L1[02:19:44] ⇨ Joins: Hawk777 (~Hawk777@2607:c000:82a2:1a00:4d60:9a6c:8c:e6a1)
L2[03:29:43] * Amanda grabs Elfi in her forepaws, pawhugs her tight because the onion cutting ninjas are at it again
L3[03:31:57] <Amanda> %choose be good or hallucinate more
L4[03:31:58] <MichiBot> Ama​nda: I sense some "hallucinate more" in your future!
L5[03:41:10] <Amanda> Okay, hallucinated one more chapters, now zzzmews
L6[03:41:14] <Amanda> Night girls
L7[03:41:26] * Amanda rolls over to bury Elfi in her floof
L8[05:00:25] <Izzy> is unpacking a zip into the appropriate location enough for MultiMC and derivatives, or do I have to manually import the pack?
L9[05:20:55] <Ocawes​ome101> izzy: unzipping should be enough?
L10[05:21:09] <Izzy> aight cool
L11[05:21:17] <Izzy> am deploying my modpack to client machines with ansible :3
L12[05:22:03] <Forec​aster> if it's just a regular modpack unpacking is fine
L13[05:22:38] <Forec​aster> if it's a pack that was exported from multimc there may be additional settings that wouldn't get included if you don't import it, but I'm not sure
L14[05:22:57] <Izzy> it's a MMC pack with a pre-launch hook for packupdate
L15[05:23:07] <Izzy> but that's all specified in the files in the zip
L16[05:23:11] <Izzy> guess I'll just have to try it huh
L17[05:23:36] <CompanionCube> %tonkout
L18[05:23:37] <MichiBot> I'm sorry Compan​ionCube, you were not able to beat Va​ur's record of 6 hours, 13 minutes and 29 seconds this time. 6 hours and 6 seconds were wasted! Missed by 13 minutes and 22 seconds!
L19[05:23:47] <CompanionCube> damn
L20[07:42:40] ⇦ Quits: Hawk777 (~Hawk777@2607:c000:82a2:1a00:4d60:9a6c:8c:e6a1) (Quit: Leaving.)
L21[10:39:22] <stephan48> Izzy: https://prismlauncher.org/wiki/getting-started/command-line-interface/ -> option "-I" - might be worth changing to prismlauncher if this helps you
L22[12:09:50] <Izzy> stephan48: saw that in --help locally, will poke at it
L23[12:31:47] <Forec​aster> %tonkout
L24[12:31:48] <MichiBot> Holy box full of caps Batman! Forec​aster! You beat Va​ur's previous record of 6 hours, 13 minutes and 29 seconds (By 54 minutes and 42 seconds)! I hope you're happy!
L25[12:31:49] <MichiBot> Forec​aster has stolen the tonkout! Tonk has been reset! They gained 0.007 tonk points! plus 0.006 bonus points for consecutive hours! (Reduced to 50% because stealing) Current score: 1.23131824. Position #2 Need 0.05068037 more points to pass Va​ur!
L26[15:28:42] ⇨ Joins: Vexatos (~Vexatos@p200300EAEF1f7000c8981d6401eCf4f1.dip0.t-ipconnect.de)
L27[15:28:42] zsh sets mode: +v on Vexatos
L28[15:31:20] <redston​eparkour> %tonk
L29[15:31:21] <MichiBot> Geez! redston​eparkour! You beat Forec​aster's previous record of <0 (By 2 hours, 59 minutes and 33 seconds)! I hope you're happy!
L30[15:31:22] <MichiBot> redstoneparkour's new record is 2 hours, 59 minutes and 33 seconds! redstoneparkour also gained 0.00299 tonk points for stealing the tonk. Position #12. Need 0.21199595 more points to pass sp​okr!
L31[15:53:17] ⇨ Joins: Hawk777 (~Hawk777@2607:c000:82a2:1a00:bfdd:ebcf:8ba5:955d)
L32[16:23:59] ⇨ Joins: User (~User@37.188.0.99)
L33[16:28:31] ⇦ Quits: User (~User@37.188.0.99) (Remote host closed the connection)
L34[16:42:42] * Amanda meows and looks around belatedly
L35[16:43:23] <Amanda> %choose waves or continue blindly updating stuff to see what breaks
L36[16:43:23] <MichiBot> Ama​nda: A nearby lamp replies "waves".
