<armin>
if you have any questions about switches or keycap profiles, let me know
<cole-h>
Will do, thanks for the resource and help
<armin>
as a general rule of thumb: if you want to use it in the office, use mx clears. if you care about a tactile bump, use mx browns. if you want it for gaming, use mx red/black.
<cole-h>
What if I want it for all 3? Hehe
<armin>
if you really have weird preferences and kinks, go topre.
<armin>
hmmmm.
<armin>
well the mx brown is probably the #1 all-around switch.
<armin>
do you like linear switches?
<armin>
those with a constant / linear activation curve?
<cole-h>
Never used one. Before I had these Cherry reds, I was on a membrane keyboard :P
<armin>
yea reds are linears.
<armin>
do you like them?
<cole-h>
I don't dislike them
<cole-h>
But, having nothing to compare them to, I can't really say
<armin>
but you do notice they don't have any tactile feedback when pressing keys?
<armin>
ok
<cole-h>
Yeah, I notice that.
<armin>
i have one board with reds actually
<armin>
and i find them much too light for precise typing most of the time
<armin>
also the sound of them annoys me
<armin>
my favourite switch is mx clears btw
<armin>
yeah that keyboards thing. started as a hobby, turned me into someone arcane and alien who "has a keyboard problem".
<cole-h>
Haha
<armin>
i think if i count the keyboards at work in it's about 18
<armin>
and there's still 3 un-built
<armin>
so 21
<cole-h>
Quite a hobby
<armin>
i mean why would any sane person on the planet have 21 keyboards, 7 tapedecks, 2 vinyl decks, or 7 laptops...
<colemickens>
So if I don't want gnupg, can I get away with pkcs11 and a yubikey for most things? I think so... I was going to do this once.
<armin>
(yeah that's me)
<emily>
colemickens: yes but no ed25519 support for pkcs#11
evelyn has joined #nixos-chat
<colemickens>
ahhh
<emily>
colemickens: ed25519 fido2 ssh works, but if you want ed25519 encryption/decryption then you need the openpgp applet
<colemickens>
not that I was getting it with gnupg anyway
<emily>
yes you do!
<armin>
:D
<emily>
all my openpgp yubikey keys are 25519 ^^
<colemickens>
oh I think I just forgot when I burned my initial keys. or didn't know better lol
<colemickens>
nice
<emily>
it's only in new yubikeys
<emily>
they started shipping it sometime late last year I think, I forget when
<colemickens>
it reminds me, I'm overdue for a rotate anyway. one of them got away from me a while back
<emily>
you could just hold off a year and see if they implement ed25519 in pkcs#11 :P
<armin>
btw i was told today that i wouldn't need gpg-agent if i don't plan to use a yubikey. i use ssh-agent though since a decade or so. anything i have to worry about?
<emily>
colemickens: the problem with PKCS#11, OpenPGP, ... is that they only support a static, small number of keys
<evelyn>
gpg-agent is a mandatory part of gpg now though
<armin>
huh
<evelyn>
you can't use gpg without the agent
<emily>
colemickens: which is really annoying, because the U2F/FIDO2 implementation already does the trick necessary to allow arbitrary key derivation without persistent storage
<emily>
colemickens: but they just don't let you use it for encryption/decryption...
<evelyn>
gpg 1.4 does not use the agent, but it is also basically unmaintained
<armin>
evelyn: wow that's weird
<evelyn>
you may not think you are using the agent if you are using 2.x, but that just means you have not noticed it
<evelyn>
if you read the manpage there is hilariously a dummy option called --no-use-agent but it is just an alias for --use-agent
<armin>
well i heavily use ssh but i rarely encrypt things via gpg
<armin>
lol
<evelyn>
because.. I don't know why. It's just confusing
<armin>
there are so many confusing things on today's unix machine
<joepie91>
evelyn: what
<colemickens>
hm, I'd have to refigure out how to do git signing remotely and stuff without gpg-agent forwarding though.
<armin>
cole-h: anyways i have 21 keyboards and ONE of them is ANSI and it is still unbuilt and you can have that if you want.
<armin>
cole-h: i also have BOXES full of keycaps.
<armin>
cole-h: do you touch type or do you look at your fingers?
<emily>
colemickens: fwiw I know someone who set up PKCS#11 instead of OpenPGP for SSH on their yubikey and ended up regretting it for a billion tiny reasons but I don't remember what those reasons were
<cole-h>
It's kinda like a hybrid touch type? I don't rest on homerow
<armin>
cole-h: fuck.
<emily>
colemickens: I just get the impression that OpenPGP is actually somehow less fuss on net
<cole-h>
WAD JIL is where my fingers lay at rest
<emily>
though on non-linux platforms this may be less true
<armin>
damn.
<cole-h>
and ;
<emily>
e.g. chromeos has pkcs#11 integration but not openpgp
<evelyn>
joepie91: what ... ?
<armin>
cole-h: that cannot be true - get a towel and put it over your hands while you type.
<joepie91>
evelyn: just "what". the no-agent thing
<joepie91>
I have so many questions :P
<evelyn>
--no-use-agent This is dummy option. gpg always requires the agent.
<evelyn>
it's so stupid
<cole-h>
Why can't it be true? :P I don't look at my hands, but I don't rest on homerow.
<emily>
armin: (I also touch-type without consistently using the home row)
<armin>
cole-h: no really you must learn to touch-type it will improve your life by 500%.
