Re: [Nix-dev] Banning people from the mailinglist?

[Arnold Krille]

Hi,

On Tue, 4 Apr 2017 14:22:48 +0200 Profpatsch  wrote:
> On 17-04-04 10:05am, Matthias Beyer wrote:
> > Can we just ban the (non-constructive) "fuck systemd" people? I 
> > mean... nobody benefits from this kind of behaviour and it creates 
> > frustration all over the place. Nobody gets happy with these kind
> > of messages.
> > 
> > Is there a technical possibility for this?
> 
> Normally these people vent once and then stay quiet;
> if someone starts flamewars on a regular basis
> we should warn them first, and on repetition ban.
> 
> So far that hasn’t happened yet, right?

Maybe the OPs question was not about the same person regularly
starting flamewars but about flamewars about the same topic started
regularly by different people each time?

I don't think a rule of 'flame systemd once and you are out' would do
the community any good, even if the threshold is higher. After all a
critical reminder can make you rethink if you are still on the right
path. Altough I personally tend to shrug off these "I hate
systemd"-topics and notice that another half a year has passed already.

> And maybe these folks will see the light someday. :)

Or "lightd" will be forced upon them? - sorry, couldn't resist.

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] nixos-container networking

[Arnold Krille]

Hi,

I think one of the best resources showing how networking and containers
works, is the tests for containers and networking ;-)
From them I also based my setup which you can see a slightly old
version of at https://github.com/kampfschlaefer/nixconfig.

Also you already found the 13-char limit on container names, which is a
result of the 16-char limit of network interface names in linux and the
devices are vb- or ve- for the containers… I was planning
to add an assertion there but got sidetracked by life and a 3D printer.

Have fun,

Arnold

On Mon, 13 Mar 2017 02:12:12 + Tomasz Czyż 
wrote:
> Hey,
> 
> could anyone using nixos-container (declarative style) share how you
> setup networking?
> 
> I'm trying to setup few containers with private network and http
> proxy at the front. Each container potentially could run application
> on port 80 and I would like to expose them through proxy.
> 
> I tried to set this up with
> 
> privateNetwork=true;
> hostAddress
> localAddress
> 
> and I tried to also run nat on the host with (just to enable outbound
> traffic)
> internalInterfaces = ["ve-+"];
> externalInterfaces = "eth0";
> 
> but no luck.
> My next try will be creating bridge on the host and add containers to
> that bridge. Is that how you do stuff or are better ways of doing
> container networking?
> 
> Tom



signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Wrong tags in nixpkgs

[Arnold Krille]

On Tue, 28 Feb 2017 12:12:43 -0800 Kamil Chmielewski
 wrote:
> Yep, something went wrong, those are tags from my private *channel*.
> I don't how could than happened and how could I remove it from
> upstream?

git push origin :

the : in front of what you want to push marks it as "remove", both for
tags and branches. Of course if you didn't name the official nixpkgs
upstream "origin", you have to replace that ;-)

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

[Nix-dev] Better firewalling in NixOS (PR: 12940)

[Arnold Krille]

Hey all,

I updated my PR for better firewalling once again and you can find it at 
https://github.com/NixOS/nixpkgs/pull/12940. Please give reviews, comments and 
merge if appropriate.

I can't believe its been almost a year since I started that PR. Needless to say 
these changes are part of the growing stack of custom changes I keep rebasing 
onto my personal stable branch.

