<Arahael>
This is probably an excellent first task for learning nix expressions. Does one have to add them to the pkgs/top-level/all-packages.nix though?
<Arahael>
Or can they be standalone?
drakonis has quit [Quit: WeeChat 2.2]
<elvishjerricco>
Should authentication keys be generational? I'm looking into alternative ways to manage keys on NixOS, and I'm not sure if rolling back a NixOS system generation should also cause keys to be rolled back. I'm thinking it shouldn't, because with key rotation you always want the newer version of a key. But at the same time, an older generation may need different keys to authenticate with a different set of services.
jasongrossman has joined #nixos-chat
jasongrossman has quit [Remote host closed the connection]
<clever>
Arahael: you can define a custom timer by just setting systemd.services.foo = { script = ''....''; startAt = "nightly"; }; in configuration.nix i believe
<Arahael>
clever: Even simpler - thanks for that. :)
<clever>
`systemctl list-timers` will list every timer, when they last ran, and when they next run
<clever>
and `man systemd.timers` should explain the syntax for startAt
<Arahael>
Awesome, thanks. I intend to use this for scheduled backups.
<Arahael>
Which I think I'll just do with rsync.
<Arahael>
Currently annoyed with dwarf fortress. :)
<clever>
:D
<Arahael>
As I have no brew. :(
<Arahael>
At all.
jasongrossman has joined #nixos-chat
<clever>
i often run into food issues early-game
<Arahael>
Well, I have a still. I have plump helmets. I have *15* idle dwarfs. Some of whom are brewers. I have barrels, I can build barrels, it's all good.
<Arahael>
But somehow, brew just doesn't brew.
<Arahael>
I just got a werewolf now, though, so I suspect the end is near.
<clever>
heh
* Arahael
blinks
<Arahael>
I like this werewolf - somehow, I now have a dwarf brewing.
<Arahael>
Seems a bit of emotional shock was all that was required(!) And well, the death of most of my dwarfs.
<joepie91>
lol
<joepie91>
maybe a reduction in numbers cut the knot on who was responsible for brewing?
jcrben has quit [Ping timeout: 244 seconds]
jcrben has joined #nixos-chat
julm has quit [Ping timeout: 244 seconds]
julm has joined #nixos-chat
tilpner has quit [Quit: :wq]
tilpner has joined #nixos-chat
<Arahael>
Maybe.
<Arahael>
In any case, I have *one* dwarf now. Whom I suspect is a were creature now.
<joepie91>
lol
<joepie91>
yeah, having one dwarf will certainly force decisionmaking on responsibilities...
<Arahael>
One *haunted* dwarf.
jasongrossman has quit [Ping timeout: 252 seconds]
pie_ has quit [Ping timeout: 252 seconds]
__monty__ has joined #nixos-chat
dramforever has joined #nixos-chat
jD91mZM2 has joined #nixos-chat
Lisanna has quit [Quit: Lisanna]
Synthetica has joined #nixos-chat
pie_ has joined #nixos-chat
dramforever has quit [Ping timeout: 256 seconds]
<andi->
Nice, ICMP proxy works on Lufthansa WiFi :)
drakonis has joined #nixos-chat
drakonis2 has quit [Ping timeout: 246 seconds]
drakonis has quit [Read error: Connection reset by peer]
drakonis_ has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis_ has quit [Read error: Connection reset by peer]
drakonis1 has joined #nixos-chat
drakonis has quit [Ping timeout: 264 seconds]
<sphalerite>
andi-: aaaaah had I known!
<sphalerite>
jD91mZM2: did you see that people did stuff using rnix at the nixcon hackday?
sir_guy_carleton has joined #nixos-chat
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-chat
drakonis has joined #nixos-chat
<jD91mZM2>
sphalerite: I just saw the nixdoc project, and it makes me warm and fuzzy :D
<tazjin>
jD91mZM2: thanks for making rnix btw, it was perfect for this tool!
<jD91mZM2>
tazjin: Thanks for using it! I don't usually make projects that are either useful or that people use, and it feels good! Let me know if there's anything about it I can change
<jD91mZM2>
I have a confession btw: The stable branch had a small parsing bug with inherits because of an oversight I made when fixing lifetime errors, but it's now fixed
<jD91mZM2>
So if you've pinned a specific commit hash you may want to update that
<tazjin>
good to know - doc generation currently doesn't do anything with inherits, but I'm gonna update it anyways!
