drakonis has quit [Remote host closed the connection]
lopsided98 has quit [Ping timeout: 264 seconds]
lopsided98_ has joined #nixos-chat
chreekat has quit [Remote host closed the connection]
chreekat has joined #nixos-chat
<eyJhb>
etu: types.strings to types.str :D
<etu>
eyJhb: Where do you find that in my config? ;)
__monty__ has joined #nixos-chat
<eyJhb>
Have you already changed it etu ? :D
<eyJhb>
Damn you!
<eyJhb>
22 hours ago
<eyJhb>
Hmm, should I find a shorter domain name for setting up minio... eyjhb.dk seems too long :%
<__monty__>
Doesn't seem too long to me. Don't get greedy, you with your 5-character domain.
<gchristensen>
gsc.io is as short as I could find
<eyJhb>
Hmm, probably right.. But then I need to somewhat migrate my blog to maybe blog.eyjhb.dk. Or host it myself, instead of making Github do it
<eyJhb>
How do you guys manage your blog?
<gchristensen>
emacs
<eyJhb>
gchristensen: why no HTTPS? :( - NO! Bad gchristensen :D
<eyJhb>
But does it compile to HTML, and then upload it?
<gchristensen>
I use jekyll, and github does it for me I think
<eyJhb>
So basically Github pages?
<gchristensen>
yeah
<gchristensen>
oh just kidding I host it myself for some reason, but no idea why
<eyJhb>
Wondering if you can do /blog/ and make nginx forward it to github?
<gchristensen>
my blog is at grahamc.com
psyanticy has joined #nixos-chat
<etu>
eyJhb: I have my website/blog in emacs, as in org-mode :)
<etu>
eyJhb: it's hosted on github pages and I let travis build/deploy it for me :)
<eyJhb>
Deploy it to your own server, or github pages etu ?
<eyJhb>
My only "problem" atm. is if I want to use my eyjhb.dk domain for anything else than the blog. Then I either have to do blog.eyjhb.dk and point to github, host the blog myself and do some nginx fun, or forward requests to github.com via nginx using something like https://stackoverflow.com/questions/1057239/nginx-proxy-for-a-github-page#1059037
<etu>
eyJhb: github pages
<etu>
eyJhb: I also have a proxy for another domain for the same page, that I run on my own
<eyJhb>
etu: How so/not quite sure what you mean with the last thing
<gchristensen>
is this an interesting summary for a talk? "I will be talking about how Nix and Docker model the relationships between software. Nix's model automatically and efficiently generates minimal Docker containers without alpine, FROM empty, while also reducing rebuild and test time."
<eyJhb>
gchristensen: it does! :) The only thing I would change is the "I will", but that might just be because I am in report writing mode.
<eyJhb>
Also, as-is, doesn't Nix+Docker produce quite large images compared to e.g. alpine or scratch?
<gchristensen>
yeah sometimes
<gchristensen>
but who cares about a few mb when your "dockerfile" expression is buildLayeredImage { config.Cmd = "${pkgs.mysql}/bin/mysql"; }
<eyJhb>
But isn't it more like, a few hundred mb?
<etu>
eyJhb: no reason
<gchristensen>
yeah but still, who cares if you pay that one time
<gchristensen>
although no, probably not such a big difference
<eyJhb>
etu: Just wondering :D But fair ;)
<eyJhb>
gchristensen: default nixos/nix is 157mb. It just seems like quite a lot, even if you only pay that once
<eyJhb>
It is just when "minimal docker container" is used, I would expect less than 5mb of the container
<eyJhb>
But I am guessing minimal is regarding something else
<eyJhb>
But initial pull time means a lot as well, at least for me. Generally I like small images :|
<eyJhb>
50M could be saved by not keeping nixpkgs in the store. Doesn't make sense to keep anyways, as it should not be edited afterwards, right?
<gchristensen>
eyJhb: not sure why nixos/nix is so large
<gchristensen>
eyJhb: when I use buildLayeredImage with hello it is 6.8M. Nix is 23M
<gchristensen>
I think the nixos/nix image is used for something totally different
<gchristensen>
mysql is 99M (the official mysql image is 127)
<eyJhb>
gchristensen: you might be right. So is the total size of "hello" 6.8 default, and 23 using nix?
