gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<ashkitten> is there a web ui thing i could use for managing files and uploading them
<ashkitten> like some sort of ftp-over-http frontend i guess
drakonis1 has joined #nixos-chat
drakonis has joined #nixos-chat
endformationage has joined #nixos-chat
<clever> > :p let overridable = foo: (rec { a = 42; b = a*10; __overrides = foo; }); in overridable {}
<{^_^}> { __overrides = { }; a = 42; b = 420; }
<clever> > :p let overridable = foo: (rec { a = 42; b = a*10; __overrides = foo; }); in overridable { a = 5; }
<{^_^}> { __overrides = { a = 5; }; a = 5; b = 50; }
<clever> infinisil: seen _overrides before?
<infinisil> Yeah xD
<infinisil> Hacky stuff
<clever> sadly, everybody using rec has to opt-in and allow it
Synthetica has quit [Quit: Connection closed for inactivity]
<infinisil> Fun fact: The expected number of 7 char git revision collisions in nixpkgs is about 149
<infinisil> The math from https://math.stackexchange.com/a/35798/452992, with the numbers n=200'000 and N=16^7, using bc to calculate it
evanjs has quit [Ping timeout: 264 seconds]
lopsided98 has quit [Remote host closed the connection]
lopsided98 has joined #nixos-chat
endformationage has quit [Quit: WeeChat 2.6]
drakonis1 has quit [Ping timeout: 276 seconds]
drakonis1 has joined #nixos-chat
das_j has quit [Remote host closed the connection]
das_j has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.6]
drakonis has joined #nixos-chat
drakonis1 has quit [Ping timeout: 245 seconds]
<yorick> in reality, there are 92
<yorick> git rev-list --all | cut -c1-7 | sort | uniq -c | grep -v " 1 " | wc -l
<yorick> oh, can use uniq -cd | wc -l
xd1le has joined #nixos-chat
<etu> eyJhb: To change what? :)
drakonis has quit [Remote host closed the connection]
lopsided98 has quit [Ping timeout: 264 seconds]
lopsided98_ has joined #nixos-chat
chreekat has quit [Remote host closed the connection]
chreekat has joined #nixos-chat
<eyJhb> etu: types.strings to types.str :D
<etu> eyJhb: Where do you find that in my config? ;)
__monty__ has joined #nixos-chat
<eyJhb> Have you already changed it etu ? :D
<eyJhb> Damn you!
<eyJhb> 22 hours ago
<eyJhb> Hmm, should I find a shorter domain name for setting up minio... eyjhb.dk seems too long :%
<__monty__> Doesn't seem too long to me. Don't get greedy you with your 5 character domain.
<gchristensen> gsc.io is as short as I could find
<eyJhb> Hmm, probably right.. But then I need to somewhat migrate my blog to maybe blog.eyjhb.dk. Or host it myself, instead of making Github do it
<eyJhb> How do you guys manage your blog?
<gchristensen> emacs
<eyJhb> gchristensen: why no HTTPS? :( - NO! Bad gchristensen :D
<eyJhb> But does it compile to HTML, and then upload it?
<gchristensen> I use jekyll, and github does it for me I think
<eyJhb> So basically Github pages?
<gchristensen> yeah
<gchristensen> oh just kidding I host it myself for some reason, but no idea why
<eyJhb> Wondering if you can do /blog/ and make nginx forward it to github?
<gchristensen> my blog is at grahamc.com
psyanticy has joined #nixos-chat
<etu> eyJhb: I have my website/blog in emacs, as in org-mode :)
<etu> eyJhb: it's hosted on github pages and I let travis build/deploy it for me :)
<eyJhb> Deploy it to your own server, or github pages etu ?
<eyJhb> My only "problem" atm. is if I want to use my eyjhb.dk domain for anything else, than the blog. Then I either have to do blog.eyjhb.dk and point to github, host the blog myself and do some nginx fun or forward requests to github.com via. nginx using something like https://stackoverflow.com/questions/1057239/nginx-proxy-for-a-github-page#1059037
<etu> eyJhb: github pages
<etu> eyJhb: I also have a proxy for another domain for the same page, that I run on my own
<eyJhb> etu: How so/not quite sure what you mean with the last thing
<etu> eyJhb: https://sa.0b.se/ points at a vps which is a proxy in front of https://elis.nu/ which is hosted on github pages.
<gchristensen> it is really trivial to build with jekyll
<eyJhb> etu: any nice configs for that?
