gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<Shados> Heh. The majority of questions I've ever asked on IRC have gotten no answer, primarily due to falling into the category of "no one else here has ever run into the issue, and understandably nobody wants to dig through the code to figure it out". Although... there was one time I asked a ddc-related question on #intel-gfx, and someone responded, believed they knew the issue, then wrote me a kernel patch to fix it, which worked.
<ashkitten> i asked for help with something on the grafana forums a month ago, someone responded and said they'd write a plugin for it, haven't heard from them since
drakonis_ has joined #nixos-chat
Drakonis has quit [Ping timeout: 252 seconds]
cjpbirkbeck has quit [Quit: Quitting now.]
Myhlamaeus1 has quit [Remote host closed the connection]
Drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 252 seconds]
drakonis_ has joined #nixos-chat
Drakonis has quit [Ping timeout: 252 seconds]
endformationage has quit [Quit: WeeChat 2.5]
<eyJhb> samueldr: haha, thanks! :D
Jackneill has joined #nixos-chat
__monty__ has joined #nixos-chat
veske has joined #nixos-chat
<joepie91[w]> Shados: I'm in that same boat :( my use cases are apparently too weird for people to have an answer to them
<Shados> Yep
jackdk has quit [Quit: Connection closed for inactivity]
<Taneb> Recommendations for UK webhosts that'll let me install NixOS for hosting a static website?
<joepie91[w]> Taneb: Inception Hosting
<joepie91[w]> (their KVM VPS services)
<joepie91[w]> Taneb: 18.09 is in the ISO list, you may need to ticket them if you want a newer ISO (though it shouldn't be an issue, usually you can install newer channels from older ISOs anyway)
<Taneb> joepie91[w]: thanks, I'll check them out
<ivan> you can take a host's Debian/Ubuntu install and nixos-infect it
<Taneb> Well, then I'd need to ask for recommendations for UK webhosts that'll let me install Debian/Ubuntu, convert it to NixOS, and host a static website, and that's a more niche question I feel
__monty__ has quit [Ping timeout: 244 seconds]
__monty__ has joined #nixos-chat
<qyliss> I run NixOS on bitfolk
jackdk has joined #nixos-chat
Jackneill has quit [Ping timeout: 244 seconds]
Jackneill has joined #nixos-chat
__monty__ has quit [Ping timeout: 258 seconds]
__monty__ has joined #nixos-chat
<eyJhb> Anyone that have any thoughts, on how to serve a CA you need to download? I would like to disable HTTP completely for the domain that gives the cert (apache server you download it from), and only allow HTTPS connections to it. But some want http -> https redirectcion
<eyJhb> redirection
<ashkitten> why would you not want redirection?
<eyJhb> ashkitten: basically it opens up for people using HTTP instead of HTTPS as "it works", and would allow for MITM.. And, seeing as it is a ca that needs to be installed, it could cause many issues
<ashkitten> that's not how redirection works
<das_j> it's more like TOFU
<ashkitten> if you do a global redirect on the http side, it will only serve the redirect
<das_j> just send a permanent redirect instead of a temporary one
<eyJhb> It is a one time hit
<eyJhb> Chances are they will only use that website once, so assume no previous contact with that domain
<eyJhb> website => domain
<das_j> also send the HSTS Header when the HTTPS connection is established, so the client should never attempt to connect via HTTP again
<eyJhb> We do that, but again, assume the above
<das_j> If you want your domain in the source of the next version of your browser: https://hstspreload.org/
<eyJhb> das_j: nope, that requires all subdomains to serve using HTTPS, which they don't
<eyJhb> There are over 10.000 subdomains
<das_j> there is no excuse for not deploying https
<eyJhb> das_j: there actually is, sadly...
<das_j> do you administrate the subdomains?
<gchristensen> itsatrap.jpg
<eyJhb> Seeing as some things aren't "deployed", but rather test or development
<das_j> reverse proxy them
<eyJhb> Depends on how you define administrate subdomains
<das_j> would you have to roll out https there? If not, why care about some setups breaking?
