<abathur>
so, I took the time to find my only working USB drive to clean-install big sur on this spare macbook
<abathur>
tried to install Nix, and it helpfully reminded me why I had been trying to get big sur set up in the first place--because someone on discourse had reported an install failure related to `apfs.util -B` being missing
<abathur>
so, on my current catalina system, the help for apfs.util -B is `-B : bootstrap the root filesystem`
<abathur>
it looks like it's the only one that is dropped, but there are 4 new options!
<abathur>
-X set=yes|no path : set/unset embedded xattr max size enforcement on volume specified by 'path'
<abathur>
-z path : make the file at path exempt from copy-on-write semantics for snapshots'
<abathur>
-z path : make the file at path exempt from copy-on-write semantics for snapshots'
<abathur>
oops
<abathur>
-E path : drop the extents for 'path' from the first snapshot
<abathur>
-t stitches and creates synthetic objects on root volume group
<abathur>
searching through the executable with xxd for strings related to stitch, synthetic, or firmlink turning up some prospects...
<abathur>
"failed to stitch firmlinks and/or create synthetics for root volume (%x)"
<thefloweringash>
from my notes a couple of months ago, you'll also need to change `xpath` -> `xpath -e`
<thefloweringash>
I also wrote down "sw_vers" and "arch" but didn't elaborate on what was required there
<abathur>
"%s:%d: inode %lld already in stitched list" (but I see this in my copy on catalina too)
<abathur>
sw_vers is probably the version identification issue that's already open
<abathur>
not sure about arch
<thefloweringash>
oh, I didn't see that issue, liked, favorited and subscribed
<abathur>
are you on a real kit?
<abathur>
may explain the arch note :]
<thefloweringash>
FRidh: that commit (36cf2373a01) does not build for me, same error: `parsetexi/api.c:28:10: fatal error: 'libintl.h' file not found`
<thefloweringash>
heh, that might have been it
<abathur>
it smells like `apfs.util -t` will do what we were using -B for, I added an arbitrary name to /etc/synthetic.conf, ran it, and it created the path
<antifuchs>
I really would love to find out how the root volume&data container get set up. It seems quite special in Catalina (imaging the root volume images the data volume too, etc)
<antifuchs>
(also, funny how I don't have an apfs.util on this catalina installation but there's a manpage for it)
<abathur>
I've hoped they'll either make it possible or we'll figure out how to create a /nix volume and add it to the right volume group/role for it to share the system filevault key without needing anything else
<antifuchs>
yeah that would be ideal!
<abathur>
oh huh
<abathur>
I didn't even think to look until you couldn't find apfs.util, but it looks like there's more stuff in this package in big sur than on catalina by a bit
<abathur>
new things on the big-sur side are apfs_boot_util, apfs_checkdigest, apfs_checkseal, apfs_systemsnapshot
<abathur>
Usage: /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs_boot_util (1|2) Executes the mount phase designated by the number provided.
<antifuchs>
Oooooh
<abathur>
meh, the number of small version differences accumulating here, probably need to write little shim functions for some of these commands to keep the main processes focused
<abathur>
apfs.util flag change, xpath now requires an -e flag to mark queries
<aterius>
Hmm, I just switched from single to multi user install and I'm getting the `error: unable to download 'https://github.com/LnL7/nix-darwin/archive/master.tar.gz': Problem with the SSL CA cert (path? access rights?) (77)` issue. Seems like this has been reported on a lot, but the instructions for setting the environmental variable in launchctl don't seem to address the problem
<LnL>
you probably don't have cacert installed anymore
<LnL>
`nix-env -q -p /nix/var/nix/profiles/default`
<LnL>
our openssl looks in the default profile for the cert bundle and the daemon has an empty environment (ie no NIX_SSL_CERT_FILE) because of launchd
<aterius>
I see, is there a way to set NIX_SSL_CERT_FILE to fix this? `/etc/ssl/my-certificate-bundle.crt` doesn't exist for me, and setting it to the cacert in the nix store isn't working
<LnL>
that's what I get when I trace curl with NIX_SSL_CERT_FILE unset
<aterius>
I tried this but it doesn't seem to fix anything `sudo launchctl setenv NIX_SSL_CERT_FILE /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
<LnL>
you'd have to restart the daemon, but I'm not certain what exactly that influences
<aterius>
Yes, I tried restarting the daemon. I assumed that would point the nix daemon to the correct cert
<LnL>
can you reproduce with openssl/curl? that's probably easiest to debug
<aterius>
I can't install nix managed curl since it gives the same error
<LnL>
right, try `sudo opensnoop -n nix-daemon` and then install something
<LnL>
the certificates get loaded after openssl.cnf
<aterius>
It's definitely looking for a non-existent cert
<LnL>
if that's not in the daemon plist you probably didn't unload it
<aterius>
It's not in the plist
<LnL>
launchd is similar to systemd in that regard: it keeps everything in memory, so just changing files doesn't do anything unless they are loaded/unloaded
<aterius>
Ah, I thought I reloaded things correctly when I wiped my single user install
<LnL>
`launchctl print system/org.nixos.nix-daemon`
<LnL>
that shows the in memory representation IIRC
<abathur>
ah, I bet I know why this feels familiar; there were some lines in the script domenkozar uses to install Nix for github actions CI that fiddle with it
<abathur>
but I found I didn't need them when doing the same work on travis-ci; I think he needed to do it explicitly because it doesn't run `source "/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh"` (instead it uses a GH-specific echo idiom for modifying the environment)
<abathur>
hmm
<abathur>
I wonder if this is like the inverse problem? :)
<aterius>
So, I modified the plist and nix-env -iA now works, but still get errors on my user profile when I try to update channels/install nick darwin
<aterius>
* So, I modified the plist and nix-env -iA now works, but still get errors on my user profile when I try to update channels/install nix-darwin
<aterius>
Manually set NIX_SSL_CERT_FILE in the daemon start file to point at the ca-bundle.crt
<aterius>
Manually setting it in my user profile works too
<abathur>
LnL I hadn't read this before https://nixos.org/manual/nix/stable/#sec-nix-ssl-cert-file and I'm not quite sure how to interpret it against the next section--do you know whether Nix-daemon always needs NIX_SSL_CERT_FILE on macOS, or does it only need it to account for a https-intercepting MITM as 7.1 describes?
<abathur>
is your profile sourcing the script I listed above?
<LnL>
because of that, reinstalling nix when nix-darwin was installed without starting a clean terminal causes this
<aterius>
I swear my terminal was clean haha, I did multiple restarts after each step
<abathur>
did you restore the old rc/profile files?
<abathur>
the backup copies, whatever it appends
<LnL>
since the nix-darwin environment sets NIX_SSL_CERT_FILE in bashrc and friends
<abathur>
".backup-before-nix" it looks like
<aterius>
Yep
<LnL>
abathur: as for the cert bundle, it's required for everything that uses ssl, but the override is just relevant for cases where custom certs are used
<LnL>
eg. company internal proxies and stuff
<LnL>
that's also what the etc ssl option on nixos/nix-darwin enables for all nix based tools
<abathur>
I've wished for a while we could figure out a reliable uninstall idiom, but tricky to get right given cases like this with ecosystem tools that slightly tilt expectations
<LnL>
yeah, this is even more tricky since you can't really influence the parent shell environment
<abathur>
maybe a better place to start is whether a single script can effectively enumerate and check all of the known hurdles to a *clean* clean-install, dunno
<abathur>
like a linter, but for settings/cruft known to cause problems? :)
<LnL>
there's nix doctor
<LnL>
validating the cert bundle isn't unreasonable, but determining the cause or repairing it is rather tricky