veleiro has quit [Remote host closed the connection]
veleiro has joined #nixus
cole-h has quit [Ping timeout: 265 seconds]
veleiro` has joined #nixus
veleiro has quit [Ping timeout: 256 seconds]
veleiro` is now known as veleiro
veleiro has joined #nixus
veleiro has quit [Changing host]
cole-h has joined #nixus
numkem has joined #nixus
<infinisil>
(coming here from #nixos)
<infinisil>
numkem: Yeah that would be a submodule
<numkem>
yup, your example showed it, thanks!
<numkem>
am I mistaken in saying it's more modular since nixus is built with only nix?
peelz has joined #nixus
<infinisil>
numkem: Hmm yeah. It's more modular because it's using the NixOS module system for more than just NixOS (to manage multiple machines)
<numkem>
infinisil: that's what I was thinking, the last bit of magic I'm not understanding is how you managed to make nix-build ssh into machines... runCommand?
<infinisil>
The fact that it's built with only Nix is limiting, and that's one thing I intend to change eventually
<numkem>
what do you have in mind?
<infinisil>
Oh nix-build isn't sshing
<infinisil>
You only nix-build the deployment script
<infinisil>
Which you then execute
<numkem>
haaa, now that makes sense
<infinisil>
So a deployment would be `nix-build && ./result` or `$(nix-build)`
<numkem>
ok, so no black magic involved
<infinisil>
Well, there is some black magic involved, but not regarding that :P
<numkem>
sorry, I should have tried it first but I've been debating on which one to pick between morph/nixus/deploy-rs
<numkem>
nixus seems to fit the "straight to the point" idea that I'm aiming for
<infinisil>
Hmm yeah
<infinisil>
It would be possible to remove most of the complexity with rollbacks and secrets, which still leaves a pretty good system, but with most of the buggy parts gone
<infinisil>
And secrets work too, but it depends on some rsync hacks, which aren't super reliable
<infinisil>
At the base, nixus allows you to describe and build a number of systems with a single default.nix, including pinning nixpkgs versions, different ones for each machine if necessary
<infinisil>
And the whole multi-host abstraction business
<numkem>
very interesting
<numkem>
now I'm quite split between morph and nixus
<infinisil>
numkem: What are the negatives of morph in your opinion?
<numkem>
infinisil: I don't think I have any, I've just seen it can do health checks
<numkem>
I have yet to use it too so I can't really speak too much right now
<infinisil>
I see
<numkem>
I'm really just looking for alternatives to nixops and I like your approach
<numkem>
not having a binary is a great asset even if I know it can become a hurdle later
<numkem>
infinisil: hum... with nixus, adding support for vault would just be to do the module that adds to it the file right?
<numkem>
infinisil: how does nixus handle failures?
<infinisil>
numkem: Yeah not having a specific binary is kind of nice
<infinisil>
numkem: Nixus is basically just a set of deployment phases, and by default a couple standard phases are added
<infinisil>
I'm not sure how vault support would exactly work, but if it can be done with a deployment script, it would just be another phase probably
<numkem>
vault read path/to/thing > and so on
<infinisil>
Oh, so the vault command would be executed locally, and secrets would be transferred to the remote once read?
<infinisil>
numkem: ^
<numkem>
infinisil: might be possible to piggyback on the secret storage nixus already has, the content would just come from the vault command
<infinisil>
I see
<infinisil>
I don't know a whole lot about vault, but wouldn't this be the wrong way to use it?
<infinisil>
I thought the whole point was to not have to handle secrets
<infinisil>
I'd expect vault support to just transfer a small passphrase/code over, so that the server can authenticate with vault on its side to get all secrets
<numkem>
infinisil: or it could use the secret module from nixus to pass over the vault url and token, so the remote machine can execute the command. that seems better
<infinisil>
Oh yeah that sounds good. And that can be done with the secret module already, if you store the token at some file path locally
<numkem>
infinisil: the real feature would be to have it being used inside templates. So you could put the passwords of things inside of it
<numkem>
infinisil: seems like nixops has support for that through a plugin but the documentation is very slim. Just an example
<infinisil>
Oh yeah that's not possible with nixus at all actually
<infinisil>
And I think with good reason: You don't want secrets to end up in the /nix/store
<infinisil>
And that's almost certainly the case if you use `${some-secret}` in your nixus/nixos
<infinisil>
config
<infinisil>
Which is why Nixus' secret support is based on files and runtime paths, not strings
<infinisil>
numkem: (reply ping)
<numkem>
infinisil: that's a bummer, having it as a file is a good step but then it would need to be combined without touching the store. wish nix would support that on its own or have an encrypted enclave of some kind
<infinisil>
numkem: So actually what Nixus secret module does is pretty neat
<infinisil>
It allows you to use interpolation to refer to the path where the secret is stored, and that is in fact a /nix/store path, allowing it to know when your config depends on a specific secret
<infinisil>
However, the /nix/store path is just a symlink to /var/lib/nixus-secrets/...
<infinisil>
!
<infinisil>
So e.g. this allows you to do `networking.wireguard.interfaces.<name>.privateKeyFile = config.secrets.files.<some-secret>.file`
<infinisil>
And `secrets.files.<some-secret>.file = ./local/path/to/secret`
<infinisil>
And it Just Works (tm)
<infinisil>
Without any secrets ending up in the store, and with only the secrets being copied over if they're actually used, and even with services auto-restarting if a secret config file changes
<infinisil>
numkem: Am very excited about these things ^ :)
<numkem>
infinisil: absolutely! I am not knowledgeable at all when it comes to nix internals but I wonder what it would take to have a path in the store that would be a gpg encrypted sqlite db that is only available to the trusted user. that would be quite helpful