L37[16:43:27] <Amanda> sounds good
L38[16:43:30] * Amanda flops down
L39[17:16:22] <Amanda> %p
L40[17:16:25] <MichiBot> Ping reply from Ama​nda 0.51s
L41[17:19:12] * Amanda offers @nadja a pool full of lemons and a giant press
L42[17:22:27] * stephan48 hands Amanda some more credentials to update and reboot random stuff in hopes it breaks
L43[17:47:25] <Amanda> Speaking of, I should really update more of my debian VMs
L44[19:00:18] <CompanionCube> %tonkout
L45[19:00:20] <MichiBot> Zoinks! Compan​ionCube! You beat redston​eparkour's previous record of 2 hours, 59 minutes and 33 seconds (By 29 minutes and 25 seconds)! I hope you're happy!
L46[19:00:21] <MichiBot> Compan​ionCube has stolen the tonkout! Tonk has been reset! They gained 0.003 tonk points! plus 0.002 bonus points for consecutive hours! (Reduced to 50% because stealing) Current score: 1.03230625. Position #4 Need 0.10779156 more points to pass Ocawes​ome101!
L47[19:08:27] <stephan48> Amanda: unattended-upgrade with a force "touch /run/reboot-required" is your friend.
L48[19:09:31] <stephan48> sadly i still have not managed to figure out a way to stuff tang's crypto into a HSM(via pkcs11, looks to be impossible based on the primitives they use) or even most of my FDEd machines would autoreboot.
L49[19:09:50] <Amanda> stephan48: I'm in the process of upgrading from 11->12
L50[19:10:09] <stephan48> uhh
L51[19:10:16] <stephan48> does the answer change /much/? :P
L52[19:10:43] <Amanda> Does unattended-upgrade handle major releases?
L53[19:10:58] <stephan48> yes and no. *grabs popcorn*
L54[19:11:13] ⇦ Quits: immibis (~quassel@2a01:4f9:4a:4caf::2) (Quit: https://quassel-irc.org - Chat comfortably. Anywhere.)
L55[19:11:28] <stephan48> it chugs through all /valid/(as coming from a list of trusted origins) updates
L56[19:11:58] <stephan48> so it should in 9/10 cases just cope with a major upgrade
L57[19:12:03] <Amanda> I see
L58[19:12:09] ⇨ Joins: ccnar (~ccnar@78.191.91.44)
L59[19:12:19] <Amanda> Seems like the kind of thing I should be doing manually though
L60[19:13:12] <ccnar> oh hello
L61[19:13:38] <ccnar> wow this is so coooll
L62[19:13:42] <Amanda> Why did you PM me?
L63[19:14:02] <ccnar> idk
L64[19:14:02] <stephan48> YOLO. let's see what breaks.
L65[19:14:17] <ccnar> this thing is sooo cool
L66[19:14:59] ⇦ Quits: ccnar (~ccnar@78.191.91.44) (Client Quit)
L67[19:15:00] <Amanda> stephan48: I mean, in theory it'd be super easy to replace any vm that broke completely, as I've done my best to do as little manually as possible, and automate installing and configuring everything with ansible
L68[19:15:33] ⇨ Joins: immibis (~quassel@social.immibis.com)
L69[19:15:33] <stephan48> well i don't for most of these VMs, that's why i am playing so much with k8s and stuff, to get automation and ci/cd going
L70[19:15:44] <Amanda> But last time I said that I had to do a clean install within 24h which had a major thing that I apparently never automated
L71[19:15:48] <stephan48> most are one off things just to isolate concerns or security boundaries
L72[19:15:53] <stephan48> ohoh
L73[19:16:01] <Amanda> So here's hoping I've been more stringent
L74[19:16:31] <Amanda> ( or I don't just accidentally nuke a VM again )
L75[19:16:49] <stephan48> i have an automatic ansible-pull thingy running through for automating most critical(and security relevant) stuff so they are sane on all VMs
L76[19:17:00] <stephan48> and the show is running!
