red[evilred] has quit [Quit: Idle timeout reached: 10800s]
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-chat
<colemickens>
Nice, this thread breaking down how many things are going to silently break from Google spending a day bouncing emails as "this address does not exist".
<infinisil>
Oof, I don't think aoc day 15 part 2 is possible in Nix..
<infinisil>
I believe that requires mutable lists to be anywhere near as efficient as it needs to be
<colemickens>
cole-h: sorry it was HN and I thought better of it. Apparently many systems are built to immediately drop gmail users if they get back a "no mailbox" message from google
<infinisil>
How about this: builtins.mutableArrayLoop 1000 0 (get: set: exit: if get 0 == 10 then exit else set 0 (get 0 + 1))
<infinisil>
This could initialize a mutable array with 1000 0's, then repeatedly call that function to determine whether modifications still want to be made, or whether it should exit
<infinisil>
It returns the final array
<colemickens>
Has anyone heard of FossHost? They have quite a list of sponsors and supported projects, and seemingly have ARM hardware. Not sure if NixOS (Foundation) would qualify
<energizer>
from their /about page it looks like they provide a 4GB-RAM vps
<energizer>
im sorta skeptical that it's worth applying for a grant of that size
<colemickens>
oh lort I made my pi mad
<colemickens>
% sudo reboot => Failed to talk to init daemon.
<colemickens>
oh, TIL reboot -f
Jackneill has joined #nixos-chat
Jackneill has quit [Max SendQ exceeded]
Jackneill has joined #nixos-chat
andi- has quit [Ping timeout: 258 seconds]
<elvishjerricco>
There were a couple of people using FoundryVTT; do you all use the music playlists feature, and if so, where do you get your tracks from?
<danderson>
one big avenue of attack would be the kernel. In nspawn containers, the kernel is shared between host and container
<danderson>
and I _think_ uid 0 in the container is the same as uid 0 on the host
<danderson>
so you inherit some root-only kernel privileges, and you could use those to do harm to the system
<lovesegfault>
Oh, that's interesting!
<danderson>
other than that, I'm looking at my own nixos containers
<danderson>
and they're pretty vanilla nspawn runs
<danderson>
the container does get /nix/store mounted into it, read-only
<danderson>
as well as stuff like the nix daemon socket
<danderson>
if you configure your container with private networking, it'll pass that in, otherwise it'll inherit the host network namespace
<danderson>
that's another way root in the container could do harm, actually: if you didn't isolate the network, root in the container could do stuff like bind to a ton of ports to trigger a DoS (port exhaustion) on the host
<lovesegfault>
Oh, right
<danderson>
or try to bind itself to :443 and either trick remote users into thinking they're accessing a legit web server, or exploit race conditions like you restart the host webserver and oops the container yoinks the port and serves its own things
LnL has joined #nixos-chat
<danderson>
(pretty loud attack, as they go, but stuff like that)
<lovesegfault>
Right, and pretty bad regardless
<danderson>
the contrast to docker-ish containers is mostly that nixos/nspawn containers are more "build your own". They're not as bulletproof out of the box, but as a result they're more flexible in what you can do with them
<danderson>
Comparing to docker containers, the main diffs: docker isolates the network stack by default, and it also installs seccomp and apparmor syscall filters, which lock away a bunch of "risky" kernel APIs from the container
<danderson>
That makes it much harder for root in the container to find a way out (although still not impossible, they still share a kernel)
<lovesegfault>
The only perfect isolation is another machine :P
<lovesegfault>
air-gapped
<danderson>
Then if you want to go completely nuts on the security side, there's stuff like Firecracker and gVisor, which run full on virtual machines to isolate the container from the host
<lovesegfault>
I was about to say, sounds like if you want security-above-all-else you'd just go with fully isolated VMs
<danderson>
both gvisor and firecracker try to kinda pretend that they're just a docker container, but under the hood they're running as lightweight virtual machines, and doing a whole bunch of work to separate the host from the guest
<danderson>
that comes at performance and manageability costs though. For example, for firecracker you have to give it a disk image to run, you can't just point it at a chroot dir like you can with nspawn
<lovesegfault>
Oh, cool, firecracker is written in Rust :D
<danderson>
so, running nixos-based things inside is uglier
<danderson>
(that might get fixed someday soon with virtio-fs, which lets VMs access a VFS abstraction in the hypervisor - instead of pretending to be a hard disk)
<lovesegfault>
every time I play with virtio-anything it's a disaster :P
<danderson>
at some point in the medium future, I think the perfect setup will be something based on firecracker's virtualization layer (firecracker by itself is kinda too oriented to FaaS systems, but the underlying hypervisor is very nice), combined with virtio-fs and an API similar to the current nixos containers
LnL has quit [Quit: exit 1]
<danderson>
that way you can define sub-machines with Nix, just like any other machine, but it ends up running as a super isolated VM, without having to muck around with constructing disk images and all that nonsense
LnL has joined #nixos-chat
LnL has joined #nixos-chat
LnL has quit [Changing host]
<lovesegfault>
That sounds like a dream honestly
<danderson>
at least, that's my plan once some of the firecracker-based virtualization things mature a bit more :)
<lovesegfault>
:D
<lovesegfault>
I have a bunch of services on different machines I'd love to run inside declarative vm's like that
<lovesegfault>
it's less of a concern now that I use tailscale to connect all the machines
<danderson>
uses the same hypervisor stack as Firecracker, but uses it to build a more traditional VM-like environment
<danderson>
yay Tailscale!
