gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<andi-> Does anyone here have a pijul nest account that works? I wrote two patches for carnix (rust editions & feature name quoting) that I'd like to contribute but I haven't gotten the signup mail in many months... :/
LnL has quit [Ping timeout: 244 seconds]
<gchristensen> I do andi-
pie__ has joined #nixos-chat
endformationage has quit [Ping timeout: 272 seconds]
pie___ has quit [Ping timeout: 250 seconds]
<elvishjerricco> TIL macOS can use a samba share for Time Machine. It's not very clever about it though. It just creates a sparse image file and formats it to HFS+.
<elvishjerricco> So now I'm trying to get my Linux machine to be discovered via bonjour/avahi over tinc so that my MacBook can automatically connect and backup no matter where I am. But first I want to make sure it doesn't get discovered on the local network (just in case there's issues with the same service being discovered on two separate networks).
<elvishjerricco> Would have thought `services.avahi.interfaces = [];` would be all I'd need, but it's still being discovered on the local net (the tinc net is currently disabled on the MacBook for testing's sake)
<iqubic> hello
<clever> elvishjerricco: i have a bookmark somewhere on setting up timemachine...
<clever> had, its missing now
<elvishjerricco> Luckily, `pkgs.sambaMaster` is just barely new enough :P No one's updated the samba packages in quite some time except minor security updates.
<elvishjerricco> Tried to do it myself but... patch files got the best of me
drakonis has quit [Quit: WeeChat 2.3]
jackdk has quit [Ping timeout: 245 seconds]
MichaelRaskin has quit [Quit: MichaelRaskin]
ninjin has joined #nixos-chat
ninjin has quit [Ping timeout: 256 seconds]
LnL has joined #nixos-chat
<tilpner> elvishjerricco: I've had more success statically registering the addresses of other tinc-connected devices
<tilpner> Specifically via one of the versions of https://github.com/tilpner/nur-packages/blob/master/modules/auto-tinc.nix
<tilpner> It currently uses dnsmasq, but that's not such a good decision either. The previous version just edited /etc/hosts appropriately, and that works well if all you need are hosts
<tilpner> The previous version (/etc/hosts) didn't support *.somehost.local -> somehost.local, so that's why I tried dnsmasq
<tilpner> But that doesn't work with tinc clients I can't use NixOS to deploy to (like Android devices), so I plan to host a DNS server on the entry system instead
<tilpner> (But if you decide my approach is bad, and you get avahi working, please ping?)
jasongrossman has joined #nixos-chat
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
__monty__ has joined #nixos-chat
jasongrossman has joined #nixos-chat
<sphalerite> elvishjerricco: any reason not to use netatalk?
<sphalerite> tilpner: I have the DNS thing set up myself, can share if you're interested
<tilpner> Yes, please do share :o
sdier has joined #nixos-chat
<sphalerite> tilpner: will do after lunch :p
<infinisil> Aw yeah, nix garbage collection finished with "314272 store paths deleted, 130521.82 MiB freed"
<__monty__> /wg 11
jasongrossman has quit [Ping timeout: 246 seconds]
<sphalerite> infinisil: I've never GC'd on my work laptop which I got in October :D
<sphalerite> going to be fun when I do
<sphalerite> (don't tell anyone about my laziness with the types :D)
<tilpner> Thank you, and don't worry, your secret is safe with me (and anyone else who downloaded the tar)
jasongrossman has joined #nixos-chat
ninjin has joined #nixos-chat
sphalerite has quit [Ping timeout: 268 seconds]
sphalerite has joined #nixos-chat
* lejonet downloads the tar and spreads it on github
<elvishjerricco> sphalerite: What would be the advantage of netatalk here?
