gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
lassulus_ has joined #nixos-chat
lassulus has quit [Ping timeout: 252 seconds]
lassulus_ is now known as lassulus
drakonis has quit [Ping timeout: 252 seconds]
drakonis has joined #nixos-chat
MarkRBM_ has joined #nixos-chat
MarkRBM_ has quit [Remote host closed the connection]
MarkRBM_ has joined #nixos-chat
jD91mZM2 has joined #nixos-chat
drakonis has quit [Remote host closed the connection]
jtojnar has quit [Quit: jtojnar]
jtojnar has joined #nixos-chat
kisik21 has joined #nixos-chat
jtojnar has quit [Read error: Connection reset by peer]
jtojnar has joined #nixos-chat
obadz has joined #nixos-chat
__monty__ has joined #nixos-chat
<LnL> TIL man gitremote-helpers 1
jtojnar has quit [Remote host closed the connection]
jtojnar has joined #nixos-chat
mudri has quit [Quit: Connection closed for inactivity]
drakonis has joined #nixos-chat
drakonis has quit [Remote host closed the connection]
MarkRBM_ has quit [Ping timeout: 246 seconds]
<elvishjerricco> I was excited to test out using my new tinc stuff at long range while I was away this weekend. But apparently the power went down for some amount of time, so my desktop and router went down. For some reason, the macbook that I left behind didn't reconnect when the router came back up, and my desktop has an encrypted drive, so neither were available and I couldn't test anything.
<__monty__> Yep, that sounds like what'll happen every time you want to test some cool tech.
<elvishjerricco> I gotta find a way to be able to enter my hard drive password over tinc. I'm thinking I'll just get a router that I can install tinc on, add it to the mesh, then ssh from laptop -> router -> desktop.
<elvishjerricco> since NixOS can enable SSH during stage 1
<elvishjerricco> I could hack tinc to run during stage 1, but that would mean putting a private key on the unencrypted partition. I guess it's paranoid to think that's a problem, but it's the principle :P
drakonis_ has joined #nixos-chat
<andi-> well you'll have an SSH host key in the initramfs if you plan to ssh into the box in stage1..
<__monty__> Add a layer that does key exchange? : )
<andi-> which is either a) unencrypted or b) random on every boot.. choose your pain.
kisik21 has quit [Ping timeout: 252 seconds]
<elvishjerricco> andi-: That's a good point...
<andi-> so I wouldn't type my password into any random ssh server that pretends to decrypt my desktop ;)
<elvishjerricco> andi-: Hm... I guess the router would need to have an unencrypted drive for this to work, so technically that key could be stolen. So I guess the idea is fundamentally breakable
<andi-> how about a UPS?
<elvishjerricco> UPS?
<andi-> uninterruptible power supply
<elvishjerricco> Well it's still nice to have the ability to reboot the desktop remotely. But that could be put on the router so that the router could be encrypted.
<elvishjerricco> Then it's just a matter of somehow verifying the identity of the desktop in stage 1...
<andi-> The thing you want to google is "trusted boot"
<elvishjerricco> Oh, that'll be a fun rabbit hole, I'm sure :P
<elvishjerricco> Thanks
<andi-> elvishjerricco: Finally found what I was searching for: http://osresearch.net/
<elvishjerricco> Oh boy. Lots of reading to do :P
<andi-> There are also a bunch of good videos on that topic.. the qubes os people are investing in such things :)
<elvishjerricco> Hm, this seems to be at the core of it: https://en.wikipedia.org/wiki/Trusted_Platform_Module
<andi-> yes
<andi-> you always need some trust anchor for these kind of things
<drakonis_> there's a 2.0 now
<elvishjerricco> So in theory, even the boot partition can be encrypted, and you can use TPM to decrypt it?
jD91mZM2 has quit [Quit: WeeChat 2.0]
<elvishjerricco> This looks promising: https://github.com/fox-it/linux-luks-tpm-boot
<andi-> I just sign my grub efi payloads and have removed every other key from my hardware... It still leaves the attack surface of someone breaking the crypto (unlikely) or a backdoor that allows a state entity to disable secure boot..
<andi-> but that also makes the system unbootable without IPMI / Intel AMT / ..
<andi-> s/unbootable/remote unbootable/
<joepie91> this was cooked by somebody at $hackerspace yesterday: https://revspace.nl/kiekjes/view/20180901/P1010647.JPG
<joepie91> it looks, uh
<joepie91> interesting
<gchristensen> anyone have PRs they want merged?
<samueldr> joepie91: gagh?
<joepie91> hahaha
<joepie91> nah, something something Korean
<joepie91> something with tentacles
<clever> gchristensen, infinisil: i had an idea recently, about a new way to handle nixops deploy
<clever> for the first deployment
<{^_^}> nix#2138 (by lheckemann, 16 weeks ago, open): chroot stores via SSH
<clever> infinisil: using the command i gave here, you can boot the nixos installer on anything, format and mount the drives, then just `nix copy` into a remote /mnt/
<clever> infinisil: can you see the advantage of that method?
<infinisil> Um, not entirely getting it heh
<clever> rather than doing an empty nixos-install, booting that, then running nixops deploy against it
<clever> you can just boot the installer, mount things to /mnt/, and then deploy directly into /mnt/
<samueldr> anyone think it's a mistake to merge #45345 without the tests, and open a new PR for tests (which would be backported)?
