug-all or just debug-pinentry in your gpg-agent.conf
<julm>
then pkill gpg-agent
<julm>
depending on the problem, you may try no-allow-external-cache, or specifying a pinentry-program
<cole-h>
I do actually use a pinentry program. It uses gnome3 if the requesting app isn't a terminal, and ncurses if it is
lovesegfault has quit [Ping timeout: 272 seconds]
lovesegfault has joined #nixos-chat
<ashkitten>
ugh lol, adding a gpu to my computer changed my ethernet interface name
<ashkitten>
which is apparently because of iommu groups
<cole-h>
"predictable interface names"
<cole-h>
Biggest joke of the 21st century
ZaraChimera has joined #nixos-chat
lovesegfault has quit [Quit: WeeChat 2.8]
<ashkitten>
predictable as long as your hardware doesn't change, i guess
<ashkitten>
which also applies to moving an adapter to a different usb port
<ashkitten>
or adding a gpu
<ashkitten>
ughhhhh sway won't start if i even have the nvidia module loaded
<ashkitten>
i have nvidia_modeset and nvidia_drm blacklisted
<ashkitten>
"--my-next-gpu-wont-be-nvidia" I'm literally only using this gpu for cuda you heck
<{^_^}>
error: syntax error, unexpected ',', expecting ')', at (string):293:107
<sphalerite>
ValidPathInfo::fingerprint — store path, nar hash, nar size and references
<andi->
sphalerite: ^
<sphalerite>
yeah
<sphalerite>
so once again I don't understand why we need drvs to be involved :/
<sphalerite>
because the path depends entirely on the drv...
<andi->
Where exactly are drvs bugging you?
<sphalerite>
because they shouldn't be necessary to safely substitute paths from untrusted machines
<sphalerite>
so no nix modification should be required. AFAIU.
<andi->
I'll have to take another look at that... Might be true if I just create a fake URL that carries all the information I need
<andi->
sphalerite: what that would probably no longer allow is having someone that has an identical output from a different derivation. It kills the content addressability
<__monty__>
Wouldn't basing it on the derivation prevent that too? Cause they're different?
<sphalerite>
andi-: content addressability is a different story — there you no longer need a signature to verify that the path has the right contents, and for CA derivations you'll need a revised signature scheme anyway
<andi->
I am not talking about the RFC for CA derivations or the new experimental feature
<andi->
The changes to nix that I proposed allowed me to go from the hash of a nar file to a drv file. That means if I have any drv locally that produces that path I can just serve it. Without that you have to have built the exact same drv on the machine you want to substitute from.
<sphalerite>
right, so drvs or fixed-output outputs?
<sphalerite>
andi-: do you though? Different drvs can produce the same output paths, so you just need any drv that produces the path that you want…
<sphalerite>
well you know that I guess
<andi->
Yeah, and when someone asks your substituter for that nar file you have to figure out which store path that content hash comes from.
<andi->
And that is where my changes were required
<sphalerite>
but what's the use in being able to substitute something you don't have a drv for?
<andi->
Think about a whitespace only change in a buildPhase
<andi->
or a (long / intermediary) build that produces the very same output as a previous version of that build
<andi->
You increase the chances of getting a cache hit on a nearby node.
<sphalerite>
oooh ok.
<sphalerite>
Do we have many of those?
<andi->
I don't know... I wanted to check that a while ago (when I was in Munich and was experimenting with graph databases, if you remember)
<{^_^}>
#74253 (by andir, 18 weeks ago, merged): stdenv: make symlinks that refer to the same output relative
<sphalerite>
ooh
<__monty__>
Hmm, I'm pretty lost. How does basing the content hash on the derivation help with content-addressability?
<andi->
You are probably really lost. I am not proposing that :-)
<andi->
I think I should maybe write a blog post about the idea...
<__monty__>
Yes, I'm in the woods and I'm out of breadcrumbs.
<andi->
My main problem was generating a nar file from a nar output hash. Nix records that in its database. You just can't query it at the moment. The idea was to query for a (list of) derivation(s) that produced this nar/file hash. Any of those could then be used to look up the local store path. With that store path you can generate the nar file through nix-store --export $path and just serve it.
<andi->
__monty__: ^ does that clear up a few things?
<__monty__>
Serving only the output of that one derivation?
<sphalerite>
andi-: what about storePath = getStorePathWithHash("76e0c0e473b68688f344a84ca139fde30baed4bfd380c997e68b047ef058df56").first(); `nix-store --export $storePath`?