<jD91mZM2>
It'd probably affect all outputs that use inherits. Had to hurry pushing the branch earlier which is why I missed running tests and was away when the CI failed
<jD91mZM2>
tazjin: Impressive! Should I still bump them whenever I can?
<tazjin>
yeah, I think it'd be nice for the next release, I had to patch `carnix` locally to get it to generate the package set using git deps
<sphalerit>
jD91mZM2: no, not yet
<jD91mZM2>
sphalerit: I improved the help page a little, which is why I brought it up
<sphalerite>
jD91mZM2: I don't really understand the point of timer2. Why not just run a second instance of xidlehook?
<sphalerite>
or alternatively allow an arbitrary number of timers in a single instance?
drakonis_ has joined #nixos-chat
drakonis1 has quit [Ping timeout: 250 seconds]
<jD91mZM2>
sphalerite: I somewhat agree to that, but running multiple xidlehooks is less efficient. The feature is ported from xautolock's --killer stuff. Supporting an arbitrary amount of timers may be a good idea.
<jD91mZM2>
The thing is additional timers are separated as in they don't have notifiers and similar. So it'd be confusing to just allow --timer "thing" --timer "other thing". But --additional-timer or something is definitely a good idea
<sphalerit>
jD91mZM2: then probably each timer should have a trigger/untrigger thing
<sphalerit>
jD91mZM2: allowing the notifier to just be implemented as its own timer too
<sphalerit>
More uniformity all round
drakonis_ has quit [Ping timeout: 252 seconds]
<jD91mZM2>
sphalerit: More good ideas, although the notifier is specified in seconds and the timer is specified in minutes. I guess specifying resolution is also a possibility
<sphalerite>
jD91mZM2: do they really need to be in different units?
<jD91mZM2>
sphalerite: Sadly yeah, pinging the X11 API for the idle time too often is a bad idea
<jD91mZM2>
So you're only ever guaranteed to be within one unit late in any resolution
<jD91mZM2>
Well yeah you want xidlehook sleeping as much as possible
<jD91mZM2>
Not pinging X11 for the idle time every second
drakonis_ has quit [Ping timeout: 252 seconds]
<sphalerite>
sure, but it doesn't need to
<jD91mZM2>
sphalerite: What brilliant API have I missed?
drakonis1 has quit [Read error: Connection reset by peer]
<sphalerite>
not an API
<sphalerite>
just, given the example I wrote above for example, surely you could start off by sleeping 120s?
<sphalerite>
or (120-idletime)s
<jD91mZM2>
But the canceller
<sphalerite>
should probably be caused by X activity, not polling for idle time decrease, I guess?
<sphalerite>
that way it sleeps until the time has come to do another thing or X input wakes it up
<jD91mZM2>
No API for detecting any wakeup
drakonis_ has joined #nixos-chat
<jD91mZM2>
as far as I can find
<sphalerite>
well, what kind of events cause a wakeup?
<sphalerite>
key presses and mouse events, right? I'm pretty sure there's an API for getting those ;)
<jD91mZM2>
Can you get all events globally in X11?
<gchristensen>
xev can
<jD91mZM2>
Oh, cool! Good! Let's just hope there's nothing that causes an idle difference that can't be checked with events
<jD91mZM2>
Like for example keypresses... xev doesn't seem to let me log keypresses
<jD91mZM2>
(with -root)
<gchristensen>
sphalerite: I'm annoyed that you piqued my interest in an aarch64 laptop :P
<sphalerite>
gchristensen: :D (writing from my aarch64 laptop right now)
<sphalerite>
jD91mZM2: xinput test can get key events
<sphalerite>
gchristensen: sooooo will you? ;)
<sphalerite>
jD91mZM2: so by the looks of it there are two ways to do it — either you get input events from the currently focused window, or from the input device
<gchristensen>
sphalerite: I'm not sure I want to take on fixing aarch64 stuff, and remote building for all the servers I manage
<jD91mZM2>
sphalerite: If I do do this, I feel like we're going to end up finding some other way to cause an idle change that doesn't trigger any events
<sphalerite>
gchristensen: there's honestly not much fixing to do. And remote building for..
<sphalerite>
?