<sphalerite> elvishjerricco: it speaks AFP, which is more "native"
<sphalerite> not sure if there are actually any real benefits though :p
<sphalerite> <tangent> Would be really cool to have time machine implemented with zfs snapshots server-side
<elvishjerricco> sphalerite: macOS speaks SMB just fine I believe. The issue is more with the avahi/bonjour part
<elvishjerricco> sphalerite: I'm guessing Apple will move Time Machine to a snapshot based thing if they can ever get it working on APFS (which supports snapshots)
<elvishjerricco> Otherwise, I had the idea of using gchristensen's macOS VM hypervisor concept with VFIO and a zvol to get ZFS features on macOS, but it's proving more complicated than it's worth :P
<sphalerite> :D
<LnL> the way timemachine currently works is really scary
<elvishjerricco> LnL: Why's that?
<LnL> it's a hack built on top of the hfs+ journal
<elvishjerricco> How so?
<elvishjerricco> sphalerite: Oh, AFP is apparently deprecated :P
<sphalerite> oh lol
<sphalerite> never mind me then :D
<sphalerite> is SMB the new recommended standard, or..
<sphalerite> ?
<__monty__> Why are we looking at APFS? Will nix soon need its 9 quintillion file limit?
<__monty__> : >
<sphalerite> nah we have zfs for that
<elvishjerricco> Apple's already using APFS for automatic local snapshots, with the Time Machine interface governing it. It's actually really nice for non-IT people, while essentially being zfs snapshot under the hood.
<elvishjerricco> Plus APFS encryption is pretty crazy. It allows per-file and even per-extent keys. I really really hope they open source APFS.
endformationage has joined #nixos-chat
<__monty__> I'm honestly pretty surprised all this encryption by default stuff hasn't caused massive outrage about data-loss yet.
<sphalerite> Apple has the keys lol
<__monty__> Is it just the apple fanboyism or is it actually not a big deal?
<__monty__> What?
<__monty__> So it's not encryption at all?
<gchristensen> I doubt they have the keys ...
<gchristensen> __monty__: why would encryption cause outrage around data-loss?
<__monty__> gchristensen: Because you can't access the drive if your device bricks? People have terrible backup hygiene and the T2(1?) chip makes it really hard to recover anything from the drive.
<gchristensen> Apple has trained its users to take backups with TimeMachine (which really is good from a UX perspective)
<sphalerite> also iCloud
<__monty__> I'd expect most apple users to only have a macbook at best though. That doesn't seem like a reliable backup target to me, no matter the ease with which you can set it up.
<sphalerite> iCloud.
<gchristensen> sorry, your expectations and my experience don't match, so I think I have to disagree
<andi-> Most mac users I know are also using time machine.. Whether the official one or a compatible linux based device doesn't matter for the argument.
<andi-> and I must agree that it is a great UX and other OSs didn't manage to do the same... Anyone using Windows Backups on their workstations? ;)
<elvishjerricco> __monty__: Can't any APFS disk be decrypted just by the user passphrase?
<__monty__> elvishjerricco: As I understand it, without that T1(2?) chip, no.
drakonis has joined #nixos-chat
<__monty__> gchristensen: So your experience is most apple users have 1. more than one computery apple device and 2. all use time machine?
<gchristensen> not more than one apple computer, but a backup target
<elvishjerricco> __monty__: Oh, just looked at the T2 security document. The actual keys are encrypted using UID/GID secret to the T2 chip. This is so that decrypting the disk requires the T2 chip which can protect against brute force attacks on weak passwords
<elvishjerricco> That's something I'd like to see configurable, but doesn't bother me
<gchristensen> like a plug-in USB disk, or a networked TimeMachine device
<__monty__> elvishjerricco: But this is the problem. For most people basically *anything* going wrong with their computer means losing this T2 chip. And I'm giving them the benefit of the doubt in ripping out the SSD here, mind you.
<gchristensen> oh you can't remove the ssd anyway
<elvishjerricco> Anything? Most problems are very nonfatal. Are you only referring to fatal problems?
<__monty__> gchristensen: That gets us back to backup hygiene. Plugging in an external disk is something people are likely to put off.
<gchristensen> well, they don't
<gchristensen> so
<gchristensen> you're really trying to make a problem here that I haven't seen
<elvishjerricco> gchristensen: I do think it's a problem that out of the box, losing the T2 does mean you lose your data. Apple should offer encrypted iCloud Time Machine. Maybe it's not a common problem, but it is a problematic default
<__monty__> What? Who's trying to create a problem? I'm merely sharing my surprise that there (seemingly) is no problem. I'm highly skeptical of your statements that there is no problem because basically every apple user does regular time machine backups.