ZaraChimera has quit [Quit: Going offline, see ya! (www.adiirc.com)]
<andi->
sphalerite: that is what I am doing. Just tried to write it less verbose :-)
<andi->
something in practice is the hash
<sphalerite>
andi-: no, mine doesn't involve a drv ;)
<andi->
sphalerite: you'll have to do the same lookup underneath
<sphalerite>
I don't see how. SELECT path FROM ValidPaths WHERE hash = "sha256:76e0c0e473b68688f344a84ca139fde30baed4bfd380c997e68b047ef058df56" LIMIT 1;
<andi->
mhhm
<sphalerite>
That might need a nix modification actually
<sphalerite>
but no drvs
<andi->
Yeah, most of this work is now >1y old.. I haven't really looked at those pieces since. Memory gets fuzzy :D
<sphalerite>
andi-: oh, but that uses the binary cache cache db, not the store db..?
<andi->
sphalerite: IIRC I did look at both... I had a reason for that.. maybe worth revisiting all of that
<andi->
sphalerite: looks like the other could work just as well... still requires some kind of modification to Nix to be able to access that DB from somewhere else :/
<andi->
I don't want to run this process as root on the current system (there is no real need) but sqlite demands that as otherwise you can't open the databases..
<sphalerite>
andi-: yeah, or copy the database to /tmp x)
<sphalerite>
andi-: that's what I always do when I want read access to it :D
<andi->
sphalerite: Yeah, I was thinking of just regularly copying that database.. that felt like a gigantic hack.
<andi->
There are only two ways that this can work reliably (without root): make changes such as those that I did propose to Nix, or make the sqlite interface pluggable.
<andi->
I don't see how we can make a good sqlite pluggable thing.. It is such a leaky abstraction due to SQL just being character strings..
<MichaelRaskin>
Hmmm. So Go/No-Go meeting was a 20-something people meeting just at Meet.Jit.si ? Voice-only, I assume.
<andi->
Some with video IIRC
<gchristensen>
yeah
<gchristensen>
video was pretty rough
<sphalerite>
andi-: alright, thanks very much for your time ^^
<MichaelRaskin>
20× audio on the main public instance is also pretty impressive, actually
<andi->
sphalerite: I am happy we came to (almost) the same conclusions on what is required :) I think I never managed to think it through with someone else before..
<andi->
arrgh. the firefox test on 19.09 now invokes OOM in the VM.. argh
<yorick>
andi-: wait, why is that easier than just generating a new nar file?
<andi->
hu? It is technically creating a new nar file it just doesn't care about how those work. I don't want to implement that code
<sphalerite>
yorick: the issue is knowing what to generate the nar file from :)
<yorick>
sphalerite: I mean, nix-serve already serves nars from a nix store, how does that work?
<kraem>
adisbladis: saw you switched to iwd. how did you solve letting udevd renaming of wlan0 to wlp#s# before iwd grabs the interface?
<kraem>
s/renaming/rename/
<gchristensen>
I think adisbladis is afk for a few days
<kraem>
ah alright, thanks
Jackneill has quit [Ping timeout: 250 seconds]
<eyJhb>
gchristensen: mini vacation?
vesper has quit [Ping timeout: 240 seconds]
immae has joined #nixos-chat
<tilpner>
Argh, monitoring is relentless
<tilpner>
I bet there's a way to make systemd services restart for a day before entering a failed state
<immae>
I think you’ll have to rely on your monitoring for that kind of feature...
* tilpner
serviceConfig.RestartSec = 4 * 60 * 60;
<immae>
That’s the time after which a failed service will try to restart
<tilpner>
That's okay, it can fail. It just can't stay failed for too long, or else monitoring will poke me
<tilpner>
It uses the GH API, and seems to be having problems a lot recently
<immae>
Ah right
<tilpner>
So "retry in 4h" seems fine-ish
<immae>
how often do you run the job?
<tilpner>
Hmm, hourly
<tilpner>
But as long as it succeeds within 12h of GHs API recovering, I don't mind if it's a bit delayed
<immae>
In naemon I have a system where I can say "only notify me when the job is failing for more than X min", so I would basically leave it in failed state and adjust the monitoring (but it may not be what you want)
<__monty__>
May want to enable Persistent= as well if this machine ever powers down.
<tilpner>
alertmanager has that too, but I only added a rule to alert if any systemd service fails
<immae>
ah
<tilpner>
So I don't want to add extra rules for specific services in there
<immae>
Can you filter out some services from the check maybe?
