<infinisil>
Nixops is really not designed around statelessness, so I'm not sure how much I'd want to rely on that
<adisbladis>
infinisil: We're getting there =)
<gchristensen>
that sounds like FUD, infinisil
<adisbladis>
There are a lot of misconceptions around NixOps and its statefulness
<infinisil>
Okay correction: I *feel* like nixops is not designed around statelessness
<adisbladis>
Personally I think we are very close to getting to stateless by default
<infinisil>
Nice that sounds great
<emily>
infinisil: guessing "provisioning" is out of scope for nixoses?
<emily>
like, the more one-time setup stuff
<adisbladis>
But really, if you want something that provides more value than `nixos-rebuild --target-host` you need to keep state around
<infinisil>
emily: I would like to add it eventually!
<emily>
(except it's rarely just only one time in practice...)
<emily>
I wonder how the auto-rollback would interact with the fact that my server reboots need manual intervention
<emily>
(ssh to give disk encryption password)
<emily>
(that would be nice to automate more too, admittedly)
<emily>
I guess as long as timeouts are generous enough it'd be fine
<infinisil>
You can configure the timeout
<infinisil>
successTimeout
<emily>
adisbladis: I'm curious as to your reasoning for that
<emily>
since I don't think state would really be necessary for any of the usecases I have
<emily>
I mean, NixOS itself doesn't need any state for generations...
<gchristensen>
it does
<adisbladis>
Sure it does?
<infinisil>
I guess there's always going to be state. Either it's in nix files for evaluation time, or in the target hosts filesystem at runtime
<infinisil>
Or I guess with nixops in e.g. A local sqlite database
<gchristensen>
gotta get that info somehow
<cole-h>
Example state that NixOS keeps: uid/gid map (IIRC)
<gchristensen>
and the decisions are trade-off around UX and automation
<adisbladis>
cole-h: Yep
<adisbladis>
(Which I think is a bit unfortunate, but it is what it is)
parsley936 has quit [Quit: Leaving]
<infinisil>
I would kind of like to implement static uids by default with an /etc/nixos/ids.nix
<infinisil>
But I feel like that's a bit too much for the average user
<infinisil>
The interface would have to be flawless
<emily>
ok, let me clarify: switching generations doesn't use external state in the same way nixops does
<emily>
like, the state is derived from the state of the running system
<adisbladis>
Not always
<emily>
cole-h: yeah but I want to kill that, so... :p
<adisbladis>
Keys for example are also state
<emily>
right. I agree secrets need special handling
<cole-h>
Really, any handling...
<emily>
but those don't necessarily need to be nixops-specific mutable state either since there are lots of secret handling options, everything from storing encrypted stuff in git to fancy server-based vault setups?
<adisbladis>
emily: Let's take the encrypted links support (basically mesh vpn) from nixops 1.7 for example
<emily>
(why does nixops implement a mesh VPN when wireguard already exists...?)
<adisbladis>
emily: This predates wireguard
<qyliss>
NixOps predates Wireguard, I assume
<emily>
fair enough, I didn't know how old 1.7 was :p
<emily>
though it still feels like rather heavy functionality for a deployment tool
<adisbladis>
Also "use wireguard" is a giant handwave
<adisbladis>
How do you get keys on to your system ?
<adisbladis>
systems*
<adisbladis>
And establish IPs for each of the remotes you want to connect
<adisbladis>
And you don't want to query each remote for their keys every time you deploy
<adisbladis>
This kind of state is useful to have locally or at least semi-locally
<infinisil>
How do you get private keys to the systems with nixops?
<adisbladis>
infinisil: Basically scp
<adisbladis>
We've very recently switched to rsync, but that's an implementation detail
<infinisil>
Ah so it treats it like a normal secret
<adisbladis>
My point is that state is not something to stay away from at all costs
<adisbladis>
There is a good point to certain state
<infinisil>
Hm, I guess a reason to e.g. keep each machines public key locally is that you can do deploys even when some are down
<samueldr>
be in control of your state, know what is your state surface
<adisbladis>
samueldr: be water my friend
<samueldr>
wet?
<adisbladis>
samueldr: I believe it's a quote by Bruce Lee
<adisbladis>
infinisil: Yes :)
<infinisil>
But then I guess public keys might be good to keep in a nix/json file (perhaps autogenerated)
<adisbladis>
infinisil: Congrats. You've reinvented NixOps state ;)
<infinisil>
Hm, the problem with an sqlite db is just that you can't commit it publicly
<adisbladis>
infinisil: That's what the state backends PR addresses
<adisbladis>
Or, you mean in a git repo?
