gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
JasonGrossman has quit [Remote host closed the connection]
JasonGrossman has joined #nixos-chat
JasonGrossman has quit [Ping timeout: 264 seconds]
JasonGrossman has joined #nixos-chat
jtojnar has quit [Read error: Connection reset by peer]
JasonGrossman has quit [Ping timeout: 260 seconds]
dmc is now known as cd
cd is now known as cmd
cmd is now known as cd
JasonGrossman has joined #nixos-chat
jtojnar has joined #nixos-chat
lassulus_ has joined #nixos-chat
lassulus has quit [Ping timeout: 268 seconds]
lassulus_ is now known as lassulus
pie_ has quit [Ping timeout: 260 seconds]
JasonGrossman has quit [Remote host closed the connection]
JasonGrossman has joined #nixos-chat
Guanin has quit [Ping timeout: 240 seconds]
Guanin has joined #nixos-chat
JasonGrossman has quit [Ping timeout: 240 seconds]
Lisanna has quit [Quit: Lisanna]
jasongro` has joined #nixos-chat
<sphalerite> Anyone know a self-hostable or P2P system for syncing pictures between devices? I'm currently using syncthing to have my phone automatically push photos to my laptop, and when I'm running out of space I move them to another directory on my laptop so they get deleted on my phone
<sphalerite> but I'd like to be able to access old photos on my phone as well, and just have it fetch them on-demand from my laptop
<sphalerite> I think google photos does something like that but that's nonfree
<jasongro`> I use Android Debug Bridge. Old Skool.
<sphalerite> that's worse than syncthing :p
<jasongro`> Probably much worse.
<jasongro`> Previously I was cat-ing the pictures in hex and typing the hex into a new file on my laptop.
<sphalerite> sure you were
<jasongro`> Right.
<jasongro`> One good thing about that method is that it allowed for semantic compression.
<jasongro`> E.g. a 20 MB photo of a cat can be compressed down to two bytes: :3
<sphalerite> hahaha
MichaelRaskin has quit [Quit: MichaelRaskin]
<sphalerite> "In some Linux distributions, for example Gentoo,[19] Tux greets the user during booting with multi-processor systems displaying multiple images of Tux, one for each processor core."
<sphalerite> That could look interesting on the aarch64 community box
<sphalerite> army of penguins
<jasongro`> :-> :-> :-> :-> :-> ...
jasongro` has quit [Quit: ERC (IRC client for Emacs 26.1)]
JasonGrossman has joined #nixos-chat
atu has joined #nixos-chat
jD91mZM2 has joined #nixos-chat
atu has quit [Ping timeout: 264 seconds]
<adisbladis[m]> sphalerite: Haha I have seen cases where you don't have much screen space left because of all the penguins
<sphalerite> I imagine with 96 cores they wouldn't even fit on the screen
<manveru> tiny penguins to the rescue :)
atu has joined #nixos-chat
<JasonGrossman> Penguin eggs, maybe.
atu has quit [Ping timeout: 276 seconds]
atu has joined #nixos-chat
<joepie91> sphalerite: the traditional solution for that particular visualization problem is to stack them with an offset so that they overlap :)
<sphalerit> joepie91: does it do that though?
<JasonGrossman> That raises the problem of which penguin gets to be on top.
<joepie91> sphalerit: no idea!
<joepie91> but it's possible and cheap to implement :P
<joepie91> hmmm
<joepie91> what are people's opinions here about Prometheus for monitoring/metrics?
<sphalerit> True
<sphalerit> Fits in with the greek mythology theme. A++
<joepie91> lol
<joepie91> that must be why they picked the name
<joepie91> so that it fits in with half the population's server naming schemes
<joepie91> okay, so I think I'm settling on Prometheus
<joepie91> documentation looks very promising (designers of the system clearly have a good handle on the various ways in which workloads are structured and might want to be reported), apparently it works well in practice too, and it integrates with grafana
<joepie91> system also seems to be designed to be completely agnostic towards the data source
<joepie91> push vs. pull metrics, works with applications in any language including as external monitoring, and so on
<joepie91> plus, properly open-source and explicitly points out that unlike influxdb, it doesn't charge for 'enterprise' features :P
<infinisil> joepie91: prometheus is the nixos service with the most options, something like 230 of them..
