gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<ashkitten> dear networking santa, i've been a very good person this year and for crimbo i'd really like wireguard mesh networking and automatic local peer discovery
<gchristensen> hah
<ashkitten> thanks to the power of ipv6 i can use wireguard with my desktop's globally routable address which i'm uncertain is stable but we'll burn that bridge when we get to it
<ashkitten> hng, after a few days uptime i start getting "error: unable to fork: Cannot allocate memory" when running nixos-rebuild switch...
<ashkitten> wow, nix really chews through an entire gig of ram
<ashkitten> i don't have swap
<ashkitten> what the heckie, i somehow broke ip forwarding
<ashkitten> oh
<ashkitten> dammit
<ashkitten> i added wireguard peer definitions for each client but it doesn't fall back to the gateway if that device isn't available
<ashkitten> i was hoping i could have it automatically add and remove routes for devices as they become available to peer
drakonis has quit [Ping timeout: 245 seconds]
drakonis has joined #nixos-chat
vika_nezrimaya has joined #nixos-chat
<sphalerite> ashkitten: use tinc?
<sphalerite> ashkitten: someone asked on the tinc mailing list a while back if wireguard could be used as a "backend" for tinc which I think would be really cool
<ashkitten> hm, okay
<ashkitten> i started looking for ways to do it with wireguard and tbh this is getting out of hand quickly and i really just want something to work
<ashkitten> lmao
<sphalerite> then use tinc :p
<sphalerite> hm, but adding and removing routes automatically? I don't think it'll do that
<sphalerite> it will reach not-directly-reachable nodes via whichever nodes are able to reach them though
<ashkitten> i just want it to give me the fastest path to a thing
<ashkitten> that's the point i was trying to accomplish with automatic route management
<ashkitten> if tinc gives me reasonable security and works easily i don't see why not
<sphalerite> then yeah I think tinc is what you want
<emily> you may be interested in https://yggdrasil-network.github.io/
<emily> for mesh networking
<ashkitten> sphalerite: do you use tinc?
<sphalerite> ashkitten: yep
<ashkitten> what is the nixos configuration supposed to look like
<ashkitten> i don't understand, it's not clearly documented
<sphalerite> { services.tinc.networks.your-network-name = { extraConfig = "ConnectTo = somepubliclyaccessiblenode\nAutoconnect = yes\nLocalDiscovery = yes"; hosts = { somenode = "tinc-host-file-contents-here"; someothernode = "tinc-host-file-contents-here"; }; }
<sphalerite> plus open port 655 (TCP and UDP I think) in the firewall, and define the addresses in networking.interfaces."tinc.your-network-name".ipv[46].addresses
<ashkitten> what do i need in the host file contents
<sphalerite> the most important part is having Address for at least one host, and Subnet for all of the hosts you want to be able to communicate through the VPN (probably all of them) :)
<sphalerite> you also need the public keys, but you need to start tinc before you can get those
drakonis has quit [Ping timeout: 244 seconds]
ashkitten has quit [Ping timeout: 276 seconds]
ashkitten has joined #nixos-chat
<ashkitten> i just firewalled myself out of my server and had to write a shell one-liner from glowing-bear which was still attached to my weechat relay to get back in
<srhb> ashkitten: Good job! :P
<ashkitten> which is not the worst way to figure out that the weakest link in your server's security is your irc client
<srhb> Yeah :P
<ashkitten> actually i didn't firewall myself out
<ashkitten> port 22 was still open
<ashkitten> i have no idea what happened
<ashkitten> maybe my routing got screwed as a result of enabling tinc
<ashkitten> and it couldn't reply
<srhb> That sounds bad enough.
<srhb> I try to be very careful with not permanently switching my remotes. Burnt too many times :P
<ashkitten> i wonder if i had reloaded my irc client would it have not been able to reconnect
<srhb> I use a modified version of Bas van Dijk's rollback unit most places.
avn has quit [Ping timeout: 246 seconds]
<ashkitten> what's that?
endformationage has quit [Quit: WeeChat 2.5]
<srhb> ashkitten: Basically, upon switch, a timer is activated. If I don't run stop-nixos-rollback on the remote, it will roll back the system after 15 minutes
<ashkitten> that's a good idea
<ashkitten> i'm gonna bookmark that and get back to this whole thing tomorrow when i have a brain
<srhb> Braining does get hard after a while. ^^;
<ashkitten> yep
<ashkitten> okay, nini
<srhb> Sleep well :)
<manveru> hmm, pijul looks neat :)
<joepie91> srhb: I feel like this would be right at home in morph, as a built-in healthcheck feature
<srhb> joepie91: Sorry, what would?
