<infinisil>
Aw man, I wrote a neat systemd service + socket I can use to view the webcam of my laptop, a la livestreaming on demand
<infinisil>
It's really cool
<gchristensen>
oh cool
<infinisil>
But it's totally insecure..
<infinisil>
The only thing I have it limited to right now is the IPs that can connect
<infinisil>
It's set to a 192.168.*.* IP right now, which means that if I go into some random wifi network, somebody else could just start my webcam and watch it..
<infinisil>
Which I don't like!
<gchristensen>
haha
<gchristensen>
minor problem
<samueldr>
listen to local only and ssh in to stream?
<infinisil>
samueldr: Ohh, you gave me a good idea
<gchristensen>
tieronezero?
drakonis1 has joined #nixos-chat
<infinisil>
I have all my machines connected through openvpn
<infinisil>
And I can restrict the socket to only listen on the vpn interface
<samueldr>
zerotier != network security :) only a way to discover afaiui
<samueldr>
(but I think when it tunnels it tunnels securely)
<gchristensen>
zerotier encrypts all its traffic unless you say no
<gchristensen>
:o just did a kernel compile in 5min..!
<samueldr>
even locally? (maybe probably so)
<gchristensen>
like if we're on the same LAN? yeah
<infinisil>
Because then traffic would leave my house, go to my server in germany, and return
<infinisil>
I don't mind the leaving and returning part, but I don't like unnecessary internet roundtrips
<infinisil>
It should be local
* gchristensen
motions seductively towards zerotier
<infinisil>
I'll do the ssh thing!
<infinisil>
Oh I can use unix sockets then instead of a network one
<infinisil>
Neat
<gchristensen>
nice
<gchristensen>
I did that recently for my keyboard injection software
<infinisil>
Ugh but then I need to set up some folder to put it in
<infinisil>
Trying to keep things simple
<gchristensen>
temp?
<infinisil>
When I ssh to the machine it needs to find the file
<infinisil>
Guess I'll use /run/cam/socket and tmpfiles to set up /run/cam
<infinisil>
Ah no, RuntimeDirectory :)
<infinisil>
Oh, can't have RuntimeDirectory for systemd socket definitions
<infinisil>
Actually I think I can, trying it out..
<gchristensen>
yesss nix-build my kernel is at 2min30s
<samueldr>
oooh
<samueldr>
any particular reason for slimming the kernel?
<gchristensen>
I'm playing with some VMs, and got tired of the enormous recompiles
<gchristensen>
but it is kernelBaseConfig = "allnoconfig", and the "common config" patched out
<gchristensen>
I can't seem to convince nix to produce vmlinux instead of bzimage
<gchristensen>
hmmm maybe I can't easily convince Nix to produce vmlinux directly?
<samueldr>
I've had similar annoying problems with mobile-nixos; our manual-config.nix for the kernel (which generic ends up calling) derives kernelTarget from platform, which isn't exactly right for what I'm doing either
<gchristensen>
interesting
<samueldr>
I have to re-do the whole kernel building infra of it, but right now I'm using overrideAttrs on linuxManualConfig and override installTargets to include whatever I need for it to work
<gchristensen>
hmmm
<elvishjerricco>
Hm. TIL iOS's emergency SoS mode (press lock button five times fast) is a little less secure than lost mode ("find my iPhone"). The former drops the master key from memory, as well as the key for all files in a certain data protection class. But it doesn't drop the key for the class that is default for third party app data. Apps can easily opt in to the more secure class. But in order to let them continue running in
<elvishjerricco>
the background while in SoS mode, the key for that class still needs to be in memory. Lost mode, by contrast, kills all apps, so it is able to drop that key.
pie__ has joined #nixos-chat
pie___ has quit [Ping timeout: 245 seconds]
jasongrossman has quit [Ping timeout: 246 seconds]
jasongrossman has joined #nixos-chat
<infinisil>
Finally did it (almost), I now have a window that exists on all xmonad workspaces, and it starts floating (not tiled) in the right position from the start
<jasongrossman>
Your dog will be delighted.
endformationage has quit [Ping timeout: 246 seconds]
<elvishjerricco>
gchristensen: You've used Time Machine over netatalk, right? If so, did you ever get unacceptably slow transfer speeds?
<elvishjerricco>
I've been tinkering with this for a while now and I'm starting to think I need to give up on it and look for a solution that was actually designed to work over the network.
<joepie91>
ldlework: fancy!
cbarrett has joined #nixos-chat
<ma27>
infinisil: in case you remember the discussion from last wednesday about config options in nixos modules where you referenced https://github.com/NixOS/nixpkgs/pull/56345: I personally think that in case of openssh we actually want more config options to provide strict validation. The main intention of this PR was to make it much harder to screw openssh config up as a revert with broken ssh can be quite
<{^_^}>
#56345 (by Ma27, 1 week ago, open): nixos/sshd: implement support for `Match` groups
<ma27>
painful.