<elvishjerricco> fwiw, very few of my friends do responsible backups. But most of them aren't mac users and we're all early 20's kids :P (and in fact the ones that do backup are mac users)
<__monty__> People used to complain about data-loss even without FDE so I'm surprised that adding not only FDE but an extra hardware component that makes it even more inconvenient to recover a drive has seemingly put a stop to people complaining about data-loss.
Guanin has joined #nixos-chat
<__monty__> I suspect it's marketing or something. "Lost your data? Well it's your own damn fault for not enabling time machine."
<elvishjerricco> __monty__: Fwiw, the margin between "i broke my T2 chip" and "i broke my whole SSD" is not that big. It's not likely that one becomes unrecoverable and the other doesn't.
<__monty__> I guess I was looking at it from an optimistic "people will attempt to fix things themselves and be outraged if it turns out they can't," angle. Maybe all these mac users are fine with losing the data for weeks to send their device to apple support.
<elvishjerricco> __monty__: I don't think it's reasonable to generalize to "all these mac users." Hence my wishing the T2 UID/GID component were optional.
<elvishjerricco> That said, I do think there are sufficient ways to work with the issue to not be a problem.
<__monty__> "All these mac users" is all mac users that have FDE and lost access to their data in this case.
drakonis has quit [Quit: WeeChat 2.3]
<elvishjerricco> __monty__: Right, I'm suggesting that that class of people doesn't necessarily all agree on whether or not they like the T2 chip.
<elvishjerricco> Hence, it'd be good for its key components to be optional
<elvishjerricco> Though I guess it really doesn't matter since the SSD isn't removable
<elvishjerricco> per gchristensen's point.
<__monty__> It's just that I expected some of those that don't like it to speak up. And some media outlets to pick up on it.
<gchristensen> there have definitely been unhappy users
<elvishjerricco> It has made the rounds
<elvishjerricco> There was a whole issue with the T2 when people realized linux didn't have a driver for it. Got a lot of blame for being "literally impossible to install linux on" (even though it's really just a driver issue)
<__monty__> Maybe I'm naive but if it's so quiet I haven't heard about it then nearly everyone around me hasn't either.
<elvishjerricco> It's been pretty minor
<__monty__> -.- The linux/mac intersection is not exactly a lot of people.
<elvishjerricco> surprisingly many actually.
<elvishjerricco> Of programmers who use macOS, a surprisingly large number of them dual boot Linux
<elvishjerricco> (in my experience)
<__monty__> I was expecting outcry outside of the linux/developer/techsavvy bubble.
<elvishjerricco> People outside that bubble likely aren't aware there's anything to outcry about.
<gchristensen> their imacs even raid0 two SSDs together and still
<elvishjerricco> Most people don't even turn on encryption and I'm pretty sure it's off by default.
<gchristensen> I think it is on?
<elvishjerricco> Is it? Now I need to check :P
<gchristensen> "Though the SSD in computers that have the Apple T2 Security Chip is encrypted, you should turn on FileVault so that your Mac requires a password to decrypt your data."
<__monty__> I laud apple for the steps they've taken to encrypt people's data btw. I'm not trying to bash apple for this (except for the T2 chip that just seems really annoying). I'm just surprised they haven't been publicly attacked over it.
<gchristensen> is the T2 really very different from a TPM?
<__monty__> Say what you want, encryption brings a decrease in UX with it.
<elvishjerricco> gchristensen: Huh. That link confuses me. I'll have to re-read the macOS security guide. It sounds like it's always encrypted but the keys are accessible through the T2?
<elvishjerricco> gchristensen: TPM provides measured booting. T2 has nothing of the sort
<elvishjerricco> But yea they provide similar sealing capabilities
<gchristensen> well think of it this way, SSDs are essentially 100% always encrypted with the key stored on the disk
<elvishjerricco> How's that?
