Logs: liberachat/#haskell
| 2021-08-22 16:17:22 | × | nate1 quits (~nate@108-233-125-227.lightspeed.sntcca.sbcglobal.net) (Ping timeout: 252 seconds) |
| 2021-08-22 16:17:26 | <maerwald> | can't something later in your expression re-enable the postfix service? |
| 2021-08-22 16:17:43 | × | Guest|58 quits (~Guest|58@77.213.94.23) (Client Quit) |
| 2021-08-22 16:17:56 | <dminuoso> | Sure. And if I really wanted to assert it's off, I can just set `services.postfix.enable = lib.mkForce false` |
| 2021-08-22 16:17:58 | <maerwald> | my point being: if it's declarative, there'd be only *one* possible place |
| 2021-08-22 16:18:08 | <dminuoso> | well |
| 2021-08-22 16:18:11 | <dminuoso> | there is one possible place |
| 2021-08-22 16:18:14 | <dminuoso> | it's that exact option. |
| 2021-08-22 16:19:15 | <dminuoso> | And nixos doesn't have easy escape hatches here - but since the server description resides on a git repository, you can't trivially violate it |
| 2021-08-22 16:19:18 | × | wroathe quits (~wroathe@user/wroathe) (Ping timeout: 250 seconds) |
| 2021-08-22 16:19:48 | <maerwald> | sure, puppet, propellor, etc etc |
| 2021-08-22 16:19:48 | <dminuoso> | i.e. you can't log into the server and break that promise without the next deployment undoing your change completely |
| 2021-08-22 16:19:52 | <maerwald> | nothing new |
| 2021-08-22 16:19:55 | <dminuoso> | sure |
| 2021-08-22 16:20:05 | <dminuoso> | puppet achieves similar things, propellor I'm not familiar with |
| 2021-08-22 16:20:30 | <dminuoso> | But with puppet it's rather a piece of software that tries to control some existing plain linux |
| 2021-08-22 16:20:54 | <maerwald> | that's good, because it gives me more options to choose from different ecosystems |
| 2021-08-22 16:20:56 | <dminuoso> | With nixos, /etc/systemd/system is a symlink to a store path, which is on a readonly mount |
| 2021-08-22 16:21:03 | <dminuoso> | You can't trivially screw around with that while logged in to the server |
| 2021-08-22 16:21:12 | <dminuoso> | maerwald: absolutely! |
| 2021-08-22 16:21:19 | <dminuoso> | if that's your requirement, then nixos is definitely not for you |
| 2021-08-22 16:21:34 | <maerwald> | since I don't consider NixOS security focussed at all, I wouldn't really use it for deployment in the first place |
| 2021-08-22 16:21:36 | <dminuoso> | for us, we want the opposite: we want to assert that the git repository is the true and complete description of the server. |
| 2021-08-22 16:22:40 | <dminuoso> | And yeah, nixos doesn't get us there all the way - at the end you can't if you want to have any local state. Say, a server has local logs, and the system declaration is obviously not covering that |
| 2021-08-22 16:22:57 | <dminuoso> | Or you might have a database, or maybe the fail2ban database |
| 2021-08-22 16:23:33 | × | stef204 quits (~stef204@user/stef204) (Quit: WeeChat 3.2) |
| 2021-08-22 16:24:02 | <dminuoso> | maerwald: yeah, the security perspective isn't ideal - but honestly, with most distributions it relies on active maintainers that just donate their free time to rapidly push updates. |
| 2021-08-22 16:25:31 | → | stef204 joins (~stef204@user/stef204) |
| 2021-08-22 16:25:44 | <maerwald> | yeah, caring about security in devops isn't a nice job |
| 2021-08-22 16:26:28 | × | stef204 quits (~stef204@user/stef204) (Client Quit) |
| 2021-08-22 16:26:38 | <dminuoso> | Honestly, if you care about security, you have to subscribe to CVE updates yourself, and then take the flag yourself. |
| 2021-08-22 16:26:46 | <maerwald> | that's why I'm also not convinced of stackage as a concept and much rather have rolling freeze files |
| 2021-08-22 16:27:07 | <maerwald> | I used to bump our freeze file every 2 weeks |
| 2021-08-22 16:27:09 | <dminuoso> | maerwald: at least nixos has that for you. |
| 2021-08-22 16:27:34 | <maerwald> | nixpkgs uses stackage |
| 2021-08-22 16:27:39 | <dminuoso> | for haskell, yeah |
| 2021-08-22 16:27:59 | <dminuoso> | I was thinking about regular packages and libraries |
| 2021-08-22 16:28:19 | <maerwald> | yeah, that was a docker container and the binary was built with a max 2 old freeze file |
| 2021-08-22 16:28:20 | <dminuoso> | For haskell, I'm thinking if we go down that way, we'll end up using haskell.nix |