__monty__ has joined #nixos-chat
<infinisil>
ma27: Ah yeah, thanks for the input, I might start with an RFC draft today
<aanderse>
infinisil: +1
<aanderse>
or how does that go... infinisil++ ?
<{^_^}>
infinisil's karma got increased to 59
<aanderse>
there we go
<aanderse>
infinisil: it will be interesting to discuss scope
<infinisil>
ma27: does openssh not have any way to check the config before it runs?
<infinisil>
Yeah :)
<aanderse>
what pieces of software are important enough to warrant options, what software should just have a config
<infinisil>
I think this will have to be on a case-by-case basis
<infinisil>
In general
<aanderse>
yeah, for sure, though some sort of criteria should be used as a guiding basis
<infinisil>
Yeah
<aanderse>
ie. whatever process your brain goes through to decide should be outlined
NinjaTrappeur has joined #nixos-chat
<gchristensen>
elvishjerricco: I never did, sorry
jasongrossman has quit [Ping timeout: 252 seconds]
<aanderse>
i can't seem to remember... i'm trying to run a nixos test interactively but it is in a file where there are multiple nixos tests defined, so nix-build nixos/tests/blah.nix -A driver does not work... can anyone remind me what i want to type for a specific test, say called test1
<sphalerite>
Does anyone know a tool for doing unicode normalisation on filenames?
<sphalerite>
__monty__: it doesn't look like that does unicode normalisation
<__monty__>
Guess I don't know what you mean.
<MichaelRaskin>
Unicode normalisation is converting valid but complicated Unicode to a more consistent valid Unicode
<MichaelRaskin>
For example, should e-with-accent be a single Unicode codepoint or e+combining-accent?
jasongrossman has joined #nixos-chat
<MichaelRaskin>
Hm, apparently iconv doesn't provide a cheap interface to normalisation…
<__monty__>
What's the point of it though? Bypassing broken unicode implementations?
<MichaelRaskin>
Well, searching in a normalised Unicode dataset is cheaper
<MichaelRaskin>
And there are more or less no non-broken Unicode implementations in use anyway.
<MichaelRaskin>
And having two files that have the same name represented as different UTF-8 is annoying
<__monty__>
It almost sounds like unicode's not terribly well designed : >
<MichaelRaskin>
It's almost as if Unicode is trying to solve a problem that is impossible to solve consistently, and tries to do it with limited resources and over long enough term that things change underneath anyway
<sphalerite>
^
<sphalerite>
Unicode is pretty good considering the problem it addresses
<sphalerite>
IMHO
<MichaelRaskin>
Unicode is pretty bad, but there is no way resources for a better solution would be allocated. People working on it did a fantastic job personally, and did a great job on maintaining processes, it is just not enough to solve impossible problems.
<__monty__>
But why is there latin small letter e with acute accent *and* combining acute accent + latin small letter e?
<MichaelRaskin>
Because in the initial request it was mandatory that the top-20 encodings have 1-1 translation into Unicode?
<__monty__>
Why do all standards have to start with "Please make sure all the crap from old standards still works, tyvm."
<MichaelRaskin>
Because Unicode already had problems with adoption as it was?
<__monty__>
Thanks for explaining the issue though. Another day, another bit of knowledge attained.
<MichaelRaskin>
Case study: IPv6 tried to drop a bit more legacy from IPv4, observe its adoption struggles
<__monty__>
It's not quite the same though, is it? IPv6 required lots of hardware changes so it's not abnormal that it'd be slower.
<MichaelRaskin>
I think to the current day a lot of software still doesn't have full first-class support for codepoint ≠ glyph in Unicode… so yes, it is not the same, probably worse
jasongrossman has quit [Ping timeout: 250 seconds]
<ma27>
infinisil: there's `sshd -t`, but it also validates the environment (e.g. are host keys set?), so we'd probably have to patch it for our needs. As this is not a critical change, I'd leave this PR open for now and wait for your RFC %)
<__monty__>
Cool projects. Anyone running something like webrecorder? How's disk space requirements?
<MichaelRaskin>
I only save HTML and text rendering (which I then read in an editor), which obviously doesn't have too much of storage requirements
endformationage has joined #nixos-chat
<sphalerite>
__monty__: because human language is the oldest legacy software we have ;)
<sphalerite>
ok, since iconv apparently can't do it, making rsync's --iconv option unhelpful for this, does anyone know a tool that will take a directory hierarchy and run all the filenames through an arbitrary filter?
<das_j>
sphalerite: can rename do this?
<sphalerite>
nope, rename only does simple pattern replacement
<sphalerite>
not even regex
<das_j>
oh
<das_j>
sounds like while read -r path; do mv; done < <(find / -type f)
<sphalerite>
except handling spaces and renaming of parent directories
<das_j>
oh
vikingman has joined #nixos-chat
<das_j>
I'm out
<sphalerite>
something something print0
<sphalerite>
there might be a find option that makes it order them suitably, not sure though