<eyJhb> gchristensen: it is more adding that complexity in the form of deployments to my server :p But maybe it is worth it
<gchristensen> right , true
<gchristensen> I find it nice to be able to keep my blog public, but be able to publish pre-releases of posts without pushing to github
<etu> eyJhb: https://github.com/etu/nixconfig/blob/master/hosts/vps05/configuration.nix#L80-L84 -- but that's using caddy. I should really switch from caddy... but yeah...
<eyJhb> gchristensen: yeah, that is true...
<eyJhb> etu: Hmm, seems easy with caddy, but would prefer nginx. Btw. is there any reason why these are not in a block? https://github.com/etu/nixconfig/blob/master/hosts/vps05/configuration.nix#L112-L123
<gchristensen> is this an interesting summary for a talk? "I will be talking about how Nix and Docker models the relationships between software. Nix's model automatically and efficiently generates minimal Docker containers without alpine, FROM empty, while also reducing rebuild and test time."
<eyJhb> gchristensen: it does! :) The only thing I would change is the "I will", but that might just be because I am in report writing mode.
<eyJhb> Also, as-is, doesn't Nix+Docker produce quite large images compared to e.g. alpine or scratch?
<gchristensen> yeah sometimes
<gchristensen> but who cares about a few mb when your "dockerfile" expression is buildLayeredImage { config.Cmd = "${pkgs.mysql}/bin/mysql"; }
<eyJhb> But isn't it more like, a few hundred mb?
<etu> eyJhb: no reason
<gchristensen> yeah but still, who cares if you pay that one time
<gchristensen> although no, probably not such a big difference
<eyJhb> etu: Just wondering :D But fair ;)
<eyJhb> gchristensen: default nixos/nix is 157mb. It just seems like quite a lot, even if you only pay that once
<eyJhb> It is just when "minimal docker container" is used, I would expect less than 5mb of the container
<eyJhb> But I am guessing minimal is regarding something else
<eyJhb> But initial pull time means a lot as well, at least for me. Generally I like small images :|
<eyJhb> 50M could be saved by not keeping nixpkgs in the store. Doesn't make sense to keep anyways, as it should not be edited afterwards, right?
<gchristensen> eyJhb: not sure why nixos/nix is so large
<gchristensen> eyJhb: when I use buildLayeredImage with hello it is 6.8M. Nix is 23M
<gchristensen> I think the nixos/nix image is used for something totally different
<gchristensen> mysql is 99M (the official mysql image is 127)
<eyJhb> gchristensen: you might be right. So is the total size of "hello" 6.8 default, and 23 using nix?
<eyJhb> Also, can I test this?
<gchristensen> sure
<andi-> nixos/nix is built on top of alpine that is probably why it is that big. Carries an entire other distribution package manager IIR
<andi-> +C
<eyJhb> andi-: alpine is 5.5MB :p
<eyJhb> If you extract nixos/nix, it is the store which is the biggest
<gchristensen> nixos/nix is meant for using nix actually
<gchristensen> which is not really a thing you'd do in prod
<gchristensen> and nixos/nix doesn't use nix to build it
<eyJhb> Nope :)
<gchristensen> so nixos/nix is not a useful comparison
<eyJhb> Btw. gchristensen I see myself asking this question again and again.. But... Can I make a single .nix file for using the buildLayeredImage?
<gchristensen> ...yes
<gchristensen> I don't understand the question I guess
<eyJhb> I think it is more _how_ would that file look :%
<eyJhb> :p *
<andi-> `(import <nixpkgs> {}).dockerTools.buildLayeredImage { *PROFIT*}` ?
<gchristensen> pkgs.dockerTools.buildLayeredImage { name = "hello"; config.Cmd = [ "${pkgs.hello}/bin/hello" ]; }
<gchristensen> (example stolen from the link I sent)
<eyJhb> andi-, gchristensen and if I want to import pkgs, so I could make multiple in the same .nix file? Because of course this does not work - https://termbin.com/lpc7
<gchristensen> I was assuming more familiarity with nix, sorry: let pkgs = import <nixpkgs> {}; in pkgs.dockerTools.buildLayeredImage { name = "hello"; config.Cmd = [ "${pkgs.hello}/bin/hello" ]; }
<eyJhb> gchristensen: that is a fair assumption to make, I should at some point be used to this...
<eyJhb> Is there any good way to import the image as well, in a nix way?
<gchristensen> like for a nixos config?
<eyJhb> Or generally for when I run nix-build, that it will show up in docker images afterwards
<srhb> eyJhb: nixery!
