<gchristensen>
that contains the whole boot chain up until mounting your disks, and then you're on your own
<elvishjerricco>
gchristensen: Ohhh right. Yea I'm not a fan of having to build a whole new massive image just to change kernel params
* andi-
ponders if supporting LUKS in gummiboot/systemd-boot is easier than the chain of issues he discovered with his Grub version
<elvishjerricco>
I have /boot on ZFS over LUKS. Grub is able to boot from that
<andi->
yeah but not systemd-boot :-)
<andi->
(if the kernel is encrypted)
<gchristensen>
elvishjerricco: on one hand I agree, on the other hand, eh, 20mb.
<elvishjerricco>
fair enough
<gchristensen>
my understanding is grub can handle zfs, but poorly at certain dataset sizes.
<elvishjerricco>
really? I'll have to watch out for that...
drakonis has joined #nixos-chat
<gchristensen>
clever: maybe you have info on that
<clever>
gchristensen: my understanding is that grub had trouble if /nix/store/ was over a certain size
<clever>
so you had to set a copy kernels flag, to force nixos to copy them to /boot/ even if it's on the same dataset as /nix/store/
<elvishjerricco>
clever: Any idea why that was happening? Or a github issue or anything/
<elvishjerricco>
?*
<clever>
and the limit was more about dir child counts, rather than byte size
<clever>
i think it's since been fixed
<clever>
but i don't trust grub with zfs, because of all the other things it lacks
<clever>
so i always use an ext4 /boot/
<elvishjerricco>
clever: Other things like what?
<gchristensen>
just guessing, but maybe fanciness like compression / dedup / etc support
<clever>
it doesn't support the b-tree indexes in directory listings
<clever>
so it can't quickly scan a dir for a child
<clever>
and has to instead iterate over every single child
* clever
eyes /nix/store again
<clever>
it also doesn't support the journal and rollback
<clever>
so if you have an improper shutdown, grub will just read the corrupt data, rather than recovering
iqubic has quit [Ping timeout: 250 seconds]
<colemickens>
protip, it helps to get your math right when doing fancy stupid overlapping FS stuff
<gchristensen>
oops what happened? :)
<colemickens>
put a LUKS volume at the end of my drive, but bad sector math means that I put it roughly in the middle of an NTFS partition that I filled with data last night. Turns out I have a bad superblock now, go figure.
<colemickens>
as it turns out 420M sector offset is not sufficient when the existing partition ends at 600M sectors. I honestly have no idea how I messed this up this badly.
<colemickens>
Luckily they were historical archives that aren't really important, still feels bad.
<gchristensen>
oh mann
<clever>
colemickens: probably would help to let the kernel do the offset for you, via /dev/sdaX
<colemickens>
Yeah, I said "fancy stupid stuff" for a reason. :|
<clever>
the ext2/3/4 fs doesn't have to match the partition size
<clever>
resize2fs can shrink an fs, or just extend the partition and don't resize2fs it
jackdk has quit [Remote host closed the connection]
jackdk has joined #nixos-chat
<colemickens>
clever: hm, I thought I was following, but I'm not sure where you're headed with that.
<clever>
hiding your luks volume in unused space, inside a partition
<clever>
between the end of an ext4, and the end of a partition
<colemickens>
interesting. That way the disk looks fully partitioned at first glance.
<colemickens>
another nice bit of indirection, I like it.
<clever>
the only way to find that, is to know exactly how much overhead ext4 has, and compare `df -h` to `fdisk -l`
<clever>
or to destructively run resize2fs, and see how much df -h grew
<colemickens>
I might write/script this up (so that I can maybe have someone sanity review it and/or unit test it) and try it again since this whole drive can probably just be blanked.
<clever>
"well, there was a 2gig luks volume at the end"
<clever>
WAS being the key word :P
<colemickens>
clever: surely ext4 is keeping some metadata on its size somewhere that you could compare to what the part table says?
