#nixos-systemd on 2020-07-06

00:11 fatjedi has joined #nixos-systemd

00:11 fatjedi has left #nixos-systemd [#nixos-systemd]

00:59 pbb has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]

01:00 pbb has joined #nixos-systemd

07:33 <flokli> gchristensen: GPG btw :-P

09:08 pbb has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]

09:12 pbb has joined #nixos-systemd

11:52 pbb has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]

11:55 pbb has joined #nixos-systemd

12:00 <gchristensen> a shame

14:33 <Mic92> aanderse: https://github.com/Mic92/dotfiles/commit/ce259da0d9b9b0301eb381f2d364e804f2d3ef3d

14:35 <Mic92> My laptop is now converted to nix-sops: https://github.com/Mic92/sops-nix documentation to be written, but I think you get the idea from this commit

14:36 <Mic92> I still hope that nacl box will be a pgp alternative in the future: https://github.com/mozilla/sops/pull/569

14:36 <{^_^}> mozilla/sops#569 (by jvehent, 34 weeks ago, open): NACL BOX master key support

14:36 <Mic92> pgp is just pain. In sops-nix I add wrapper around it to make it usuable.

14:38 <Mic92> or age support: https://github.com/mozilla/sops/pull/688/files

14:43 <gchristensen> nice

14:44 <gchristensen> does the pgp stuff verify a signature? age has not signatures

14:47 <Mic92> gchristensen: sops comes with its own mac: https://github.com/mozilla/sops#message-authentication-code

14:50 <gchristensen> nice

14:51 <Mic92> I can only recommend to watch the sops video. It explains more or less everything about sops

14:55 <gchristensen> yeah I've seen some, it is really cool

15:10 <aanderse> Mic92: awesome!

15:16 <Mic92> Seems like nixos-rebuild has no concept of rolling back if something during activation fails.

15:16 <Mic92> But this would be actually quite usefull to check configuration before restarting any service.

15:16 <Mic92> Many configuration checks cannot be performed in the sandbox.

15:25 <gchristensen> yeah

15:25 <gchristensen> adisbladis and I were looking in to this sort of thing for a two-phase commit protocol for nixops

15:26 <gchristensen> https://github.com/NixOS/nixops/pull/1245

15:26 <{^_^}> nixops#1245 (by grahamc, 17 weeks ago, open): Deploy Targets: Policy/Behavior-free Deployment Hooks (auto-rollbacks, drain events, etc.)

15:49 <gchristensen> anyone know why udev might be unable to configure /dev/ttyS0 when this config is applied: systemd.services.systemd-udevd.serviceConfig.NetworkNamespacePath = "/var/run/netns/foobar";

17:57 <flokli> gchristensen: what are you doing? oO

17:57 <flokli> running systemd-udevd (and only it) in a separate network namespace sounds scary

17:57 <gchristensen> why do you say that? (it has a few other things in there ...)

18:03 <gchristensen> flokli: I've started systemd in a separate netns, leaving all the physical devices in the original one

18:03 <gchristensen> but then dhcpcd, even when running in the original netns, doesn't seem to worke for udev reasons

18:06 <flokli> hmmm… I'd probably run an entire system inside an nspawn container then, not just individual system units…

18:06 <flokli> I'd assume systemd-udevd and pid1 do some sort of communication, and might have some assumptions on seeing similar things

18:06 <flokli> but :shrug:

18:07 <gchristensen> well I need certain pieces to run in the original namespace

18:07 <gchristensen> because I need them to talk to the physical devices

18:07 <gchristensen> right now that is dhcpcd and ssh's .socket unit, though dhcpcd doesn't work yet

18:08 <flokli> I'd just solve this with some routing probably and a veth pair

18:08 <flokli> I'd just leave my main system in the main network namespace

18:08 <gchristensen> yeah... I don't really want to do that, but I know that is the prevailing solution

18:09 <gchristensen> so your concern is systemd-udev and pid1 wanting to talk over a network socket of some sort, causing trouble? might be

18:51 <flokli> gchristensen: I just mean, you're chartering unexplored waters :-)