<immae>
Or, you can force the service to be successful (but then you wouldn’t be warned in case of permanent failure)
<tilpner>
I could, but I still want to get notifications if it keeps failing for a long time
<immae>
ok
<tilpner>
(I added a StartLimitBurst and StartLimitInterval, which might do that)
<immae>
I’m not sure that RestartSec will work though, it might leave the service in an erroneous (pending?) state
<tilpner>
Oh, I'm not sure about any of this. I'll see if it works soon though
<immae>
Yes
<immae>
Similar to what I do for backups, you could touch /var/lib/github_last_success at the end of the job and have alertmanager check the last time it was modified (or its content), while the job would always end with success
<immae>
It’s a workaround, but it might be more robust
<gchristensen>
][0987
<gchristensen>
oops
<andi->
interesting password :)
<gchristensen>
lol
<__monty__>
If you set Restart=on-failure, RestartSec= should restart the service when it fails, no?
<immae>
__monty__: the problem is, if the service is in a failed state, then his monitoring will cry and he doesn’t want that (at least not before 24h)
<tilpner>
I'm not sure
<tilpner>
It's already failed again, but AM is quiet so far
<tilpner>
Main PID: 14220 (code=exited, status=1/FAILURE)
<immae>
what does systemctl status says?
<immae>
say*
<tilpner>
Active: inactive (dead)
<immae>
(without argument)
<tilpner>
Failed: 0 units
<immae>
I suppose AM will take that
cole-h has joined #nixos-chat
<tilpner>
I suspect the next hourly timer activation might reset the StartLimitBurst counter though
<immae>
it might break the "check that it will run at least twice a day" requirement yes
<immae>
but that’s easy to test with a surely-failing job
<__monty__>
Hey, is there a way to specify extra directives for a timer defined with nixos' `startAt`?
<tilpner>
__monty__: startAt is a shortcut for defining a proper timer
<tilpner>
So just create the full timer, and then you can define all you want
<tilpner>
Then you can set systemd.timers.foo.timerConfig = ...;
<tilpner>
(That might work with startAt too, but looks weird)
<tilpner>
immae: Just tested it, it doesn't seem to reset the counter \o/
<immae>
Cool
<samueldr>
hey now, with the nixos support on #nixos-chat >:|
<immae>
samueldr: It’s not nixos specific, it’s about systemd more generally :)
<samueldr>
:)
<tilpner>
immae <3
<tilpner>
<3 immae
<{^_^}>
immae's karma got increased to 11
drakonis has joined #nixos-chat
waleee-cl has joined #nixos-chat
vesper11 has joined #nixos-chat
vesper11 has quit [Read error: Connection reset by peer]
vesper11 has joined #nixos-chat
<eyJhb>
Site to test DNS adblocker on?
<cole-h>
<insert any blogspam site here>
<aleph->
Guess today I finally figure out setting up prometheus
<aleph->
This should be fun
lovesegfault has joined #nixos-chat
<eyJhb>
cole-h: there is none for me atm. not even on my mobile not on wifi
<eyJhb>
Where are they hiding?!
<cole-h>
I'm always at my most stressed right after submitting a PR to any project and waiting for CI to finish x)
<cole-h>
Phew, CI gave me the thumbs up
<aleph->
Man prometheus is taking ages to compile
<yorick>
it shouldn't, it's Go
<aleph->
Hmm odd, why would it spit out: "error reading base template: open templates/_base.html: no such file or directory" when trying to hit the status page...
* aleph-
googles
<aleph->
Oh hey, I see an issue that you reference yorick. Heh
<yorick>
aleph-: should be fixed in nixpkgs
<yorick>
go build just won't cut it
<aleph->
Nod, hmm let me see what version I'm on and what channels I'm using...
<aleph->
Think I'm on 19.09
<aleph->
19.03
<samueldr>
you may want to upgrade that at some point
<colemickens>
hm, is package meta evaluated during a build?
<aleph->
Yeah guess I'll upgrade
<aleph->
Odd, my nixos channel is set to nixos-unstable
<cole-h>
colemickens: 99% sure yes
<aleph->
Can't recall, is downgrading easy?
<colemickens>
cole-h: I don't understand how anything I'm doing works then.
<cole-h>
Oh, sorry I misunderstood
<colemickens>
cole-h: I'm clearly building a package with libturbojpeg as a buildInput despite the problem you pointed out
<cole-h>
Package meta is not evaluated in a build, but it IS evaluated by ofborg
<cole-h>
Sorry ^^;
* colemickens
nods
<colemickens>
okay, glad to hear someone else say it