<ashkitten>
dear networking santa, i've been a very good person this year and for crimbo i'd really like wireguard mesh networking and automatic local peer discovery
<gchristensen>
hah
<ashkitten>
thanks to the power of ipv6 i can use wireguard with my desktop's globally routable address which i'm uncertain is stable but we'll burn that bridge when we get to it
<ashkitten>
hng, after a few days uptime i start getting "error: unable to fork: Cannot allocate memory" when running nixos-rebuild switch...
<ashkitten>
wow, nix really chews through an entire gig of ram
<ashkitten>
i don't have swap
<ashkitten>
what the heckie, i somehow broke ip forwarding
<ashkitten>
oh
<ashkitten>
dammit
<ashkitten>
i added wireguard peer definitions for each client but it doesn't fall back to the gateway if that device isn't available
<ashkitten>
i was hoping i could have it automatically add and remove routes for devices as they become available to peer
drakonis has quit [Ping timeout: 245 seconds]
drakonis has joined #nixos-chat
vika_nezrimaya has joined #nixos-chat
<sphalerite>
ashkitten: use tinc?
<sphalerite>
ashkitten: someone asked on the tinc mailing list a while back if wireguard could be used as a "backend" for tinc which I think would be really cool
<ashkitten>
hm, okay
<ashkitten>
i started looking for ways to do it with wireguard and tbh this is getting out of hand quickly and i really just want something to work
<ashkitten>
lmao
<sphalerite>
then use tinc :p
<sphalerite>
hm, but adding and removing routes automatically? I don't think it'll do that
<sphalerite>
it will reach not-directly-reachable nodes via whichever nodes are able to reach them though
<ashkitten>
i just want it to give me the fastest path to a thing
<ashkitten>
that's the point i was trying to accomplish with automatic route management
<ashkitten>
if tinc gives me reasonable security and works easily i don't see why not
<sphalerite>
then yeah I think tinc is what you want
<sphalerite>
plus open port 655 (TCP and UDP I think) in the firewall, and define the addresses in networking.interfaces."tinc.your-network-name".ipv[46].addresses
<ashkitten>
what do i need in the host file contents
<sphalerite>
the most important part is having Address for at least one host, and Subnet for all of the hosts you want to be able to communicate through the VPN (probably all of them) :)
<sphalerite>
you also need the public keys, but you need to start tinc before you can get those
drakonis has quit [Ping timeout: 244 seconds]
ashkitten has quit [Ping timeout: 276 seconds]
ashkitten has joined #nixos-chat
<ashkitten>
i just firewalled myself out of my server and had to write a shell one-liner from glowing-bear which was still attached to my weechat relay to get back in
<srhb>
ashkitten: Good job! :P
<ashkitten>
which is not the worst way to figure out that the weakest link in your server's security is your irc client
<srhb>
Yeah :P
<ashkitten>
actually i didn't firewall myself out
<ashkitten>
port 22 was still open
<ashkitten>
i have no idea what happened
<ashkitten>
maybe my routing got screwed as a result of enabling tinc
<ashkitten>
and it couldn't reply
<srhb>
That sounds bad enough.
<srhb>
I try to be very careful with not permanently switching my remotes. Burnt too many times :P
<ashkitten>
i wonder if i had reloaded my irc client would it have not been able to reconnect
<srhb>
I use a modified version of Bas van Dijk's rollback unit most places.
<srhb>
ashkitten: Basically, upon switch, a timer is activated. If I don't run stop-nixos-rollback on the remote, it will roll back the system after 15 minutes
<ashkitten>
that's a good idea
<ashkitten>
i'm gonna bookmark that and get back to this whole thing tomorrow when i have a brain
<srhb>
Braining does get hard after a while. ^^;
<ashkitten>
yep
<ashkitten>
okay, nini
<srhb>
Sleep well :)
<manveru>
hmm, pijul looks neat :)
<joepie91>
srhb: I feel like this would be right at home in morph, as a built-in healthcheck feature
<srhb>
joepie91: Sorry, what would?
<joepie91>
(where morph could also automatically run the stop signal, on a new connection)
<srhb>
Well, I'm going back to work there in a little over a month, so I guess I can put that on my todo... :P
<joepie91>
:)
<srhb>
joepie91: Frankly I think it's enough to have it as an optional module..
<srhb>
Oh, that's probably what you suggested.
<joepie91>
srhb: to fully automate this it would require a change to morph core though, I think? to ensure that the 'stop rollback' command is run over a *new* SSH connection, *after* system switch
<joepie91>
or at least a general-purpose API for providing that guarantee of a new connection and then rolling it into the command-based healthcheck API or something
<srhb>
Agreed.
<srhb>
I don't recall what it does right now.
<joepie91>
srhb: I mean, even if it currently opens a new connection, it would probably be worth it to have an "ensure new connection" flag
<srhb>
Yeah.
<joepie91>
just in case you want to optimize the process in the future without having to uphold a new-connection guarantee for every single check
<srhb>
I think I'd prefer a much more generic way to specify the health checks
<srhb>
Like, what happens from the local machine and out.
