#nix-darwin on 2018-02-17

00:00 <puffnfresh> I've passed that but a verbose build is saying "cannot find machines file '/etc/nix/machines'"

00:00 <puffnfresh> "got 0 remote builders"

00:01 <LnL> I think nix also honours SSH_OPTS but that would require a reload of the daemon

00:02 <LnL> hmm, maybe that needs to exist for the build hook get triggered?

00:02 <LnL> I've only used it on machines that already have distributed builds configured

00:05 <LnL> as for the manual, the release notes are kind of up to date https://hydra.nixos.org/build/69335529/download/1/manual/#ssec-relnotes-2.0

00:06 <LnL> be sure to look at the commits mentioned they usually contain a decent amount of context

00:10 <puffnfresh> thanks

00:11 <puffnfresh> I can't get --builder to parse any machines

00:11 <puffnfresh> always says "got 0 remote builders"

00:11 <LnL> oh!

00:11 <LnL> on master?

00:11 <puffnfresh> yes

00:12 <LnL> yeah dhess found a bug

00:12 <LnL> --builders 'ssh://user@host x86_64-linux ~/.ssh/id_rsa 4'

00:12 <puffnfresh> that doesn't work neither :(

00:12 <LnL> hrm

00:13 <puffnfresh> oh wait that does!

00:13 <puffnfresh> yay thanks LnL , I must have done something different

00:14 <puffnfresh> oh no I had --builders --builders 'ssh://something' :(

00:14 <puffnfresh> so Nix just did something different

00:15 <LnL> there's also ssh-ng, that almost works for build-remote with https://github.com/NixOS/nix/pull/1713

00:16 <LnL> that uses the remote store implementation so you get decent logging from it

00:21 <puffnfresh> I'm going to have to put some printlns into Nix :(

00:31 <puffnfresh> it'd be good if Nix abstracted away the ssh part

00:31 <puffnfresh> e.g. "give me a pipe"

00:32 <puffnfresh> pretty sure that's 90% of what it comes down to in the end, right?

00:37 <puffnfresh> ohhhhh the problem is the daemon doesn't know about the --builder

00:38 <puffnfresh> the setting comes from the daemon

00:59 <puffnfresh> LnL: looks like Nix 2.0 can't talk to Nix 1.11 remotes, is that true?

00:59 <puffnfresh> https://github.com/NixOS/nix/issues/1860

01:24 philr has joined #nix-darwin

02:02 philr has quit [Quit: WeeChat 2.0.1]

03:39 <prooftechnique> If I'm getting "file system sandbox blocked stat" for dylibs, is this related to the fixDarwinDylibs thing, or am I hitting something else? Seems to mainly be blowing up on CoreFoundation, which seems to be a bit of sore spot, though I'm not picking up much context from the issue threads I've been finding

03:55 jrolfs has quit [Ping timeout: 268 seconds]

05:00 philr has joined #nix-darwin

05:52 johnw has quit [Quit: ZNC - http://znc.in]

06:41 jrolfs has joined #nix-darwin

07:36 johnw has joined #nix-darwin

09:27 <LnL> did you enable sandboxing?

09:56 <LnL> puffnfresh: yeah, you’ll also need a 2.0 daemon

10:07 zzamboni has joined #nix-darwin

10:09 zzamboni has quit [Client Quit]

10:20 <puffnfresh> LnL: yeah bugger, this is being problematic

10:20 <puffnfresh> I wrote a script:// plugin

10:20 <puffnfresh> can specify a script to run for "remote" builds

10:21 <puffnfresh> can actually implement the SSH store using it

11:22 jrolfs has quit [Ping timeout: 256 seconds]

11:40 jrolfs has joined #nix-darwin

11:57 zzamboni has joined #nix-darwin

12:00 philr has quit [Ping timeout: 264 seconds]

12:03 dredozubov has quit [Ping timeout: 260 seconds]

12:05 dredozubov has joined #nix-darwin

12:05 zzamboni has quit [Quit: Leaving.]

14:26 sphalerite has left #nix-darwin ["User left"]

14:31 philr has joined #nix-darwin

15:08 cransom has quit [Quit: WeeChat 1.7]

15:44 <nikivi> https://hastebin.com/juhepoyuru.pl

15:44 <nikivi> What would be alternative to this command on mac?

15:44 <nikivi> And these two https://hastebin.com/ifadibavos.bash

16:09 <LnL> none of that is platform specific, but nix-install isn't a thing

16:54 philr has quit [Ping timeout: 248 seconds]

17:56 cransom has joined #nix-darwin

18:19 zzamboni has joined #nix-darwin

18:56 zzamboni has quit [Quit: Leaving.]

18:57 cransom has quit [Quit: WeeChat 2.0]

18:57 cransom has joined #nix-darwin

19:01 jrolfs has quit [Ping timeout: 268 seconds]

19:01 nnkd has joined #nix-darwin

19:05 <nnkd> hi all, does anyone have a short explanation of what the build users are for in a multi-user nix installation?

19:11 jrolfs has joined #nix-darwin

19:14 <LnL> nix will use those users when building a package locally

19:16 <LnL> in order to allow multiple potential untrusted users to build software nix needs an unprivileged user to run clang or whatever

19:17 <nnkd> is that so said untrusted users cannot put some arbitrary object they claim is the build output into the nix store?