| 2021-08-22 16:28:25 | <maerwald> | *weeks |
| 2021-08-22 16:28:44 | <dminuoso> | That way we'd have plain old cabal hackage semantics again, with respect to updates |
| 2021-08-22 16:28:53 | <dminuoso> | As long as we regularly bump nixpkgs, which I guess we should want anyway |
| 2021-08-22 16:31:07 | → | merijn joins (~merijn@83-160-49-249.ip.xs4all.nl) |
| 2021-08-22 16:31:09 | <dsal> | Lycurgus: I'm using nixos on all my "production" linux machines. It's the easiest thing to build and replace at the moment, with no leftover junk I have to compete with. |
| 2021-08-22 16:31:19 | <maerwald> | I much prefer to build static binaries and put them in minimal containers that are heavily syscall restricted, are read-only filesystem etc |
| 2021-08-22 16:32:14 | <Lycurgus> | dsal, I note your scare quotes |
| 2021-08-22 16:32:20 | <dminuoso> | maerwald: One last thing that I really love about nixos: |
| 2021-08-22 16:32:45 | <dsal> | Lycurgus: Yeah, I just mean for my personal production systems, not my work systems. Work is k8s stuff right now. |
| 2021-08-22 16:32:49 | <dminuoso> | It's how I'm generally not afraid of system updates. If something breaks, I know I can completely rollback and not have stuff leaked from the update. |
| 2021-08-22 16:33:15 | <dminuoso> | The only other solution that has this type of "rollback" is if you're fleeting containers |
| 2021-08-22 16:33:20 | <maerwald> | dminuoso: Cardano's Daedalus (frontend, wallet backend and node) are started via nix expressions btw. I've thought about how that'd look with docker locally, but I believe that would suck. So that might be an interesting use case for nix indeed. |
| 2021-08-22 16:33:23 | <Lycurgus> | the toughest things for humans are simple things it seems once they get on a jag with this or that concept |
| 2021-08-22 16:33:30 | <maerwald> | Because starting docker stuff on a users machine is not good practice |
| 2021-08-22 16:34:01 | <dminuoso> | maerwald: My experience with docker has been pretty poor. The way it screws with the local firewall to implement its networking is absolutely scary to me. |
| 2021-08-22 16:34:06 | <dminuoso> | And it's very error prone |
| 2021-08-22 16:34:10 | <maerwald> | yes, it's broken |
| 2021-08-22 16:34:36 | ← | jakalx parts (~jakalx@base.jakalx.net) (Error from remote client) |
| 2021-08-22 16:34:47 | <maerwald> | it's like windows CI... restart it a couple times until it succeeds |
| 2021-08-22 16:35:11 | <maerwald> | but the point is: containers are cattle. If they misbehave, shoot them and respawn. |
| 2021-08-22 16:35:25 | <maerwald> | don't pet them |
| 2021-08-22 16:35:32 | <dminuoso> | We're currently running on centos, and on about 1/3 of the machines we run docker containers on, we've had to spend days to debug and make horrible hotfixes in iptables |
| 2021-08-22 16:35:56 | <dminuoso> | Maybe nobody else runs centos + docker? I don't know, but I'm surprised that apparently nobody else has these extreme problems |
| 2021-08-22 16:36:13 | <dminuoso> | Because everything I've seen suggests that it's properly broken |
| 2021-08-22 16:38:57 | × | pretty_dumm_guy quits (trottel@gateway/vpn/protonvpn/prettydummguy/x-88029655) (Quit: WeeChat 3.2) |
| 2021-08-22 16:39:35 | <sm> | Gurkenglas: when a project is too much, stack scripts can work well |
| 2021-08-22 17:41:41 | <sm> | hey all. How do you find out which cabal-install version is required for a given cabal-version (file format) ? |
| 2021-08-22 17:41:55 | <sm> | I want to know which one supports cabal-version 2.2 |
| 2021-08-22 17:41:56 | → | fendor_ joins (~fendor@91.141.64.241.wireless.dyn.drei.com) |
| 2021-08-22 17:42:14 | × | Lycurgus quits (~juan@cpe-45-46-140-49.buffalo.res.rr.com) (Quit: Exeunt) |
| 2021-08-22 17:44:33 | × | fendor quits (~fendor@178.115.66.241.wireless.dyn.drei.com) (Ping timeout: 248 seconds) |
| 2021-08-22 17:45:03 | <sclv> | iirc that far back anything cabal-install 2.2 and above would work (i.e. we had them coupled at that point) |
| 2021-08-22 17:45:21 | <int-e> | sm: looks like cabal-install x.y depends on Cabal x.y since 1.16 |
| 2021-08-22 17:47:40 | × | nrl^ quits (~nrl@209.65.131.194) (Remote host closed the connection) |
| 2021-08-22 17:48:33 | <sm> | thanks |
All times are in UTC.