<joepie91>
srhb: I actually got caught out by healthchecks running from my system
<joepie91>
DNS hadn't propagated yet so some healthchecks were succeeding when they should've failed
<srhb>
Fun!
<joepie91>
in hindsight this was in the docs, but I'd overlooked it
<joepie91>
anyway, the headers thing has recently been patched so now I actually can run healthchecks from the target system
Myhlamaeus has joined #nixos-chat
<joepie91>
which was previously impossible because the hostname of a given site would point at the old DNS record and it wouldn't be possible to say "this hostname, but localhost"
<{^_^}>
DBCDK/morph#65 (by joepie91, 2 weeks ago, closed): Headers in HTTP health checks
<joepie91>
elvishjerricco: well shit, the fetchurl+overlay trick for jellyfin seems to have worked
<joepie91>
thanks :P
pie_ has joined #nixos-chat
Myhlamaeus has quit [Remote host closed the connection]
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-chat
pie__ has joined #nixos-chat
pie_ has quit [Client Quit]
<aanderse>
eyJhb: Taneb: are either of you interested in being the moodle maintainer in nixos?
<Taneb>
aanderse: not currently
<aanderse>
T_T
pie__ has quit [Ping timeout: 250 seconds]
pie_ has joined #nixos-chat
Myhlamaeus has joined #nixos-chat
avn has joined #nixos-chat
pie_ has quit [Ping timeout: 250 seconds]
Lukas4452 has joined #nixos-chat
Lukas4452 has quit [Client Quit]
pie_ has joined #nixos-chat
zfnmxt has quit [Quit: Bye!]
zfnmxt has joined #nixos-chat
zfnmxt has quit [Client Quit]
zfnmxt has joined #nixos-chat
pie_ has quit [Ping timeout: 250 seconds]
endformationage has joined #nixos-chat
pie_ has joined #nixos-chat
pie_ has quit [Ping timeout: 250 seconds]
<manveru>
man... pijul needs a new slogan, it sure isn't fast :|
<manveru>
let's see how to profile rust :)
<manveru>
strace already showed some expensive behaviour like looking for a `.ignore` and `.pijulignore` file in every single directory of a repo just to display status... and doing that on nixpkgs takes over 80s
<infinisil>
Damn
<manveru>
i quit using darcs over a decade ago because of performance, was all excited about pijul :P
<manveru>
just gonna see if there's an easy fix, like telling it that there won't be any such ignore files, but it also seems to read every single file
<manveru>
ah, they have a channel, time to ask there i guess
pie_ has joined #nixos-chat
<infinisil>
"The German-Dutch mathematician Ludolph van Ceulen (circa 1600) computed the first 35 decimal places of π with a 262-gon. He was so proud of this accomplishment that he had them inscribed on his tombstone."
<infinisil>
Nice
<infinisil>
Wait that should be 2^62-gon, paste messed it up
<infinisil>
"The English amateur mathematician William Shanks, a man of independent means, spent over 20 years calculating π to 707 decimal places. This was accomplished in 1873, with the first 527 places correct."
<infinisil>
People sure can be dedicated
cbarrett has joined #nixos-chat
<Ralith>
number go up^H^Hsideways
drakonis has joined #nixos-chat
<joepie91>
hehe
pie_ has quit [Ping timeout: 250 seconds]
pie_ has joined #nixos-chat
Myhlamaeus has quit [Ping timeout: 246 seconds]
pie_ has quit [Excess Flood]
pie_ has joined #nixos-chat
<adisbladis>
qyliss: I have a qubes person who'd like to talk to you
pie_ has quit [Ping timeout: 250 seconds]
pie_ has joined #nixos-chat
nabana has joined #nixos-chat
<ashkitten>
sphalerite: you around?
<ashkitten>
does tinc not resolve dns?
<sphalerite>
ashkitten: hmm I seem to remember having some problems there too, hang on
<joepie91>
ashkitten: do you mean in the node address specification? or in terms of tunneling DNS over tinc?
<ashkitten>
it says Error looking up <dns name> port 655: Device or resource busy
<sphalerite>
huh
<joepie91>
okay, so the node address specification, and yeah, that's broken
<joepie91>
I don't know why
<ashkitten>
oh
<ashkitten>
that blows
<joepie91>
very open to suggestions on fixing
<sphalerite>
It is supposed to work
<joepie91>
I've worked around it by specifying IPs now
<joepie91>
sphalerite: it's been broken for at least a year :P
<ashkitten>
whatever tho, i guess. yeah i'll do that
<sphalerite>
joepie91: yeah, although someone else in here I think said it worked for them
<joepie91>
I had the same issue with my nixops deployment
<joepie91>
and that was well over a year ago
<joepie91>
afaik
<joepie91>
hm, odd
<sphalerite>
elvishjerricco: apparently it works for you
<sphalerite>
there's #14433 which is closed though
<ashkitten>
on steve's end, it says it doesn't have fucko's rsa private key
<ashkitten>
er
<ashkitten>
public key
<ashkitten>
why does it want that? i thought tinc 1.1 deprecated rsa
<qyliss>
adisbladis: they still around?