<gchristensen>
(example stolen from the link I sent)
<eyJhb>
andi-, gchristensen and if I want to import pkgs, so I could make multiple in the same .nix file? Because of course this does not work - https://termbin.com/lpc7
<gchristensen>
I was assuming more familiarity with nix, sorry: let pkgs = import <nixpkgs> {}; in pkgs.dockerTools.buildLayeredImage { name = "hello"; config.Cmd = [ "${pkgs.hello}/bin/hello" ]; }
<eyJhb>
gchristensen: that is a fair assumption to make, I should at some point be used to this...
<eyJhb>
Is there any good way to import the image as well, in a nix way?
<gchristensen>
like for a nixos config?
<eyJhb>
Or generally for when I run nix-build, that it will show up in docker images afterwards
<srhb>
eyJhb: nixery!
<srhb>
Or a systemd unit that just loads the tarball
<__monty__>
It lists all hashes, truncates them, sorts so collisions are adjacent, counts the number of adjacent occurrences, greps for all the lines *not* starting with a count of 1, then counts those lines.
<__monty__>
Ah, those are the number of collision hashes. Technically the number of collisions is the *sum* of the counts.
<infinisil>
Hm yeah, so it only counts >2 collisions once
<__monty__>
Might as well drop the count for that optimal performance : )
<yorick>
__monty__: how?
<__monty__>
uniq -d
<__monty__>
So, if we assume it's a binomial process the probability of 92 collisions is 1.4e-7
<__monty__>
And it's easily within 1sigma, sigma=149...
<eyJhb>
Does.. Does PHP do some kind of variable guessing? It is using $pin1 without having declared it, and is only available within $_POST["pin1"], but it works
<elvishjerricco>
Huh. I can't access anything in `.zfs/snapshot/foo`. Just trying to `ls` it, I get `cannot access '.zfs/snapshot/foo/.': Object is remote`
liff has joined #nixos-chat
red[m] has joined #nixos-chat
<red[m]>
success?
xd1le has quit [Quit: leaving]
<ashkitten>
is it possible to have my server announce services it's running via some sort of dns thing on my vpn?
<ashkitten>
i feel like that was some sort of upnp thing wasnt it?
<samueldr>
avahi might
<samueldr>
well, avahi does
<samueldr>
but then there's the issue of software making use of the tips from avahi
<ashkitten>
ahh
<ashkitten>
does avahi not contribute to the hosts file?
<ashkitten>
also avahi doesn't run on my phone, i think
<samueldr>
iphones run their mdns implementation (is it still named bonjour?)
<samueldr>
but yeah, android devices don't have anything like that in the system :(
<ashkitten>
ah
<ashkitten>
theoretically, how would i set avahi to publish specific ports with specific dns names
<samueldr>
hmmm, I don't know about specific dns names for ports, I know only about the fact avahi can say "here, I am bob.local" and "here, I have SSH on port 22, SSH on port 2222, HTTP on port 80" and such
<ashkitten>
ah
<ashkitten>
i guess i could just have it announce its dns name and then use nginx to proxy like normal
<ashkitten>
and just have some domains be local-only
<ashkitten>
yeah that works for me
<ashkitten>
dont even need mdns for that
<red[m]>
ashkitten: the 'correct' way to do that is via SRV records
<ashkitten>
ah, yeah
<ashkitten>
forgot those existed
<red[m]>
but that's not "announce" per se, but more a record of who provides a service in a specific domain if asked
<ashkitten>
i think proxying what i can through nginx is my move rn
<ashkitten>
even if using https over an encrypted tunnel seems wasteful
psyanticy has quit [Quit: Connection closed for inactivity]
<sphalerite>
ashkitten: you could also use regular DNS with public records but private addresses.
<ashkitten>
that's true
<tilpner>
Private records work well too
<Church->
Ugh, I hate testing out sec utils
<Church->
Always a pain to do it right.
<Church->
Don't suppose someone knows how to create null entries in lastlog/wtmp?
Remosi has joined #nixos-chat
Remosi has quit [Client Quit]
Remosi has joined #nixos-chat
tokudan has quit [Quit: Dunno.]
tokudan has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.6]
drakonis has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 268 seconds]
<tilpner>
Welp, average exposure of 8.81 in systemd-analyze security is nothing to worry about, right?
<gchristensen>
better than an 8.82
<samueldr>
depends if it's a score out of 100 for perfect score
<gchristensen>
true
<tilpner>
This is going to take forever to "fix"
<tilpner>
But now that I know of this, I can't just leave it and feel good about it
<gchristensen>
open a tracking issue, gather collaborators, share the load
<tilpner>
This should probably be done by changing the defaults
<tilpner>
But that might break some services outside of nixpkgs
<tilpner>
Which is fine if it's on unstable ._.
drakonis_ has quit [Read error: Connection reset by peer]
<Taneb>
tilpner: what's the scope here?
<tilpner>
Taneb: I don't understand the question
<tilpner>
Taneb: systemd-analyze security pointed out a bunch of features that could be used to further contain services
<tilpner>
Enabling them by default will make adding new services very annoying
<tilpner>
Keeping them off by default will result in nobody enabling them
<Taneb>
I mean, are you wanting to try and fix this for all of nixpkgs?
<tilpner>
So far I'm just testing with a local service
<gchristensen>
another good thing to do woudl be make a check-list for new services
<tilpner>
But if possible, it probably wouldn't hurt nixpkgs to enable some of these by default
<tilpner>
We don't have to go all out and enable everything
<tilpner>
It would need good documentation though :(
<Taneb>
I'm just looking at what "systemd-analyze security nix-daemon" says
<Taneb>
It's not a pretty sight
<tilpner>
Hah, 9.6
<tilpner>
(Not that the number is a good indicator of anything)
<tilpner>
E.g. RestrictSUIDSGID, MemoryDenyWriteExecute, SystemCallFilter=~@clock should be fine to enable for nix
<tilpner>
But that will need more testing and reading
<gchristensen>
nix-daemon runs a lot of syscalls, how did you come to ~@clock ?
<tilpner>
Maybe I shouldn't have started with the service that secures my data
<tilpner>
gchristensen: Just a random one which I expect it could do without
<tilpner>
It doesn't @reboot either
<tilpner>
*doesn't need
<gchristensen>
I see
<tilpner>
A compromised nix-daemon still needs store access, so it can always just write bad things in there
<gchristensen>
right
<tilpner>
It's more useful with services that can stay in their own little /var/lib directory
<gchristensen>
actually nix-daemon is the perfect candidate
<gchristensen>
put your eggs in a basket and make the basket really strong
<gchristensen>
the ones which are sandboxed to /var/lib and don't run as root and don't do many interesting things ... are less interesting :)
<tilpner>
I'm not saying it's useless for nix-daemon, just that it needs more permissions because it does more things than other services
__monty__ has quit [Quit: leaving]
<ashkitten>
transformers animated rocks
<ashkitten>
that is all
<andi->
Any Nintendo Switch users here? I am thinking of obtaining one for simple gaming without having to care about the platform. Mostly while travelling.
<samueldr>
nixos could run on the earlier models, but I haven't circled back to it
<samueldr>
wait, that's now what you're asking
<samueldr>
that's not*
<andi->
:D
<andi->
I thought about it for a second and then figured that is exactly NOT what I want.. would be neat tho…
<samueldr>
I think it's disingenuous to say "simple gaming", then see amazing games like smash bros, breath of the wild and mario odyssey :)
<andi->
simple in terms of not having to provide the environment or rebooting into some crappy windows ;)
<samueldr>
yeah :D
<samueldr>
imo, worth it
<samueldr>
though the carts taste weird
<andi->
Probably would connect to dock to one of the screens at my desk.. some gaming while waiting for tensorflow to compile...
<andi->
I am mostly in it for the old games from previous consoles... 20$/y for access to them sounds fine-ish.
<samueldr>
important detail: the display has to handle audio out, no way to force audio out any other way than through HDMI once docked
<andi->
I think these screens have audio.. will double check
<joepie91>
andi-: apparently the pre-Vita PSPs are quite suitable as handheld emulators
<joepie91>
and cheaply available
<andi->
joepie91: that sounds interesting but also another timesink where I'll not be able to think about stuff unrelated to computers :)
<joepie91>
andi-: alternatively, one of the sub-$100 emulator handhelds from China which apparently work OOTB :P
<joepie91>
I imagine that Nintendo's selection of oldies is probably going to be quite limited...
<andi->
it is limited. I would hope they'd just offer the old games.. I wouldn't mind buying those that I really enjoyed back then.
<samueldr>
yeah, if it's only for older games, maybe not the more appropriate solution
<samueldr>
though a bunch, if not most, of those are FLOSS violators in all ways imaginable
<samueldr>
from boot, to OS, to emulator cores :(
<joepie91>
samueldr: afaik both of these run Dingux, which is basically a Linux distro originally created for the Dingoo A320, and which runs open-source emulators as themselves
<samueldr>
good luck getting the actual sources used from the vendor