<lovesegfault>
but when they were on the internet it was constant fear
<lovesegfault>
tailscale is the best
<danderson>
mostly I use nixos containers for two reasons: one is to run a subset of a stable machine on nixos unstable, to get access to newer software
<lovesegfault>
cloud-hypervisor looks cool too
<danderson>
so e.g. my NAS runs nixos stable, but I have a nixos container that runs out of unstable, for... I can't remember what daemon I wanted, but something :)
<lovesegfault>
Oh, that's interesting!
<danderson>
and the other major use case I have is when I want to do something horrible to the network stack, I can do it in an isolated little nspawn container
* lovesegfault
runs everything on unstable-small
<danderson>
so, for example, my tailscale dev box is an nspawn container on my laptop, with its own isolated network stack
<danderson>
that way I can break tailscale all I want inside that "machine", without bothering my host tailscaled
<lovesegfault>
this reminds me I need to deploy tailscale 1.2.10 to my boxes
LnL has quit [Remote host closed the connection]
LnL has joined #nixos-chat
<danderson>
I could use docker containers for something similar, but the nice thing about nixos containers is that it's a full system, so I can `machinectl shell dev` and boom, I'm on a shell in my breakable dev box
<danderson>
with all my tools installed and so forth
<lovesegfault>
Right, that's super useful
<lovesegfault>
machinectl shell dev :O
<lovesegfault>
that's amazing
<danderson>
tailscale 1.2.10 doesn't have earth-shattering changes, if you're on 1.2.8 already. Mostly we fixed a bug where it was spamming bad PCP packets and making silly routers log way too much :P
<lovesegfault>
nice :D
<danderson>
the rest is all fixes for a memory corruption bug that only affected windows, and only in whacky corner cases
<danderson>
and if you're going to budget the time... 1.4 might be out soonish
<lovesegfault>
deploys are mostly painless for me these days, one command and it just works :D
<lovesegfault>
is magic dns coming out of beta?
<lovesegfault>
I've been using it and it's a life changing improvement
<danderson>
not quite out of beta yet, but it's pretty stable these days so I wouldn't worry about it
<lovesegfault>
it's _so_ nice
<danderson>
I think we're waiting on being able to edit node hostnames in the admin panel before ripping the beta label off
<lovesegfault>
Ah, I hit that recently :P
<danderson>
oh, and fixing the thing of where you have to provide DNS servers in the admin panel to use magicdns
<danderson>
we should be able to use "whatever the OS used to use for DNS servers"
<danderson>
but that turns out to be surprisingly hard to discover on various OSes
<lovesegfault>
here's one for y'all: if you use unbound as your caching resolver locally it doesn't work at all
<lovesegfault>
systemd-resolved works fine though
<lovesegfault>
so I changed to that for now
<danderson>
how does it not work? If you can repro and share your tailscale IP, I can poke at debug logs
<danderson>
I can't think why it wouldn't override, it should be just falling back to messing with /etc/resolv.conf in the worst case
<danderson>
oh, is this on nixos?