<infinisil>
Yes
<adisbladis>
Are you aware of `nixops export` ?
<infinisil>
Yup
<adisbladis>
I've been doing this for years with nixops export
<infinisil>
And you make sure to strip secrets with jq or so?
<adisbladis>
I don't have secrets in there
<infinisil>
I guess that works then, in this case at least
<adisbladis>
Or in the case of some repos state has been in git-crypt
<infinisil>
Is there any piece of state that should ideally be on the evaluation host but needs to be kept private?
<adisbladis>
Currently, absolutely
<adisbladis>
NixOps always provisions SSH keys
<adisbladis>
In the future, I hope not =)
<infinisil>
Hm, I guess *ideally* it shouldn't be then?
<adisbladis>
By default, no
<infinisil>
I kind of want to add that we should only talk about state that influences the target host's deployment system. But the private key used to deploy does that
<infinisil>
(But only delayed by one deployment)
<colemickens>
does anyone happen to use zfs+rsync in nixos? would be curious to see how others have wired it up
<infinisil>
Maybe we should make some big collection of state, how it changes, what it influences, whether it's private, where it should reside, etc.
<colemickens>
sorry, I meant zfs + snapshots + pushing them to rsync.net
<infinisil>
And that for all stateful things
<adisbladis>
infinisil: Step 1 is figuring out what state needs to be persisted
<adisbladis>
The AWS plugin wants to bail out on the memory backend as an example
<infinisil>
Ah yeah, state lifetime
<infinisil>
How and when it's created and when it is destroyed
* adisbladis
should ask his previous employer if he can open source their ethereum nixops deployments
<adisbladis>
They were _awesome_
<infinisil>
And how does it get stored in between
<infinisil>
adisbladis: What was so nice about them?
<adisbladis>
infinisil: A private POA (proof of authority) blockchain where I scaled up/down by setting which regions to deploy & number of nodes
<adisbladis>
All key provisioning & cluster state was handled automatically
<infinisil>
Neat
<adisbladis>
It's really too bad they got acquired by $hugecompany :P
<infinisil>
Alright I'm gonna have to take a sleep now. Thanks for some enlightenment on state adisbladis and gchristensen :)
<adisbladis>
o/
<adisbladis>
Nighty
<adisbladis>
And thanks for your poetry2nix work today =)
<MichaelRaskin>
Will merge once ofborg passes. You can backport it earlier if you want…
<viric>
thank you!
__monty__ has joined #nixos-chat
<infinisil>
Cat doesn't like her cat food
<infinisil>
I have a fly in my room
<infinisil>
Combine the two, and you have the fly gone and the cat a little less hungry :P
<MichaelRaskin>
Does cat like eating flies?
<MichaelRaskin>
Or is it more about liking to hunt, and then, well, it is already inside the mouth…
<infinisil>
Probably the latter :P
<eyJhb>
My cat has started hunting for silverfish, which are mostly only out at night.
<eyJhb>
She has gotten the idea that if she stomps on them with her 2.9kg of fluff they might die. Which they do after like 20 stomps. And then proceeds to try and eat it, which takes additional time... :p But hey, saving on catfood infinisil :p
<infinisil>
Hehe
<MichaelRaskin>
<3kg is a pretty slim cat
<MichaelRaskin>
«try and eat» suggests a risk of failure?
<eyJhb>
There are some failures yes, she has some trouble actually locating it with her mouth. But that is mostly solved by just licking it till there is a success !
<MichaelRaskin>
Which I guess doubles as washing the floor
ottidmes_ has quit [Quit: Configuring ZNC, sorry for the joins/quits!]
<MichaelRaskin>
I seem to have a few spiders living in some corners of the ceiling. It looks like from time to time they catch something
ottidmes has joined #nixos-chat
<MichaelRaskin>
viric: cherry-picked TBE to 20.03
tokudan has quit [Remote host closed the connection]
tokudan has joined #nixos-chat
<infinisil>
eyJhb: What a fluffer!
slack1256 has joined #nixos-chat
<eyJhb>
infinisil: She is! We have started to give her treats when she uses her scratching post, so that she will associate it with something more positive than when she uses the carpet. Now she has started to expect treats each time..
<infinisil>
Hehe
<eyJhb>
So will scratch a little, and then sit and look at you judging when no treats come in
<srk>
haha
<joepie91>
lol
<srk>
ours use rope thingie and carton boxes lying around
waleee-cl has quit [Quit: Connection closed for inactivity]
<srk>
sisal rope wrapped around a leg of the table :D
<eyJhb>
srk: she seldom uses the carpet. Mostly when she is happy, followed by sad because... Water :p
<eyJhb>
I have no table legs that can stand that... :(
<srk>
mm, I should build some contraption hanging from the ceiling so they can jump and climb that
<srk>
one is getting a bit fat :D
<eyJhb>
Activity food bowl?
