ChanServ changed the topic of #nixus to: Nixus is an experimental deployment tool for NixOS systems - https://github.com/Infinisil/nixus - https://logs.nix.samueldr.com/nixus/
<infinisil> (coming here from #nixos)
<infinisil> numkem: Yeah that would be a submodule
<numkem> yup, your example showed it, thanks!
<numkem> am I mistaken in saying it's more modular since nixus is built with only nix?
<infinisil> numkem: Hmm yeah. It's more modular because it's using the NixOS module system for more than just NixOS (to manage multiple machines)
<numkem> infinisil: that's what I was thinking, the last bit of magic I'm not understanding is how you managed to make nix-build ssh into machines... runCommand?
<infinisil> The fact that it's built with only Nix is limiting, and that's one thing I intend to change eventually
<numkem> what do you have in mind?
<infinisil> Oh nix-build isn't sshing
<infinisil> You only nix-build the deployment script
<infinisil> Which you then execute
<numkem> haaa, now that makes sense
<infinisil> So a deployment would be `nix-build && ./result` or `$(nix-build)`
<numkem> ok, so no black magic involved
<infinisil> Well, there is some black magic involved, but not regarding that :P
<numkem> sorry, I should have tried it first but I've been debating on which one to pick between morph/nixus/deploy-rs
<infinisil> Regarding the CLI, I don't know yet, but it's needed for e.g. https://github.com/Infinisil/nixus/issues/26
<numkem> nixus seems to fit the "straight to the point" idea that I'm aiming for
<infinisil> Hmm yeah
<infinisil> It would be possible to remove most of the complexity with rollbacks and secrets, which still leaves a pretty good system, but with most of the buggy parts gone
<infinisil> Well the rollback works
<infinisil> But e.g. you can't Ctrl-C it currently :P https://github.com/Infinisil/nixus/issues/5
<infinisil> And secrets work too, but it depends on some rsync hacks, which aren't super reliable
<infinisil> At the base, nixus allows you to describe and build a number of systems with a single default.nix, including pinning nixpkgs versions, different ones for each machine if necessary
<infinisil> And the whole multi-host abstraction business
<numkem> very interesting
<numkem> now I'm quite split between morph and nixus
<infinisil> numkem: What are the negatives of morph in your opinion?
<numkem> infinisil: I don't think I have any, I've just seen it can do health checks
<numkem> I have yet to use it too so I can't really speak too much right now
<infinisil> I see
<numkem> I'm really just looking for alternatives to nixops and I like your approach
<numkem> not having a binary is a great asset even if I know it can become a hurdle later
<numkem> infinisil: hum... with nixus, adding support for vault would just be to do the module that adds to it the file right?
<numkem> infinisil: how does nixus handle failures?
<infinisil> numkem: Yeah not having a specific binary is kind of nice
<infinisil> numkem: Nixus is basically just a set of deployment phases, and by default a couple standard phases are added
<infinisil> I'm not sure how vault support would exactly work, but if it can be done with a deployment script, it would just be another phase probably
<numkem> vault read path/to/thing > and so on
<infinisil> Oh, so the vault command would be executed locally, and secrets would be transferred to the remote once read?
<infinisil> numkem: ^
<numkem> infinisil: might be possible to piggyback on the secret storage nixus already has, the content would just come from the vault command
<infinisil> I see
<infinisil> I don't know a whole lot about vault, but wouldn't this be the wrong way to use it?
<infinisil> I thought the whole point was to not have to handle secrets
<infinisil> I'd expect vault support to just transfer a small passphrase/code over, so that the server can authenticate with vault on its side to get all secrets
<numkem> infinisil: or it could use the secret module from nixus to pass over the vault url and token, so the remote machine can execute the command. that seems better
<infinisil> Oh yeah that sounds good. And that can be done with the secret module already, if you store the token at some file path locally
<numkem> infinisil: the real feature would be to have it being used inside templates. So you could put the passwords of things inside of it
<numkem> infinisil: seems like nixops has support for that through a plugin but the documentation is very slim. Just an example
<infinisil> Oh yeah that's not possible with nixus at all actually
<infinisil> And I think with good reason: You don't want secrets to end up in the /nix/store
<infinisil> And that's almost certainly the case if you use `${some-secret}` in your nixus/nixos
<infinisil> config
<infinisil> Which is why Nixus' secret support is based on files and runtime paths, not strings
<infinisil> numkem: (reply ping)
<numkem> infinisil: that's a bummer, having it as a file is a good step but then it would need to be combined without touching the store. wish nix would support that on its own or have an encrypted enclave of some kind
<infinisil> numkem: So actually what Nixus secret module does is pretty neat
<infinisil> It allows you to use interpolation to refer to the path where the secret is stored, and that is in fact a /nix/store path, allowing it to know when your config depends on a specific secret
<infinisil> However, the /nix/store path is just a symlink to /var/lib/nixus-secrets/...
<infinisil> !
<infinisil> So e.g. this allows you to do `networking.wireguard.interfaces.<name>.privateKeyFile = config.secrets.files.<some-secret>.file`
<infinisil> And `secrets.files.<some-secret>.file = ./local/path/to/secret`
<infinisil> And it Just Works (tm)
<infinisil> Without any secrets ending up in the store, and with only the secrets being copied over if they're actually used, and even with services auto-restarting if a secret config file changes
<infinisil> numkem: Am very excited about these things ^ :)
<numkem> infinisil: absolutely! I am not knowledgeable at all when it comes to nix internals but I wonder what it would take to have a path in the store that would be a gpg-encrypted sqlite db that is only available to the trusted user. that would be quite helpful
<infinisil> Yeah I'm not sure about how Nix would handle that either, it's one of the oldest issues: https://github.com/NixOS/nix/issues/8
<infinisil> But for now, I'm actually fairly convinced that Nixus has the best secret handling there is :D
<numkem> infinisil: and I believe you are right!