<gchristensen>
the many servers I deploy to :)
<sphalerite>
oooh right
<sphalerite>
deploy from a server? :D
<jD91mZM2>
sphalerite: Seems to rely on either optional extensions, or mouse events and periodic wakeups
<jD91mZM2>
I need to go to bed now, see you tomorrow. I think getting around the polling is going to be a bumpy ride that's not really worth it. Maybe I'm just lazy making up excuses, but it feels hacky to rely on only specific events causing an idle change. Especially since keyboard events are a part of xinput and not x11 directly.
<sphalerite>
jD91mZM2: XScreenSaver is an optional extension too
<jD91mZM2>
TIL
<drakonis>
today is a cursed day
<jD91mZM2>
I definitely should add some kind of better timer system like you suggested, but we'll also need some resolution like --resolution seconds or something
<sphalerite>
in practice it's going to be available because when did you last see an X server that wasn't Xorg, and I'm fairly sure the same applies for xidle
<sphalerite>
yeah that would be nice
<sphalerite>
also is there a good way to contact you when you're not on IRC?
<jD91mZM2>
I'm always online on discord :)
<jD91mZM2>
jD91mZM2#1033
<sphalerite>
but meeeh nonfree :(
<jD91mZM2>
I use a chromium window with --app
<jD91mZM2>
Also in the redox os mattermost
<jD91mZM2>
or finally email, which I can PM
<sphalerite>
hmmmm ok
<sphalerite>
yeah email is good to have :D
<sphalerite>
cheers! And good night :)
<jD91mZM2>
I have never heard of xidle, but it seems like the answer to my prayers! Will take a look tomorrow :)
jD91mZM2 has quit [Quit: WeeChat 2.2]
<gchristensen>
speaking of which, does anyone have their computer properly auto-locking when they close the lid?
<__monty__>
sphalerite: I always abuse the memo system. Most people have it set up to email them when memo'ed ; )
<sphalerite>
gchristensen: plasma users, I guess? :D
<Ralith>
gchristensen: I think that's a logind thing, perhaps?
<sphalerite>
gchristensen: but thanks for the reminder, I wanted to get that working too
<gchristensen>
yeah :) I got distracted by sleep-then-hibernate support
<srk>
cool, wonder how well that works
<gchristensen>
same
<srk>
I think I was surprised to see it happen once with fedora few years ago
<gchristensen>
"Logind (part of systemd) can be configured to emit events in response to the lid being closed, sleeping, the power button being pressed, etc. These events though, are simple D-Bus events, and don't actually run anything. You need some form of wrapper to listen to these events, and run your screen lockers, etc."
<Ralith>
there's certainly something listening by default on my config, since I had to explicitly turn sleep off myself
<gchristensen>
yeah I think they meant it just in the context of lockers? not sure
snajpa has quit [Remote host closed the connection]
<drakonis>
so, what now?
<zimbatm>
be can build it, don't ask about documentation though :p
snajpa has joined #nixos-chat
<zimbatm>
anyone has some VC money to throw at NixOS?
<drakonis>
i didn't know if i wanted to interrupt the conversation from earlier with the ibm buys red hat comment
<drakonis>
what's next?
<drakonis>
who's going to be the next big thing
* gchristensen
couldn't remember the "buildPhase" attr for stdenv...
<snajpa>
zimbatm: why would you want VC money? getting VC money == selling away your ideas *and* your soul...
<snajpa>
zimbatm: I think we've all got a solid base to do a nice distributed business upon, we don't have to centralize under big VC money
<snajpa>
that way no IBM can buy us :D
<Ralith>
the trick is to get VC money for something you don't actually care about
<drakonis>
bootstrap your business
<snajpa>
drakonis: that can be done without VC
<snajpa>
VC is about playing fast&loose
<drakonis>
yes
<drakonis>
that's the whole plan
<drakonis>
VC isn't exactly conducive to a long lasting business
<snajpa>
drakonis++
<{^_^}>
drakonis's karma got increased to 1
<drakonis>
you'd be home with the folks at barnacles and lobsters
<drakonis>
i'll go play the drinking game with the HN post regarding the buy out
<snajpa>
I think this has opened up an incredible opportunity where to get employees for our businesses guys :D
<drakonis>
i'll get drunk instantly
<drakonis>
its going to enable poaching lots of red hat developers
<snajpa>
if you can still find any solid guys there...
<snajpa>
from what I know from Brno, all the true hackers are long gone
<snajpa>
and there's only guys with mortgages left :D
<drakonis>
brno?