L77[19:17:23] <Amanda> I've got deploys automated using forgejo actions on my ansible repo
L78[19:17:39] <stephan48> i wanted to avoid having persistent admin credentials around
L79[19:18:33] <Amanda> Almost every secret is pulled in using vault, I could probably do that with the ssh key too instead of using forgejo 's secrets. Though I'd still need it for the vault token
L80[19:18:41] <stephan48> so another side project which will never get finished is an automated ssh-ca which logs and validates requests for things like these automated runs
L81[19:19:16] <stephan48> (ca key stored in hsm, heuristic for detecting when someone tries to grab keys for a vm outside of "normal" times)
L82[19:19:40] <stephan48> (and a way to make sure a ssh-ca cert can only be used once for login and then triggers warnings)
L83[19:20:16] <Amanda> As forgejo doesn't do the nifty thing that GitHub does where each run is given a jwt token you can verify, so nothing to verify just the ci against vault
L84[19:20:21] <stephan48> how does vault handle? read much about it but found it to be too much of a pita so far
L85[19:20:36] <stephan48> yea that is something i hope they add with time
L86[19:21:11] <Amanda> Vault has been pretty stable, I'm using the one me and Alex set up to run for darkdna.net
L87[19:21:38] <Amanda> But we didn't do anything clever like auto-unlocking
L88[19:22:44] <stephan48> i see
L89[19:29:08] <nadja> Amanda: I get the saying when life gives you lemons make lemonade, but … what do you make if a god kitten gives you lemons? <.<
L90[19:29:57] <Amanda> nadja: a swimming-pool hydraulic press channel
L91[19:30:05] <Amanda> Clearly
L92[19:31:06] <Amanda> %choose hallucinate or waves
L93[19:31:06] <MichiBot> Ama​nda: Huh, what? "hallucinate" I guess, now leave me alone I'm playing Tetris.
L94[19:31:51] <nadja> stephan48: we've been using Vault for a good long while now and it's pretty good at its job. Makes a lot of problems around secrets much easier to deal with
L95[19:32:43] <stephan48> has one of you looked at "bank vaults"? a vault wrapper which apparently provides some more convenience around deployment/auto unlocking?
L96[19:32:49] <Amanda> %choose glass or time or Undergrad or Skeletons
L97[19:32:49] <MichiBot> Ama​nda: "Undergrad", now with 30% fewer deaths caused by negligence!
L98[19:33:17] <Amanda> Haven't heard of that
L99[19:33:42] <nadja> We do initial deployments using Vault's token wrapping
L100[19:33:49] <stephan48> https://github.com/bank-vaults/bank-vaults.dev
L101[19:34:11] <stephan48> can you tell me more?
L102[19:35:35] <nadja> Terraform seals actual secret in a wrapping token which is deployed to vms (and thus persistent in state). Wrapped tokens can only be unwrapped once so the secret only ever gets to the vms (or they fail to set up)
L103[19:35:51] <stephan48> https://github.com/bank-vaults/bank-vaults this is what i meant to paste
L104[19:36:28] <stephan48> unwrapped once - how is that ensured?
L105[19:37:30] <stephan48> the VM then gets it from metadata/fs and initializes vault without user interaction? or will a user need to do something?
L106[19:37:36] <nadja> By the vault server
L107[19:37:55] <nadja> And it's just the VM's token for vault
L108[19:38:04] <nadja> We do the vault server by hand
L109[19:38:12] <Ocawes​ome101> apparently ulos 2 needs 640k of RAM now lmao
L110[19:38:28] <Ocawes​ome101> last time i checked it could load on 384k i think
L111[19:38:35] <stephan48> i see. so the "vms token" is the token which the VM needs to access and authenticate itself for fetching secrets in vault?
L112[19:39:03] <stephan48> if that assumption is correct i think i understand what you do(my search for a reference is so far slightly unsuccessful)
L113[19:39:25] <nadja> Yes
L114[19:40:21] <Amanda> %choose rain box or wait
L115[19:40:21] <MichiBot> Ama​nda: A wizard is never late, and sometimes engages in some "rain box".
L116[19:41:01] <Amanda> Hrm
L117[19:41:43] <Amanda> Sounds good
L118[19:43:21] ⇦ Quits: lunar_sam (c44a7f2987@jabberfr.org) (Ping timeout: 183 seconds)
L119[19:44:54] ⇨ Joins: lunar_sam (c44a7f2987@2a00:c70:1:178:170:40:189:1)
L120[19:49:29] <stephan48> this describes what nadja said nicely https://medium.com/slalom-build/managing-secrets-using-hashicorp-vault-ed6b9e0375ac https://developer.hashicorp.com/vault/tutorials/secrets-management/cubbyhole-response-wrapping
L121[19:50:06] <stephan48> nadja: I assume based on https://github.com/hashicorp/terraform/issues/12687 that the wrapping stuff is some custom thing(or shell script to be executed) you folks built?