<infinisil> NixOS options i mean
<joepie91> infinisil: yeah, noticed that :P
<joepie91> also probably a good sign in terms of level of support
<joepie91> whee, my amazon package arrived
<joepie91> *finally*
<infinisil> Is it? The options could have been added 5 years ago and never touched since then
<infinisil> (I can't check rn)
<joepie91> yeah, because it means that somebody was invested enough into prometheus that it was worth writing 230 options :P
<joepie91> it's not a certainty ofc, but still a good sign
<joepie91> okay, time to replace the wheels on my desk chair
<infinisil> I remember there being a PR which would have added like 700 options.. I guess they were auto-generated
<sphalerite> joepie91: I was thinking nix, hydra etc :p
<joepie91> ahh, lol
<gchristensen> joepie91: push vs pull? no, prometheus is _all_ pull. they have a push proxy thing, but it doesn't work necessarily how you wish it would.
<gchristensen> and it isn't part of prom core
atu has quit [Ping timeout: 240 seconds]
<joepie91> yeah, aware that it's a proxy
<joepie91> in what way doesn't it work how you'd want?
atu has joined #nixos-chat
<gchristensen> "The Pushgateway is explicitly not an aggregator or distributed counter but rather a metrics cache. It does not have statsd-like semantics. The metrics pushed are exactly the same as you would present for scraping in a permanently running program."
<gchristensen> so your short running jobs can't increment a counter for example
<gchristensen> so the push gateway isn't really appropriate for anything that runs more frequently than the scrape frequency
<gchristensen> to be clear on my position, prom is pretty good (and I like it) for jobs which are good with a pull-style metrics aggregation
<gchristensen> if you need push, you probably instead want to write to statsd and have prom scrape statsd
<joepie91> ah, that wasn't obvious from the docs
<gchristensen> I was bit by that too
pie_ has joined #nixos-chat
<sphalerite> I don't need to use locate to search my 130GB ~, because storage nowadays is fast enough that find is fast enough. What a time to be alive.
<jD91mZM2> Meanwhile my weekly (incremental) backup of 15GB takes at least an hour...
<jD91mZM2> I'm using a HDD though, not a Super Sonic Drive
<jD91mZM2> (SSD)
<sphalerite> an incremental backup that has to scan all the data I presume?
<sphalerite> Go team zfs! :D
<infinisil> zfs \o/
<jD91mZM2> Woah zfs fixes that too?
<jD91mZM2> Gosh darn it I really need to get zfs
<sphalerite> zfs makes incremental snapshots near-instantly
<sphalerite> You can't take advantage of its stored hashes with something like borg AFAIK
<jD91mZM2> Can you upload 'em anywhere, like S3?
<sphalerite> zfs send serialises a snapshot
<sphalerite> which you can stick in a file or whatever
<sphalerite> zfs send can also serialise the changes from one snapshot to another, but at that point you need to be more careful about how you store it so you don't lose some of the dependencies
<jD91mZM2> You can store a snapshot of the filesystem inside the filesystem? :thinking:
<jD91mZM2> I really wish I could just click a button and have ZFS. I don't wanna format all my stuff again (luckily less of a problem with nix - but still a problem)
<sphalerite> yeah
<gchristensen> zfs snapshots aren't backups until you've restored them to another machine
<sphalerite> that reminds me, I should do one of my occasional-far-too-infrequent backups
<sphalerite> gchristensen: of course. jD91mZM2 seems to realise that since they were asking about S3 :)
<gchristensen> yeah, but "<jD91mZM2> You can store a snapshot of the filesystem inside the filesystem?" may give the wrong impression to the other people here
<sphalerite> jD91mZM2: backing up my home dir — 130GB as mentioned, last backed up 11 days ago, data transferred ~1GB, time taken not sure but it just finished
<jD91mZM2> OOh wait I missed "zfs send serialized a snapshot"
<sphalerite> (I started it just after my "that reminds me" message)
<jD91mZM2> I thought you meant you could serialize it to a file on the disk heh
<sphalerite> well you can
<sphalerite> zfs send writes to stdout. Up to you to pipe it into a file or whatever else
<jD91mZM2> Oh. Then how am I giving the wrong impression to people gchristensen?
<sphalerite> it doesn't generally make sense :p
<sphalerite> jD91mZM2: oh right it took 37 seconds
<jD91mZM2> What backup tool are you using?