* lovesegfault
nods
<lovesegfault>
I just configured unbound to use 100.100.100.100 as my only DNS server though
<danderson>
in that case, it might work if you include pkgs.openresolv in the path of the tailscaled systemd unit
<lovesegfault>
and disabled DNSSEC
<danderson>
I've been meaning to go back and figure out how to make the DNS detection work well on nixos, it's a bit hard because of the many options nixos gives users
<danderson>
lovesegfault: got a nixos config snippet somewhere for how you had unbound set up? I can spin up a nixos container and poke at it
<danderson>
e.g. for tailscale.com's tailscale network, it's "<hostname>.tailscale.com.beta.tailscale.net"
LnL has quit [Quit: exit 1]
LnL has joined #nixos-chat
<lovesegfault>
Right, editing config
<danderson>
but yeah, the normal way magicdns is supposed to work, is we reconfigure DNS on the system to point at 100.100.100.100. On nixos that doesn't quite work, because the tools we need aren't in $PATH for the systemd unit
<danderson>
and which tools you need to correctly alter the configuration depends on how you chose to configure nixos (e.g. using openresolv, systemd-resolved, networkmanager, ...)
<danderson>
and I haven't gone back and figured out yet how to make the tailscale module magically adapt to "whichever dns thing the user decided to use"
<lovesegfault>
hmm I wonder how to tell unbound to configure the search domain
<lovesegfault>
maybe it's resolvconf that needs this set?
<danderson>
try networking.search = [ ... ]
<danderson>
I'm guessing the unbound module might not actually touch search paths
<lovesegfault>
Oh, yeah
<lovesegfault>
alright, deploying
<danderson>
does this machine have networkmanager on it, by any chance?
<lovesegfault>
nope
<lovesegfault>
systemd-networkd though
<danderson>
just trying to get a picture of what things are interacting with each other
<danderson>
okay
<danderson>
(on my work todo is to write up a doc of how DNS configuration is an eldritch horror with a dozen too many dimensions, and work out a plan to make it robust)
<lovesegfault>
Ha! here's a cool failure mode:
<lovesegfault>
1. set up magic dns
<lovesegfault>
2. accidentally delete your machine in the tailscale admin panel
<lovesegfault>
3. now you can't use dns on the machine
<lovesegfault>
4. tailscale up fails
<lovesegfault>
:D
<danderson>
hah, uh, yeah
<danderson>
I recommend not doing that :P
<lovesegfault>
guess how I found out
<danderson>
if tailscaled were managing the resolver, `tailscaled --cleanup` would fix that
<danderson>
but since unbound owns the local resolver config... yeah, dunno :/
<lovesegfault>
okay, I'm using unbound now
<lovesegfault>
false alarm, forgot to import the module
LnL has quit [Ping timeout: 268 seconds]
LnL has joined #nixos-chat
<lovesegfault>
now I am
<danderson>
okay, so what's /etc/resolv.conf pointing at now? 127.0.0.1?
<lovesegfault>
yup
<danderson>
and unbound's pointing at 100.100.100.100?
<lovesegfault>
no search though, but that's because I'm using systemd-networkd
<lovesegfault>
let's try just using the full addr
<lovesegfault>
works :D
<danderson>
yeah, that would tell us that magic dns is working correctly once the requests hit our resolver
<lovesegfault>
alright, idk what issue I was hitting before
<danderson>
yup, there we go
<danderson>
so now you just need to persuade nixos to plop your beta.tailscale.net search domain into resolv.conf, and it'll all just work
<lovesegfault>
it's the Domains setting of systemd.network
<danderson>
(and I need to figure out how to make that just work on nixos, without using the hack that works on my system but probably borks other configs)
<JJJollyjim>
tailscale is scary
<JJJollyjim>
the security model weirds me out
<danderson>
What about it? I mean, fair enough, I'm curious what parts though
LnL has quit [Client Quit]
LnL has joined #nixos-chat
LnL has joined #nixos-chat
<danderson>
lovesegfault: anyway thanks, I now have one more cursed DNS configuration to test :D
<lovesegfault>
danderson++
<{^_^}>
danderson's karma got increased to 0b1010
<lovesegfault>
thanks for teaching me all this stuff today :)
<danderson>
glad to help :) Hopefully I can make it all magic enough that you don't need to care again :)
<JJJollyjim>
iirc it's all user-based rather than "this service can talk to this thing"
<JJJollyjim>
like, am i supposed to have an email account for each server?
<danderson>
ah, that's a problem with our docs :). The access control at the lowest layer is based on IPs and ports. Users are shorthand for "the IPs of the authenticated nodes owned by this user"
<danderson>
and for servers, there are ACL tags. When you authenticate a server, you can give it some tags which replace your human identity, and then reference those tags in ACLs.
<lovesegfault>
Hmm, come to think of it I'm not convinced it's possible to do this in a generalized way with networkd under nixos
<JJJollyjim>
oh, iirc when i tried it that was a. in beta, b. only on enterprise plans?