<eyJhb> Wouldn't work in this case, assume university with student projects
<das_j> oh
<das_j> oooohhhh
<eyJhb> If it was a company, like, you could just say "screw you"
<das_j> so no HSTS for you
<eyJhb> So basically.. Cannot do HSTS preload, cannot use permanent redirect (seeing as it is properly a one hit), currently using HSTS header when you have accessed the HTTPS site once
<das_j> you CAN do a permanent redirect
<eyJhb> My main concern is people linking to the http version, and just thinking "hey it works, so I use this one"
<eyJhb> But that wouldn't mitigate an initial attack
<das_j> yep
<das_j> that's the way the web works
<eyJhb> I would much rather just call people idiots, use https, on this single domain
<eyJhb> But I really really wish we could do HSTS preload..
<eyJhb> Next best thing would be to send the HSTS header for all subdomains/domains we can
<das_j> yes
<das_j> close enough
<das_j> closest you can probably get
<eyJhb> Yeah...
<eyJhb> Has anybody experienced browsers that interpret an HSTS header on a subdomain to be global? I am getting some mixed signals when reading about it
<eyJhb> e.g. foo.bar.com -> hsts header, would enforce it on then bar.com or *.bar.com
ma27 has joined #nixos-chat
veske has quit [Quit: This computer has gone to sleep]
Jackneill has quit [Ping timeout: 245 seconds]
Jackneill has joined #nixos-chat
__monty__ has quit [Quit: leaving]
<joepie91[w]> eyJhb: there is an includeSubdomains flag that controls this
ma27 has quit [Quit: WeeChat 2.4]
jackdk has quit [Quit: Connection closed for inactivity]
<das_j> Oof, rsync is really nice. I just wanted to copy files from smb to a thumbdrive. Turns out, it cannot write the permissions (exfat). So what would rsync do? Correct! Copy 20GB into my RAM (took about an hour) and then notify me it cannot write anything and die
<das_j> Thanks for that
<gchristensen> oops
<gchristensen> this is way beyond the acceptable rate of nopes-per-sentence If your Linux distribution is using Wayland as the X server (e.g. Ubuntu 17.10, Fedora 25), the installer run as root may fail with "java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11GraphicsEnvironment". To fix this, you must first allow the root user to access the X server, by running this command (from your user account,
<gchristensen> not root) prior to running the installer as root: xhost +SI:localuser:root
* samueldr googles on bing how to delete another user's irc message
<gchristensen> :D
<gchristensen> I used to have a nix expression for this thing... I can't find it though :(
<gchristensen> it is this insane shell script
<das_j> Protip: xhost +
<das_j> Disables all access control
<das_j> who needs that anyway
<gchristensen> nonono
<colemickens> Software that is being updated to work in a Wayland desktop, but is still packaged as a standalone Java installer. I probably don't want to know.
<eyJhb> joepie91[w]: you might have misread, I didn't want it to include subdomains
<colemickens> favorite self-hostable RSS readers... go!
<adisbladis> rss2email
<gchristensen> I wish I had kept this dang nix expression
<averell> tt-rss, it's bad, but still best?
<gchristensen> somebody was asking for my oxygen expression... I wish i knew who
<das_j> ttrss
<das_j> best rss reader ever
<das_j> maintainer is the nicest person I know
<ar> is it still in php?
<das_j> yep
<das_j> frontend in dojo
<das_j> or is it dijit?
<colemickens> HAM[ 4 18:18:09 ] SEA[ 4 09:09:09 ] TOP[ 4 11:11:09 ]
<joepie91[w]> das_j: avatar says it all really
<colemickens> weird.