<gchristensen> jD91mZM2: you're fine, what you said is fine, just ... good to reiterate.
<sphalerite> jD91mZM2: zfs send + zfs recv
<jD91mZM2> This is amazing
<sphalerite> jD91mZM2: zfs send from the pool on my laptop's SSD, recv into the pool on my external USB HDD
<jD91mZM2> Gonna look at setting zfs up after this summer. Don't want to mess my computer up in case they come up with something for me to do for Redox Summer of Code
<sphalerite> http://ix.io/1dMw is my backup script
<sphalerite> it's a bit clunky but it works
<jD91mZM2> Oh by the way is disk encryption something I should look into as well?
<gchristensen> sphalerite:
<gchristensen> oops
<sphalerite> jD91mZM2: absolutely!
<sphalerite> Personally I'm looking forward to dropping luks and using zfs native encryption, but that isn't stable yet
<jD91mZM2> Will dropping luks be easy to do or will you have to reformat?
<jD91mZM2> The most secret things I have is like my discord token btw heh
<sphalerite> will have to reformat
<jD91mZM2> Will going from 0 encryption + zfs to zfs native require reformatting?
<sphalerite> I mean, I could use zfs encryption within a luks-encrypted pool. But that wouldn't be very useful
<sphalerite> no, that won't
<gchristensen> sphalerite: really!
<sphalerite> gchristensen: :)
<jD91mZM2> Okay so perhaps I should wait with disk encryption. Thanks for all the information!
<gchristensen> ZFS won't go back and compress parts of the tree which already existed, I'm impressed :)
<sphalerite> jD91mZM2: I'd say nowadays any laptop should be encrypted. For desktops it might be a bit less of a concern.
<sphalerite> And are you sure there's nothing other than your discord token you might want to keep secret?
<jD91mZM2> sphalerite: I'm using my laptop as desktop, heh. Only ever being at home with it unless maybe with a friend once a year
<jD91mZM2> My gpg and ssh key are encrypted, as well as my keepass database
<sphalerite> But are you for example persistently logged into github in your browser? :)
<jD91mZM2> Yes all those tokens as well
<sphalerite> how?
<jD91mZM2> I meant those tokens are also vulnerable
<sphalerite> oh right
<joepie91> I'd take that to a further extreme and say that disk encryption is useless for anything that spends most of its time powered on
<gchristensen> and don't forget, encryption prevents modification
<joepie91> it only really works for at-rest encryption
<sphalerite> gchristensen: not universally
<gchristensen> sphalerite: FDE does ...
<jD91mZM2> joepie91: Isn't full-disk encryption lazily unencrypted? Where it's only unencrypted when opening a block?
<jD91mZM2> decrypted*
<joepie91> jD91mZM2: the distinction doesn't matter because whenever it is powered on, the system is always *capable* of unencrypting thins
<joepie91> things*
<joepie91> which means that so is anything that has compromised said system
<jD91mZM2> Oh right I'm an idiot
<sphalerite> gchristensen: it's more nuanced than that — depending on the algorithms in use it may not provide integrity and an attacker can replace your data with garbage undetected
<jD91mZM2> Unless I wanna enter my password every time I open a file
<joepie91> yeah, exactly
<gchristensen> sphalerite: fair enough
<jD91mZM2> My computer is on 12/7 btw :P
<gchristensen> sphalerite: however, I'll take undetected garbage over undetected malware
<sphalerite> very true
<jD91mZM2> So really, what I should do is get encryption for my phone if I haven't
<jD91mZM2> Actually wait no that's also on 24/7
<sphalerite> joepie91: mumble mumble threat model
<joepie91> yeaaaaaahhhhh....
<joepie91> :P
<gchristensen> sphalerite++
<{^_^}> sphalerite's karma got increased to 6
<sphalerite> I'm happy if a reasonably competent attacker who wants to hurt my reputation can't do so without advanced hardware screwery
<sphalerite> In that sense I think FDE does make sense even though my laptops are powered on more or less 24/7 :)
<jD91mZM2> Btw ZFS native won't be full disk encryption, will it?