Have fun,

Arnold
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] nix-bundle: Bundle Nix derivations to run anywhere

[Arnold Krille]

On Mon, 6 Feb 2017 18:33:19 -0600 Matthew Bauer 
wrote:
> GitHub page: https://github.com/matthewbauer/nix-bundle
> 
> I just wanted to post about a little project I've been working on. I'm
> calling it "nix-bundle".
> 
> Basically, what it does is: take a Nix closure, compress it into a
> tarball, and turn that tarball into an executable using "Arx". The
> final result looks like a plain shell script, but actually has a
> tarball closure appended to it. When you run that script, Arx will
> execute "nix-user-chroot" (which is included in the closure) which
> will setup a /nix/ directory, then execute a target executable. All of
> this should work "out of the box" for any Nix derivation folder with a
> valid executable.
> 
> For example, to generate a "hello" bundle:
> 
> ./nix-bundle.sh hello /bin/hello
> 
> "hello" specifies pkgs.hello and /bin/hello specifies the file
> ${pkgs.helloi}/bin/hello to be executed. The output file will just be
> called "hello".
> 
> The result is a "bundle" that can run without Nix being installed! No
> external dependencies are needed because they are all contained within
> the Nix closure.

So instead of pushing docker images around to bring an app into
non-nix-production, we can just push around a tar'ed nix tree? Nice.

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Distributing files between machines in a nixops deployment

[Arnold Krille]

On Sat, 19 Nov 2016 12:10:59 +0100 Marius Bergmann 
wrote:
> Is it possible to declare the distribution of a file (in my case a ssh
> server/client public key) to different machines in a nixops
> deployment?
> 
> I want to create a client keypair on one machine and then authorize
> the public part on several other machines in the deployment. Those
> other machines' public server keys should also be added to the
> known_hosts of the machine logging into them.
> 
> I know I could create all the keypairs on the machine running nixops
> and send both the public as well as the private keys over the
> network, but I would like to find out if there's a way around it.

I think this is one of the things you don't do/want with Nix/NixOps as
this is essentially self-modifying deployment. Which makes the
deployment non-deterministic and unreproducible in the strict sense.
With deployment-/configuration-management systems that have a central
node and database, like chef and puppet can have, you can do such
things. For Nix this is counter-intuitive.

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Proposal: adding fetchapt support to nixpkgs

[Arnold Krille]

On Tue, 25 Oct 2016 04:42:28 + Chuan-kai Lin 
wrote:
> I have been thinking about adding Debian-package-fetching
> functionality (tentatively named fetchapt) into nixpkgs, and I'd like
> to hear your thoughts.
> 
> First, why would anyone want such a thing?
> 
> Nixpkgs retrieves some unfree software (e.g., google-chrome) through
> binary packages in Debian packaging format, through vendor
> repositories (e.g., dl.google.com).  Currently, retrieving the binary
> packages involves manually specifying package version number and hash
> value in a nixpkg. This approach has a few advantages; for example,
> users can look at nixpkg and determine exactly which version of the
> software is being installed.

This is _the_ argument for nix. I think its even the reason why nix was
invented. It gives you reproducible builds, generations, deployments,
machines. All from one git-revision. If you take that away by fetching
the actual software version each time the expression is evaluated, you
loose that. The builds will not be deterministic anymore. So on your
test-system the new chrome release will be stable. But when you finally
approve it for the production environment, the upstream/debian package
will already have changed…

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] /etc/nixos/configuration.nix not versioned?

[Arnold Krille]

Hi,

On Fri, 16 Sep 2016 09:13:27 -0700 Wink Saville 
wrote:
> As a newbie I was playing around and last night I rolled back to an
> older configuration and realized that the configuration.nix file
> didn't rollback. I can now realize that configuration.nix has nothing
> to do with booting or running the system and it only builds the
> system.
> 
> But at the moment I have 20 variations of my system in
> /boot/loader/entries/* but only the "latest"
> /etc/nixos/configuration.nix. So how are people managing
> configuration.nix files and keeping them 'synchronized' with /boot/**/
> in particular /boot/loader/entries/* ?
> 
> What I've just done is put /etc/nixos into a git repository, but that
> puts the burden on me to keep it synchronized with the
> /boot/loader/entries. Hopefully there is a better way.

/etc/nixos/configuration.nix (and the files included there) is the one
place that nix can not manage for you. It could save a copy somewhere
within the activated profile. But it can not modify/move the file
itself.