<lovesegfault>
seems like I can't have a blanket domains = [] for all my networks
<danderson>
so for example, my ACL for monitoring goes: "from tag:server to acrux:8086", meaning all machines tagged with "server" can connect to the machine called acrux on port 8086 (influxdb)
<danderson>
yeah, it's still in beta for silly reasons, I should just push it over the finish line. ACLs are currently in the fancy paid plans, but we're not enforcing the paid plans yet, and we've also been talking about just shoving the ACLs into the free plan
<JJJollyjim>
oh and "it is possible to re-tag a node without reauthenticating"
<danderson>
it sucks to sell ourselves as a security product and lock away security features behind paywalls
<JJJollyjim>
that's what really threw me off
<danderson>
yeah, that's a bug rather than by design. Just needs some programming to make that not true.
<JJJollyjim>
sweet
<JJJollyjim>
yeah i'm keen to have another look in future
<danderson>
Fair. Our product right now is very much a work in progress :)
<danderson>
so if you're looking for something really mature, it's not the right time
<JJJollyjim>
i'm happy with rough edges, but not missing security
<danderson>
fair 'nuf :) You can use tailscale without touching the tagging thing, but it's much less convenient, obviously
<JJJollyjim>
cos you need multiple accounts?
<danderson>
no, instead of using usernames in ACLs, you can use the node IPs directly
<JJJollyjim>
ohh
<JJJollyjim>
okay yeah i didn't understand that was possible from the docs at all
<danderson>
the IPs are static once allocated, so you can write old style firewall rules with explicit src<>dst everywhere
<danderson>
it's super annoying to write like that compared to referencing users, groups, and groups of machines... But it's possible
<danderson>
yeah, our docs are super janky on the ACL side
<danderson>
high on the list to fix (but we also have to fix a couple missing features of the ACL compiler first)
<danderson>
anyway, that comes back to: still a young product, with a bunch of rough edges. It takes a bit of dedication to use all the features at the moment :(
<JJJollyjim>
sweet
<lovesegfault>
danderson: got it to work!
<lovesegfault>
unbound + systemd networkd
<danderson>
nice! Domains in networkd + unbound?
<lovesegfault>
nope, let me push it, one moment
<danderson>
k
<danderson>
I'm also curious if you have stuff in `/run/resolvconf` in that setup
<danderson>
(trying to figure out how we could make that config automatic, without interfering with other DNS-altering stuff on the system)
<danderson>
unclear to me why you need that extraConfig bit
* lovesegfault
shrugs
<lovesegfault>
I'm also not sure
<danderson>
this is good though, if it's all interacting with resolvconf, that's something I can make tailscale play with nicely
<danderson>
lovesegfault: curious: what do you get out of using unbound in that config? Why have it as an intermediate instead of pointing straight to 100.100.100.100 ?
<danderson>
(I don't know unbound at all, I'm probably missing something)
<lovesegfault>
danderson: In practice nothing I suppose
<lovesegfault>
this seems to cover most of the needed parts?
<lovesegfault>
(that new module)
<danderson>
yup, looks right
<danderson>
now I just need to figure out how to persuade tailscaled to do that reconfig automagically
<lovesegfault>
Wouldn't it be best to just do that in the NixOS module? (specifically for NixOS, of course)
<lovesegfault>
I imagine that would require a --no-reconfig-dns cli flag to tailscaled
<lovesegfault>
also: what dns server is tailscale running?
<danderson>
so, tailscaled already detects how DNS is configured on linux (resolved, networkmanager, resolvconf, nothing) and can insert its own configuration when magicdns is enabled
<danderson>
the problem is I haven't adjusted the nixos module to make that work, and I have to adapt to all the ways in which nixos users can tweak their DNS settings (e.g. I don't want to force-import NetworkManager into everyone's system if they're not actually using it)
<danderson>
and if you don't want it to reconfigure stuff, there's already `tailscale up --accept-dns=false`
<lovesegfault>
you can (mostly) set module options even when the module is disabled, no?
<danderson>
in this case I have to add utilities to the system that we can shell out to
<lovesegfault>
Ah, I see
<lovesegfault>
yes
<danderson>
so I have to only add them if some network service is active
<danderson>
it's not _hard_, the hardest part is enumerating all the possible ways DNS can get configured :)
<danderson>
being linux, there's half a dozen incompatible ways to do it
<lovesegfault>
:D
<danderson>
and DNS resolvers: it's not any standalone resolver, we intercept and handle DNS queries inside tailscaled
<danderson>
we use Go's miekg/dns package to handle the hard bits of speaking DNS, so mostly it's just about matching records and constructing replies
<danderson>
since magic dns never leaves the machine for resolving names in the tailscale network, there's very little complexity there
<lovesegfault>
so the gist of it is if it's a request for the ip of *.tailscale.net it intercepts and does the right thing™️ but otherwise it forwards?
