#nixos-chat on 2018-09-02

2018-04-19 20:36 gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat

02:07 lassulus_ has joined #nixos-chat

02:09 lassulus has quit [Ping timeout: 252 seconds]

02:09 lassulus_ is now known as lassulus

03:06 drakonis has quit [Ping timeout: 252 seconds]

03:09 drakonis has joined #nixos-chat

03:09 MarkRBM_ has joined #nixos-chat

03:19 MarkRBM_ has quit [Remote host closed the connection]

03:40 MarkRBM_ has joined #nixos-chat

05:03 jD91mZM2 has joined #nixos-chat

05:11 drakonis has quit [Remote host closed the connection]

10:20 jtojnar has quit [Quit: jtojnar]

10:29 jtojnar has joined #nixos-chat

10:48 kisik21 has joined #nixos-chat

12:28 jtojnar has quit [Read error: Connection reset by peer]

12:28 jtojnar has joined #nixos-chat

12:35 obadz has joined #nixos-chat

13:05 __monty__ has joined #nixos-chat

14:13 <LnL> TIL man gitremote-helpers 1

14:45 jtojnar has quit [Remote host closed the connection]

14:47 jtojnar has joined #nixos-chat

15:39 mudri has quit [Quit: Connection closed for inactivity]

15:42 drakonis has joined #nixos-chat

16:05 drakonis has quit [Remote host closed the connection]

16:28 MarkRBM_ has quit [Ping timeout: 246 seconds]

17:21 <elvishjerricco> I was excited to test out using my new tinc stuff at long range while I was away this weekend. But apparently the power went down for some amount of time, so my desktop and router went down. For some reason, the macbook that I left behind didn't reconnect when the router came back up, and my desktop has an encrypted drive, so neither were available and I couldn't test anything.

17:24 <__monty__> Yep, that sounds like what'll happen every time you want to test some cool tech.

17:27 <elvishjerricco> I gotta find a way to be able to enter my hard drive password over tinc. I'm thinking I'll just get a router that I can install tinc on, add it to the mesh, then ssh from laptop -> router -> desktop.

17:28 <elvishjerricco> since NixOS can enable SSH during stage 1

17:29 <elvishjerricco> I could hack tinc to run during stage 1, but that would mean putting a private key on the unencrypted partition. I guess it's paranoid to think that's a problem, but it's the principle :P

17:29 drakonis_ has joined #nixos-chat

17:29 <andi-> well you'll have an SSH host key in the initramfs if you plan to ssh into the box in stage1..

17:30 <__monty__> Add a layer that does key exchange? : )

17:30 <andi-> which is either a)unencrypted or b) random on every boot.. choose your pain.

17:30 kisik21 has quit [Ping timeout: 252 seconds]

17:31 <elvishjerricco> andi-: That's a good point...

17:33 <andi-> so I wouldn't type my password into any random ssh server that pretends to decrypt my desktop ;)

17:36 <elvishjerricco> andi-: Hm... I guess the router would need to have an unencrypted drive for this to work, so technically that key could be stolen. So I guess the idea is fundamentally breakable

17:36 <andi-> how about a UPS?

17:36 <elvishjerricco> UPS?

17:37 <andi-> uninterruptible power supply

17:37 <elvishjerricco> Well it's still nice to have the ability to reboot the desktop remotely. But that could be put on the router so that the router could be encrypted.

17:38 <elvishjerricco> Then it's just a matter of somehow verifying the identity of the desktop in stage 1...

17:39 <andi-> The thing you want to google is "trusted boot"

17:40 <elvishjerricco> Oh, that'll be a fun rabbit hole, I'm sure :P

17:40 <elvishjerricco> Thanks

17:44 <andi-> elvishjerricco: Finally found what I was searching for: http://osresearch.net/

17:48 <elvishjerricco> Oh boy. Lots of reading to do :P

17:50 <andi-> THere is also a bunch of good videos on that topic.. the qubes os people are investing in such things :)

17:57 <elvishjerricco> Hm, this seems to be at the core of it: https://en.wikipedia.org/wiki/Trusted_Platform_Module

17:57 <andi-> yes

17:57 <andi-> you always need some trust anchor for these kind of things

18:04 <drakonis_> there's a 2.0 now

18:12 <elvishjerricco> So in theory, even the boot partition can be encrypted, and you can use TPM to decrypt it?