Consider this:
* You have a working configuration
* You change configuration.nix
* You build the new config and switch to it (temporarily with
  'nixos-rebuilt test')
* You realize something is not working as expected and roll back to the
  next older version for the moment.
Now when nixos moves the configuration for you, you will be back to the
state before you started the config changes. You have no way of going
forward again and especially no way of modifying the forward
configuration and fixing it. Because its not there anymore…

What I am doing[1] is:
* there is /etc/nixos/nixconfig/ directory which is actually a git
  checkout.
* /etc/nixos/configuration.nix basically imports everything from within
  that nixconfig//default.nix
* the nixconfig also has nixpkgs as submodule in git and uses that as
  source instead of any channels.

That way I have full control over which configuration should be
running. And also about which version of the nixpkgs is used.
I can run tests on the system-config before pushing the config to
master and rebuilding my server(s) into a non-working state.
I have master, staging and story-branches and can test the next
nixos-release in the tests of my systems before applying it to the
actual machines.

The combination of full system description, full control over the
package state and full testability is what makes my daily work-life
very miserable. Because I have this at home but not at work:-/

Have fun,

Arnold

[1] A bit outdated because my main repo is locally, but
https://github.com/kampfschlaefer/nixconfig has my systems config.


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Two declarative ways to install a package?

[Arnold Krille]

On Fri, 12 Aug 2016 16:15:46 +0200 "Guillaume Maudoux (Layus)"
 wrote:
> I would rather see it as a convenience.
> The package is in your store anyway, so better make it available in
> user shells.

No, only expose what is needed or wanted explicit (explicit is better
then implicit;-)). Just because I want mpd to run on my machine,
doesn't mean I want every user to run its own mpd (and wonder why the
default-port is already in use). For example.

> With mysql for example, having the mysql command in your path is not
> strictly necessary, but it would be really annoying not to have it.
> Forcing users to install it in their own environments could even lead
> to version mismatches.

This largely depends on the package, doesn't it?

For the mysql-service to expose the mysql-commandline tool is a nice
convenience, at the same time exposing the mysqld binary is needless
and allows other apps to use that binary without actually depending on
it. It also allows foes to use it directly from your environment
without dealing specially with nix.

For the nginx-package to expose the nginx-daemon binary to your
environment isa bit useless for the same reasons explained with mysqld
exposed. But are there user-tools for nginx that should be exposed?

Maybe it would be better if there was a mysql and a mysql-server
package and the mysql-service would use the mysql-server itself and
expose the mysql commandline to the environment without exposing the
server binary?

> If exposing a package from its service happens to be annoying (for
> whatever reason),
> may I suggest suggest to pull-request an opt-out option for it ?

For security and sanity reason, it should be opt-in.

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Why nginx config isn't placed into /etc/nginx/nginx.conf?

[Arnold Krille]

On Tue, 9 Aug 2016 19:54:10 +0100 Luca Bruno 
wrote:
> When using Nixos to define my system, I want to use Nixos to define my
> > system. No other 'orchestration' software or (god forbid) any
> > user/admin should change that the imperative way. Only then can I
> > use nix the way its intended to have fully reproducible and
> > revertable states.
> >
> 
> Except that the existing world and software is not reproducible and
> revertable.

But it is, isn't it?

Thanks to Nixos I can set my server back to the system configuration
from four months back. Apart from the user data of course.

Thanks to the fact that my system declaration is in git I can even throw
away all generations apart from the last few and still rebuild my
server as it was four months ago. (Try that with other linux
distributions and any orchestration or configuration management.)

And I am not talking about some imaginary server, but the real existing
hardware under my desk;-)

Thats the beauty of Nixos, it makes the existing software-world
reproducible and revertable.

> >
> > For me the question is not why the nginx.conf is not in /etc/nginx
> > but "why whould I want the nginx.conf in /etc/nginx at all when
> > using Nixos"?
> >
> 
> For the reasons explained above, philosophy apart.