<joepie91> (where morph could also automatically run the stop signal, on a new connection)
<srhb> Oh, the rollback
<srhb> Yeah. :)
<srhb> Well, I'm going back to work there in a little over a month, so I guess I can put that on my todo... :P
<joepie91> :)
<srhb> joepie91: Frankly I think it's enough to have it as an optional module..
<srhb> Oh, that's probably what you suggested.
<joepie91> srhb: to fully automate this it would require a change to morph core though, I think? to ensure that the 'stop rollback' command is run over a *new* SSH connection, *after* system switch
<joepie91> or at least a general-purpose API for providing that guarantee of a new connection and then rolling it into the command-based healthcheck API or something
<srhb> Agreed.
<srhb> I don't recall what it does right now.
<joepie91> srhb: I mean, even if it currently opens a new connection, it would probably be worth it to have an "ensure new connection" flag
<srhb> Yeah.
<joepie91> just in case you want to optimize the process in the future without having to uphold a new-connection guarantee for every single check
<srhb> I think I'd prefer a much more generic way to specify the health checks
<srhb> Like, what happens from the local machine and out.
<joepie91> yeah
<srhb> { prevConn, newConn, lotsOfStuff ... } -> HealthCheckAction
<srhb> Bring your own function.
<joepie91> srhb: I actually got caught out by healthchecks running from my system
<joepie91> DNS hadn't propagated yet so some healthchecks were succeeding when they should've failed
<srhb> Fun!
<joepie91> in hindsight this was in the docs, but I'd overlooked it
<joepie91> anyway, the headers thing has recently been patched so now I actually can run healthchecks from the target system
Myhlamaeus has joined #nixos-chat
<joepie91> which was previously impossible because the hostname of a given site would point at the old DNS record and it wouldn't be possible to say "this hostname, but localhost"
<srhb> OK :)
<joepie91> this one
<{^_^}> DBCDK/morph#65 (by joepie91, 2 weeks ago, closed): Headers in HTTP health checks
<joepie91> elvishjerricco: well shit, the fetchurl+overlay trick for jellyfin seems to have worked
<joepie91> thanks :P
pie_ has joined #nixos-chat
Myhlamaeus has quit [Remote host closed the connection]
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-chat
pie__ has joined #nixos-chat
pie_ has quit [Client Quit]
<aanderse> eyJhb: Taneb: are either of you interested in being the moodle maintainer in nixos?
<Taneb> aanderse: not currently
<aanderse> T_T
pie__ has quit [Ping timeout: 250 seconds]
pie_ has joined #nixos-chat
Myhlamaeus has joined #nixos-chat
avn has joined #nixos-chat
pie_ has quit [Ping timeout: 250 seconds]
Lukas4452 has joined #nixos-chat
Lukas4452 has quit [Client Quit]
pie_ has joined #nixos-chat
zfnmxt has quit [Quit: Bye!]
zfnmxt has joined #nixos-chat
zfnmxt has quit [Client Quit]
zfnmxt has joined #nixos-chat
pie_ has quit [Ping timeout: 250 seconds]
endformationage has joined #nixos-chat
pie_ has joined #nixos-chat
pie_ has quit [Ping timeout: 250 seconds]
<manveru> man... pijul needs a new slogan, it sure isn't fast :|
<manveru> let's see how to profile rust :)
<manveru> strace already showed some expensive behaviour like looking for a `.ignore` and `.pijulignore` file in every single directory of a repo just to display status... and doing that on nixpkgs takes over 80s
<infinisil> Damn
<manveru> i quit using darcs over a decade ago because of performance, was all excited about pijul :P
<manveru> just gonna see if there's an easy fix, like telling it that there won't be any such ignore files, but it also seems to read every single file
<manveru> ah, they have a channel, time to ask there i guess
pie_ has joined #nixos-chat
<infinisil> "The German-Dutch mathematician Ludolph van Ceulen (circa 1600) computed the first 35 decimal places of π with a 262-gon. He was so proud of this accomplishment that he had them inscribed on his tombstone."