* elvishjerricco doesn't know much about SSD internals
<gchristensen> SSDs have a random encryption key kept in its firmware, "secure erase" on an SSD is just "regenerate that encryption key"
<sphalerite> __monty__: I'd say "my laptop was stolen and then the thieves emptied my bank account" is a better UX than "my laptop was stolen" ;)
<elvishjerricco> Oh. Didn't know that was standard
<gchristensen> yea
<sphalerite> __monty__: err, other way round
<gchristensen> so the T2 does the same I guess
<elvishjerricco> Yea. Sounds like if you pretend T2 is just a builtin part of the SSD, then it's ultimately the same as just having a normal passphrase-encrypted disk
<gchristensen> well so SSDs turned out to be riddled with vulns allowing easy extraction of the key
<gchristensen> so apparently the T2 encrypts the same way the SSD does, no passphrase needed, just needs the key in the T2
<gchristensen> apparently, optionally, a passphrase can be added
<elvishjerricco> gchristensen: Right, so it's effectively unencrypted out of the box. But turning on filevault entangles the key with users' passphrases
<gchristensen> yeah I imagine so
<sphalerite> hot take: the T2 is kind of like a built-in yubikey.
<elvishjerricco> Thus: It's either unencrypted or just passphrase encrypted. Not significantly different from standard laptop disks
<elvishjerricco> sphalerite: Which defeats the purpose of yubikey :P
<elvishjerricco> I guess it only defeats the authentication purpose of yubikey. The T2 does do a good job of keeping keys and encryption algorithms off the main CPU/memory, which lowers the surface area of vulnerabilities.
<elvishjerricco> That is one thing TPM doesn't really do at all
<gchristensen> also presumably difficult to tamper with
<sphalerite> elvishjerricco: huh, TPM doesn't?
<elvishjerricco> sphalerite: Using TPM directly for encryption is... ill-advised. They're generally super slow. You generally just seal the actual encryption key with it. Then when you boot, you unseal it with TPM and keep it in main memory for the kernel to do all the crypto
<sphalerite> ah right
<elvishjerricco> You also can't just give the TPM a key and say "Hey, I'm gonna forget this key now. Remember it for me so I can ask you to encrypt stuff with it later."
<elvishjerricco> so no multi-key encryption using the TPM itself
<gchristensen> yikes
<sphalerit> ah
<elvishjerricco> Yea the TPM is really mostly about securing the boot process, not isolating crypto entirely like the T2
<gchristensen> so is the T2 more like an HSM
<elvishjerricco> What's HSM?
<clever> hardware security module
<elvishjerricco> Sounds like it, given the synopsis
<elvishjerricco> Plus a bunch of secure boot firmware
<gchristensen> https://www.yubico.com/products/yubihsm/ this is really cool btw if youre in the market for an hsm
<joepie91> gchristensen: proprietary though :/ as far as I can tell
<gchristensen> are there OSS HSMs?
drakonis has joined #nixos-chat
<joepie91> gchristensen: nitrokey afaik
<joepie91> oh
<joepie91> "Nitrokey HSM is based on SmartCard-HSM and therefore contains proprietary components of other vendors."
<joepie91> :(
<elvishjerricco> Note: Using that for disk encryption would limit you to the bandwidth of the key.
<etu> joepie91: Nitrokey doesn't have an HSM (in their regular USB keys at least)
<__monty__> How does a yubikey compare to hardware wallets for cryptocurrencies?
<elvishjerricco> Hm. Is there a HSM device mapper for linux? Would be cool to encrypt a disk without ever giving the key to the kernel.
<gchristensen> no idea
<gchristensen> tilpner: I did eventually switch to zfsunstable after taking some snapshots
<elvishjerricco> gchristensen: What'd you switch to zfsUnstable for?
<gchristensen> so I could test linux 4.20 to see if it fixed GPU problems on the dell xps 9380 (it does)
<elvishjerricco> gchristensen: i thought it was 5.0 that didn't work with ZFS stable
<gchristensen> 4.20 too
drakonis has quit [Quit: WeeChat 2.3]
Guanin has quit [Ping timeout: 258 seconds]
<__monty__> How do flatpak/snap handle security updates? I ask here because a common criticism of nix is it requires rebuilding the world for a security update.