<srk>
trying to feed them at different places and times so she won't eat the food for the other
<srk>
eyJhb: sounds good :)
<eyJhb>
Little food thief!
<eyJhb>
So they get fed on a schedule?
<srk>
I saw a hack on video where guy built a box with the opening just enough for the small one but not the fat one :D
<srk>
yes, they were free fed before but it's no good
slack1256 has quit [Remote host closed the connection]
__monty__ has quit [Quit: leaving]
<ekleog>
Anyone here understand how github projects work? I'm searching for a way to have 4 columns with one github issue search each, and I thought github projects were the thing to use but… finally maybe not? I'm not sure at all, but can't find a way to have the automation actually do that
<ekleog>
(the 4 columns being `is:open a:doc p:low -c:medium -c:hard`, `is:open a:doc p:medium -c:hard`, `is:open a:doc p:high` and `is:open a:doc p:critical`, in all originality)
<abathur>
not asserting I understand how they work, but what isn't working about it? are the columns all showing the same result?
<ekleog>
well, I can't find a way to configure a column to be a saved search
<ekleog>
it looks like project boards work on… a new thing that's notes and independent of issues & PRs? and then there are some very restricted ways to automate note creation? really not sure about that
<gchristensen>
columns aren't saved searches but moved between them based on progress
cole-h has joined #nixos-chat
<ekleog>
hmm… ok, yeah, so it's probably not what I'm looking for indeed then, thank you :/ does anyone know of a good service that offers saved github searches?
<abathur>
I'm not, though I do have a vague premonition I saw something for issue management on HN in the past couple months but now I can't find it
<abathur>
which might just mean my sense of time has collapsed in on itself; are you looking for more than you can do with bookmarks?
<ekleog>
well, if possible I'd like to be able to share that with other people
<lovesegfault>
ekleog: did you see #neobuffer on our slack?
<lovesegfault>
(it's good news)
<ekleog>
lovesegfault: hadn't looked at it, since the beginning of the exams I try to only have a look at highlights during the week-end :p
<ekleog>
(but it looks like great news indeed :D)
<hyperfekt>
emily: you were not joking when you said reimplementing nix... wow.
<emily>
well, it's not like it couldn't benefit from a rewrite in many ways
<lovesegfault>
ekleog: all tests pass with 10,000 iterations too :D
<ekleog>
\o/
<lovesegfault>
pretty amazed, I was 100% ready for some crap to happen
<ekleog>
well, I'd have been sad if my code didn't work in these settings, even though probably not that surprised :p
<lovesegfault>
God bless loom for helping us catch possible bugs early
<ekleog>
well, technically loom didn't catch any bug, so I think I'm just a god of coding :3
<ekleog>
(but yeah, god bless loom for helping us not make bugs anyway :D)
<viric>
MichaelRaskin: tbe works fine. A segfault from time to time but we can play. Thank you!
<MichaelRaskin>
viric: hm, ouch, but yeah, segfaults would need actual debugging
<cole-h>
lovesegfault: 👀 ?
<viric>
too lazy for that
<viric>
restart and it continues at checkpoint
drakonis has joined #nixos-chat
<MichaelRaskin>
Yeah, and there is level select anyway
<MichaelRaskin>
So the loss is bounded by a single level
<ekleog>
grmbl, wanted to do my “github saved search bunch” solution with an html page and iframes, but content security policy prevents it
<ekleog>
maybe someday the browser will be able to have iframes that are actually isolated from the calling page and CSP won't be needed any longer
<MichaelRaskin>
ekleog: It's not _that_ simple
<MichaelRaskin>
Mere isolation of iframes is indeed not enough
<MichaelRaskin>
One also needs a reasonable model for anti-clickjacking etc.
<MichaelRaskin>
Yeah, >reasonable model >web
<ekleog>
I don't see how there could be clickjacking with proper isolation? (proper isolation also includes things like the outer page can't overlay anything on the iframe, and the iframe's browser-defined box is clearly not-missable)
<ekleog>
not like I even remotely hope for that to happen anytime soon
<ekleog>
it'd maybe be faster to implement my own one-page JS app that calls the github api…
<MichaelRaskin>
I think making a box non-missable is… web security-complete problem
<ekleog>
not going to argue with that :)
<MichaelRaskin>
Won't a JS app calling GH API hit yet another security boundary?