<infinisil> Nice
<infinisil> Wait that should be 2^62-gon, paste messed it up
<infinisil> "The English amateur mathematician William Shanks, a man of independent means, spent over 20 years calculating π to 707 decimal places. This was accomplished in 1873, with the first 527 places correct."
<infinisil> People sure can be dedicated
cbarrett has joined #nixos-chat
<Ralith> number go up^H^Hsideways
drakonis has joined #nixos-chat
<joepie91> hehe
pie_ has quit [Ping timeout: 250 seconds]
pie_ has joined #nixos-chat
Myhlamaeus has quit [Ping timeout: 246 seconds]
pie_ has quit [Excess Flood]
pie_ has joined #nixos-chat
<adisbladis> qyliss: I have a qubes person who'd like to talk to you
pie_ has quit [Ping timeout: 250 seconds]
pie_ has joined #nixos-chat
nabana has joined #nixos-chat
<ashkitten> sphalerite: you around?
<ashkitten> does tinc not resolve dns?
<sphalerite> ashkitten: hmm I seem to remember having some problems there too, hang on
<joepie91> ashkitten: do you mean in the node address specification? or in terms of tunneling DNS over tinc?
<ashkitten> it says Error looking up <dns name> port 655: Device or resource busy
<sphalerite> huh
<joepie91> okay, so the node address specification, and yeah, that's broken
<joepie91> I don't know why
<ashkitten> oh
<ashkitten> that blows
<joepie91> very open to suggestions on fixing
<sphalerite> It is supposed to work
<joepie91> I've worked around it by specifying IPs now
<joepie91> sphalerite: it's been broken for at least a year :P
<ashkitten> whatever tho, i guess. yeah i'll do that
<sphalerite> joepie91: yeah, although someone else in here I think said it worked for them
<joepie91> I had the same issue with my nixops deployment
<joepie91> and that was well over a year ago
<joepie91> afaik
<joepie91> hm, odd
<sphalerite> elvishjerricco: apparently it works for you
<sphalerite> there's #14433 which is closed though
<{^_^}> https://github.com/NixOS/nixpkgs/issues/14433 (by mogorman, 3 years ago, closed): running tinc via systemd does not seem to able to use dns
<sphalerite> aah
<sphalerite> chroot = false
<ashkitten> oh
<elvishjerricco> Yea the chroot by default thing is weird. It makes a lot of stuff not work
<joepie91> :|
<joepie91> well I'll have to fix that in my config then, I wonder what the security implications of that are, if it's default-on...
<ashkitten> it keeps timing out
<ashkitten> during connection
<sphalerite> ashkitten: is the port open?
<ashkitten> oh i see
<ashkitten> hang on
<ashkitten> on steve's end, it says it doesn't have fucko's rsa private key
<ashkitten> er
<ashkitten> public key
<ashkitten> why does it want that? i thought tinc 1.1 deprecated rsa
<qyliss> adisbladis: they still around?
<qyliss> guessing no…
<joepie91> ashkitten: do you have a dot in your system hostnames by any chance
<joepie91> or some other non-alphanum character
<ashkitten> nope
<joepie91> ashkitten: so the RSA error basically means "I haven't gotten a key to use"
<joepie91> you can ignore the RSA part of that error
<qyliss> adisbladis: if they come back, my DECT is GPL3
<joepie91> but /something/ is wrong with the key specification
<joepie91> ashkitten: (it apparently falls back to RSA and so if it cannot find any keys at all it gives you the last error, which is "cannot find RSA key")
<joepie91> also, tinc is really nice when it works, but its error feedback is junk
<ashkitten> i literally just copied the Ed25519PublicKey line from `tinc.t0 export`
<ashkitten> ok, i guess it works now
<ashkitten> how do i know if it works? i can't ping the subnet address i gave it
<ashkitten> they keep pinging and ponging each other in the log and sending udp probes or whatever so maybe that's good
nabana has quit [Ping timeout: 264 seconds]
<ashkitten> oh, there's no route through that interface
<ashkitten> hmm
<ashkitten> `ip link set up tinc.t0` and `ip route add 10.100.0.0/24 dev tinc.t0` but now ping says From 10.100.0.1 icmp_seq=1 Destination Net Unknown
pie_ has quit [Ping timeout: 250 seconds]
Myhlamaeus has joined #nixos-chat
<sphalerite> qyliss: DECT? GPL3?