- Arnold

PS: no need to CC me, I am subscribed.


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Why nginx config isn't placed into /etc/nginx/nginx.conf?

[Arnold Krille]

On Tue, 9 Aug 2016 18:06:50 +0100 Luca Bruno 
wrote:
> So, there are few drawbacks with the read-only nginx config as it is.
> Of course, you can at any time run the nginx with an /etc/nginx
> config that you write imperatively, by creating a brand new systemd
> service and disregarding the existing one. After all nginx is quite a
> simple service to run.
> 
> Problems with the current approach:
> 1. Doesn't allow for nginx reload, because the file path changes hence
> nginx needs to be restarted.
> 2. If you are auto-updating the nginx config and reloading it
> automatically after e.g. Consul health checking you are in trouble.
> 
> With /etc/nginx you give up nix rollbacks, but you can do it manually
> with git which is faster than a nixos-rebuild.
> 
> So if you are going to run production stuff and maximize
> availability, I'd suggest to go for imperative /etc/nginx.
> 
> That applies to most of fully declarative services in nixos.
> 
> An alternative would be to still be kind of declarative by creating a
> static /etc/nginx path which symlinks to the read-only config. It all
> depends if nginx follows symlinks or not.
> If it works, it's worth changing the nixos systemd definition of
> nginx for all with this approach.
> Still you will have troubles with 3rd orchestration software
> auto-updating the nginx config file.

When using Nixos to define my system, I want to use Nixos to define my
system. No other 'orchestration' software or (god forbid) any
user/admin should change that the imperative way. Only then can I use
nix the way its intended to have fully reproducible and revertable
states.

For me the question is not why the nginx.conf is not in /etc/nginx but
"why whould I want the nginx.conf in /etc/nginx at all when using
Nixos"?

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Declarative containers with more veths

[Arnold Krille]

Hi all,

I would like to raise your attention again to this PR of mine:
https://github.com/NixOS/nixpkgs/pull/15496

I have been using this for the last month without problems and it would
be a nice addition to the nixos-containers.

- Arnold

On Thu, 16 Jun 2016 22:52:44 +0200 Arnold Krille <arn...@arnoldarts.de>
wrote:
> Hi all,
> 
> I would like to raise your attention to a PR of mine:
> https://github.com/NixOS/nixpkgs/pull/15496
> 
> It add the ability to give declarative containers more than one veth.
> With this its possible to use containers to connect two host-side
> bridges, for example as firewall/proxy. Or when the container exposes
> its public webinterface on one veth/bridge and has the administrative
> and database access on a second veth/bridge.
> 
> Please review and merge if you see fit, I would like to get that into
> NixOS…
> 
> Have fun,
> 
> Arnold



signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Inconsistency detected by ld.so

[Arnold Krille]

Hi,

sorry for the long delay, holiday got in the way.

On Wed, 6 Jul 2016 17:55:14 +0200 Renato Alves 
wrote:
> Do you by any chance have LD_LIBRARY_PATH set?
> If yes, check if unset'ing it helps.

While I had used LD_LIBRARY_PATH in the past, I do not have it on this
setup. But the problem went away on next user login (without reboot),
so thats that.

Thanks for the tip anyway;-)

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

[Nix-dev] Declarative containers with more veths

[Arnold Krille]

Hi all,

I would like to raise your attention to a PR of mine:
https://github.com/NixOS/nixpkgs/pull/15496

It add the ability to give declarative containers more than one veth.
With this its possible to use containers to connect two host-side
bridges, for example as firewall/proxy. Or when the container exposes
its public webinterface on one veth/bridge and has the administrative
and database access on a second veth/bridge.

Please review and merge if you see fit, I would like to get that into
NixOS…

Have fun,

Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] When creating a bridge interface, the bridge doesn't appear

[Arnold Krille]

did you define anything depending on the bridge? that is did you configure 
anything in networking.interfaces?

