worldofpeace_ changed the topic of #nixos-dev to: #nixos-dev NixOS Development (#nixos for questions) | NixOS stable: 20.03 ✨ https://discourse.nixos.org/t/nixos-20-03-release/6785 | https://hydra.nixos.org/jobset/nixos/trunk-combined https://channels.nix.gsc.io/graph.html | https://r13y.com | 19.09 RMs: disasm, sphalerite; 20.03: worldofpeace, disasm | https://logs.nix.samueldr.com/nixos-dev
tilpner_ has joined #nixos-dev
tilpner has quit [Ping timeout: 246 seconds]
tilpner_ is now known as tilpner
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
tv has quit [Ping timeout: 256 seconds]
Taneb has quit [Quit: I seem to have stopped.]
Taneb has joined #nixos-dev
b42 has quit [Ping timeout: 260 seconds]
b42 has joined #nixos-dev
kalbasit has joined #nixos-dev
orivej has joined #nixos-dev
kalbasit has quit [Read error: Connection reset by peer]
kalbasit has joined #nixos-dev
MichaelRaskin has quit [Quit: MichaelRaskin]
kalbasit has quit [Ping timeout: 258 seconds]
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
orivej has quit [Ping timeout: 240 seconds]
orivej has joined #nixos-dev
drakonis has quit [Quit: WeeChat 2.8]
cole-h has quit [Quit: Goodbye]
rajivr has joined #nixos-dev
FRidh has joined #nixos-dev
tv has joined #nixos-dev
FRidh has quit [Quit: Konversation terminated!]
<rnhmjoj> can i get some feedback for PR 88828?
bennofs__ has joined #nixos-dev
bennofs_ has quit [Ping timeout: 256 seconds]
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
phreedom has quit [Remote host closed the connection]
phreedom has joined #nixos-dev
q3k has quit [Ping timeout: 260 seconds]
q3k has joined #nixos-dev
drakonis has joined #nixos-dev
<flokli> domenkozar[m]: niksnut: gchristensen: I'd like to do some more testing around https://github.com/NixOS/nixpkgs/pull/66856. As this is a pretty hefty rebuild, any chance to get a jobset scheduled with this?
<{^_^}> #66856 (by flokli, 47 weeks ago, open): systemd: build with cryptsetup support, add cryptsetup generators
FRidh has joined #nixos-dev
puckipedia has joined #nixos-dev
tv has quit [*.net *.split]
xwvvvvwx has quit [*.net *.split]
evanjs has quit [*.net *.split]
grw1 has quit [*.net *.split]
srhb has quit [*.net *.split]
infinisil has quit [*.net *.split]
makefu has quit [*.net *.split]
lukegb has quit [*.net *.split]
lovesegfault has quit [*.net *.split]
puck has quit [Quit: nya]
puckipedia is now known as puck
lukegb has joined #nixos-dev
lovesegfault has joined #nixos-dev
infinisil has joined #nixos-dev
grw1 has joined #nixos-dev
srhb has joined #nixos-dev
evanjs has joined #nixos-dev
tv has joined #nixos-dev
xwvvvvwx has joined #nixos-dev
makefu has joined #nixos-dev
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
FRidh has quit [Ping timeout: 240 seconds]
<gchristensen> can anyone remind me which types of errors nix-env ignores, which nix-instantiate does not?
FRidh has joined #nixos-dev
<gchristensen> builtins.throw, I think?
<LnL> throw I think, it's abort that's the one which will also fail there IIRC
<gchristensen> cool, thanks!
cole-h has joined #nixos-dev
<infinisil> throw and abort are also the only ones builtins.tryEval can catch
<clever> annoyingly, the unfree error is also silently eaten
<LnL> I think that's intentional so --query continues listing everything else
<LnL> oh you can catch abort?
<clever> LnL: many users have been confused by nix-env -iA nixos.unfree-program just failing silently
<infinisil> LnL: Oh no I meant assert actually
justanotheruser has quit [Ping timeout: 260 seconds]
<infinisil> Not abort
<LnL> just with -i I would assume, but yeah name based install is weird and inconsistent with everything else
<infinisil> > builtins.tryEval (assert false; null)
<{^_^}> { success = false; value = false; }
<infinisil> > builtins.tryEval (abort "foo")
<{^_^}> evaluation aborted with the following error message: 'foo'
<infinisil> > builtins.tryEval (throw "foo")
<{^_^}> { success = false; value = false; }
<LnL> yeah makes sense
<clever> LnL: oh, maybe -i is the problem, not -iA, yeah....
<clever> LnL: the -i is searching, and ignoring errors, so it can keep searching, and then finds nothing...
<LnL> indeed
<LnL> nix install should use attributes and also not use a prefix IMHO
<Valodim> "not use a prefix"?
<clever> Valodim: the nixos. in my above example
<clever> that's the name of a channel from ~/.nix-defexpr/
<LnL> nixpkgs.hello or flake#hello or whatever, just hello
<Valodim> so long term it should have a default flake of sorts?
<LnL> yeah
<Valodim> I definitely agree with the idea, it's just not obvious how to do it
<clever> that's exactly what ~/.nix-defexpr/ is, the default expressions
<clever> nix will recursively search it until it finds either a foo/default.nix or a foo.nix, and then create a foo in a set
<clever> that foo is what you reference with your nix-env -iA foo.hello
<Valodim> oh wow. thanks, TIL :)
<clever> nix-channel then creates a nixos/ that points to a copy of nixpkgs, so nixos/default.nix is the default.nix at the root of nixpkgs
<Valodim> so basically `ln -s /path/to/my/favorite/flake.nix ~/.nix-defexpr` ?
<clever> [clever@amd-nixos:~]$ cat .nix-defexpr/test/foo/default.nix
<clever> import /home/clever/iohk/cardano-develop
<clever> [clever@amd-nixos:~]$ cat .nix-defexpr/test/cardano/default.nix
<clever> import /home/clever/apps/nixpkgs
<clever> with this, i can nix-env -iA foo.hello to use a clone of nixpkgs, or nix-env -iA cardano.something to install something from the default.nix within cardano-develop
<clever> it needs to return either a set, or a function you can auto-call with {} to get a set
justanotheruser has joined #nixos-dev
kalbasit has joined #nixos-dev
ris has quit [Remote host closed the connection]
ris has joined #nixos-dev
ixxie has quit [Quit: Lost terminal]
__monty__ has joined #nixos-dev
<gchristensen> I wonder if preferLocalBuild should add an implicit feature to the derivation like ("local"), and then if someone wants to allow only local-only builds locally, they could add that feature to their local machine
<gchristensen> because right now you can't prevent local builds even with max-jobs=0. the only method I've found is setting the machine's `system` to a bogus type
<LnL> hydra or the remote build stuff also has some weird workarounds for local builds IIRC
<gchristensen> yeah I think you're right, the builtins:local thing, right?
<LnL> oh yeah, might be what I'm thinking of
<matthewbauer> I would think `preferLocalBuild` shouldn't be a hard requirement. I didn't know that it made you do it locally?
<matthewbauer> I was actually wondering yesterday if there was some general heuristic for whether to do a local build.
<matthewbauer> It ends up being whether the time to upload + download something is greater than the speed up from doing a remote build. If we knew the output size of a derivation ahead of time, we could turn it on any time the input size is some constant factor of output size. But output size isn't easy to know ahead of time.
<gchristensen> yea
<gchristensen> which is the purpose of preferLocalBuild -- to tell nix, instead of make a heuristic
<matthewbauer> yeah, but i think there's probably a few cases where you might not realize local is faster. things like compression and building disk images are almost always best to do preferLocalBuild. but i think when you have lots of small derivations, you can occasionally get speed up as well from preferLocalBuild
<matthewbauer> probably because of latency
<matthewbauer> and so if the remote builder is on your lan, you might actually want compression and disk images to use remote since there's less cost
<gchristensen> we're bumping into this same issue again and again, which is our ability to express what we want isn't sufficiently flexible. for example, I *do* want to distribute building disk images remotely. I also do want to ask remote builders to substitute on their own. my use case isn't yours, though
<gchristensen> the protocol / config isn't so flexible, though, and so the list of what settings should be sent to which remote builder are poorly defined, and so some minimal set has been picked
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
<matthewbauer> hmmm... yeah. i do think there's a universal use case here though - everyone just wants the fastest strategy. there's some concerns with security & how much your builders trust you though.
<gchristensen> for sure
<gchristensen> but we (the daemon) can't really know
rajivr has quit [Quit: Connection closed for inactivity]
<gchristensen> 99 trillion points to domenkozar[m]: https://gsc.io/snaps/d418cacd-59ac-4554-94a7-dc7709a4c5a4.png
alp has joined #nixos-dev
<Valodim[m]> Whoa
<samueldr> I thought he hired someone to work on errors, or is he also working on them?
<samueldr> (kudos to whoever wrote the better errors though!)
<gchristensen> he did, I'm assuming that sending him praise will forward the praise to the right person
justanotheruser has quit [Ping timeout: 246 seconds]
tokudan has quit [Remote host closed the connection]
tokudan has joined #nixos-dev
alp has quit [Ping timeout: 272 seconds]
alp has joined #nixos-dev
FRidh has quit [Quit: Konversation terminated!]
orivej has quit [Ping timeout: 240 seconds]
justanotheruser has joined #nixos-dev
alp has quit [Ping timeout: 272 seconds]
<ashkitten> omg
<ashkitten> gchristensen: holy shit
<ashkitten> domenkozar[m]++
<{^_^}> domenkozar[m]'s karma got increased to 27, that's Numberwang!
<gchristensen> inorite?
<ryantm> domenkozar++
<{^_^}> domenkozar's karma got increased to 28
alp has joined #nixos-dev
<timokau[m]> Is the ofBorg eval down again gchristensen cole-h? 40 minutes seems unusually long, still "Checking out new Paths"
<timokau[m]> Nevermind, just moved on
<timokau[m]> Literally the moment I hit send. It was slacking off and noticed that I was ratting it out
<gchristensen> :)
justanotheruser has quit [Ping timeout: 246 seconds]
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
justanotheruser has joined #nixos-dev
<Mic92> How can I get all derivations from a recursive attrset? In particular I want to get that for hydraJobs so I can extend nix-build-uncached
<infinisil> Mic92: Could use lib.collect
<infinisil> lib.collect lib.isDerivation
<Mic92> infinisil: did I mention recursive?
<Mic92> ah it is
<infinisil> Indeed
<Mic92> Sweet
<Mic92> infinisil: since you are also in the deployment business now, you might be interested in https://github.com/Mic92/sops-nix
__monty__ has quit [Quit: leaving]
<colemickens> I am very interested in that.
<colemickens> That looks great at first glance. Better than what I'd been imagining rigging up for KV integration and using stuff that's already built/tested.
<infinisil> Mic92: Neat
<Mic92> I already got access to GCP credits so I can integrate GCP KMS. If someone would sponsor me AWS KMS or Azure Key vault I would implement it as well.
<infinisil> Mic92: So if I understood this correctly: The idea is to check each deploy host's public key into the git repo. sops then generates the secrets.yaml file with all secrets encrypted with all the public keys separately. The file gets transferred to each host, which can then decrypt the secrets
<Mic92> infinisil: yes. The sops file can be transferred manually or added to the nix store. One could also have shared private keys, which may scale better with a large number of homogeneous servers.
<Mic92> I will finish the documentation over the next days and add some more examples
<infinisil> Mic92: I guess there isn't a distinction of which machine can access which secrets?
ixxie has joined #nixos-dev
<infinisil> Oh I guess you can have a separate secrets.yaml file for each host
<Mic92> yes
<colemickens> For the cloud providers, I assume you'll integrate on the vm/identity side too right?
<Mic92> This is what services like GCP KMS are for
<Mic92> It's already implemented in sops itself. I just need to add the right config options/environment variables.
<colemickens> I can get you access to an Azure subscription, but I'm also down to take a crack at it right now. DM me if you want me to make you admin on a subscription for a while.
<Mic92> The smallest VM for a few hours is probably all I need.
<infinisil> Hm, I guess sops-nix could even be added to nixpkgs
<Mic92> I want to collect some users before that though to see if I got the interface right.
<Mic92> Most of my time spent until now was on fixing the horrible GPG UX.
<colemickens> Mic92: You'll want access to the sub so you can touch KV/RBAC, etc. I don't mind, is your usual commit email your Microsoft account email?
<colemickens> I can leave a prebooted VM too
<Mic92> colemickens: no. it's joerg.msn@higgsboson.tk but I changed it to joerg.msn@thalheim.io (it will take ages though before they will process this address change).
<Mic92> I suppose I need to access this RBAC stuff.
<cole-h> Mic92: Does sops only work on .yaml or .json files? e.g. no encrypted extensionless files?
<Mic92> cole-h: Yes. Files can be treated as binary files. They will be put into a json file and unpacked as is: https://github.com/Mic92/dotfiles/blob/master/nixos/turingmachine/secrets/krb5.keytab
<cole-h> Oh no way! That's one of the reasons (if not the only reason) why I went with git-crypt over it... I might have to re-evaluate it, thanks!
<cole-h> https://github.com/mozilla/sops#encrypting-binary-files Oh hey, if I had read the whole README, I would have known lol.
<colemickens> Mic92: You should be able to see the subscription in the portal/cli (there's a shell.nix with the CLI in nixos/maintainers/scripts/azure-new) and you should be able to `ssh cole@52.156.129.54` with your github key.
<Mic92> colemickens: works.
<Mic92> colemickens: I think I will have a look into this again next weekend. Should I turn off the VM?
<colemickens> Mic92: sure, it's no sweat if you forget. Worst case scenario the quota runs out and resets on the 23rd.
<Mic92> colemickens: I am not seeing the subscription yet in the azure portal.
<colemickens> I don't know if you have to accept an invitation to the Active Directory instance. It said it sent invites to you.
<Mic92> ok
<Mic92> I check my emails
<colemickens> And then after accepting, you might need to switch the directory you're on, in the portal, between the console and bell icons in the top right, is a Directory/Subscription filter.
<Mic92> works now
<Mic92> colemickens: I suppose when it's stopped it only costs for the disk space?
<colemickens> Yes. And to be specific, in Azure you have to make sure to Stop via Portal/CLI/API. Shutting down the instance doesn't deprovision it.
<Mic92> Done that
<cole-h> colemickens++
<{^_^}> colemickens's karma got increased to 31
<Mic92> colemickens: is this some free tier credits you got there?
<colemickens> I mean, Mic92++ really. I did the easy part.
<{^_^}> Mic92's karma got increased to 30
<cole-h> As easy as it is, it still needed doing :)