<abathur> oh, hmm!
<abathur> so, I took the time to find my only working USB drive to clean-install big sur on this spare macbook
<abathur> tried to install Nix, and it helpfully reminded me why I had been trying to get big sur set up in the first place--because someone on discourse had reported an install failure related to `apfs.util -B` being missing
<abathur> so, on my current catalina system, the help for apfs.util -B is `-B : bootstrap the root filesystem`
<abathur> it looks like it's the only one that is dropped, but there are 4 new options!
<abathur> -X set=yes|no path : set/unset embedded xattr max size enforcement on volume specified by 'path'
<abathur> -z path : make the file at path exempt from copy-on-write semantics for snapshots'
<abathur> -z path : make the file at path exempt from copy-on-write semantics for snapshots'
<abathur> oops
<abathur> -E path : drop the extents for 'path' from the first snapshot
<abathur> -t stitches and creates synthetic objects on root volume group
<abathur> which reminded me just a little of the code-review suggestion to use `apfsctl synthetic folder nix` in https://github.com/NixOS/nix/pull/3212#discussion_r413942504
<abathur> searching through the executable with xxd for strings related to stitch, synthetic, or firmlink turning up some prospects...
<abathur> "failed to stitch firmlinks and/or create synthetics for root volume (%x)"
<thefloweringash> from my notes a couple of months ago, you'll also need to change `xpath` -> `xpath -e`
<thefloweringash> I also wrote down "sw_vers" and "arch" but didn't elaborate on what was required there
<abathur> "%s:%d: inode %lld already in stitched list" (but I see this in my copy on catalina too)
<abathur> sw_vers is probably the version identification issue that's already open
<abathur> not sure about arch
<thefloweringash> oh, I didn't see that issue, liked, favorited and subscribed
<abathur> are you on a real kit?
<abathur> may explain the arch note :]
<thefloweringash> FRidh: that commit (36cf2373a01) does not build for me, same error: `parsetexi/api.c:28:10: fatal error: 'libintl.h' file not found`
<thefloweringash> heh, that might have been it
philr has joined #nix-darwin
<abathur> it smells like `apfs.util -t` will do what we were using -B for, I added an arbitrary name to /etc/synthetic.conf, ran it, and it created the path
xcmw has joined #nix-darwin
<antifuchs> I really would love to find out how the root volume&data container get set up. It seems quite special in Catalina (imaging the root volume images the data volume too, etc)
<antifuchs> (also, funny how I don't have an apfs.util on this catalina installation but there's a manpage for it)
<abathur> it's hiding, you probably have it
<abathur> /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util
<abathur> I've hoped they'll either make it possible or we'll figure out how to create a /nix volume and add it to the right volume group/role for it to share the system filevault key without needing anything else
<antifuchs> yeah that would be ideal!
mog- has joined #nix-darwin
mog has quit [Ping timeout: 246 seconds]
mog- is now known as mog
<abathur> oh huh
<abathur> I didn't even think to look until you couldn't find apfs.util, but it looks like there's more stuff in this package in big sur than on catalina by a bit
<abathur> new things on the big-sur side are apfs_boot_util, apfs_checkdigest, apfs_checkseal, apfs_systemsnapshot
<abathur> Usage: /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs_boot_util (1|2) Executes the mount phase designated by the number provided.
xcmw has quit [Ping timeout: 260 seconds]
xcmw has joined #nix-darwin
xcmw has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
disasm has quit [Ping timeout: 240 seconds]
disasm has joined #nix-darwin
<antifuchs> Oooooh
xcmw has joined #nix-darwin
xcmw has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
__monty__ has joined #nix-darwin
hke has quit [Ping timeout: 260 seconds]
hke has joined #nix-darwin
eraserhd has quit [Quit: WeeChat 2.9]
rummik has quit [*.net *.split]
rummik has joined #nix-darwin
disasm has quit [Ping timeout: 264 seconds]
disasm has joined #nix-darwin
xcmw has joined #nix-darwin
eraserhd has joined #nix-darwin
philr has quit [Ping timeout: 240 seconds]
<abathur> meh, the number of small version differences accumulating here, probably need to write little shim functions for some of these commands to keep the main processes focused
<abathur> apfs.util flag change, xpath now requires an -e flag to mark queries
aterius has joined #nix-darwin
<aterius> Hmm, I just switched from single to multi user install and I'm getting the `error: unable to download 'https://github.com/LnL7/nix-darwin/archive/master.tar.gz': Problem with the SSL CA cert (path? access rights?) (77)` issue. Seems like this has been reported on a lot, but the instructions for setting the environmental variable in launchctl don't seem to address the problem
<LnL> you probably don't have cacert installed anymore
<LnL> nix-env -q -p /nix/var/nix/profiles/default
<LnL> our openssl looks in the default profile for the cert bundle and the daemon has an empty environment (ie no NIX_SSL_CERT_FILE) because of launchd
xcmw has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<aterius> Is that the wrong cacert?