<das_j> joepie91[w]: yep
<das_j> it's a really close representation of his personality
Drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 258 seconds]
<joepie91[w]> das_j: in a way, I like that that meme got appropriated
<joepie91[w]> makes it really easy to filter out 50% of the people you don't want to interact with, on first sight
Drakonis has quit [Ping timeout: 252 seconds]
<eyJhb> pie_: oh boy do I have something for you - nc 165.22.27.164 777
Jackneill has quit [Remote host closed the connection]
* pie_ connects, watches his computer get reverse pwned
<eyJhb> pie_: yes! There is also a website on 8081, but it is actually a public known challenge from some other CTF
<eyJhb> I just use it for testing :p
<pie_> eyJhb, i like how help is not listed but if you send help it doesnt error :p
<eyJhb> Haha, true! It might be me who overlooked that in the original :p
<eyJhb> Fyi. I do not expect you to want to solve it, unless you are somewhat bored and love doing binary exploitation :p
<pie_> well, i got nothin
<pie_> my best guess is one of these fields might be overflowable but i'unno
<eyJhb> Have you looked at the source on the website pie_ ?
<pie_> i did lots of screaming into prompt but nothing broke
<pie_> oh i thought that was unrelated
<eyJhb> Ahh, sorry :% No the source is available there
<samueldr> I always feel that having access to the source so easily is like cheating :)
<samueldr> oof
<pie_> for some people source starts at the binary :P
<eyJhb> samueldr: well.. You could also extract the source, buuuut.. I would say it would take some extra time finding out where :p
<samueldr> even the binary
<pie_> ye
<eyJhb> Or.. Extract the bin
<eyJhb> I will not hide it, I .. Hate.. Binary.. Stuff..
<eyJhb> I spent waaay too much time on them
<samueldr> like your other CTF where I was going at it entirely blind and was attacking the wrong language :)
<eyJhb> And then they are just like "Ohh you needed to do 1+1"
<pie_> i prefer binary, but i somehow always end up doing the web challenges :I
<pie_> it seems easier i guess
<eyJhb> samueldr: my `ask nicely`, or my AWESOMEZ CALCULATORZ? :p
<eyJhb> pie_: web?
<samueldr> hmm, calculator IIRC
<pie_> "wrong language"
* pie_ proceeds to ask the computer in plain english
<samueldr> I saw that the server ran in python, so I tried attacking python :)
<samueldr> hoped for some eval() like thing in python
<eyJhb> Makes sense, many did that! But having source to command injection would be ez pz most of the time.. Or... I say that and remember FB CTF...
<eyJhb> Yeah, most did!
<eyJhb> pie_: you will not get far using that in this one :p
<pie_> i just figured bash is the stereotypical injection so eh
<samueldr> well, I assumed that way for the python one if it was an easy one, or that the "firewall" was thought to protect enough :)
<pie_> im yet to see code injection on anything else
<pie_> except object deserialization vulns, which i still cant do myself
<pie_> maybe ive done _one_ challenge with php deserialization
<samueldr> maybe less so since then, but like... oh no that makes me feel old... fifteen years ago php development practices (mostly from newbies) were fraught with injections
<samueldr> I remember the one website with index.php?file=something.php
<eyJhb> I found a command injection in some php/cgi not so long ago
<samueldr> where I could point to a plaintext php source output ending with PHP on another server and have injection running :)
<eyJhb> I wrote to them about it, and got an email a couple of minutes later saying they fixed it..
<samueldr> (I warned the owner beforehand that it was problematic)
<pie_> ehh rfi is different :D
<eyJhb> They just `rm -rf $site` :p
<samueldr> rfi is not that much different :)
<samueldr> it's an eval in sheep's clothing
<eyJhb> rfi => remote file inclusion?
<samueldr> I assumed so
<pie_> i guess
<colemickens> Google makes me so angry these days.
<pie_> havent really thought of it that way, but on the other hand i dont make my imports user controllable either so
<samueldr> radio france internationale?
<pie_> maybe i didnt need to
<colemickens> Try to find the repo for "nix-prefetch" with google. Drives me absolutely nuts.
<samueldr> oof
<pie_> colemickens, mood
<Ralith> colemickens: ddg has some special casing for github repos
<joepie91[w]> I really wonder what Google changed
<joepie91[w]> it's only the past few months that I've started seeing people complain about it everywhere
<pie_> probably doesnt help that they have to do something about all the seo spam
<pie_> or rather, idk if they are doing anything about that but
<colemickens> Funny, I typed "ddg" into Google right after the failed search and just about hit the roof. Maybe it's because I'm traveling too and they're doing some extra fuc... functional stuff to my queries, but WOW this is useless.
<samueldr> hm what, google for nix-universal-prefetch has a dang astro-turfer "gitmemory.com" site before my own repo :/
<colemickens> wait, there's nix-universal-prefetch in addition to just nix-prefetch :S
<samueldr> yeah
<pie_> wut
<samueldr> my repo isn't even in the first few pages, but the astro turfing one yeah
<colemickens> Can I make it output the revision for a tag too?
<samueldr> wow, even with quotes
<pie_> samueldr, its just a better site obviously
<samueldr> >> The output is only of the hash when it works, allowing it to be (ab)used in an automated manner.
<pie_> hmmmm
<colemickens> I finally got nix-prefetch to work with my overlay setup, and I can get it to find the sha256 for "master", but I can't get the tool to output an actual commit revision along with sha256 for a tag like "master".
<samueldr> this basically co-opts a nix instantiation to just try and do the fetch
<eyJhb> pie_: but you get the most fun that way?! Make your inputs user controlled!!
<eyJhb> I want LFI and RFI
<Ralith> colemickens: duckduckgo, if you were still wondering
<samueldr> outputting the hash would "not be feasible" considering this is meant to run *any* FOD output
<colemickens> Does the same thing, afaik ^
<samueldr> (in mine)
<samueldr> different approaches
<samueldr> at least, at the time it was developed
<samueldr> I haven't looked into that fetcher since the initial announce
<colemickens> I think it's a similar pattern, based on the readme, and when I think through it, it's not actually resolving the tag itself.
<colemickens> I think I just need to keep my bits of logic to determine revision from tag, and then I can use `nix-prefetch` or try yours.
<samueldr> mine will not do anything else than transmit options to the fetcher
<colemickens> (and I think some generic code for that task already exists in a nix-related project/repo somewhere too, but at this rate rewriting will be faster than finding it)
<samueldr> and wait for the hash
<samueldr> (though I did add -E support which is not documented yet)
<colemickens> Right, afaict that's what nix-prefetch does too. It just shoves "master" in the URL that gets fetched and then waits to see what pops out the fetcher error.
<colemickens> It will be curious to see what happens when a cargo lock hash changes, etc. :P
<samueldr> colemickens: what do you mean?
<colemickens> I'd like to be able to automate updating packages in my overlay to master, but I like to keep them actually pinned for reproducibility.
<samueldr> >> It will be curious to see what happens when a cargo lock hash changes
<colemickens> Right now I have it mostly automated by manually writing out a metadata.nix that each package uses to pull in rev/sha256.
<colemickens> But the Cargo packages need extra attention sometimes to update the cargoSha256 hash as well.
<colemickens> It would be ideal to be able to automatically update that as well, but ultimately it probably requires the same sort of workflow.
<joepie91[w]> bad hot take of the week
<colemickens> lawl
<colemickens> I thought they gave up on that anyway
Myhlamaeus1 has joined #nixos-chat
<joepie91[w]> heh
<eyJhb> samueldr: what script do you use for screenshots?
<samueldr> a horrible mess
<samueldr> custom
<samueldr> which ends up rsyncing to a dumb folder to my dumb server :)
<eyJhb> So... Basically.. scrot and then rsync?
<samueldr> kind of
<samueldr> it initially aimed to do more
<samueldr> so it has some way unneeded bits
<eyJhb> From 1 to 10, how much do I want to see that mess?