- Arnold

Am 15. Juni 2016 02:28:54 MESZ, schrieb Matthew Robbetts 
:
>Hi list,
>
>(I filed an issue at GitHub
>(https://github.com/NixOS/nixpkgs/issues/16230
>), but realized that
>since it’s probably a PEBKAC issue, the mailing list might be more
>suitable. Sorry for the cross-post!)
>
>
>I am configuring a new nixOS system. My machine has two ethernet
>interfaces (enp3s0 and enp4s0) and one wireless interface (wlp5s0). I
>want to bridge the wireless with one of the ethernets, so in my
>configuration.nix I add:
>
>networking = {
>...
>bridges.br0.interfaces = [ "enp4s0" "wlp5s0" ];
>...
>and run nixos-rebuild switch.
>
>I observe in the output that, among other things, a
>/nix/store/z18i1q0r4i2bn0vkpcz45d10nn0628nf-unit-br0-netdev.service/br0-netdev.service
>is created. However, ifconfig does not show the new bridge interface.
>
>If I manually run:
>systemctl start br0-netdev.service
>
>the bridge interface appears.
>
>Probably I am doing something wrong, but I would have expected the
>bridge to appear immediately as a result of nixos-rebuild switch.
>
>Anyone have an opinion?
>
>
>Thanks,
>Matt
>
>
>
>___
>nix-dev mailing list
>nix-dev@lists.science.uu.nl
>http://lists.science.uu.nl/mailman/listinfo/nix-dev

-- 
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Importing a .nix.gpg file?

[Arnold Krille]

On Sun, 12 Jun 2016 12:34:21 +0200 Michal Rus  wrote:
> in my nixos-config, I’ve got wifi-passwords.nix.gpg (the rest of the
> config is publicly available), and what I’d like to do is:
> 
> import ./wifi-passwords.nix.gpg;
> 
> Or:
> 
> imports = [ ./wifi-passwords.nix.gpg ];
> 
> … somewhere in configuration.nix. And when issuing `nixos-rebuild
> switch`, GnuPG would be used to decrypt the file.
> 
> How can I achieve that? Was this discussed before (I can’t find any
> mentions)? May I post a feature request in an issue or will it be
> rejected?
> 
> This seems like a useful feature and I have quite a few other uses for
> it besides Wi-Fi passwords. Currently, I’m using gpg manually, though,
> and that’s asking for errors.

I will be doing similar stuff soon, until now my config(1) has no
secrets. But once it gets, I will be using git-crypt(2). Only have to
deal with what happens when the import is not working due to encrypted
contents…

But having the encryption in nix itself and maybe even encryption in
the nix store would certainly be desirable.

- Arnold

(1) https://github.com/kampfschlaefer/nixconfig
(2) https://github.com/AGWA/git-crypt


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] Custom directories

[Arnold Krille]

On Wed, 25 May 2016 17:26:24 +0300 Daniel Hlynskyi
 wrote:
> Hi. What's canonical Nixos way to specify custom directories?
> 
> I'm playing with containers. Here is excerpt of my config:
> 
>   fileSystems."/media/logs" = { fsType = "ext4";  label = "logs"; };
>   boot.initrd.postMountCommands = ''
> chmod 777 /media/logs
>   '';
> 
>   containers.dwarfs =
> { bindMounts."/media/logs/dwarfs".hostPath = "/media/logs/dwarfs";
>   bindMounts."/media/logs/dwarfs".isReadOnly = false;
>   config =
>{ config, pkgs, ... }:
>{
>  boot.postBootCommands = ''
> chmod 777 /media/logs/dwarfs
>  '';
> 
> I'd like for directory /media/logs/dwarfs to exist, but I don't know
> where to put _the_ mkdir.
> 
> boot.initrd.postMountCommands is not exactly what I want, because I
> need to remount drive or reboot host for changes to apply, but plain
> nixos-rebuild switch doesn't execute postMountCommands.
> 
> Also I'd like to change directory mask in containers without container
> restart (instead of boot.postBootCommands)

Here is how one of my containers has its data dir in a special
partition with special permissions:
https://github.com/kampfschlaefer/nixconfig/blob/master/portal/containers/mpd.nix
Note that the directory is created by systemd before mounting partition.