<LnL> nah, that practically doesn't change
<aterius> I see, is there a way to set NIX_SSL_CERT_FILE to fix this? `/etc/ssl/my-certificate-bundle.crt` doesn't exist for me, and setting it to the cacert in the nix store isn't working
<LnL> it shouldn't be looking there
<LnL> 501 35746 curl 6 /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
<LnL> that's what I get when I trace curl with NIX_SSL_CERT_FILE unset
<aterius> I tried this but it doesn't seem to fix anything `sudo launchctl setenv NIX_SSL_CERT_FILE /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
<LnL> you'd have to restart the daemon, but I'm not certain what exactly that influences
<aterius> Yes, I tried restarting the daemon. I assumed that would point the nix daemon to the correct cert
<LnL> can you reproduce with openssl/curl? that's probably easiest to debug
<aterius> I can't install nix managed curl since it gives the same error
__monty__ has quit [Quit: leaving]
<LnL> right, try sudo opensnoop -n nix-daemon and then install something
<LnL> the certificates get loaded after openssl.cnf
<aterius> It's definitely looking for a non-existent cert
<aterius> `/etc/ssl/certs/ca-certificates.crt` doesn't exist
<LnL> ah, that's where nix-darwin puts it
<aterius> Unfortunately I don't have nix-darwin installed yet, since I can't install it without the cert
<LnL> which means you're using a nix-darwin managed service before it's installed somehow
<aterius> I thought I wiped everything
<LnL> <key>NIX_SSL_CERT_FILE</key> <string>/etc/ssl/certs/ca-certificates.crt</string>
<LnL> if that's not in the daemon plist you probably didn't unload it
xcmw has joined #nix-darwin
<aterius> It's not in the plist
<LnL> launchd is similar to systemd in that regard: it keeps everything in memory, so just changing files doesn't do anything unless they are loaded/unloaded
<aterius> Ah, I thought I reloaded things correctly when I wiped my single user install
<LnL> launchctl print system/org.nixos.nix-daemon
<LnL> that shows the in memory representation IIRC
<aterius> no ssl cert envvar
<LnL> hmm, guess that's not the case :/
<LnL> or maybe that changed at some point
<aterius> No luck, tried wiping everything, restarting my mac, and then reinstalling multi-user and still get ssl issues
<abathur> I feel like I recall this coming up recently, maybe on discourse?
