Identity crisis after merging with upstream / User "me" is gone #8

Closed
buxel opened this issue Dec 10, 2023 · 7 comments

@buxel

buxel commented Dec 10, 2023

I have followed the system "pom" as a reference for my server. After merging the most recent changes, the user "me" is gone.

To verify, I checked:

```
nix-repl> nixosConfigurations.bender.config.users.users.me
error: attribute 'me' missing

       at «string»:1:1:

            1| nixosConfigurations.bender.config.users.users.me
             | ^
```

I made sure to include it in configurations/<system>/users/me.nix. Is this still WIP and just unfortunate timing?

Luckily, I can still connect as root, so no harm done 😄

Enjoy your weekend!

BTW: don't forget to create postgres extensions to keep immich working!

@suderman
Owner

I've had to add support for multiple users, so yeah, big changes occurred.

No longer do I assign a single user = "me"; in my configuration's default.nix. Now each configuration has a users directory with me.nix (along with other users) inside. The contents of each of these files are what used to be in home.nix and are home-manager configuration files per user. Also, each user is only granted elevated permissions (sudo) if they have a matching user key in the secrets/keys directory.

Additionally, I moved my shared configuration out of bootstrap and into configurations/all.

You should also make sure your flake.nix is up to date... that's changed a lot and many of the this.lib helper functions have moved into a default.nix in the project root.

@suderman
Owner

> BTW: don't forget to create postgres extensions to keep immich working!

I've run their postgres commands, so I think I'm okay. :-) But now I'm wondering about the next big breaking release, since they're changing the database container to something I don't recognize and I haven't resolved if I can keep running my instance of nixpkgs postgres or if I have to migrate everything over. Sigh!

@buxel
Author

buxel commented Dec 10, 2023

Oh well, another case of code blindness. I was paying SO close attention to what changed and made sure to replicate everything in a test branch. The only thing I forgot was to git add the "me.nix" file 🤦‍♂️. The price of having everything resolved (pretty cool, tbh) dynamically without hard references, I guess.

Immich seems to be a challenge for nixpkgs, too. I've been tracking this issue for a while now and the maintainers are also discussing their options: NixOS/nixpkgs#244803
If the immich-nixos project happens, maybe that is the best option.

@buxel
Author

buxel commented Dec 10, 2023

> Also, each user is only granted elevated permissions (sudo) if they have a matching user key in the secrets/keys directory.

Would this break if I (plan to) have multiple "@[email protected]" public keys from different client machines? I still haven't warmed up to the idea of copying my private key around. Maybe it is possible to concatenate all public keys into a single "me". That would be pretty clean.

@suderman
Owner

> Immich seems to be a challenge for nixpkgs, too. I've been tracking this issue for a while now and the maintainers are also discussing their options

It seems like too much trouble to try to package Immich before it's stable. Best compromise I've found is to use their docker images, but orchestrate those containers with Nix's systemd implementation. I've mostly done that, except for the postgres database... which is now causing me grief, whoops!

> Would this break if I (plan to) have multiple "@[email protected]" public keys from different client machines?

I think my script that generates the secrets/keys/default.nix would choke on the double @ symbol, since it's not a valid character for an attribute set name. Alternatively, you could just replace the mkAdmins function to not look anything up and always return a list of admin users [ "me" ] (regardless of what public keys are found in that directory).

@suderman
Owner

I found someone named diogotcorreia who packaged up pgvecto.rs making my Immich upgrade to 1.91.0 much easier. I also improved my systemd script to ensure all the required postgres extensions are created.

@buxel
Author

buxel commented Dec 20, 2023

> I found someone named diogotcorreia who packaged up pgvecto.rs making my Immich upgrade to 1.91.0 much easier. I also improved my systemd script to ensure all the required postgres extensions are created.

I also stumbled upon this (later than you). Thanks for staying on top of this 👍

> I think my script that generates the secrets/keys/default.nix would choke on the double @ symbol, since it's not a valid character for an attribute set name. Alternatively, you could just replace the mkAdmins function to not look anything up and always return a list of admin users [ "me" ] (regardless of what public keys are found in that directory).

I'll just name them @me_some-machine.pub 😄