<{^_^}> https://github.com/NixOS/nixpkgs/pull/45345 (by vmandela, 2 weeks ago, open): nixos/install-grub: include child configs in grub menu
<samueldr> oops, meant for -dev
<samueldr> y'all with your on-topic discussion in the off-topic channel ;)
<clever> lol
<LnL> xD
<infinisil> clever: Oh cool, that might just work :O
<infinisil> So just getting a minimal NixOS running first to do the actual deploy when that's running?
<clever> this lets you skip that step :P
<clever> basically, mount everything under /mnt as normal, `nix-build '<nixpkgs/nixos>' -A system ; nix copy --to 'ssh://root@target?remote-store=local?root=/mnt/' ./result`
<clever> and now the entire nixos is in /mnt as normal (ish)
<clever> mkdir /mnt/etc/ ; touch /mnt/etc/NIXOS ; nix-env --set /nix/store/foo -p /nix/var/nix/profiles/system --store local?root=/mnt/
<joepie91> samueldr: I can post more tentacles, if that helps...
<clever> nixos-enter --root /mnt --command "/nix/store/foo/bin/switch-to-configuration boot"
<joepie91> :P
<clever> infinisil: nix-build (or nixops) to build the nixos, nix copy to push it over, mkdir and touch to defeat the "it's not nixos" safeties, nix-env to make nixos-enter happy, and nixos-enter to run things in a chroot
<clever> infinisil: and finally, switch-to-configuration boot, to install the bootloader
<infinisil> clever: Ah, so the destination only needs a working nix?
<infinisil> initially
<clever> yeah, and that working nix can be in a ramdisk
<clever> i tested this last night, with a freshly formatted /mnt/
<infinisil> Neato
<clever> infinisil: the hardest part was writing a uefi configuration.nix without nixos-generate-config
<clever> infinisil: as for how you get nix, you have the choice between kexec, not-os, and others
<elvishjerricco> clever: Side note, is there a difference between referencing a chroot store with `/foo` vs `local?root=/foo`?
<elvishjerricco> Anyway that does sound awesome. You can even reuse `nixos-install` with its `-s` argument. Dunno if that's better or not
<elvishjerricco> er, --system. Dunno where I thought up -s
<clever> elvishjerricco: does nixos-install -s expect the given storepath to be in the host store?
<elvishjerricco> Not sure. But I meant doing it after `nix copy` anyway. Reusing `nixos-install` just avoids having to deal with `nixos-enter` or `switch-to-configuration` manually.
<clever> yeah
<elvishjerricco> I guess you'd want `--no-channel-copy` and `--no-root-passwd` too
vdemeester has joined #nixos-chat
<gchristensen> do we have any Polish speakers?
<gchristensen> tazjin: ping! :)
mudri has joined #nixos-chat
<tazjin> gchristensen: I can assist with a whole bunch of Germanic languages, but not polish, sorry :)
<gchristensen> oh hrm it was someone else I was thinking about
<gchristensen> someone is looking for a way in to the NixOS community but I believe speaks very little-to-no English
<joepie91> gchristensen: I know somebody who speaks both Polish and English but idk if they can help
<joepie91> I can ask, if I can get hold of them
<joepie91> (unless it's like, "need it now", in which case I probably can't get hold of them in time :P)
<gchristensen> nah
<gchristensen> it would only work if it was an existing community member
<andi-> someone registered #nixos-pl
<andi-> name is xaxes`
<andi-> inactive for 3y -.-
<samueldr> I was about to say
<gchristensen> I forget their nick, but I confuse thoughtpolice and this other person who lived in Poland
kisik21 has joined #nixos-chat
<infinisil> I have 8 cores, and I need to compile about 10000 haskell packages
<infinisil> I'll use --max-jobs 3 and --cores 2 for that
<infinisil> Then I always should have 2 cores free to not have a super laggy machine :)
<andi-> start it & take a nap? ;-)
<samueldr> hm, with how nix sets `nice` few builds cause issues here
<infinisil> samueldr: I even set the nice value to something less important than the default, but it still lags
<joepie91> infinisil: wouldn't you be better off with --max-jobs 6 and --cores 1?
<joepie91> given that not all packages can be built in a multi-threaded manner (unless that's different for Haskell)
<joepie91> so you'd get better utilization running everything single-core
<infinisil> joepie91: I find that a lot can be built with multiple cores
<samueldr> though, I don't do haskell compilations, maybe they exert pressure where nice doesn't have effect
<joepie91> infinisil: even then, seems like any nonzero amount of single-threaded packages would make single-core compilation a better option
<joepie91> since you already naturally have 10k independent tasks to distribute across cores
<infinisil> They aren't independent though
<infinisil> And it's not 10000, it's more like 500 :P
<infinisil> Only three packages (and their dependencies)
<infinisil> And I think there are a couple tight spots in the dependency chain
<joepie91> ah, right :P
<infinisil> 6x1 would be inefficient in those tight spots, and 1x6 would be inefficient because a lot of packages can't use 6 cores at once. So I think something in between would be best
<infinisil> Would be nice if Nix could manage this a little better
obadz has quit [Ping timeout: 240 seconds]
obadz has joined #nixos-chat
kisik21 has quit [Ping timeout: 245 seconds]
<__monty__> Is the slow down because of memory pressure maybe?
aszlig has quit [Quit: Kerneling down for reboot NOW.]
aszlig has joined #nixos-chat
MarkRBM_ has joined #nixos-chat
drakonis_ has quit [Remote host closed the connection]
hl` has joined #nixos-chat
hl has quit [Ping timeout: 240 seconds]
hl` is now known as hl