18:20 jD91mZM2 has quit [Quit: WeeChat 2.0]

18:23 <elvishjerricco> This looks promising: https://github.com/fox-it/linux-luks-tpm-boot

18:30 <andi-> I just sign my grub efi payloads and have removed every other key from my hardware... It still leaves the attack surface of someone breaking the crypto (unlikely) or a backdoor that allows a state entity to disable secure boot..

18:31 <andi-> but that also makes the system unbootable without IPMI / Intel AMT / ..

18:31 <andi-> s/unbootable/remote unbootable/

18:31 <joepie91> this was cooked by somebody at $hackerspace yesterday: https://revspace.nl/kiekjes/view/20180901/P1010647.JPG

18:31 <joepie91> it looks, uh

18:31 <joepie91> interesting

18:31 <gchristensen> anyone have PRs they want merged?

18:32 <samueldr> joepie91: gagh?

18:32 <samueldr> http://memory-alpha.wikia.com/wiki/Gagh

18:33 <joepie91> hahaha

18:33 <joepie91> nah, something something Korean

18:33 <joepie91> something with tentacles

19:44 <clever> gchristensen, infinisil: i had an idea recently, about a new way to handle nixops deploy

19:45 <clever> for the first deployment

19:45 <clever> https://github.com/NixOS/nix/issues/2138

19:45 <{^_^}> nix#2138 (by lheckemann, 16 weeks ago, open): chroot stores via SSH

19:45 <clever> infinisil: using the command i gave here, you can boot the nixos installer on anything, format and mount the drives, then just `nix copy` into a remote /mnt/

19:49 <clever> infinisil: can you see the advantage of that method?

19:50 <infinisil> Um, not entirely getting it heh

19:51 <clever> rather then doing an empty nixos-install, booting that, then running nixops deploy against it

19:51 <clever> you can just boot the installer, mount things to /mnt/, and then deploy directly into /mnt/

19:51 <samueldr> anyone think it's a mistake to merge #45345 without the tests, and open a new PR for tests (which would be backported)?

19:51 <{^_^}> https://github.com/NixOS/nixpkgs/pull/45345 (by vmandela, 2 weeks ago, open): nixos/install-grub: include child configs in grub menu

19:51 <samueldr> oops, meant for -dev

19:52 <samueldr> y'all with your on-topic discussion in the off-topic channel ;)

19:52 <clever> lol

19:52 <LnL> xD

19:53 <infinisil> clever: Oh cool, that might just work :O

19:53 <infinisil> So just getting a minimam NixOS running first to do the actual deploy when that's running?

19:53 <clever> this lets you skip that step :P

19:55 <clever> basically, mount everything under /mnt as normal, `nix-build '<nixpkgs/nixos>' -A system ; nix copy --to ssh://root@targetremote-store=local?root=/mnt/ ./result`

19:55 <clever> and now the entire nixos is in /mnt as normal (ish)

19:56 <clever> mkdir /mnt/etc/ ; touch /mnt/etc/NIXOS ; nix-env --set /nix/store/foo -p /nix/var/nix/profiles/system --store local?root=/mnt/

19:56 <joepie91> samueldr: I can post more tentacles, if that helps...

19:56 <clever> nixos-enter --root /mnt --command "/nix/store/foo/bin/switch-to-configuration boot"

19:56 <joepie91> :P

19:57 <clever> infinisil: nix-build (or nixops) to build the nixos, nix copy to push it over, mkdir and touch to defeat the "its not nixos" safeties, nix-env to make nixos-enter happy, and nixos-enter to run things in a chroot

19:57 <clever> infinisil: and finally, switch-to-configuration boot, to install the bootloader

19:57 <infinisil> clever: Ah, so the destination only needs a working nix?

19:57 <infinisil> initially

19:57 <clever> yeah, and that working nix can be in a ramdisk

19:58 <clever> i tested this lastnight, with a freshly formatted /mnt/

19:58 <infinisil> Neato

20:00 <clever> infinisil: the hardest part was written a uefi configuration.nix without nixos-generate-config

20:02 <clever> infinisil: as for how you get nix, you have the choice between kexec, not-os, and others

20:25 <elvishjerricco> clever: Side note, is there a difference between referencing a chroot store with `/foo` vs `local?root=/foo`?