L122[19:50:08] <MichiBot> Title: Terraform should be able to generate wrapped vault secret-ids for servers | Posted by: gtmtech | Posted: Tue Mar 14 15:57:50 UTC 2017 | Status: closed
L123[20:00:43] <nadja> stephan48: I think so, but fuck if I know, it's been a while and I'm not getting up from the couch to check :P
L124[20:00:55] <nadja> jackie: dear, would you be so kind and check? :P
L125[20:01:50] <stephan48> no rush, curious me is just interested in all this stuff
L126[20:03:57] <Forec​aster> the nerve
L127[20:10:30] * Amanda lays down on nadja's lap
L128[20:11:45] * nadja pets the kitten
L129[20:12:18] <nadja> stephan48: I mean remind me tomorrow afternoon or something, then I can look it up probably
L130[20:12:28] * Amanda purrs softly
L131[20:13:12] <nadja> stephan48: or maybe, ever so maybe, I'll get my lazy ass up from the sofa and physically poke jackie one room over to look it up for me :P
L132[20:13:22] <stephan48> nope!
L133[20:13:42] <stephan48> that would mean - virtually - disturbing the God kitten :P
L134[20:13:56] <stephan48> if i remember i ping you about that if not then it will be so :)
L135[20:30:13] <jackie> gimme a sec to catch up to that conversation ^^'
L136[20:33:21] <jackie> stephan48 nadja: token wrapping is a feature of "normal" vault. We just had some cloudinit based tooling around that for deployment. We recently started migration to puppet for config management which needs client certificates for each VM/Server so for all new VMs we use this certificate to also authenticate against vault instead of the host tokens.
L137[20:34:21] <nadja> Oh yeah, we have like three PKI at this stage. ThisIsFine.jpg
L138[20:34:27] <stephan48> :P
L139[20:34:55] <stephan48> okay if vault supports PKI for login that would somewhat work for me
L140[20:35:12] <nadja> It does
L141[20:35:18] <nadja> Last I checked at least
L142[20:35:22] <jackie> Only thing to keep in mind when using any login method other than "pure" tokens: The login gives you a short lived, renewable token. Any secrets generated by vault (not stored there manually using the kv engine) get invalidated when the host token expires! So you definitely want to use the vault agent on your VMs to do login + token management for you if you use any secret engine other than the KV store
L143[20:35:42] <stephan48> (despite that technically the client/server certs each VM gets for mutual TLS - which i don't fully use atm except for fetching variables from for ansible-pull - are only accessible for root)
L144[20:36:42] <jackie> yes it does, we are actively using it. Little trick: you can assign the combination CA + Common Name to a so called "identity" and attach vault policies to this identity. That allows you to have per-vm policies (and in general policies are able to use the common name and other fields of the cert as a variable)
L145[20:37:41] <stephan48> nice
L146[20:37:54] <stephan48> thank you for your inputs :)
L147[20:38:54] <nadja> Mutual TLS, such a weird concept :P
L148[20:45:35] <Amanda> ... Either fedi has been quiet, or my pleroma broke
L149[20:45:36] <stephan48> yea actually i just wanted an excuse to play with more certificates. because they are fun.
L150[20:45:59] <stephan48> and now with k8s i have even more fun creating sub-cas with name constraints!
L151[20:47:05] <stephan48> (or rather i am considering giving each host its own sub-ca which is allowed to grant certs for its own name and subhosts under that)
L152[20:48:55] <stephan48> (it would also lend itself somewhat nicely with vault agent/vault pki auth, as i could allow individual apps to authenticate to vault this way)
L153[20:49:28] <stephan48> if vault-agent sinks would support subpolicies(limit a sink further than the token it originates from) that would be awesome
L154[20:49:38] <nadja> stephan48: > certificates > fun
L155[20:49:47] <nadja> You and I have a very different definition of "fun"
L156[20:49:49] <stephan48> LDAP \o/
L157[20:50:07] <nadja> That's not making your case any better!
L158[20:50:18] <stephan48> VOIP?
L159[20:51:27] <stephan48> did i tell you about the time i stumbled upon the note titled "poison shelf" in a former jobs storage cabinets?