<srhb> Or a sustemd unit that just loads the tarball
<srhb> systemd*
<gchristensen> ah
<gchristensen> `nix-build ./that-file.nix && sudo docker load < ./result`
<srhb> tazjin: Did an ultra short nixery demo yesterday at the CPH meetup, some folks were pretty immediately interested. :)
<srhb> tazjin++
<{^_^}> tazjin's karma got increased to 15
<srhb> #broccoli
<eyJhb> srhb: yeah nixery is awesome! :D gchristensen: that was also my initial thought
<eyJhb> AND CPH MEETUP?! Why couldn't you have done that on monday while I was in CPH :(
<srhb> Sorry, first wednesday of every month :P
<eyJhb> ... And my meetings are always monday or friday :(
<eyJhb> I will be in CPH again the 2nd of December, possibly all day. But I will have a hard time staying there until wednesday :p
<eyJhb> Unless I want to sleep on the streets
<eyJhb> Maybe buildLayeredImage would be nice for OCTP/challenges
<eyJhb> Only "problem" is, that non-nix people can't build them
<gchristensen> yeah lol actually the nix image for mysql is much better than the official one
<gchristensen> 456M official, 334M unofficial (the size I gave and the size on the website is compressed)
<eyJhb> Because it is Ubuntu based :p
<eyJhb> Compressed size is 127 - https://hub.docker.com/_/mysql?tab=tags
<gchristensen> right
<infinisil> yorick: Ohhh nice
<infinisil> Now I'm interested in what the chance of such a deviation is
<infinisil> yorick: I mean, what's the chance that we have less than 92 collisions
<infinisil> The normal birthday problem only tells you the chance of at least 1 collision
<infinisil> 92 is kind of far off tbh!
<yorick> infinisil: N=222787 for me
<yorick> n*
<infinisil> Github says only a bit more than 200000
<__monty__> What probability are you calculating?
<infinisil> 03:49 infinisil: Fun fact: The expected number of 7 char git revision collisions in nixpkgs is about 149
<infinisil> 03:50 infinisil: The math from https://math.stackexchange.com/a/35798/452992, with the numbers n=200'000 and N=16^7, using bc to calculate it
<eyJhb> Quick survey, should I lucidchartify my rich picture, which I made on the whiteboard, or just use it as-is ? (picture of whiteboard)
Jackneill has quit [Ping timeout: 240 seconds]
waleee-cl has joined #nixos-chat
Synthetica has joined #nixos-chat
<__monty__> Isn't the expected number of collisions n(n-1)/2N? N=16^7, n=2e5 -> ~74.5?
<__monty__> Or is that collision with a specific hash?
Jackneill has joined #nixos-chat
<infinisil> __monty__: In that stackexchange thread there's an answer that mentions this as an estimate
<__monty__> What I'd like to know is what the probability is of the nr of collisions deviating by so much.
<__monty__> But I can't figure it out even if I assume nr of collisions is distributed normally.
<infinisil> Yeah that's what I was wondering about earlier
<infinisil> Probabilities are hard!
<__monty__> I guess the problem is we only have a single sample.
<infinisil> Maybe worth double checking our values 92 and 149
<__monty__> I'm not sure where you got 92 from. But the 149 seems reasonable.
<infinisil> From yorick: 07:01 yorick: git rev-list --all | cut -c1-7 | sort | uniq -c | grep -v " 1 " | wc -l
<infinisil> Though not sure i follow that
<__monty__> It lists all hashes, truncates them, sorts so collisions are adjacent, counts the number of adjacent occurrences, greps for all the lines *not* starting with a count of 1, then counts those lines.
<__monty__> Ah, those are the number of collision hashes. Technically the number of collisions is the *sum* of the counts.
<infinisil> Hm yeah, so it only counts >2 collisions once
<yorick> __monty__: there's nothing over 2
<__monty__> Ok, so it's technically correct : .
<yorick> better version : git rev-list --all | cut -c1-7 | sort | uniq -cd | wc -l
<__monty__> Might as well drop the count for that optimal performance : )
<yorick> __monty__: how?
<__monty__> uniq -d
<__monty__> So, if we assume it's a binomial process the probability of 92 collisions is 1.4e-7
<__monty__> And it's easily within 1sigma, sigma=149...
<eyJhb> Does.. Does PHP do some kind of variable guessing? It is using $pin1 without having declared it, and is only available within $_POST["pin1"], but it works
<gchristensen> oh no
<eyJhb> gchristensen: it hurts so much
<eyJhb> Also, there is no empty check on anything in this code.. so "" == "" (totally secure pin)
<eyJhb> I wonder if that would accept any pin then
Jackneill has quit [Ping timeout: 265 seconds]
waleee-cl has quit [Quit: Connection closed for inactivity]
Jackneill has joined #nixos-chat
<pie_> what do you guys think about this env var stuff?