<gchristensen> yeah, I don't really think that is much of a valid concern
<gchristensen> we can rebuild the whole tree in <24hrs, and that doesn't put us at a disadvantage when compared to other distro response times
<__monty__> It still sounds like potentially a big deal if you have to update a huge cluster of machines tbh. Comparing transferring a single .so to transferring all of the closures that depend on that .so.
<gchristensen> ah, sure
<__monty__> Especially if all that really changes is that .so, it's an undeniable shortcoming imo. But I didn't really want to talk about that. It's a trade-off everyone has to make for themselves.
<__monty__> I just wonder how flatpak et al compare.
<gchristensen> I'd expect to be similar to docker, and also nix
<__monty__> Since those projects sound like they have somewhat similar goals.
<gchristensen> but I don't know
<gchristensen> I think the CAS RFC is very exciting, it has the opportunity to make updates as small as a single package update
<__monty__> CAS RFC?
<gchristensen> yeah, right now output paths are calculated by the hash of the input. the CAS RFC (17 I think) would add a follow-on step of hashing each output, and renaming each output based on its content
<elvishjerricco> gchristensen: I'm still pretty skeptical of that. Things like to know their output paths at configure time...
<gchristensen> yeah, there are problems to work out
<elvishjerricco> any compressed files, or files that format strings weirdly, will foil any rewrite mechanism
<gchristensen> for sure
<gchristensen> so, right, it may not work in all cases
<gchristensen> but would it work for stdenv stuff? probably so
<elvishjerricco> gchristensen: Fair enough. Would this be a feature that a derivation must opt in to?
<gchristensen> dunno!
<elvishjerricco> That'd be good enough for me
<gchristensen> michaelraskin would of course prefer it be a tristate
<gchristensen> known-good, known-bad, unknown
<elvishjerricco> What would that be for?
<gchristensen> well he's advocated for that tristate in nixpkgs for enabling parallel building
<gchristensen> and I assume he'd argue the same for CAS :)
<elvishjerricco> What's the point though? Don't you essentially have to treat unknown the same as known-bad?
<gchristensen> with a corresponding nix option, you could do automated exploration
<elvishjerricco> Ah ok
<gchristensen> set nix by default assume-tristate-broken=true, but try setting it to false and then rebuild everything and see what works
<elvishjerricco> Yea that's a cool idea
drakonis has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 258 seconds]
<gchristensen> was USB-C a mistake?
<samueldr> the UX of USB-C was: not knowing what the cable or socket does
<samueldr> can I power the device from that one? can this cable do thunderbolt? does it do DP or HDMI alternate mode?
<samueldr> is it usb 2.0, 3.0, 3.1?
<samueldr> because yes: USB-C can be usb 2.0
<gchristensen> no!
<samueldr> tell that to many usb-c toting cellphones
<gchristensen> good grief, I thought the tech support person I was just talking to was just misunderstanding
<samueldr> oh, does it do passive audio?
<gchristensen> oenuthoneuth?
<samueldr> some usb-c -> 3.5mm jack are passive, others have a DAC
<gchristensen> please take me back to USB-A, I promise I won't complain about having to rotate the plug three times
<disasm> interesting
<samueldr> passive needs the host to handle it
<samueldr> active generally is fine IIRC, but I'm not sure how it meshes with 2.0 devices
<disasm> my complaint is the dongles to adapt to usb-a devices :)
<samueldr> fun fact: passive and active cannot be distinguished by the price point
<disasm> on my macbook I had a low profile headset usb plugged in, now I have a 6 inch dongle hanging off my laptop
<gchristensen> I have a thunderbolt dock which only works if plugged in to the left side's USB-C ports
drakonis has joined #nixos-chat
<gchristensen> additionally, the BIOS comes configured to not trust Dell's own docks by default so I had to manually authorize the cable and the device. once I do that, if I unplug and replug the USB-A keyboard and mouse my computer will see them, but then the first key I press gets virtually stuck down until I unplug the dock
<disasm> yikes
* samueldr sweats profusely
<samueldr> to be fair, my personal experience with USB-C's horrors is limited, but all research and all experience from people close to me point towards: yes, it was a mistake
drakonis_ has quit [Ping timeout: 252 seconds]
<samueldr> features should have been given clear codes, and be forcibly written on the device themselves, e.g. C:3,TB,DP
<samueldr> you wanted something complicated, well you won't have a good UX without that
<elvishjerricco> I dunno if it was a mistake so much as a bad execution. For most non-IT people it's been a significant improvement.