But maybe the bindMounts of containers need to be extended so they also
create the target directory with the permissions you want. But what
happens when you want a userid for permissions that exists only inside
the container? Current bindmount stuff is outside the container…

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

[Nix-commits] [NixOS/nixpkgs] 0b0f75: unbound service: do not initialize root cert

[Arnold Krille]

  Branch: refs/heads/release-16.03
  Home:   https://github.com/NixOS/nixpkgs
  Commit: 0b0f759b9361ca18d136e870a94e3088f2d85356
  
https://github.com/NixOS/nixpkgs/commit/0b0f759b9361ca18d136e870a94e3088f2d85356
  Author: Arnold Krille <arn...@arnoldarts.de>
  Date:   2016-05-21 (Sat, 21 May 2016)

  Changed paths:
M nixos/modules/services/networking/unbound.nix

  Log Message:
  ---
  unbound service: do not initialize root cert

When enableRootTrustAnchor is set to false, there is really no point in
initializing the root key before starting unbound.

Fixes #15605.

(cherry picked from commit bf0e745597c5fc9547e41905f0f0354d009f154e)


___
nix-commits mailing list
nix-comm...@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-commits

[Nix-commits] [NixOS/nixpkgs] bf0e74: unbound service: do not initialize root cert

[Arnold Krille]

  Branch: refs/heads/master
  Home:   https://github.com/NixOS/nixpkgs
  Commit: bf0e745597c5fc9547e41905f0f0354d009f154e
  
https://github.com/NixOS/nixpkgs/commit/bf0e745597c5fc9547e41905f0f0354d009f154e
  Author: Arnold Krille <arn...@arnoldarts.de>
  Date:   2016-05-21 (Sat, 21 May 2016)

  Changed paths:
M nixos/modules/services/networking/unbound.nix

  Log Message:
  ---
  unbound service: do not initialize root cert

When enableRootTrustAnchor is set to false, there is really no point in
initializing the root key before starting unbound.

Fixes #15605.


___
nix-commits mailing list
nix-comm...@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-commits

Re: [Nix-dev] Source URL breakage – please can we improve the determinism

[Arnold Krille]

On Sun, 8 May 2016 18:11:09 +0300 Игорь Пашев 
wrote:
> Can't be nix cache used for this? Source tarballs are kind of
> derivation too. 

Somehow I was under the impression that the output of
"fetchFromUrl" or "fetchFromGit" was also a result worth storing in the
nix-store. And thus also part of the 'binary'-cache.
Or is that only when configuring a private binary-cache/hydra?

- Arnold


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] environment in systemd services

[Arnold Krille]

Nope, the aws credentials are in the url given in the config file.

I also tried setting serviceConfig with options privateTmp=false and
privateNetwork=false but these options seem to be for a later version
of systemd. I am on stock 15.09 here.

- Arnold

(Before anyone asks, the backup is encrypted and only the public part
of the gpg key is present on the server.)