<sphalerite> ashkitten: What do the `Subnet` lines look like? And do you have the interface up with addresses assigned on both nodes?
<ashkitten> sphalerite: Subnet = 10.100.0.1
<ashkitten> i've got addresses assigned to both nodes now yes
<ashkitten> but when i do `sudo tinc.t0 info steve` it doesn't list any subnets
<sphalerite> maybe `tinc.t0 reload`?
<sphalerite> did you edit the host file in-place or update it through the nixos config?
<ashkitten> uh hang on
<ashkitten> i updated it through the nixos config
<ashkitten> and the changes show up in `sudo tinc.t0 export-all`
<ashkitten> it shows the Subnet line
<joepie91> ashkitten: I'd recommend having a look at my tinc configuration, at https://git.cryto.net/joepie91/morph-rc/src/master/configuration/default.nix (ctrl+F tincConfiguration) -- there's a bit of abstraction, but it should be relatively easy to follow, and this is a setup that's known-working :P
<joepie91> (including configuration-specified private/public keys, though the private part is handled via the deploy-secrets feature of morph iirc)
<joepie91> actually, the Tinc setup commit may be more useful: https://git.cryto.net/joepie91/morph-rc/commit/00dc1a33669e16578e793a878976cb77baab1e97
<ashkitten> it's weird, it's like the Subnet option isn't even being used
<joepie91> ashkitten: have you added a network interface, like in that last link?
<joepie91> err, sorry, configured the address for the network interface*
<ashkitten> yes
<joepie91> correct prefix length?
<joepie91> (ie. not 32)
<ashkitten> wait, it shouldn't be 32?
<ashkitten> oh
<joepie91> not in the network interface, only in the Subnet option
<joepie91> I got this wrong the first time as well :P
<joepie91> the network interface's prefix length should be basically the 'full range' that your hosts exist in
<joepie91> in my case I've given it a /24
<joepie91> the Subnet option then specifies the specific IP that a given node should have in that range
<joepie91> (in the tinc config)
<ashkitten> ah
<ashkitten> okay, it still doesn't work
<ashkitten> tinc isn't giving it a subnet
<joepie91> how do you mean?
<ashkitten> Edges: fucko
<ashkitten> Subnets:
<sphalerite> did you put the subnet in the host file on both nodes?
<ashkitten> yeah
<joepie91> hm, not sure where you are getting that output from
<joepie91> haven't seen that format before
<joepie91> also, have you cranked up the debug level yet?
<ashkitten> yeah
<ashkitten> hang on
<ashkitten> yeah i have no clue what's happening
<joepie91> ashkitten: how'd you get the Edges/Subnets output?
<ashkitten> tinc.t0 info steve
<joepie91> ashkitten: this is what I get for my functioning VPN: https://gist.github.com/joepie91/7c849678ac63d1b2e11c6a06693fb278
<joepie91> so yeah, that does suggest that you're not properly connected
<ashkitten> yeah idk
<ashkitten> it's really weird
<ashkitten> they're definitely connected
<joepie91> ashkitten: can you do cat /etc/tinc/cryto/hosts/* (change the 'cryto' to your network name) and gist the result? minus any private keys, if any
<joepie91> (it may look a bit jumbled, that's fine)
<ashkitten> oh, sure
<joepie91> oh yeah actually it does look connected from that full output, just missing the subnet
<joepie91> I really suspect the subnet has somehow not made it into the config
<ashkitten> i can just do tinc.t0 export-all
<joepie91> ashkitten: ... oh, a thing. look for any indentation in the config file
<joepie91> tinc's config format is *not* indentation-friendly
<joepie91> and it fails silently if stuff is indented in particular places
<ashkitten> yeah, no indentation
<joepie91> hm
<joepie91> that config looks correct
<joepie91> only difference with my end is that there's no Address for fucko, presumably because that's from fucko
<joepie91> (I deploy the same host configs to all nodes, so even a node's own config has its Address)
<ashkitten> fucko doesn't have a stable address
<joepie91> aha
<joepie91> either way this should not be an issue
<ashkitten> everything is gonna be connecting to steve initially
<joepie91> you've turned the VPN off and on again, right?
<ashkitten> yep
<joepie91> just to make sure :)
<joepie91> ok
<ashkitten> the addresses don't come up when i restart tinc.t0.service but i'll fix that eventually
<qyliss> sphalerite: we have a DECT phone network at camp
<ashkitten> tinc.t0.service doesn't automatically bring up the interface for some reason, only creates it
<joepie91> ashkitten: how do you mean?