<clever>
debug2fs may show that
<clever>
*looks*
<colemickens>
well, I even had the partition boundary protecting me, had I done basic math right
<clever>
/dev/sda2 on /boot type ext4 (rw,relatime)
<colemickens>
like, it's not even hard math, it's multiply by 512, subtract two numbers and I still got it wrong
<clever>
/dev/sda2 146341888 147390463 1048576 512M 83 Linux
<clever>
> 1048576 * 512 / 1024 / 1024
<clever>
512
<{^_^}>
512
<clever>
exactly 512mb
<clever>
finding the next util...
<clever>
[root@amd-nixos:~]$ debugfs /dev/sda2
<clever>
debugfs 1.44.4 (18-Aug-2018)
<clever>
debugfs: show_super_stats
<clever>
Block count: 131072
<clever>
Block size: 4096
<clever>
> 131072 * 4096 / 1024 / 1024
<{^_^}>
512
<clever>
colemickens: yep, that matches the partition size perfectly
<clever>
that also tells you what offset to start your luks at
<colemickens>
nice
<colemickens>
heh, I think a partition with a shrunken FS inside might be more suspicious than just some unpartitioned space on the disk though?
<clever>
depends on how closely they look at things
<clever>
some may not notice the shrunken fs, and just assume it's fs overhead
<clever>
Filesystem Size Used Avail Use% Mounted on
<clever>
/dev/sda2 488M 95M 358M 22% /boot
<clever>
df claims it's 488mb
<clever>
that's 24mb off!
<colemickens>
I was just going to say, it's unexciting and stored next to my Trezor so presumably they'd just be interested in the Trezor and leave my backups, lol
<clever>
they will just assume it's fs overhead, if they don't know this low level stuff
<pie_>
ugh I'm probably interested in the scroll but tired
* pie_
copies it for later
<colemickens>
The NixOS challenge has turned into writing an autounattend.xml for Windows now
<colemickens>
someone save me from myself
<gchristensen>
oh jeeze
<colemickens>
I'm having a pretty cool weekend. I was on Win10 insiders and upgraded my "Storage Space" to a version that Win10 stable can't read.
<colemickens>
Didn't realize until I'd recustomized Windows again. So instead of re-upgrading, migrating data and re-installing again, I've been codifying my Windows tweaks as a powershell script.
<colemickens>
with autounattend.xml + the script I should be able to get pretty close to my ideals. NixOS still puts it to shame, of course.
* colemickens
shouldn't admit to these amateur-hour mistakes on my real name handle.
<gchristensen>
LOL no worries :)
iqubic has joined #nixos-chat
jasongrossman has joined #nixos-chat
LnL has quit [Quit: exit 1]
<gchristensen>
hrm. since my / starts empty on each boot, root doesn't have any channels and I can't nixos-rebuild switch --upgrade :D
<iqubic>
Your / starts empty?!?! Where does your data live?
<gchristensen>
I have a filesystem for /nix, /boot, and /home
<iqubic>
And why doesn't root have any channels?!?!
<gchristensen>
NixOS is perfectly happy enough to start with an empty /, as long as /nix has the stuff it needs
<iqubic>
What sort of bizarre nixos spin are you running?
<gchristensen>
and root doesn't have any channels because channels are tracked in each user's home directory, and root's home directory is erased on every boot
<gchristensen>
uhh... I decided to do some wacky stuff last week :)
<clever>
lines 75 and 79 tell it to trust the hash of the cert
<clever>
line 78 is optional, it embeds the entire cert into the ipxe binary
<samueldr>
I was thinking into investigating petitboot... just because I like doing things differently; considering the kernel can boot as EFI stub, if petitboot can work as an embedded initrd, I guess it can do a fine job as a bootloader for secure boot
<clever>
some targets are NIC boot roms, that are very tight on space
<clever>
so ipxe supports downloading the cert at runtime, and basing all trust on the fingerprint inside the cert
<samueldr>
and I think it supports EXTLINUX configs, so maybe nixos already works with it
<clever>
and line 65 is also optional and can be used separately, but in this case, is vital to security
<clever>
65 replaces the default script ipxe runs on boot
<lopsided98>
clever: have you tried keytool to change the certs on your desktop?
<clever>
and line 67 permanently enables requiring signatures
<clever>
gchristensen: i found a neat util on the wine appdb for ventrilo
<clever>
gchristensen: it used root and evdev, to sniff the keyboard for the PTT key, then it used the x11 api to fake A being pressed/released, directing the event to the ventrilo window
<gchristensen>
wow!
<clever>
because wine doesn't support the x11 PTT APIs
<clever>
wine can only detect the PTT key when any wine window has focus
<clever>
gchristensen: i just noticed, i have 960gig used on my nas /
<clever>
gchristensen: what would your trick have eaten? lol
<colemickens>
I'm trying to replicate your wiped root with BTRFS :)
<colemickens>
After the recent ZoL stuff I've been re-scared off of ZFS on Linux
<colemickens>
and my applications are uncritical enough that I can sacrifice to the btrfs gods when it comes to it
<colemickens>
the nice thing about making mistakes as often as I do is learning good habits and hygiene around backups (laugh-to-keep-from-crying emoji goes here)
<clever>
of note, a lot of apps keep state in /var/
<clever>
toxvpn, mysql, postgres, plex
<disasm>
yeah, /var on a server is pretty important to have a separate zfs mount for :)
<clever>
disasm: funnily enough, chrome tried to delete all my tabs over the weekend, i had to zfs rollback $HOME by ~48 hours to recover them
<disasm>
lol, a light floating window manager :) I thought the whole point of light window managers is to not have to use the mouse as much? :)
<clever>
disasm: then i discovered, i forgot to commit my latest changes for devops-1131!
<clever>
and rollbacks are one-way
<disasm>
clever: yikes!
<clever>
I've already retyped those changes, and have since moved ~/iohk/ to its own dataset
<clever>
so it's isolated from $HOME rollbacks now
<disasm>
smart :)
<clever>
i also enabled dedup
<clever>
so git worktrees are even cheaper
<disasm>
nice :)
<clever>
it's also cheaper to let cardano dump chains into ~/iohk/ now
<disasm>
yeah, my new laptop said it shipped last week, but when I got back, it still says awaiting shipment in fedex, so I don't have it yet, but I'm planning on setting up the new laptop much more organized (since I'll have 1 TB of disk to work with)
<clever>
but now i'm trying to figure out why / on my nas, has 960gig used
jasongrossman has quit [Remote host closed the connection]
jasongrossman has joined #nixos-chat
<jasongrossman>
like NixOS for three reasons:
<jasongrossman>
1. It's elegant.
<jasongrossman>
2. It has good rollbacks.
<jasongrossman>
And, most importantly, 3. It's so much fun when a big channel update works.
<Arahael>
And 4. Much nicer dependency management and checking.
<jackdk>
5. Good community, fast reviews and merges
<jasongrossman>
I'll accept those, yes.
<colemickens>
I'm sort of at a loss. Windows unattend.xml only allows specifying disks and partitions in incrementing index numbers.
<colemickens>
nothing specific, no partlabels or uuids. Apparently you can't even rely on ordering between install/removable media and (maybe-)disks. So I don't really know how you can generically automate it at all, really. It seems dependent on machine, harddrive config, possibly the usb used, etc.
endformationage has quit [Quit: WeeChat 2.3]
<jasongrossman>
colemickens: I feel your pain.
<colemickens>
clever: in justdoit, why do you add the script to "System.build.justdoit"? Is there something you can by it being a property on system.build ?
<sphalerite>
my guess would be convenience for building just the script
<sphalerite>
joepie91++ your rant on VPN services just came in handy again
<{^_^}>
joepie91's karma got increased to 4
jasongrossman has joined #nixos-chat
jasongrossman has quit [Remote host closed the connection]
jasongrossman has joined #nixos-chat
<joepie91>
\o/
<gchristensen>
joepie91: that article about your hackerspace is great
<joepie91>
indeed :D
<joepie91>
so is the hackerspace :P
<Taneb>
Almost makes me want to move to the Hague
<gchristensen>
joepie91: what was your involvement w.r.t. the initial creation of it?