On Sat, 30 Jan 2016 13:27:52 + zimbatm <zimb...@zimbatm.com> wrote:
> Did you try to pass the AWS keypair trough an environment variable ? I
> don't know it that would fix it but it's a 3rd solution, not having
> access to the right keys.
> 
> On Sat, 30 Jan 2016 at 13:20 Arnold Krille <arn...@arnoldarts.de>
> wrote:
> 
> > Hi all,
> >
> > yes, its the first time I am writing on this list.
> >
> > I am trying to get duply/duplicity to run. When I execute `duply
> > amazon backup` in a root shell, all is well. But I want it to be
> > run regularly by systemd. So I created a service:
> >
> > ```
> > systemd.services.duplyamazon =
> >   {
> > path = [ pkgs.duply ];
> > environment = { LANG = "C"; HOME="/root"; TMPDIR="/tmp"; };
> > script = "duply amazon status";
> > startAt = "Sat 4:10:00";
> >   };
> > ```
> >
> > But when I run that (either by the timer or by `systemctl start
> > duplyamazon`, it fails with very strange python backtrace:
> >
> > ```
> > Jan 30 14:10:08 portal duplyamazon-start[47296]: Using temporary
> > directory /tmp/duplicity-b53bV9-tempdir Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: Backend error detail: Traceback (most
> > recent call last): Jan 30 14:10:08 portal duplyamazon-start[47296]:
> > File
> >
> > "/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/bin/.duplicity-wrapped",
> > line 1519, in  Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: with_tempdir(main) Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: File
> >
> > "/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/bin/.duplicity-wrapped",
> > line 1513, in with_tempdir Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: fn() Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: File
> >
> > "/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/bin/.duplicity-wrapped",
> > line 1354, in main Jan 30 14:10:08 portal duplyamazon-start[47296]:
> > action = commandline.ProcessCommandLine(sys.argv[1:]) Jan 30
> > 14:10:08 portal duplyamazon-start[47296]: File
> >
> > "/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/commandline.py",
> > line 1062, in ProcessCommandLine Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: globals.backend =
> > backend.get_backend(args[0]) Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: File
> >
> > "/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/backend.py",
> > line 223, in get_backend Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: obj = get_backend_object(url_string) Jan
> > 30 14:10:08 portal duplyamazon-start[47296]: File
> >
> > "/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/backend.py",
> > line 209, in get_backend_object Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: return factory(pu) Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: File
> >
> > "/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/backends/_boto_single.py",
> > line 161, in __init__ Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: self.resetConnection() Jan 30 14:10:08
> > portal duplyamazon-start[47296]: File
> >
> > "/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/backends/_boto_single.py",
> > line 187, in resetConnection Jan 30 14:10:08 portal
> > duplyamazon-start[47296]: raise BackendException(err.message) Jan 30
> > 14:10:08 portal duplyamazon-start[47296]: BackendException Jan 30
> > 14:10:08 portal duplyamazon-start[47296]: BackendException: Jan 30
> > 14:10:08 portal duplyamazon-start[47296]: 14:10:08.191 Task 'STATUS'
> > failed with exit code '23'.
> > ```
> >
> > I think its either because it can not access the tmpdir or because
> > it can not access the network. And I don't know whether that is
> > because of some missing environment variables or because of how
> > systemd services have to be 

[Nix-dev] [Fixed?] Re: environment in systemd services

[Arnold Krille]

Hi all,

I kind of fixed it. I played around with the duply config, but that
didn't really change anything.

Then I went back to getting fcron installed and sending emails. And
there I encountered the same problem with the same backtrace with the
empty error message!

So there seems to be something different between the system environment
and roots login shell. So I started not `duply amazon status` but `bash
-l -c "duply amazon status"`, thus running duply in roots login shell.
And now it works! Both when run in cron and when run in its own system
service!

I am not sure if this is the right solution, but at least I got some
backups working now.

As soon as I add backups to a local disk I will check again if duply
can't run with the system environment…

Have fun,

Arnold

On Sat, 30 Jan 2016 14:34:21 +0100 Arnold Krille <arn...@arnoldarts.de>
wrote:
> Nope, the aws credentials are in the url given in the config file.
> 
> I also tried setting serviceConfig with options privateTmp=false and
> privateNetwork=false but these options seem to be for a later version
> of systemd. I am on stock 15.09 here.
> 
> - Arnold
> 
> (Before anyone asks, the backup is encrypted and only the public part
> of the gpg key is present on the server.)
> 
> On Sat, 30 Jan 2016 13:27:52 + zimbatm <zimb...@zimbatm.com>
> wrote:
> > Did you try to pass the AWS keypair trough an environment
> > variable ? I don't know it that would fix it but it's a 3rd
> > solution, not having access to the right keys.



signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

[Nix-dev] environment in systemd services

[Arnold Krille]

Hi all,

yes, its the first time I am writing on this list.