<gchristensen>
people with mortgages can be good hackers too X(
<drakonis>
^
* gchristensen
says, conspicuously mortgaged
<drakonis>
so, what happens now?
<snajpa>
gchristensen: did you get your mortgage after or before getting into NixOS? :)
<drakonis>
other than seeing a lot of folks move into other distributions and companies
<snajpa>
drakonis: biggest RH office is currently in Brno, RHEL7 engineering was 50% from Brno, RHEL8 is 100% Brno
<drakonis>
ah i see
<snajpa>
*release engineering
<drakonis>
RHEL8
<gchristensen>
after, but before it was anything to do with my job
<snajpa>
I wouldn't be too scared to take one now :D
<drakonis>
what's the long term plan now
<snajpa>
well, we wait till Dell acquires Canonical
<snajpa>
and then, distributed community-powered world domination?
<snajpa>
(by NixOS ofc I mean)
<drakonis>
not unlikely
<snajpa>
this NixCon really boosted my confidence that we're going in the right direction, trying to actually make some money on top of NixOS
<snajpa>
I mean, it was a nobrainer for low-people-count team and a nonprofit like vpsFree
<snajpa>
but seeing the guys who're able to make living off of NixOS this nicely.. I'm highly motivated to try that too (for me it'll be the embedded market mostly)
<snajpa>
and after talking to a few people there, I'm starting to believe we can even do this without a traditional LTS model (which is the basis of RH & Canonical's income)
<snajpa>
which is something truly amazing (and badly needed in this fast-moving world)
<zimbatm>
snajpa: the plan for the VC money was to fund the open source development and then go bankrupt :p
<snajpa>
I see :D then you need to add 'blockchain' in the pitch at least 3x, and you have a sure thing
<zimbatm>
it *is* a really bad idea :p
<zimbatm>
do a NixICO
<snajpa>
(wasn't that Cardano? :D)
<zimbatm>
yeah Cardano is funding some good nix development already :D
<snajpa>
good to know I lost money on a good cause :D
<zimbatm>
and Haskell as well
<snajpa>
lol omg I shouldn't have looked at current ADA value
* snajpa
goes to get some filtered air...
<zimbatm>
think about Nix and Haskell :)
<snajpa>
yeah... have to learn that Haskell so that I can say I've got all I could from my investment :D
<snajpa>
"learn you a haskell" has been lying on my desk for a while
<snajpa>
*laying
<drakonis>
fund the evolution of nix with that money
<andi->
we just need a way to print nix-coins that people actually want to have for whatever reason to fund the entire nix ecosystem ;-)
aszlig has quit [Quit: System is kerneling down for reboot NOW.]
<snajpa>
drakonis: I bought at $.37 :D
<drakonis>
hah
<snajpa>
so I wouldn't be able to fund much now :D
aszlig has joined #nixos-chat
<gchristensen>
ok, next question, is i3lock any good or is the only good one xscreensaver?
<andi->
works for me, haven't seen much wrong with it
<gchristensen>
iirc most-to-almost-all lockers are not so good
<andi->
doesn't come with an expiry date :D
<andi->
I have been thinking about reverting to xscreensaver instead but not sure if it is worth it.. I do not need the entire screensaver code.
<gchristensen>
didn't most lockers have trivial bugs like it just switched to a different terminal or something?
<andi->
the KDE locker is supposedly also not too bad - not a single issue or something I heard lately.. whatever that means.
<srk>
xlock used to crash
<andi->
I also read the big rant from the xscreensaver editor from a few years ago.. He has a point.
<srk>
good way to test a screenlocker is to let a cat sleep on your keyboard
<andi->
or just fall asleep on the keyboard.. ;-)
<drakonis>
wasn't there a full pypi packageset?
<andi->
That reminds me to look into the actual screensaver workings.. It always feels very fragile having one process that "protects" the machine
<zimbatm>
maybe switching to wayland will solve the screen locker situation?
<drakonis>
all available pypi packages
<drakonis>
zimbatm: wouldn't that be nice
<andi->
yet another item for the todo list
<zimbatm>
someone packaged sway 1.0beta2 in an overlay, I think I'll try it soon
<maurer>
I just use slock
<zimbatm>
the big nixcon todo list :)
<drakonis>
nur needs more packages
* andi-
types task and is present with the "wizard"..