<joepie91>
gchristensen: of the hackerspace? none
<gchristensen>
aye
<joepie91>
I rolled in later :P
<elvishjerricco>
o_O I'm using `nixpkgs.fetchgit` on a repo with submodules. Not only is it unable to find the rev of a submodule that obviously exists IRL, but it's also referencing `/home/will/.ssh` in the build log. How on earth is it getting my home dir? I thought multi-user nix and especially sandboxing eliminated any chance of that
<Taneb>
elvishjerricco: iirc fetchers can circumvent the sandbox, if they have an expected hash
<elvishjerricco>
Taneb: I know they can get networking, but I'm surprised they can see my home dir
<gchristensen>
yes, they still run as nixbldN -- but do have wider access to the FS
<elvishjerricco>
gchristensen: But why would my home dir path even show up?
<gchristensen>
right, I don't know, that is very bizarre
<infinisil>
My urge to get it has increased substantially
<gchristensen>
oh nice
<sphalerite>
fancy fancy
<sphalerite>
same price = still expensive :')
<sphalerite>
ooh matte 4k screen
<infinisil>
I'm thinking of it as paying for freedom, so I don't mind the price too much
<infinisil>
:P
<infinisil>
And supporting development of FOSS in general
<sphalerite>
yeah…
<sphalerite>
it's just a lot of money
<samueldr>
coreboot!
<samueldr>
that's a given, the next portable computer I get *has* to be based off coreboot and allows flashing it
<gchristensen>
and actually, pricing and specs wise, it competes with a dell xps
<gchristensen>
so while it is a lot of money, there isn't a steep FOSS surcharge on top
<gchristensen>
a bit more expensive, but not hugely so
<infinisil>
Ah nice to know :o
<samueldr>
to me the price looks fine considering the economy of scale
<joepie91>
oh, librem is competitive now?
<samueldr>
(which they probably can't profit from as much)
<joepie91>
this is good news
<gchristensen>
fairly, yeah, joepie91
<__monty__>
samueldr: Not having to include the OS license price means a bit more margin though, no?
<gchristensen>
not $-to-$ competitive, but "yeah, a couple hundred bucks is reasonable" competitive
<__monty__>
Or does Dell do windows
<__monty__>
-less devices.
<joepie91>
well yeah, I did mean the looser definition of flexible
<joepie91>
__monty__: yes
<samueldr>
they do windowsless devices
<joepie91>
eh
<samueldr>
but also, at their scale, the licensing price is probably peanuts?
<joepie91>
the looser definition of competitive*
<joepie91>
I have no idea how I came up with 'flexible'
<joepie91>
samueldr: a few years ago it was ~10-40 EUR per license for large vendors
<samueldr>
"peanuts"
<joepie91>
this is known because you can claim it back in the EU :P
<samueldr>
it's not 250
<__monty__>
samueldr: Why would microsoft give them a volume deal? What else are they gonna put on it, linux?
<samueldr>
ah sure, then, probably 50% of the device price must be windows
<samueldr>
microsoft always had volume pricing schemes
<__monty__>
It was an honest question. Why would they do this? Cheaper than non-bundled I can see but why 1/5 the price?
<samueldr>
hm, honestly a good question
<samueldr>
though those licenses have different terms
<gchristensen>
so they buy 500,000 of them at a time and microsoft gets the money now, instead of buying them just-in-time and microsoft getting the money later
<samueldr>
e.g. linked to a specific unit (device)
<gchristensen>
(money now > money later)
<samueldr>
while a 250$ windows license can be moved freely* (might have issues with too many moves)
<__monty__>
Ok, good reasons. Still, 1/5th?