I am trying to get duply/duplicity to run. When I execute `duply amazon
backup` in a root shell, all is well. But I want it to be run regularly
by systemd. So I created a service:

```
systemd.services.duplyamazon =
  {
path = [ pkgs.duply ];
environment = { LANG = "C"; HOME="/root"; TMPDIR="/tmp"; }; 
script = "duply amazon status"; 
startAt = "Sat 4:10:00";
  }; 
```

But when I run that (either by the timer or by `systemctl start
duplyamazon`, it fails with very strange python backtrace:

```
Jan 30 14:10:08 portal duplyamazon-start[47296]: Using temporary
directory /tmp/duplicity-b53bV9-tempdir Jan 30 14:10:08 portal
duplyamazon-start[47296]: Backend error detail: Traceback (most recent
call last): Jan 30 14:10:08 portal duplyamazon-start[47296]: File
"/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/bin/.duplicity-wrapped",
line 1519, in  Jan 30 14:10:08 portal duplyamazon-start[47296]:
with_tempdir(main) Jan 30 14:10:08 portal duplyamazon-start[47296]:
File
"/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/bin/.duplicity-wrapped",
line 1513, in with_tempdir Jan 30 14:10:08 portal
duplyamazon-start[47296]: fn() Jan 30 14:10:08 portal
duplyamazon-start[47296]: File
"/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/bin/.duplicity-wrapped",
line 1354, in main Jan 30 14:10:08 portal duplyamazon-start[47296]:
action = commandline.ProcessCommandLine(sys.argv[1:]) Jan 30 14:10:08
portal duplyamazon-start[47296]: File
"/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/commandline.py",
line 1062, in ProcessCommandLine Jan 30 14:10:08 portal
duplyamazon-start[47296]: globals.backend =
backend.get_backend(args[0]) Jan 30 14:10:08 portal
duplyamazon-start[47296]: File
"/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/backend.py",
line 223, in get_backend Jan 30 14:10:08 portal
duplyamazon-start[47296]: obj = get_backend_object(url_string) Jan 30
14:10:08 portal duplyamazon-start[47296]: File
"/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/backend.py",
line 209, in get_backend_object Jan 30 14:10:08 portal
duplyamazon-start[47296]: return factory(pu) Jan 30 14:10:08 portal
duplyamazon-start[47296]: File
"/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/backends/_boto_single.py",
line 161, in __init__ Jan 30 14:10:08 portal duplyamazon-start[47296]:
self.resetConnection() Jan 30 14:10:08 portal duplyamazon-start[47296]:
File
"/nix/store/ap2bv0p5m8napigg7f6yciap4nm61ap8-duplicity-0.7.02/lib/python2.7/site-packages/duplicity/backends/_boto_single.py",
line 187, in resetConnection Jan 30 14:10:08 portal
duplyamazon-start[47296]: raise BackendException(err.message) Jan 30
14:10:08 portal duplyamazon-start[47296]: BackendException Jan 30
14:10:08 portal duplyamazon-start[47296]: BackendException: Jan 30
14:10:08 portal duplyamazon-start[47296]: 14:10:08.191 Task 'STATUS'
failed with exit code '23'.
```

I think its either because it can not access the tmpdir or because it
can not access the network. And I don't know whether that is because of
some missing environment variables or because of how systemd services
have to be configured.

Can anyone try to point me in the right direction?

Thanks in advance,

Arnold


Background: I am currently setting up a new homeserver with NixOS and
therefore I am moving all the currently running services of my ubuntu
based homeserver. Expect more questions from me in the next weeks… ;-)


signature.asc
Description: PGP signature
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev