fatjedi has joined #nixos-systemd
fatjedi has left #nixos-systemd [#nixos-systemd]
pbb has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
pbb has joined #nixos-systemd
<flokli> gchristensen: GPG btw :-P
pbb has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
pbb has joined #nixos-systemd
pbb has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
pbb has joined #nixos-systemd
<gchristensen> a shame
<Mic92> My laptop is now converted to nix-sops: https://github.com/Mic92/sops-nix documentation to be written, but I think you get the idea from this commit
<Mic92> I still hope that nacl box will be a pgp alternative in the future: https://github.com/mozilla/sops/pull/569
<{^_^}> mozilla/sops#569 (by jvehent, 34 weeks ago, open): NACL BOX master key support
<Mic92> pgp is just pain. In sops-nix I add a wrapper around it to make it usable.
<gchristensen> nice
<gchristensen> does the pgp stuff verify a signature? age has no signatures
<Mic92> gchristensen: sops comes with its own mac: https://github.com/mozilla/sops#message-authentication-code
<gchristensen> nice
<Mic92> I can only recommend to watch the sops video. It explains more or less everything about sops
<gchristensen> yeah I've seen some, it is really cool
<aanderse> Mic92: awesome!
<Mic92> Seems like nixos-rebuild has no concept of rolling back if something during activation fails.
<Mic92> But this would be actually quite useful to check configuration before restarting any service.
<Mic92> Many configuration checks cannot be performed in the sandbox.
<gchristensen> yeah
<gchristensen> adisbladis and I were looking in to this sort of thing for a two-phase commit protocol for nixops
<{^_^}> nixops#1245 (by grahamc, 17 weeks ago, open): Deploy Targets: Policy/Behavior-free Deployment Hooks (auto-rollbacks, drain events, etc.)
<gchristensen> anyone know why udev might be unable to configure /dev/ttyS0 when this config is applied: systemd.services.systemd-udevd.serviceConfig.NetworkNamespacePath = "/var/run/netns/foobar";
<flokli> gchristensen: what are you doing? oO
<flokli> running systemd-udevd (and only it) in a separate network namespace sounds scary
<gchristensen> why do you say that? (it has a few other things in there ...)
<gchristensen> flokli: I've started systemd in a separate netns, leaving all the physical devices in the original one
<gchristensen> but then dhcpcd, even when running in the original netns, doesn't seem to work for udev reasons
<flokli> hmmm… I'd probably run an entire system inside an nspawn container then, not just individual system units…
<flokli> I'd assume systemd-udevd and pid1 do some sort of communication, and might have some assumptions on seeing similar things
<flokli> but :shrug:
<gchristensen> well I need certain pieces to run in the original namespace
<gchristensen> because I need them to talk to the physical devices
<gchristensen> right now that is dhcpcd and ssh's .socket unit, though dhcpcd doesn't work yet
<flokli> I'd just solve this with some routing probably and a veth pair
<flokli> I'd just leave my main system in the main network namespace
<gchristensen> yeah... I don't really want to do that, but I know that is the prevailing solution
<gchristensen> so your concern is systemd-udev and pid1 wanting to talk over a network socket of some sort, causing trouble? might be
<flokli> gchristensen: I just mean, you're charting unexplored waters :-)