<qyliss>
guessing no…
<joepie91>
ashkitten: do you have a dot in your system hostnames by any chance
<joepie91>
or some other non-alphanum character
<ashkitten>
nope
<joepie91>
ashkitten: so the RSA error basically means "I haven't gotten a key to use"
<joepie91>
you can ignore the RSA part of that error
<qyliss>
adisbladis: if they come back, my DECT is GPL3
<joepie91>
but /something/ is wrong with the key specification
<joepie91>
ashkitten: (it apparently falls back to RSA and so if it cannot find any keys at all it gives you the last error, which is "cannot find RSA key")
<joepie91>
also, tinc is really nice when it works, but its error feedback is junk
<ashkitten>
i literally just copied the Ed25519PublicKey line from `tinc.t0 export`
<ashkitten>
ok, i guess it works now
<ashkitten>
how do i know if it works? i can't ping the subnet address i gave it
<ashkitten>
they keep pinging and ponging each other in the log and sending udp probes or whatever so maybe that's good
nabana has quit [Ping timeout: 264 seconds]
<ashkitten>
oh, there's no route through that interface
<ashkitten>
hmm
<ashkitten>
`ip link set up tinc.t0` and `ip route add 10.100.0.0/24 dev tinc.t0` but now ping says From 10.100.0.1 icmp_seq=1 Destination Net Unknown
pie_ has quit [Ping timeout: 250 seconds]
Myhlamaeus has joined #nixos-chat
<sphalerite>
qyliss: DECT? GPL3?
<sphalerite>
ashkitten: What do the `Subnet` lines look like? And do you have the interface up with addresses assigned on both nodes?
<ashkitten>
sphalerite: Subnet = 10.100.0.1
<ashkitten>
i've got addresses assigned to both nodes now yes
<ashkitten>
but when i do `sudo tinc.t0 info steve` it doesn't list any subnets
<sphalerite>
maybe `tinc.t0 reload`?
<sphalerite>
did you edit the host file in-place or update it through the nixos config?
<ashkitten>
uh hangon
<ashkitten>
i updated it through the nixos config
<ashkitten>
and the changes show up in `sudo tinc.t0 export-all`
<joepie91>
so yeah, that does suggest that you're not properly connected
<ashkitten>
yeah idk
<ashkitten>
it's really weird
<ashkitten>
they're definitely connected
<joepie91>
ashkitten: can you do cat /etc/tinc/cryto/hosts/* (change the 'cryto' to your network name) and gist the result? minus any private keys, if any
<joepie91>
(it may look a bit jumbled, that's fine)
<joepie91>
dunno where that script comes from exactly but that's what you should have :D
<joepie91>
(it's the ExecStart for that service)
<ashkitten>
that worked
<ashkitten>
for some reason
<ashkitten>
cool
<joepie91>
there's also a network-addresses-tinc.foo.service and that's what sets up the address section
<ashkitten>
network-link-tinc.t0.service isn't required by tinc.t0.service
<joepie91>
yeah I think these originate from my network interface block
<joepie91>
not the tinc config
<ashkitten>
yeah
<ashkitten>
anyways it works now
<ashkitten>
thanks
<joepie91>
\o/
<joepie91>
now the question is whether it survives a reboot :P
<ashkitten>
we'll figure that out... LATER
<joepie91>
hehe
<joepie91>
short victory dance first
<joepie91>
I like tinc in principle, but I have to admit that basically every time I reconfigure it, I end up debugging network stuff for hours
<ashkitten>
lol yeah
<joepie91>
it really could use some better debugging tools and error output because it's not helpful at all
<ashkitten>
yeah
<joepie91>
which is a shame because I really like it otherwise :/
<ashkitten>
if only wireguard had mesh networking capabilities built in
<joepie91>
heh, yeah
<joepie91>
I've had this discussion a few times, it always goes the same way
<joepie91>
"tinc? why not wireguard?" -- "well, I want mesh capabilities" -- "wait, doesn't wireguard have that?" <time passes> "oh apparently it does not"
<joepie91>
anyway, off to bath :)
<ashkitten>
i already tried to do meshing with wireguard
<ashkitten>
you need a routing protocol
<ashkitten>
i don't want to set up a routing protocol
<Church->
Yo yo
<Church->
Heh
pie_ has quit [Ping timeout: 250 seconds]
<drakonis>
hey
<ashkitten>
cool, i got meshing working
<ashkitten>
they aren't discovering each other on the local network tho...
<ashkitten>
oh, they just managed to discover each other!
<joepie91>
hm, I thought that was behind a loginwall
<joepie91>
anyway, clearly someone has claimed it :P
<infinisil>
Oh man, I'll be meeting with some friends in a couple of days, but my phone is dead, and the only way I have to contact them is via Whatsapp, which doesn't work without a phone...
<infinisil>
Fortunately I have a friend who uses matrix, so I can tell him to tell the others they should send me mails for comms
<infinisil>
I really need to convert these other friends over to matrix..