<jD91mZM2> (I mean it might be really similar since it's managing all your mountpoints)
<sphalerite> yeah
<joepie91> sphalerite: hardly advanced; one DMA-capable port on your laptop is enough for an attacker to bypass it entirely, and this can be packaged into off-the-shelf tools
<sphalerite> I think some things like the amount of data you're actually storing can be seen without decrypting it for instance. I'm not 100% sure
<sphalerite> joepie91: oh bugger
<joepie91> (assuming no further DMA protections; some systems do provide this, but many don't)
* sphalerite fills USB-C port with glue
<joepie91> hehe
<sphalerite> (ok not really)
<sphalerite> does the stock nixos kernel? :D
<joepie91> USB itself is fine; but USB-C often has Thunderbolt support and that's where your DMA vector is
<joepie91> alternatively, Firewire
<joepie91> as well as any of the external PCI port types
<sphalerite> yeah I have a thunderbolt usb-c port
<joepie91> so basically almost every laptop made in the past 30 years has a DMI-capable port
<joepie91> :P
<joepie91> okay, 20 maybe
<joepie91> errrr
<sphalerite> on my big laptop that is
<joepie91> DMA*
<gchristensen> boot.initrd.luks.mitigateDMAAttacks
<sphalerite> mitigate, not prevent :/
<sphalerite> and it only seems to blacklist firewire stuff, nothing thunderbolty
<joepie91> gchristensen: iirc it's possible on many systems to abuse DMA ports regardless of whether the OS has any sort of driver or support for it
<gchristensen> mitigate, not prevent
<gchristensen> my bios has dma disabled on the ports
<sphalerite> I should probably do that as well. I hope it doesn't break my adapter thing
<gchristensen> and apple hardware won't use a dma device unless apple made it, iirc
<sphalerite> is that cryptographically verified or just trust-the-device-to-identify-itself-correctly though?
<sphalerite> hm, I should probably also actually set up encryption and verified boot on my chromebook :|
<samueldr> though, all that depends greatly on the kind of attacks you want to protect from
<samueldr> e.g. cheap-o FDE will stop a lost laptop from being looked at by an opportunistic thief
<samueldr> (if off or locked hard enough)
<samueldr> but the moment your adversary knows how things work, it gets much harder
<gchristensen> samueldr: given Apple's commitment to stymie LEO's access to iOS devices, i would guess it is quite well implemented
<samueldr> that was a general statement, not about any specifics :)
<gchristensen> oops
<gchristensen> sphalerite: ^
<samueldr> be mindful of your attack surface, that's what's important. know how an adversary could defeat you and work to prevent anything
<sphalerite> samueldr: I think I'm safe from opportunistic thieves just by virtue of using nixos ;)
<samueldr> dvorak?
<samueldr> that's the last few percent
<samueldr> keyboard-level (caesar cipher) encryption
<jD91mZM2> Security by obscurity
<jD91mZM2> best security
<jD91mZM2> Why have a lockscreen, just open vim
<jD91mZM2> Betcha can't exit that
<samueldr> vim in ex mode (when it started without how to go back to vim)
<sphalerite> samueldr: I don't think dvorak is a caesar cipher, aren't those specifically rotations? As opposed to a general character substitution cipher
<simpson> To log in, please write and commit a 50-line change~
<samueldr> not well-versed enough in the subtleties of encryption schemes, sphalerite you're probably right
<sphalerite> Hell, maybe I could even set a scary hacker-looking lockscreen saying "I'm watching you" and have a chance that the thieves will be scared into giving it back ;)
<sphalerite> security through intimidation
<jD91mZM2> I read that as "security through limitation"
<jD91mZM2> Stole my computer? Too bad, I ripped out all essential parts!
<sphalerite> Too bad, it's a fake laptop! Replaced all the innards with lead to make it extra fun to carry!