<manveru> i dunno, it's so 70s
<manveru> or what env vars are you talking about?
<pie_> derp
<pie_> i failed to link something
<pie_> this question can also be extended to: dealing with various things is pretty annoying because they all go through the daemon
<pie_> (gdb for example)
<pie_> idea: two-tiered nix daemon that spawns subdaemons for specific tasks
<pie_> i wonder if it already does that actually...
waleee-cl has joined #nixos-chat
evanjs has joined #nixos-chat
drakonis has joined #nixos-chat
nckx has quit [Quit: Updating my GNU Guix System — https://guix.gnu.org]
nckx has joined #nixos-chat
endformationage has joined #nixos-chat
drakonis has quit [Ping timeout: 252 seconds]
drakonis has joined #nixos-chat
<infinisil> Haha oh my god this is so great: https://youtu.be/5KO2IjWI9fA
<infinisil> The voice acting is superb
ravndal has joined #nixos-chat
__red__ has joined #nixos-chat
<elvishjerricco> Huh. I can't access anything in `.zfs/snapshot/foo`. Just trying to `ls` it, I get `cannot access '.zfs/snapshot/foo/.': Object is remote`
liff has joined #nixos-chat
red[m] has joined #nixos-chat
<red[m]> success?
xd1le has quit [Quit: leaving]
<ashkitten> is it possible to have my server announce services it's running via some sort of dns thing on my vpn?
<ashkitten> i feel like that was some sort of upnp thing wasnt it?
<samueldr> avahi might
<samueldr> well, avahi does
<samueldr> but then there's the issue of software making use of the tips from avahi
<ashkitten> ahh
<ashkitten> does avahi not contribute to the hosts file?
<ashkitten> also avahi doesn't run on my phone, i think
<samueldr> iphones run their mdns implementation (is it still named bonjour?)
<samueldr> but yeah, android devices don't have anything like that in the system :(
<ashkitten> ah
<ashkitten> theoretically, how would i set avahi to publish specific ports with specific dns names
<samueldr> hmmm, I don't know about specific dns names for ports, I know only about the fact avahi can say "here, I am bob.local" and "here, I have SSH on port 22, SSH on port 2222, HTTP on port 80" and such
<ashkitten> ah
<ashkitten> i guess i could just have it announce its dns name and then use nginx to proxy like normal
<ashkitten> and just have some domains be local-only
<ashkitten> yeah that works for me
<ashkitten> dont even need mdns for that
<red[m]> ashkitten: the 'correct' way to do that is via SRV records
<ashkitten> ah, yeah
<ashkitten> forgot those existed
<red[m]> but that's not "announce" per se, but more a record of who provides a service in a specific domain if asked
<ashkitten> i think proxying what i can through nginx is my move rn
<ashkitten> even if using https over an encrypted tunnel seems wasteful
psyanticy has quit [Quit: Connection closed for inactivity]
<sphalerite> ashkitten: you could also use regular DNS with public records but private addresses.
<ashkitten> that's true
<tilpner> Private records work well too
<Church-> Ugh, I hate testing out sec utils
<Church-> Always a pain to do it right.
<Church-> Don't suppose someone knows how to create null entries in lastlog/wtmp?
Remosi has joined #nixos-chat
Remosi has quit [Client Quit]
Remosi has joined #nixos-chat
tokudan has quit [Quit: Dunno.]
tokudan has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.6]
drakonis has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 268 seconds]
<tilpner> Welp, average exposure of 8.81 in systemd-analyze security is nothing to worry about, right?
<gchristensen> better than an 8.82
<samueldr> depends if it's a score out of 100 for perfect score
<gchristensen> true
<tilpner> This is going to take forever to "fix"
<tilpner> But now that I know of this, I can't just leave it and feel good about it
<gchristensen> open a tracking issue, gather collaborators, share the load
<tilpner> This should probably be done by changing the defaults
<tilpner> But that might break some services outside of nixpkgs
<tilpner> Which is fine if it's on unstable ._.
drakonis_ has quit [Read error: Connection reset by peer]
<Taneb> tilpner: what's the scope here?
<tilpner> Taneb: I don't understand the question
<tilpner> Taneb: systemd-analyze security pointed out a bunch of features that could be used to further contain services
<tilpner> Enabling them by default will make adding new services very annoying
<tilpner> Keeping them off by default will result in nobody enabling them
<Taneb> I mean, are you wanting to try and fix this for all of nixpkgs?