<joepie91>
__monty__: presumably a big reason is that they can motivate vendors to ship Windows that way
<joepie91>
which helps their market dominance
<joepie91>
Windows licensing fees are almost a formality at this point anyway
<samueldr>
I'm surprised that windows 10 hasn't been made freely available at some level, maybe like home up to XGB of ram or something like that
<samueldr>
(which still is bad, but eh, closed source software is bad)
<samueldr>
upgrades still cost much less than a full blown license
<__monty__>
Oh, yeah, true.
<LnL>
what the hell
<samueldr>
ah, though, windows licenses ARE free for OEMs for limited capabilities devices, e.g. cheap laptops with less than 4GB of ram and "weak" CPUs
<samueldr>
(reportedly)
<gchristensen>
LnL: the gif?
<LnL>
yeah...
<gchristensen>
:D
<infinisil>
I see natural selection can still work
<sphalerite>
joepie91: you can claim it back in the EU?? Shit, had I known!
<samueldr>
I believe it's not EU-specific, but it's done through the OEM vendor and here I haven't been able to claim it; it's (was?) part of the windows EULA
<samueldr>
(though it's been years since I bought something with windows so I don't have recent experience)
<gchristensen>
how do you avoid it?
<gchristensen>
I've been considering buying another laptop just for my consulting work... but, really, hoping someone buys it for me :)
<samueldr>
I don't buy new things with microsoft
<samueldr>
I still use my 2014 laptop which is surprisingly good for every task (and was mightily cheap)
<samueldr>
and the workstation I bought was used (2012-era) so not applicable there
<infinisil>
I'm still using my 2012 MacBook Air, which is slowly falling apart
<joepie91>
samueldr: it's become part of the EULA only because a court in EU mandated it :)
<samueldr>
(and funnily enough, the laptop was bought on the microsoft store at WAY less than elsewhere)
<joepie91>
before that it was just a 'suggestion' I believe
<joepie91>
but vendors wouldn't actually give you back money
<gchristensen>
I didn't think EULAs applied to you, joepie91?
<joepie91>
but now you can just contact your hardware vendor and claim back your license cost by indicating that you don't agree to the EULA and don't want to use it
<joepie91>
gchristensen: sure they do, they just have no special status, they're license agreements like any other
<joepie91>
and so cannot override law etc.
<gchristensen>
ah
<jasongrossman>
I'm still using a 2012 MacBook Pro, and I have two spares for when it breaks.
<gchristensen>
30 minutes in and ... it is annoying.
<__monty__>
Uhm, does that garbage collect except for the most recent 10 generations?
<LnL>
:D
<gchristensen>
it garbage collects everything which doesn't have a GC root
<gchristensen>
it doesn't ever remove generations
<__monty__>
Then what's the dates about?
<gchristensen>
it runs every 10 minutes
<__monty__>
Oh.
<__monty__>
: /
<LnL>
gchristensen: some of the IFD features break when running a gc at the same time
<gchristensen>
yeah
<gchristensen>
... yeah.
<__monty__>
I wish there was an easier way to remove and collect everything but the last x generations.
<__monty__>
I always have to manually list them.
<LnL>
__monty__: nix-store --gc has some flags
<__monty__>
LnL: But that doesn't handle generations, does it? Didn't see something like a --keep 10 flag or something.
<LnL>
--older-than does, but I can't remember what else it can
<__monty__>
LnL: Then I still have to check how old each gen is.
<sphalerite>
I'd quite like a gc that deletes old store paths (determined by registration date)
<clever>
sphalerite: currently, it will prioritize invalid storepaths first, then delete everything in a random order until it hits the quota set by --max-freed
<elvishjerricco>
How can I be automatically notified whenever the GHCJS build in nixpkgs becomes broken?
<gchristensen>
are you a maintainer?
<elvishjerricco>
gchristensen: Thought I was. On further inspection, apparently not :P
<gchristensen>
be a maintainer
<samueldr>
were notifications re-enabled on hydra?
<elvishjerricco>
gchristensen: That's just `meta.maintainers = [lib.maintainers.elvishjerricco];` right?