<jD91mZM2> Too bad, I also made it really sticky so you can't let go
<jD91mZM2> Now you can sit there until the police arrives :)
* sphalerite imagines calling police, "yeah this guy stole my box of lead"
<jD91mZM2> I mean that's good, then the police has a... lead... ba dum tss
* jD91mZM2 has to go
jD91mZM2 has quit [Quit: WeeChat 2.0]
eisbaer-north has left #nixos-chat ["WeeChat 2.1"]
atu has quit [Ping timeout: 240 seconds]
<adisbladis[m]> gchristensen: Which is why people have attacked apple laptops through re-flashing apple ethernet devices with malicious firmware
<gchristensen> ooh nice
<samueldr> please plug in this innocuous totally legit apple-branded device :)
* samueldr is looking at the firewire port on the workstation
<gchristensen> for maximum security, throw all your computers in to a lava pit and go live on a boat
<samueldr> boats are a leaky abstraction of a house
<gchristensen> boo
<adisbladis[m]> samueldr: Firewire is old enough that any evil haxxorz won't have the hardware around anymore :D
matthewbauer has joined #nixos-chat
<samueldr> yay using 2012-era workstation hardware
jD91mZM2 has joined #nixos-chat
jD91mZM2 has quit [Ping timeout: 268 seconds]
jD91mZM2 has joined #nixos-chat
jD91mZM2 has quit [Ping timeout: 240 seconds]
jD91mZM2 has joined #nixos-chat
<pie_> quote saved
Sonarpulse has joined #nixos-chat
Drakonis[m] has joined #nixos-chat
Drakonis[m] has quit [Changing host]
Drakonis[m] has joined #nixos-chat
MichaelRaskin has joined #nixos-chat
jD91mZM2 has quit [Quit: WeeChat 2.0]
__monty__ has joined #nixos-chat
<infinisil> Hah, part of youtube is down
<infinisil> All channel pages at least, e.g. https://www.youtube.com/user/CaptainDisillusion
<joepie91> heh
<__monty__> I got that a couple weeks ago, wonder what they're up to.
<joepie91> moving fast and breaking things, probably :)
<__monty__> Is their new mantra "Just push to prod, we'll cross that bridge when we get there."?
<joepie91> lol
<MichaelRaskin> We'll burn the bridge before crossing it
<infinisil> I want a fast and useful youtube client
<infinisil> One that manages subscriptions on its own, so youtube doesn't mess with them
<infinisil> And one that can download the videos so I can watch them offline
<samueldr> is minitube still a thing?
<joepie91> infinisil: don't youtube channels still have RSS feeds
<samueldr> it's uh, it has been previously stated (years ago) as being deprecated then removed
<infinisil> Ah yeah, could hook into that
<samueldr> but they still work ?!?
<samueldr> don't tell youtube
<infinisil> Oh, never mind, it's gonna be removed in a year or so then
<samueldr> https://github.com/flaviotordini/minitube I'm not sure it does subscriptions outside google's control
<infinisil> There's an api though
<samueldr> > Subscribe to YouTube channels and be notified of new videos. No need to login with a YouTube account: more privacy!
<{^_^}> error: syntax error, unexpected WITH, expecting ')', at (string):150:79
<MichaelRaskin> I think youtube-dl can download whole channels
<MichaelRaskin> Maybe one could invent a list of flags that would make it do incremental downloads…
<samueldr> it does skip already downloaded items
<samueldr> and it can continue a cut download
<joepie91> ah yeah, good point
<joepie91> just a youtube-dl cronjob then?
<samueldr> but I don't think it would know about "don't download what I already watched"
<joepie91> lol
<infinisil> I actually created a systemd service that downloads all new videos I add to one of my playlists
<infinisil> Using the youtube api
<infinisil> Wait no
<infinisil> It just uses the playlist as a youtube-dl argument, no api involved
<MichaelRaskin> One would argue that you have watched a video, it is an argument in favour of downloading it before it is removed
<infinisil> MichaelRaskin: Not sure what you're saying
<MichaelRaskin> samueldr said «don't download what I already watched»
<samueldr> MichaelRaskin: I'm thinking about how not everybody is a data hoarder
<samueldr> and how there are some videos which have no rewatch value
<MichaelRaskin> Which is a problem and how we ended up with the problems we have now
<infinisil> I would like to be, but am too lazy to up my storage hah
jtojnar has quit [Remote host closed the connection]
jtojnar has joined #nixos-chat
jtojnar has quit [Remote host closed the connection]
jtojnar has joined #nixos-chat
__monty__ has quit [Quit: leaving]
JasonGrossman has quit [Ping timeout: 264 seconds]
JasonGrossman has joined #nixos-chat
matthewbauer has quit [Ping timeout: 240 seconds]
matthewbauer has joined #nixos-chat
ma27 has quit [Quit: WeeChat 2.0]
ma27 has joined #nixos-chat
jasongro` has joined #nixos-chat
JasonGrossman has quit [Ping timeout: 256 seconds]
matthewbauer has quit [Read error: Connection reset by peer]
matthewbauer has joined #nixos-chat