<tilpner> So far I'm just testing with a local service
<gchristensen> another good thing to do would be make a check-list for new services
<tilpner> But if possible, it probably wouldn't hurt nixpkgs to enable some of these by default
<tilpner> We don't have to go all out and enable everything
<tilpner> It would need good documentation though :(
<Taneb> I'm just looking at what "systemd-analyze security nix-daemon" says
<Taneb> It's not a pretty sight
<tilpner> Hah, 9.6
<tilpner> (Not that the number is a good indicator of anything)
<tilpner> E.g. RestrictSUIDSGID, MemoryDenyWriteExecute, SystemCallFilter=~@clock should be fine to enable for nix
<tilpner> But that will need more testing and reading
<gchristensen> nix-daemon runs a lot of syscalls, how did you come to ~@clock ?
<tilpner> Maybe I shouldn't have started with the service that secures my data
<tilpner> gchristensen: Just a random one which I expect it could do without
<tilpner> It doesn't @reboot either
<tilpner> *doesn't need
<gchristensen> I see
<tilpner> A compromised nix-daemon still needs store access, so it can always just write bad things in there
<gchristensen> right
<tilpner> It's more useful with services that can stay in their own little /var/lib directory
<gchristensen> actually nix-daemon is the perfect candidate
<gchristensen> put your eggs in a basket and make the basket really strong
<gchristensen> the ones which are sandboxed to /var/lib and don't run as root and don't do many interesting things ... are less interesting :)
<tilpner> I'm not saying it's useless for nix-daemon, just that it needs more permissions because it does more things than other services
__monty__ has quit [Quit: leaving]
<ashkitten> transformers animated rocks
<ashkitten> that is all
<andi-> Any Nintendo Switch users here? I am thinking of obtaining one for simple gaming without having to care about the platform. Mostly while travelling.
<samueldr> nixos could run on the earlier models, but I haven't circled back to it
<samueldr> wait, that's now what you're asking
<samueldr> that's not*
<andi-> :D
<andi-> I thought about it for a second and then figured that is exactly NOT what I want.. would be neat tho…
<samueldr> I think it's disingenuous to say "simple gaming", then see amazing games like smash bros, breath of the wild and mario odyssey :)
<andi-> simple in terms of not having to provide the environment or rebooting into some crappy windows ;)
<samueldr> yeah :D
<samueldr> imo, worth it
<samueldr> though the carts taste weird
<andi-> Probably would connect to dock to one of the screens at my desk.. some gaming while waiting for tensorflow to compile...
<andi-> I am mostly in it for the old games from previous consoles... 20$/y for access to them sounds fine-ish.
<samueldr> important detail: the display has to handle audio out, no way to force audio out any other way than through HDMI once docked
<andi-> I think these screens have audio.. will double check
<joepie91> andi-: apparently the pre-Vita PSPs are quite suitable as handheld emulators
<joepie91> and cheaply available
<andi-> joepie91: that sounds interesting but also another timesink where I'll not be able to think about stuff unrelated to computers :)
<joepie91> andi-: alternatively, one of the sub-$100 emulator handhelds from China which apparently work OOTB :P
<joepie91> I imagine that Nintendo's selection of oldies is probably going to be quite limited...
<andi-> it is limited. I would hope they'd just offer the old games.. I wouldn't mind buying those that I really enjoyed back then.
<samueldr> yeah, if it's only for older games, maybe not the more appropriate solution
<joepie91> andi-: one sec
<joepie91> andi-: afaik this is pretty much the best retro handheld you can get right now, at this price point: https://www.youtube.com/watch?v=nzRXx534qHE -- it's about 85 EUR on aliexpress (https://www.aliexpress.com/item/4000186506459.html) but there's a few local resellers of them also
<joepie91> and it should work out of the box, though the UI may be a bit clunky
<joepie91> (note: I don't have it, just going by what I've read/seen from others)
<joepie91> the Game Kiddy 350H is apparently also quite good
<joepie91> oh hey, there's actually a comparison video now :P https://www.youtube.com/watch?v=FA0CbHPgO8o
<samueldr> though a bunch, if not most, of those are FLOSS violators in all ways imaginable
<samueldr> from boot, to OS, to emulator cores :(
<joepie91> samueldr: afaik both of these run Dingux, which is basically a Linux distro originally created for the Dingoo A320, and which runs open-source emulators as themselves
<samueldr> good luck getting the actual sources used from the vendor
<samueldr> which is the issue