<samueldr> until the HDMI dongle they're using doesn't work without any kind of error message
<samueldr> and USB-PD is also relatively bad
<gchristensen> "second system" syndrome
<disasm> fyi, this cheapy works great aside from a wayland bug if I unplug while the screen is locked: https://smile.amazon.com/gp/product/B01C316EIK/ref=ppx_yo_dt_b_asin_title_o02__o00_s00?ie=UTF8&psc=1
<disasm> probably not as many ports as your dell dock though, but gives me hdmi, a single usb port and ethernet, which is all I need :)
<disasm> gchristensen: other than your lightning dock, you liking your laptop?
<gchristensen> yeah pretty good
<gchristensen> I'm a full convert to 13" laptops now
<gchristensen> wishing my 15" wasn't
<elvishjerricco> I've never even seriously considered less than 15"
<gchristensen> me too until I started needing to carry it through airports and to EU what-not a few times a year
<disasm> gchristensen: I love how the light under the trackpad flashes yellow when my battery is about to die :)
<gchristensen> oh does it flash?
<disasm> yeah, I'll be working on something, see the light flash and be like gotta find the charger quick!
<gchristensen> oh cool
<__monty__> I have the same feature on my T400. Whenever the display turns on I need to find the charger, quick!
<gchristensen> haha
<elvishjerricco> what laptop is this?
<disasm> although it also seems to go into a suspend state. I've not made it to the charger a few times and when I plug it in and power on it flickers sway back on and I just login and everything as it was
<disasm> elvishjerricco: new xps 13
drakonis1 has joined #nixos-chat
<gchristensen> disasm: did you see the sleep state fixup in nixos-hardware?
<disasm> checking...
<disasm> ooh, there's a 9380 now :)
drakonis has quit [Quit: WeeChat 2.3]
<colemickens> gchristensen: you mentioned windows support, is there an upstream issue/PR for it?
<colemickens> I randomly just noticed that @volth has a nixpkgs-windows with some commits on it as well. https://github.com/volth/nixpkgs-windows/commits/windows
<colemickens> was curious if those were congruent efforts or if not, if they could/should be.
<gchristensen> I dunno, I use windows as little as possible
<colemickens> I guess your comment was more about cross-compiling.
<gchristensen> as little as possible is already more than I would like :-)
<colemickens> fair enough, a position I sympathize with
drakonis1 is now known as drakonis
ottidmes has joined #nixos-chat
<ottidmes> anyone have experience with code reviews on GitHub? it seems that this feature is only supported with PRs, so I might use this method (basically creating a branch and a PR with all code in it): http://astrofrog.github.io/blog/2013/04/10/how-to-conduct-a-full-code-review-on-github/
Moredread[m] has joined #nixos-chat
lopsided98 has quit [Remote host closed the connection]
lopsided98 has joined #nixos-chat
__monty__ has quit [Quit: leaving]
<joepie91> a slightly different kind of outage... Hetzner is currently experiencing support delays, because of their nuremberg location being evacuated over an unexploded WWII bomb...
pie__ has quit [Ping timeout: 250 seconds]
<gchristensen> joy
<LnL> jeeze
<andi-> I blame the Americans!!1 ;)
<gchristensen> at least one other country could have put it there..!
<mdash> if i ever build a datacenter, i'm definitely gonna build it on an unexploded bomb
<andi-> at least hydra isn't there :)