<danderson>
for forwarded queries, we have our own little forwarder inside tailscaled. Again not super complex, the most elaborate thing it does is a bunch of DNS spoofing protection logic
<danderson>
yup, exactly
<danderson>
when magic dns is enabled, tailscaled intercepts all DNS traffic to 100.100.100.100, handles the magic dns names locally, and forwards the rest to the configured DNS resolver
<lovesegfault>
so there _is_ still value in having a caching resolver locally
<lovesegfault>
for speed
<danderson>
hmm, good point, not sure if we keep a cache
<danderson>
looks like no, no cache
<danderson>
that'd be an easy thing to add, I guess. Just didn't get around to it :)
<danderson>
especially since in modern-ish linux, resolved does that iirc
<danderson>
and similarly networkmanager can be configured to spawn a dnsmasq iirc
<joepie91>
nice, someone actually did the thing that people have been joking about for a decade? inducing radio signals through electromagnetic interference (or so)?
<joepie91>
I like that sort of "actually, you can seriously do this" research :)
Dotz0cat has joined #nixos-chat
Dotz0cat_ has quit [Ping timeout: 240 seconds]
<siraben>
I ran a program that let me output AM frequencies via my computer
cosimone has quit [Remote host closed the connection]
cosimone has joined #nixos-chat
Ashy has quit [Quit: WeeChat 3.0]
thibm has quit [Quit: WeeChat 2.6]
cosimone has quit [Read error: Connection reset by peer]
cosimone has joined #nixos-chat
Ashy has joined #nixos-chat
<steveeJ>
are there examples of upstream repositories providing their own nix packages that are used in nixpkgs?
<steveeJ>
I'm wondering whether that's a desirable pattern or not. it certainly has the disadvantage of tying the nix expressions to specific versions of source code, i.e. you can't do changes to the nix expressions of an older application version
<leonardp>
bbigras: i'll try that, although i'm mildly irritated why you recommend it without ever using it :)
<leonardp>
thanks
<pie_>
red[evilred]: idk anything about interviewing but what i always wish i could ask people is stuff like what you wish you knew when you started, what were unintuitive stumbling blocks, you probably have to lead them up to it though. so hm, i guess questions about shortening the path to success? but also questions about things that are hard to figure out yourself and so are worth inheriting
<pie_>
ofc most people dont spend their lives preparing to answer these questions so eh
<pie_>
and if i told you, id have to kill you :P
<bbigras>
leonardp: yeah sorry. I just remembered hearing about a new svg lib recently.
<siraben>
infinisil: is this based on Okasaki's random access arrays?
<siraben>
Before you know it we're going to have to have finger trees implemented in Nix
<pie_>
red[evilred]: and you know sifting through the mass of information for the good stuff is really hard, otherwise you wouldnt need a mentor (slight non dequitur in there)
<pie_>
*seq
spudly1 has quit [Ping timeout: 240 seconds]
<red[evilred]>
right
<red[evilred]>
in meeting - will bbiab
cosimone has quit [Read error: Connection reset by peer]
<pie_>
red[evilred]: just did some checking against another good -seeming- security guy i find on the internet sometimes; https://lobste.rs/s/psw6us/obfuscation_for_security_techniques_for#c_mxcvwj "Note: Passive or active side channel attacks from middle devices might also be an argument here. They’ll happen if software becomes strong enough." i wonder if thats valid for people complaining about cloudflares "security improvements" leaking
<pie_>
metadata :P
<pie_>
(random tangent)
FRidh has quit [Ping timeout: 260 seconds]
FRidh has joined #nixos-chat
zgrep has joined #nixos-chat
<gchristensen>
looks like we're finally getting a bit of snow
* eyJhb
*is totally not jealous*
<gchristensen>
like a meter by friday
<Taneb>
That's a fair bit of snow
<eyJhb>
Still jealous
<eyJhb>
We don't get that much snow here, ever.. And most times it is just a slobby mess
<cransom>
i think the threat of a couple millimeters here was enough to cause the roads to get brined and preemptive closures. though it is wet and icy and freezing over night, so that helps
<Taneb>
My partner sometimes spends Christmas and New Year's up in the Alps and I am very jealous of that, there's often lots of snow there
<bbigras>
I prefer snow to ice. I hate icy rain.