20:26 <elvishjerricco> Anyway that does sound awesome. You can even reuse `nixos-install` with its `-s` argument. Dunno if that's better or not

20:26 <elvishjerricco> er, --system. Dunno where I thought up -s

20:27 <clever> elvishjerricco: does nixos-install -s expect the given storepath to be in the host store?

20:28 <elvishjerricco> Not sure. But I meant doing it after `nix copy` anyway. Reusing `nixos-install` just avoids having to deal with `nixos-enter` or `switch-to-configuration` manually.

20:29 <clever> yeah

20:29 <elvishjerricco> I guess you'd want `--no-channel-copy` and `--no-root-passwd` too

20:39 vdemeester has joined #nixos-chat

21:10 <gchristensen> do we have any Polish speakers?

21:32 <gchristensen> tazjin: ping! :)

21:33 mudri has joined #nixos-chat

21:34 <tazjin> gchristensen: I can assist with a whole bunch of Germanic languages, but not polish, sorry :)

21:34 <gchristensen> oh hrm it was someone else I was thinking about

21:35 <gchristensen> someone is looking for a way in to the NixOS community but I believe speaks very little-to-no English

21:35 <joepie91> gchristensen: I know somebody who speaks both Polish and English but idk if they can help

21:35 <joepie91> I can ask, if I can get hold of them

21:36 <joepie91> (unless it's like, "need it now", in which case I probably can't get hold of them in time :P)

21:36 <gchristensen> nah

21:36 <gchristensen> it would only work if it was an existing community member

21:37 <andi-> someone registered #nixos-pl

21:37 <andi-> name is xaxes`

21:38 <andi-> inactive for 3y -.-

21:38 <samueldr> I was about to say

21:38 <gchristensen> I forget their nick, but I confuse thoughtpolice and this other person who lived in Poland

22:16 kisik21 has joined #nixos-chat

22:32 <infinisil> I have 8 cores, and I need to compile about 10000 haskell packages

22:32 <infinisil> I'll use --max-jobs 3 and --cores 2 for that

22:32 <infinisil> Then I always should have 2 cores free to not have a super laggy machine :)

22:33 <andi-> start it & take a nap? ;-)

22:33 <samueldr> hm, wit how nix sets `nice` few builds cause issues here

22:33 <infinisil> samueldr: I even set the nice value to something less important than the default, but it still lags

22:34 <joepie91> infinisil: wouldn't you be better off with --max-jobs 6 and --cores 1?

22:34 <joepie91> given that not all packages can be built in a multi-threaded manner (unless that's different for Haskell)

22:34 <joepie91> so you'd get better utilization running everything single-core

22:34 <infinisil> joepie91: I find that a lot can be built with multiple cores

22:35 <samueldr> though, I don't do haskell compilations, maybe the exhert pressure where nice doesn't have effect

22:35 <joepie91> infinisil: even then, seems like any nonzero amount of single-threaded packages would make single-core compilation a better option

22:35 <joepie91> since you already naturally have 10k independent tasks to distribute across cores

22:36 <infinisil> They aren't independent though

22:36 <infinisil> And it's not 10000, it's more like 500 :P

22:36 <infinisil> Only three packages (and their dependencies)

22:36 <infinisil> And I think there are a couple tight spots in the dependency chain

22:38 <joepie91> ah, right :P

22:38 <infinisil> 6x1 would be inefficient in those tight spots, and 1x6 would be inefficient because a lot of packages can't use 6 cores at once. So I think something inbetween would be best

22:38 <infinisil> Would be nice if Nix could manage this a little better

22:41 obadz has quit [Ping timeout: 240 seconds]

22:45 obadz has joined #nixos-chat

22:45 kisik21 has quit [Ping timeout: 245 seconds]

22:52 <__monty__> Is the slow down because of memory pressure maybe?

23:18 aszlig has quit [Quit: Kerneling down for reboot NOW.]

23:20 aszlig has joined #nixos-chat

23:31 MarkRBM_ has joined #nixos-chat

23:35 drakonis_ has quit [Remote host closed the connection]

23:50 hl` has joined #nixos-chat

23:52 hl has quit [Ping timeout: 240 seconds]

23:52 hl` is now known as hl