19:18 <LnL> yes, one of the reasons

19:19 <LnL> on a single user install the build will run as your current user

19:19 <LnL> this is the same user that has write access to the store

19:20 <LnL> and ofcorse your home directory

19:20 jrolfs has quit [Ping timeout: 264 seconds]

19:21 <dhess> LnL: question for you. I have this overlay that adds some useful new types to lib.types: https://github.com/quixoftic/nixpkgs-lib-quixoftic/blob/master/overlays/lib/types.nix

19:21 <nnkd> neat, also out of curiosity why does it create a build user per core rather than a single build user?

19:21 <LnL> so even without sandboxing the build users can't just read your secrets from ~/.config etc.

19:21 <dhess> however the module system's "lib" argument doesn't see them, I think because it directly imports them from that "closed" closure in Nixpkgs

19:22 <dhess> I think I can override that with specialArgs, but I'm not exactly sure how to specify that when importing modules

19:22 <dhess> any ideas?

19:23 <dhess> https://github.com/NixOS/nixpkgs/blob/0c4f2630bd75b5741d05a89c36866fcd28d2e8bd/lib/modules.nix#L62

19:23 <LnL> the daemon will us a user per build, that has some advantages in terms of cleanup

19:23 <dhess> that's where the module system seems to import lib directly from the Nixpkgs tree rather than using pkgs

19:25 <nnkd> I see, cool thanks for the help!

19:25 <LnL> and again security, running everything as the same user would make it possible for something malicious the change another build that's running

19:26 <LnL> on linux there's some stuff that could be done by dynamically creating user namespaces, but there's not really an equivalent on darwin AFAIK

19:27 <LnL> dhess: yeah there's a difference between lib and pkgs.lib

19:27 <nnkd> I saw an issue saying cgroups could be used to track + cleanup a build's processes, but not really possible to do this without a separate user on darwin

19:28 <LnL> the first on is the vanilla nixpkgs used to evaluate the modules

19:28 <LnL> the second is the nixpkgs imported by the module system itself including overlays, etc.

19:30 <LnL> using pkgs.lib for the modules (eg. mkOption) would result in infinite recursion since nixpkgs.overlays is an option :)

19:30 <dhess> LnL: ok, maybe there's not much value in putting the new types in the overlay in that case. Regardless, I will need to override the lib passed to the module system. I think specialArgs is the way to do that, I'm just not clear on where I would do that

19:30 <dhess> LnL: yes and that is precisely what happens when I try to "with pkgs.lib" in a module :)

19:30 <dhess> I can hack it by referring to pkgs.lib.types.myNewType in the modules, but that's gross

19:31 <LnL> yeah, that's the correct way to use them

19:31 <dhess> with pkgs.lib.types... you mean? or by overriding specialArgs?

19:32 <LnL> no pkgs.lib.foo

19:32 <dhess> oh ok

19:32 <dhess> I think I ran into a problem with that as well. Let me see

19:32 <LnL> I think you can also put them in a module argument

19:33 <dhess> yeah I could do that. Right now I'm just passing in pkgs

19:33 <LnL> { config = _module.args.foo = ...; }

19:33 <LnL> then you can use { config, lib, foo, ... }: ... in modules

19:34 <dhess> huh that's a weird syntax

19:34 <LnL> but you can't extend lib.types somehow

19:35 <LnL> err with correct syntax that is :p

19:35 <dhess> LnL: I'm pretty sure you can with specialArgs. I do that in my tests for these new types. https://github.com/quixoftic/nixpkgs-lib-quixoftic/blob/70550d42ce8ab7c7cac577d7e011cb5dedf29322/tests/types/src/modules/default.nix#L12

19:35 <LnL> { config = { _module.args.foo = ...; }; }

19:36 <dhess> But I don't want to make users of these modules have to do that when they want to import them

19:36 <LnL> well yes, outside of the module system you can

19:36 <dhess> right

19:36 <dhess> I could provide a custom import function I guess

19:36 <dhess> anyway just referring to them with pkgs.lib.newType is fine

19:36 <dhess> eventually I will try to upstream them anyawy

19:41 <dhess> thanks for the help

19:45 <dhess> cool that is working

20:11 zzamboni has joined #nix-darwin

20:43 zzamboni has quit [Quit: Leaving.]

20:44 zzamboni has joined #nix-darwin

20:44 zzamboni has quit [Read error: Connection reset by peer]

20:44 zzamboni1 has joined #nix-darwin

21:04 zzamboni1 has quit [Quit: Leaving.]

21:08 zzamboni has joined #nix-darwin

21:31 jrolfs has joined #nix-darwin

21:56 jrolfs has quit [Ping timeout: 240 seconds]

22:06 zzamboni has quit [Quit: Leaving.]

22:09 zzamboni has joined #nix-darwin

22:10 philr has joined #nix-darwin

22:11 zzamboni has quit [Client Quit]

22:14 zzamboni has joined #nix-darwin

22:25 zzamboni has quit [Quit: Leaving.]

22:36 jrolfs has joined #nix-darwin

22:38 nnkd has quit [Quit: Connection closed for inactivity]

22:41 jrolfs has quit [Ping timeout: 264 seconds]

22:52 jrolfs has joined #nix-darwin

23:12 bas_ has joined #nix-darwin

23:12 bas_ has left #nix-darwin [#nix-darwin]

23:38 jrolfs has quit [Ping timeout: 260 seconds]

23:41 jrolfs has joined #nix-darwin

23:45 jrolfs has quit [Ping timeout: 248 seconds]

23:59 philr has quit [Quit: WeeChat 2.0.1]