<andi->
*sigh* I was in the process to manage that with nix... must have forgotten it -.-
<maurer>
(slock did have a bug in 2016, but you were only affected by it if your account expired or was disabled _while_ your screen was locked)
<maurer>
(or if you were doing some wonky thing with NSS)
<andi->
"X11 on a protocol level doesn’t know anything of screen lockers." is my main concern with the concept :/
<simpson>
It's true.
<gchristensen>
sort of weird that nobody has taught x11 about lockers?
<ivan>
physlock -s
<maurer>
gchristensen: His two objections there are vulnerability from another app with access to your X session looking like a screenlocker, and a screenlocker being unable to engage
<maurer>
It's not weird, X11 is a protocol, not just a library
<maurer>
if you want X11 to have screenlockers in the protocol (which I still think is of limited utility) you'd need a standards revision
<andi->
I have caught myself killing my screenlocker (xscreensaver, i3lock, and others) from another TTY because at some point all of them misbehaved
<andi->
haven't done so in a good ~2y or so
<gchristensen>
sure
<gchristensen>
don't we have the technology to do a standards revision? :)
<maurer>
Not really. There's not enough active devs and too many implementations
<gchristensen>
ok then we need to ditch it
<maurer>
Why?
<maurer>
I'm not convinced that either of his arguments are something we care about in X11
<gchristensen>
because we can't fix problems in the spec?
<maurer>
So, his two proposed problems are "You gave something untrusted access to your X and got tricked"
<maurer>
which is... silly. Down that road, you need to appify everything lest you get tricked
<simpson>
There's literally an X11 extension called "XFixes" which exists in order to get fixes for stupid broken core protocol.
<maurer>
and "sometimes, a screenlocker can fail to engage if another app is holding a resource"
<maurer>
That second one I suspect we could fix within protocol, it'd just be tricky
<simpson>
The main problem is what to do about various grabs and other stuff, as well as how to deal with the inevitable situation where the screenlocker process freezes and stops responding.
<maurer>
I mean, I'm pretty sure that if the screenlocker is frozen, there's no amount of protocol revisions that can save you
<ivan>
I temporarily switched from physlock to xscreensaver and within a few days my XFS hung my kernel for > 3 minutes causing systemd-logind to hit its watchdog and kill my Xorg restoring an unlocked text VT
<maurer>
(I also don't really think the timeout thing is actually a feature, but I know some folks disagree)
<gchristensen>
ivan: hhhnnnnngggg
<andi->
ivan: you start Xorg from a shell without using `exec`?
<maurer>
(My argument there is that you should be manually locking always, lest you leave a several minute window of vulnerability as you walk away)
<ivan>
andi-: indeed :-)
<andi->
ivan: use exec, please.
<drakonis>
roll homemanager into nixpkgs ty
<simpson>
maurer: Right, and so we have this clash between UX expectations and the realities of the network, and this is exactly the territory where many X11 wishlist items end up.
<ivan>
ah I was doing it wrong back then but I added startx() { exec /usr/bin/startx "$@" } soon after
<gchristensen>
$ function exec() { echo "$@" | rev; }
<gchristensen>
$ exec foo bar
<gchristensen>
rab oof
<Ralith>
X has been known garbage and broken for a long time
<Ralith>
there's a reason wayland exists
<simpson>
But Wayland deliberately disqualified itself early on from being X12.
<ivan>
I use NVIDIA and mozc and xte and easystroke
<simpson>
The reason Wayland exists is that its original author had a series of goofy ideas and was allowed to experiment in their free time by their employer.
<andi->
so whats the solution then? Yet another system/protocol/implementation/extension?
<simpson>
A more sincere decoupling of the systems that draw on the screen from the systems that authenticate, I suppose. Again, it's not obvious, and nobody knows for sure, including the folks who have been working on this for decades.
<andi->
I started writing more wrapper for every application I am using on my machines... I was talking to someone about how to properly isolate X11 using xephyr or whatever.. I fear that it is a short-term mitigation for the next 10-15y :/
<simpson>
X11 predates a lot of modern ideas in security.
<simpson>
TBF the entire concept of GPUs is kind of shitty for security, so it's all a wash.
<gchristensen>
so true
<andi->
I tend to go to extremes but doesn't that apply to all computer related things? It is easy to say everything is broken without actually improving it :/
<gchristensen>
you might be interested in michaelraskin's init
Synthetica has quit [Quit: Connection closed for inactivity]
<andi->
I think I looked at that.. We had the discussion about sandboxing etc.. and he said he had done it