L160[20:51:41] <nadja> … as long as it's IPv6-based VOIP is actually okay
L161[20:52:19] <stephan48> it had all these nice things on it, VOIP, LDAP, X509, NGINX and few others
L162[20:52:25] <Forec​aster> %tonk
L163[20:52:26] <MichiBot> Woooo! Forec​aster! You beat Compan​ionCube's previous record of <0 (By 1 hour, 52 minutes and 5 seconds)! I hope you're happy!
L164[20:52:27] <MichiBot> Forecaster's new record is 1 hour, 52 minutes and 5 seconds! Forecaster also gained 0.00187 tonk points for stealing the tonk. Position #2. Need 0.04881037 more points to pass Va​ur!
L165[20:53:05] <stephan48> i turned around to my boss and was like... yup i like all of them. the look on his face was priceless when he realized i already passed the probation period and he couldn't get rid of me quick
L166[20:53:12] <stephan48> you mean VOIP without NAT?
L167[20:53:24] <nadja> Yeah
L168[20:56:14] <stephan48> if i now shout "BORING", will i survive the night?
L169[20:56:27] <nadja> … no
L170[21:03:07] * stephan48 nods sagely
L171[21:06:24] <Forec​aster> %sip
L172[21:06:26] <MichiBot> You drink a sans-serif pear potion (New!). Forecaster gains some curse. Forecaster has 1 curse. (Rem. uses: 0)
L173[21:06:35] <Forec​aster> Ohno
L174[21:07:30] ⇦ Quits: Vexatos (~Vexatos@p200300EAEF1f7000c8981d6401eCf4f1.dip0.t-ipconnect.de) (Quit: Insert quantum chemistry joke here)
L175[21:24:57] <Amanda> %choose stars or cubes
L176[21:24:58] <MichiBot> Ama​nda: "stars" is for cool kids!
L177[21:25:34] <Amanda> It's too hot, I definitely can't be a fool goat kitten
L178[21:25:47] <Amanda> s/fool/cool/
L179[21:25:47] <MichiBot> <Amanda> It's too hot, I definitely can't be a cool goat kitten
L180[22:26:39] <Amanda> stephan48: random thing I feel like venting at you: one thing I'm rather liking about nomad is you just run stuff in it, k8s seems to be leaning heavily into the whole "operator" ideas, which feels wasteful for a small homelab
L181[22:27:06] <stephan48> yes!
L182[22:27:58] <Amanda> Like I kinda hope nomad never steals Cards from k8s
L183[22:28:10] <Amanda> Grr, stupid phone, CRDs
L184[22:28:15] <stephan48> we talked about that 1-2 weeks ago :P k8s is hyper customizable. to the point of you needing quite indepth knowledge to setup a basic secure cluster with a few amenities, that will then already eat the resources of 1-2 simple(4-8 core, 4-16 gig) nodes
L185[22:29:04] <Amanda> stephan48: like, the bank vault thing you linked made it come to the forefront of my mind
L186[22:29:39] <Amanda> Like, they're advertising an operator to run vault, not like a helm chart or something. Feels like an insane level of scale to me
L187[22:29:44] <stephan48> yes, operators are swapping over from openshift, which is a k8s compatible implementation. they heavily promote tahat pattern
L188[22:30:13] <stephan48> that* because apparently in openshift, the only thing being really allowed to do cluster modifications(besides deploying apps) are operators
L189[22:31:34] <Amanda> It's like buying a car assembly line instead of a car to go shopping
L190[22:32:08] <stephan48> buying the car assembly line to design your own car and road network*
L191[22:36:49] <stephan48> (and then losing interest after 1-2 trips)
L192[23:18:33] <Ocawes​ome101> %tonk
L193[23:18:34] <MichiBot> Dagnammit! Ocawes​ome101! You beat Forec​aster's previous record of 1 hour, 52 minutes and 5 seconds (By 34 minutes and 2 seconds)! I hope you're happy!
L194[23:18:35] <MichiBot> Ocawesome101's new record is 2 hours, 26 minutes and 7 seconds! Ocawesome101 also gained 0.00114 (0.00057 x 2) tonk points for stealing the tonk. Position #3. Need 0.09195043 more points to pass Forec​aster!
L195[23:18:40] <Ocawes​ome101> %sip
L196[23:18:40] <MichiBot> You drink an aligned apple potion (New!). Ocawesome101 recovers some mana.
L197[23:38:30] <Amanda> %choose hallucinate or waves
L198[23:38:31] <MichiBot> Ama​nda: A nearby lamp whispers "hallucinate" such that it's barely audible.