<MichaelRaskin>
I mean, the external page is allowed to change its design, so it could try to integrate the box better…
<ekleog>
I'm really only looking to get public issue lists
<ekleog>
but I also really don't want to do JS, so I guess I just won't do it
<MichaelRaskin>
Yes, and?
<MichaelRaskin>
I mean, they probably have something restrictive and generic about cross-origin
<ekleog>
AFAIK github's api is designed to be usable from other contexts
<ekleog>
but maybe not, idk
<ekleog>
I'd really just want a way to curl github with zero privileges and display the contents of a div locally, but…
<MichaelRaskin>
They seem to have increased their love for JS recently
<ldlework>
They own TypeScript
<ldlework>
so yeah
<adisbladis>
Ugh
<adisbladis>
They (GH) also have a recent-ish love affair with dotnet -.-
slack1256 has joined #nixos-chat
<adisbladis>
Sometimes in combination with their love for JS/TS
<adisbladis>
It's.. ehh.. a thing
<ldlework>
I also love .NET so I don't mind
<MichaelRaskin>
Previously I could say they are much better than Gitlab at displaying stuff when JS is disabled. Now they are still better, but the trendline says not for long
<adisbladis>
ldlework: I mind because it makes it near impossible to build purely
<ldlework>
adisbladis: that seemed to be a limitation of just F# right
<adisbladis>
I spent far too much time trying to package & use the github actions runner
<ldlework>
They needed some flag, which was implemented a year or so ago?
<ldlework>
Oh I thought you were talking about Nix.
<ekleog>
looking at curl -i https://api.github.com/repos/Ekleog/yuubind/issues\?labels\=p:critical ; there's access-control-allow-origin: * ; so I think it'd be doable to have the js that does what I want to… except I don't know design
<adisbladis>
I see M$s over engineering creeping in to github
<ldlework>
MS's dev stop is absolutely top-shelf
<ldlework>
stuff*
<ldlework>
i don't at all mind MS continuing to make their dev stuff best it's ever been
<lovesegfault>
cole-h: ?
<lovesegfault>
Oh, segfaults
<lovesegfault>
lol
<cole-h>
What's the cool stuff happening in #neobuffer on your slack? ;^)
<lovesegfault>
cole-h: neobuffer is our cross-process lock-free channel, and I ran the tests on AArch64 and everything worked :D
<lovesegfault>
and I thought it was going to explode
<cole-h>
The best feeling, isn't it. "Take cover!!!! ...oh wait, nothing exploded."
<MichaelRaskin>
No mental issues, just a definitely mental keyboard
<infinisil>
armin: Haha nice
<armin>
i actually got that PCB of the keyboard from some guy from #mechboards on freenode that i met to buy some keycaps from him. it was raining cats and dogs and i had to walk through some village or something. problem was that all the streets had construction sites so reaching his house was quite the issue.
<armin>
ended up quite nice, i'd say he's a goot mate these days
<armin>
s/goot/good/
<armin>
i remember he gave me this zipper bag like thing and was like "no matter how wet your clothes will be, the hardware will survive"
<armin>
well it did
<ashkitten>
holy cow, just found out about interlaced pngs
<ashkitten>
i'm never using non-interlaced pngs again
<armin>
it's quite cool because making preview images from those is fast, amirite?
<ashkitten>
they enable progressive loading
<ashkitten>
so you get a low quality image very quickly
<armin>
yea :D
<ashkitten>
and then it progressively refines as you get more bytes
<armin>
ashkitten: do you like fractals?
<ashkitten>
oh my hell can you make progressive fractals with this
<ashkitten>
armin: your images aren't interlaced png ;-;
<ashkitten>
i'm disappointed
<armin>
ashkitten: yeah, the script i wrote back then to automate the task of rendering on a remote machine didn't include that. my apologies. i'll consider switching that on.
<ashkitten>
:3
<armin>
but yeah for some reason i ended up rendering all these things there, most of them in 4k
<armin>
i have crazy hobbies man
<armin>
i also collect tapedecks
<armin>
no sane person on the planet would collect mechanical keyboards and tapedecks in 2020
<armin>
i think i have 17 mechanical keyboards
<armin>
why would you do this to your life if you were a thinking human?
<armin>
oh i also have over 400 tapes
<armin>
o.O
<armin>
even worse: i also got a minidisc deck and consider buying a reel2reel tape machine
<aleph->
Alright, time to remake the openstack module. I must hate myself this weekend.
<armin>
i hate openstack :(
<armin>
when it works, it works. but when it doesn't...