<qyliss> GPL3 (on a T9 keypad) is my number
<joepie91> lol
<joepie91> I wonder if someone's claimed 2602, my usual number
<joepie91> ashkitten: btw, bath is almost ready, I'll vanish then :P
pie_ has joined #nixos-chat
<ashkitten> okay
<ashkitten> yeah i have no clue why it's not working tbh
<joepie91> ashkitten: the 'addresses not coming up' is a clue though
<joepie91> I had this occur after a deployment at one point
<ashkitten> oh?
<joepie91> couldn't reproduce it
<joepie91> but until I manually restarted the failing service, the VPN was down
<ashkitten> like, i have to manually set the interface up
<ashkitten> it starts down
<joepie91> well it's *supposed* to create a service that brings the interface up, and then a separate service that sets up the addresses
<joepie91> and the latter is supposed to run after the former
<joepie91> iirc
<joepie91> and in that one failure case, the latter seemed to have happened before the former
<joepie91> and so it failed
<joepie91> but the former eventually finished or w/e and so when I manually started the latter, the VPN worked again
<joepie91> I suspect that something in the former service is not correctly waiting for completion, maybe
<joepie91> causing a possible race condition
<joepie91> anyway, that may or may not be the same problem you're having
<ashkitten> i don't think so
<ashkitten> the fact that the interface starts out down is weird but there's nothing that's supposed to explicitly bring it up
<joepie91> ashkitten: you should have a network-link-tinc.foo.service
<joepie91> I believe that is what is meant to bring up the interface
<joepie91> unless that only exists because of my separate network interface block?
<joepie91> I dunno
<ashkitten> oh, i see
<joepie91> dunno where that script comes from exactly but that's what you should have :D
<joepie91> (it's the ExecStart for that service)
<ashkitten> that worked
<ashkitten> for some reason
<ashkitten> cool
<joepie91> there's also a network-addresses-tinc.foo.service and that's what sets up the address section
<ashkitten> network-link-tinc.t0.service isn't required by tinc.t0.service
<joepie91> yeah I think these originate from my network interface block
<joepie91> not the tinc config
<ashkitten> yeah
<ashkitten> anyways it works now
<ashkitten> thanks
<joepie91> \o/
<joepie91> now the question is whether it survives a reboot :P
<ashkitten> we'll figure that out... LATER
<joepie91> hehe
<joepie91> short victory dance first
<joepie91> I like tinc in principle, but I have to admit that basically every time I reconfigure it, I end up debugging network stuff for hours
<ashkitten> lol yeah
<joepie91> it really could use some better debugging tools and error output because it's not helpful at all
<ashkitten> yeah
<joepie91> which is a shame because I really like it otherwise :/
<ashkitten> if only wireguard had mesh networking capabilities built in
<joepie91> heh, yeah
<joepie91> I've had this discussion a few times, it always goes the same way
<joepie91> "tinc? why not wireguard?" -- "well, I want mesh capabilities" -- "wait, doesn't wireguard have that?" <time passes> "oh apparently it does not"
<joepie91> anyway, off to bath :)
<ashkitten> i already tried to do meshing with wireguard
<ashkitten> you need a routing protocol
<ashkitten> i don't want to set up a routing protocol
<Church-> Yo yo
<Church-> Heh
pie_ has quit [Ping timeout: 250 seconds]
<drakonis> hey
<ashkitten> cool, i got meshing working
<ashkitten> they aren't discovering each other on the local network tho...
<ashkitten> oh, they just managed to discover each other!
<ashkitten> joepie91: for future reference, i did this to make it automatically set up interfaces on restarting tinc https://github.com/ashkitten/nixos-config/blob/master/common.nix#L214-L215
<joepie91> ashkitten: thanks, will give that a shot here some time soon
<joepie91> hm, I thought that was behind a loginwall
<joepie91> anyway, clearly someone has claimed it :P
<infinisil> Oh man, I'll be meeting with some friends in a couple days, but my phone is dead, and the only way I have to contact them is via Whatsapp, which doesn't work without phone..
<infinisil> Fortunately I have a friend who uses matrix, so I can tell him to tell the others they should send me mails for comms
<infinisil> I really need to convert these other friends over to matrix..
pie_ has joined #nixos-chat