<gchristensen>
ice is the scary stuff
<bbigras>
It's a pain to remove from the car and walking in cities is an extreme sport.
<bbigras>
That's in Montréal. I slept there last night.
<eyJhb>
*maybe not the not breaking part, I just saw the snow*
<bbigras>
I didn't grow up in the cities and I didn't know how bad it can be on the sidewalks. I never owned those spiked things you put on your shoes. but I see now why they are a must.
<gchristensen>
and I think montreal's sidewalks are all heated
<bbigras>
what? downtown? surely they are not on the whole island.
<gchristensen>
> key downtown arteries
<{^_^}>
undefined variable 'downtown' at (string):452:5
<bbigras>
uh I didn't know. It's a great idea (if it works well).
<joepie91>
gchristensen: ah that video is a true classic
<bbigras>
you live in Montréal gchristensen?
<eyJhb>
And if it doesn't just melt and freeze again.
<bbigras>
I'm searching but it seems like we don't have heated sidewalks in Montréal. There was a plan to do it on Sainte-Catherine street, but it was abandoned.
<eyJhb>
We had a row at my ex-gfs town, where it was like a little "cup" shape in the road, combined with it being a slight turn... About one person a day got screwed over because of black ice when it was below 0
pie_ has quit [Quit: No Ping reply in 180 seconds.]
pie_ has joined #nixos-chat
<bbigras>
damn
<eyJhb>
Luckily it was a somewhat rural area, so the nearest tractor to get people out was like a yell away
<eyJhb>
And by people I mean car
<eyJhb>
Do not pull people out of stuff with a tractor, that will hurt
<bbigras>
haha
<gchristensen>
oww
<gchristensen>
I thought that video had strange background music ... turns out it was spotify playing nina simone
<gchristensen>
berkshires (MA)
<bbigras>
haha
kalbasit has joined #nixos-chat
<eyJhb>
Any PDF editors for deleting stuff? (images, equations, etc.) I have tried Okular, Libreoffice (removes the equation, all places), scribus...
<eyJhb>
pdfescape.com apparently worked
srk has quit [Ping timeout: 240 seconds]
ece has quit [Read error: Connection reset by peer]
kalbasit has quit [Remote host closed the connection]
cole-h has joined #nixos-chat
cosimone has quit [Quit: cosimone]
neeasade has joined #nixos-chat
lejonet has quit [Ping timeout: 256 seconds]
bqv has quit [Quit: WeeChat 2.9]
lejonet has joined #nixos-chat
bqv has joined #nixos-chat
cosimone has joined #nixos-chat
neeasade has quit []
FRidh has quit [Quit: Konversation terminated!]
<Mic92>
I wonder if nvidia will build a SOC similar to the apple M1 laptops. They have both graphics and CPU - having a SOC where both parts can access memory with the same latency will boost the performance
<samueldr>
would be interesting to finally see something *for desktop use*
ixxie has joined #nixos-chat
red[evilred] has quit [Quit: Idle timeout reached: 10800s]
<danderson>
bbigras: yes, along several dimensions. We're working on sharing now to allow nodes to span networks, and I also want to implement multilogin
<bbigras>
danderson: yeah I saw the sharing beta but I wonder if it's the right thing when I would like to access all my work's nodes, all my hobby nodes but not mix them. thanks
<bbigras>
Does sharing work with advertised routes?
<bbigras>
I'm also curious with servers at work, if they should be linked to an email address. Maybe someone asked about this earlier.
<bbigras>
one nice thing with zerotier is being able to join multiple networks. multilogin would be fine for personal vs work but in some cases like mine, I like to share a network with friends and I use the same email as for my personal network.
<danderson>
The sharing is from 1 machine to 1 user, so if you share a personal machine with your work identity, only you can access it using your work identity (unless you share it with more people, of course)
<danderson>
sharing and advertised routes... I'm not sure. I think for v1 we might be removing them but I'd have to check
<danderson>
at some point we want to do that though.
<danderson>
for servers, you should use tagging. `tailscale up --advertise-tags=tag:server,tag:web,...` will replace your human identity with the tags.
<danderson>
then you can use the tags in ACLs.
<danderson>
for your use case wrt. zerotier, there's a data model change we need to do first, so it's taking a while, but we want something like that too. It'll be a bit longer before we can do that though, we're building up slowly.
<bbigras>
nice. thanks. I'm looking forward to see it evolve.