<aterius> I searched through everything on discourse and didn't see anything with pertinent solutions 😕
<abathur> hmm
xcmw has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<aterius> This is without the daemon though
<abathur> hmm, that's a bit old; I hope time isn't warping *that* badly on me
<abathur> perhaps I'm wrong about it being discourse; have you seen this? https://github.com/NixOS/nix/issues/3261
<{^_^}> nix#3261 (by janvogt, 38 weeks ago, open): Problems with multi-user (re)installation of nix on macOS
<abathur> it's been posted in the past few months, and I've been trawling macOS issues for unrelated reasons, so I might have bumped into that
<abathur> *posted _to_ in the last few months
<aterius> Yeah, so this solution doesn't work for me `sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt`
<aterius> Specifically that file doesn't exist, and even if I set it to the /nix/** cert file it doesn't work
<abathur> yeah, the later posts in the thread are probably more likely to help identify what exactly matches up with your case
<abathur> if anything
<aterius> Yeah, I did read through that earlier and tried the solutions, including checking there weren't lingering/invalid plists
<abathur> ok
Gaelan has quit [Quit: ZNC 1.8.0 - https://znc.in]
Gaelan has joined #nix-darwin
<abathur> ah, I bet I know why this feels familiar; there were some lines in the script domenkozar uses to install Nix for github actions CI that fiddle with it
<abathur> but I found I didn't need them when doing the same work on travis-ci; I think he needed to do it explicitly because it doesn't run `source "/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh"` (instead it uses a GH-specific echo idiom for modifying the environment)
<abathur> hmm
<abathur> I wonder if this is like the inverse problem? :)
<aterius> So, I modified the plist and nix-env -iA now works, but still get errors on my user profile when I try to update channels/install nick darwin
<aterius> * So, I modified the plist and nix-env -iA now works, but still get errors on my user profile when I try to update channels/install nix-darwin
<aterius> Manually set NIX_SSL_CERT_FILE in the daemon start file to point at the ca-bundle.crt
<aterius> Manually setting it in my user profile works too
<abathur> LnL I hadn't read this before https://nixos.org/manual/nix/stable/#sec-nix-ssl-cert-file and I'm not quite sure how to interpret it against the next section--do you know whether nix-daemon always needs NIX_SSL_CERT_FILE on macOS, or does it only need it to account for an https-intercepting MITM as 7.1 describes?
<abathur> is your profile sourcing the script I listed above?
<abathur> "/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh"
<LnL> oh! I remember now
<LnL> because of that reinstalling nix when nix-darwin was installed without starting a clean terminal causes this
<aterius> I swear my terminal was clean haha, I did multiple restarts after each step
<abathur> did you restore the old rc/profile files?
<abathur> the backup copies, whatever it appends
<LnL> since the nix-darwin environment sets NIX_SSL_CERT_FILE in bashrc and friends
<abathur> ".backup-before-nix" it looks like
<aterius> Yep
<LnL> abathur: as for the cert bundle, it's required for everything that uses ssl, but the override is just relevant for cases where custom certs are used
<LnL> eg. company internal proxies and stuff
<LnL> that's also what the etc ssl option on nixos/nix-darwin enables for all nix based tools
<abathur> I've wished for a while we could figure out a reliable uninstall idiom, but tricky to get right given cases like this with ecosystem tools that slightly tilt expectations
<LnL> yeah, this is even more tricky since you can't really influence the parent shell environment
<abathur> maybe a better place to start is whether a single script can effectively enumerate and check all of the known hurdles to a *clean* clean-install, dunno
<abathur> like a linter, but for settings/cruft known to cause problems? :)
<LnL> there's nix doctor
<LnL> validating the cert bundle isn't unreasonable, but determining the cause or repairing it is rather tricky
<abathur> we can call it a crumber https://en.wikipedia.org/wiki/Crumber
<LnL> a full on declarative installer project would make the most sense I think
<abathur> I won't pretend to have enough perspective to know what the most-effective/least-wasteful layer to tackle it at would be
<LnL> the problem here I'd say is that there are a number of ways to configure the cert bundle
<LnL> and to make that work they have to apply early enough, but the installer doesn't really handle anything like that
<LnL> if security.pki is the only way to specify stuff, it becomes much easier and it's just a matter of getting the installer there in special scenarios
xcmw has joined #nix-darwin
joebobjoe has joined #nix-darwin
<joebobjoe> why is nix-darwin such a pain in the ass holy shit
<joebobjoe> this is the umpteenth time my nix installation has broken
<joebobjoe> what the fuck
<joebobjoe> there is just an empty directory /nix
<joebobjoe> when I do mount -a I get error 66 something about /nix being read-only
<joebobjoe> the whole make a separate volume thing just doesn't work on macos it keeps getting broken
<abathur> heh
<abathur> I've never had mine break
<joebobjoe> I'm using multi-user and that --use-unencrypted-volume option on 10.15
<joebobjoe> it's always gotten broken way before 10.15 too
<joebobjoe> worst software ever
<joebobjoe> I thought brew was bad
<abathur> :]
joebobjoe has quit [Ping timeout: 240 seconds]
<abathur> [:
philr has joined #nix-darwin
joebobjoe has joined #nix-darwin
joebobjoe has quit [Ping timeout: 265 seconds]
<cransom> i haven't had any issues. but i also don't use multiuser