<aleph->
I'm not the biggest fan, but I also only need a few services
<ashkitten>
i wonder if interlaced pngs could be crafted to progressively display fractals
<aleph->
Just enough for compute, block storage, and dashboard + api
<armin>
ashkitten: they could!
<ashkitten>
like, generative stuff
<armin>
ashkitten: do you know mandelbulber2?
<ashkitten>
that'd be so cool
<ashkitten>
no
<armin>
ashkitten: be sure to try it :)
<armin>
runs PERFECTLY on nixos.
<ashkitten>
meh, not rn
<armin>
if you have time :)
<armin>
it's just a tiny program you can render fractals with
<aleph->
Now if I could only find the old module that we had for openstack...
<aleph->
This would be way easier.
<aleph->
Ah found it I think
<hexa->
openstack … hm, nixos is lacking some proper clustered virtualisation solution :|
<andi->
we had openstack at some point...
<hexa->
i know
<andi->
nobody cared so it got removed
<aleph->
It did
<andi->
everyone is just happy with "the cloud", running your own infra doesn't seem appealing anymore :/
<aleph->
And I remember when it was just you and me in irc heheheh
<aleph->
Not counting the lurkers
<adisbladis>
andi-: It's not that no one cared about openstack
<adisbladis>
It's that the packages were horribly broken
<adisbladis>
Which I guess can be taken as "no one cares"
<aleph->
Yeah they weren't maintained and hardcoded secrets right?
<drakonis>
we have a dozen on irc now
<drakonis>
and one of the users is an admin there
<aleph->
Yep, we do
<aleph->
Did push start using it again?
<drakonis>
a mod rather
<drakonis>
no not yet
<aleph->
Or we taling Irene?
<drakonis>
i should poke about it
<drakonis>
irene yeah
<aleph->
talking*
<aleph->
Ah cool
<aleph->
Yeah who uses is there let me think...
<andi->
I think I marked them insecure and, months later, removed them because the influx of security issues was just too large and patching them without anyone (that we knew of) that uses them felt stupid.. No way to test it properly.
<infinisil>
There's so many things that are done similarly
<adisbladis>
infinisil: I'm not
<aleph->
You, me, irene, cadey, shapr, sock are the ones I know off the top of my head. Think H_S does it too?
<andi->
infinisil: in his initial talk (GPN 2019, in german) he compared that
<adisbladis>
He hasn't really mentioned Nix at all on his blog
<andi->
we even had a session afterwards where we discussed things and I got the feeling he didn't grasp a bunch of Nix concepts or just didn't want them.
<infinisil>
They even have "Appendix: Could other distributions adopt hermetic packages" in the post
<aleph->
andi-: Yeah that makes sense. I'll probably run it like that mailserver nixos module from a while back. Keep it in my repo and if folks want it, rad
<adisbladis>
Tbh I have trouble taking his posts seriously
<andi->
During the talk there were multiple questions just asking why he didn't use Nix and he said he did use it for some time but ran into $issues..
<adisbladis>
Distri seems to be trading installation speed for runtime performance
<andi->
it also doesn't aim for purity
<infinisil>
Oh and they even have "Appendix A: related work" in the post, without even mentioning Nix...
<infinisil>
Wow
<infinisil>
Oh that's in the one adisbladis linked
<infinisil>
Would be worse in the hermetic packages one
<infinisil>
Well whatever, I don't mind them reusing good ideas or coming up with them on their own, I just won't take them seriously if they don't take Nix seriously
<adisbladis>
I'm really struggling to see how their squashfs on a fuse file system would scale
<adisbladis>
infinisil: Exactly that
<aleph->
Not great, that's for sure
<adisbladis>
That said, a lazy /nix on fuse would be a pretty cool concept :)
<infinisil>
Yeah, wouldn't be the first time we're fantasizing about that
waleee-cl has quit [Quit: Connection closed for inactivity]
<cole-h>
gchristensen: Are you going to share? That looks super tasty :O
<gchristensen>
cole-h: as soon as you get here before it is all gone
<cole-h>
:(
<adisbladis>
andi-: My german is not good enough to keep up in the q&a :P
<cole-h>
Maybe next year...
<andi->
adisbladis: IIRC there was another talk in english about it but no idea when and where
<adisbladis>
The subtitles just make it harder to understand
<adisbladis>
"We found that for many workloads, an optimized FUSE can perform within 5% of native Ext4. However, some workloads are unfriendly to FUSE and even if optimized, FUSE degrades their performance by up to 83%. Also, in terms of the CPU utilization, the relative increase seen is 31%." - https://www.usenix.org/system/files/conference/fast17/fast17-vangoor.pdf