<samueldr> and I still want to re-do it with a slimmer approach, but that one (still) just works so I haven't taken the time
<samueldr> it's not *that* bad, but I'm not proud of it
<eyJhb> Can I see? I am curious now
<samueldr> while the repo's initial commit is 2 years old, it's way older than that
<samueldr> like 2014
<samueldr> at the very least
<eyJhb> I got SOOO confused by that URL for some reason
<eyJhb> It has samueldr in it and screenshot, so I immediately thought it was your website.. So the presented gitlab gui was confusing
<samueldr> it initially was intended to allow choosing how it uploaded, and actions to do with the url
<samueldr> it works, but is not nice
<eyJhb> Well. It would basically be nice if you just removed the things you don't use, as far as I can see at least
<samueldr> the dropbox bit was from before they changed the public folders
<samueldr> yeah, not so bad, but needlessly verbose for what it does
<eyJhb> Before they changed how?
<samueldr> initially the Public folder hierarchy was directly available at predictable urls online
<samueldr> so drop the file at the right location, slap your dropbox userid in front, there you have it
<samueldr> now it's all shared special urls nonsense
<samueldr> and they _removed_ the old scheme
<samueldr> breaking so many links
<eyJhb> I think it still.. somewhat works like the old way, or am I completely wrong?
<samueldr> I don't think it does anymore, unless they re-added it lately
<samueldr> I stopped using dropbox entirely at that point
<eyJhb> Yeah, you need to manually want to share it
<eyJhb> I just use Dropbox for the automatic upload of images.. And me not having to worry about losing them
<jD91mZM2> I love how nix is so powerful you can make your configurations easily... configurable. I just made a nix configuration read from `my-overrides.nix`, if present, to automatically override the source of a bunch of derivations to each local alternative, stripped out of binaries automatically. I especially like how you can give your own friendly error with `throw`
<jD91mZM2> ... and that's my daily nix praise lol, I'm going to bed
kraem has quit [Ping timeout: 258 seconds]
<joepie91[w]> jD91mZM2: amen?
<joepie91[w]> :P
kraem has joined #nixos-chat
zimbatm_ has joined #nixos-chat
zimbatm has left #nixos-chat ["Kicked by @appservice-irc:matrix.org : issued !quit command"]
zimbatm_ is now known as zimbatm
<jD91mZM2> joepie91[w]: Indeed. By the way, I took your advice and am no longer using a VPN! Hooray for saved money :)
<jD91mZM2> Oh, ah of course, I almost forgot
<jD91mZM2> joepie[w]++
<jD91mZM2> joepie91[w]++ you saw nothing
<{^_^}> joepie91[w]'s karma got increased to 1
<eyJhb> I feel like someone is manually writing in names? :p
<jD91mZM2> Haha yeah, I'm on phone as I shut my computer down for the night
<joepie91[w]> jD91mZM2: \o/
<eyJhb> joepie91[w]: still more than me!
<eyJhb> Testing/debugging CI is really one thing I hate.. But having Docker in Docker in Docker I hate even more
<andi-> oh yeah.. building docker images with docker to run them in the very same CI to run docker...
<eyJhb> It is more like.. the CI is running Docker, and I am running a Golang docker container inside that CI Docker, where I need to test my Golang which uses Docker to spin up containers
<jD91mZM2> $ git commit --fixup HEAD
<jD91mZM2> fixup! fixup! fixup! Fix CI
<eyJhb> The joys of being the only one.. Squash and force push :p
<eyJhb> Might work now !
Drakonis has joined #nixos-chat
drakonis1 has joined #nixos-chat
jackdk has joined #nixos-chat
kraem has quit [Ping timeout: 268 seconds]
kraem has joined #nixos-chat
<manveru> btw, can someone recommend a nice NAS for home usage? or should i just hook up a rpi?
* ivan spots 50,000 closed PRs on nixpkgs
<gchristensen> nice, ivan!
kraem has quit [Read error: Connection reset by peer]
<Ralith> a rpi seems unlikely to scale well for NAS use
<Ralith> depends on your requirements
<gchristensen> manveru: my "NAS" is just an old desktop with a bunch of drives.
kraem has joined #nixos-chat
<manveru> nothing fancy, mostly for backups...