<armin>
emily: that's ok
<colemickens>
emily: grumble. I feel like every discussion of moving past gnupg ends up in the weeds like this.
<emily>
remember to distinguish "can fluently type without looking at the keyboard" from "learned the specific formal touch-typing rules"
<joepie91>
I touch-type and don't use the home row at all
<emily>
the latter don't necessarily optimize for efficiency, though they probably have ergonomic benefits
<armin>
i always use the f and j bumps on the keycaps
<armin>
i just feel them
<emily>
I've been typing since I was ~3 so I'm pretty good at it I think >_>
<armin>
it's the best thing ever
<emily>
colemickens: pretty much
<samueldr>
you can feel them but not actually do the formal touch type
<colemickens>
I'm going to give it a go anyway, but I do appreciate the warning :)
<joepie91>
I don't use the bumps at all, I just keep a mental map of the location of my hands on the keyboard
<emily>
colemickens: you should get into hardware design and start making a token with a better protocol ^_^
<samueldr>
(like I do)
<joepie91>
and I don't equally distribute keypresses either, I press most keys with only a few fingers
<samueldr>
I use them when freshly setting my hands on a keyboard, but afterwards they're not really in use
<cole-h>
joepie91: Same.
<samueldr>
sameish
<armin>
joepie91: that surprisingly worked well after a while. i purposefully replaced those keycaps with ones with a normal profile (i use blank keycaps anyways) and after a couple of weeks, finding the home keys was no problem anymore.
<joepie91>
(and I still regularly out-type people who use the homerow)
<evelyn>
the bumps partly wore off my keyboard
<emily>
anyone who thinks you need the nubs to tell where you're typing needs to read the wikipedia article on proprioception
<samueldr>
it's a shortcut to me
<colemickens>
emily: I'm certainly unqualified for both. I'm a bit surprised that one hasn't developed without the other with a shim/emulator type of thing. Back it with some existing stuff, iterate on the protocol on top? I feel like I'm seeing the XKCD comic form before my eyes as I type this...
<emily>
(correlation: typing is really annoying on drugs that mess with proprioception)
<joepie91>
emily: oh, nice.
<joepie91>
lol
<joepie91>
I can imagine
<emily>
colemickens: there's no way to support arbitrary derived keys with the existing tokens/protocols because they're fundamentally based on static key slots
<gchristensen>
emily: do I have proprioception for things that aren't me?
<armin>
i had major problems typing when i just took a hit of some good weed
<joepie91>
emily: I wonder how common it is to be able to visualize/simulate my fingers typing words/texts in my head
<emily>
colemickens: the trick fido/webauthn use is to make the "public key identifier" that you hand out to clients at key generation time be encrypt(new_private_key, root_private_key)
<joepie91>
accurately
<emily>
colemickens: and then you just have to do a decrypt operation to get the private key to work with
<samueldr>
gchristensen: something like ability to use drumsticks to hit things precisely? probably
<emily>
the problem is that this has to be done within the token to avoid exposing the private keys to the client machine
<colemickens>
emily: sure, the shim I'm imagining would be unable to implement the protocol securely.
<colemickens>
it would have to fake it from some sort of poorly-secured storage, or single-keyed storage or something I guess
<emily>
mhm
<emily>
at that point I think you're better off just writing a software implementation
<emily>
there are definitely software implementations of u2f and the like
* colemickens
nods
<cole-h>
joepie91: I can close my eyes and tye fairly accurately. In fact, I usually type faster when my eyes are closed lol
<armin>
fwiw i moved my nixos setup on my laptop from plasma5 to i3-gaps
<cole-h>
(one missed character in that sentence seems pretty good to me)
<joepie91>
cole-h: nono, I mean like when I'm laying in bed, I can 'type in my head'
<colemickens>
emily: do you think fido2 would be expanded ever to cover encryption scenarios, or do you know or other things on this horizon I might want to keep an eye on?
<cole-h>
joepie91: That too
<emily>
colemickens: I don't know if they have any plans to do that -- I kind of doubt it since just solving authentication is a big problem already, but it's also a wide enough consortium that I'm sure there are people interested in painting that bikeshed
<joepie91>
cole-h: ah so I'm not the only one :D
<emily>
I don't know of any "modern hardware cryptographic token" plans beyond cryptocurrency dreck but I'd certainly be interested in hearing about them
<cole-h>
joepie91: I used to do that when I was bored: "type" on my desk or lap or something
<armin>
that whole idea of having to carry around something physical in order to be able to log in to a computer seems wrong to me
<armin>
cole-h: anyways i don't know how many bucks you can spend but you could just look at some vortex keyboards i think.
<armin>
cole-h: i'd recommend them to the highest.
<armin>
cole-h: downside: none of them runs qmk
<cole-h>
Do they have their own customizer type thing?
<armin>
you can customize the whole thing in hardware basically
<armin>
you enter some key combination then the whole thing starts to blink like madly, you enter the source key combination, you enter the destination key combination your mapping relates to, you finish with some special keybinding. that's it.
<cole-h>
Interesting
<armin>
works all the time. not even a need to set what the modifiers should be here and i'm on macos.
<armin>
you just have to mentally understand what keys you need to press to program it and that's it.
<colemickens>
emily: it's not exactly related, but it has come up in terms of replacing gpg-related encryption tasks: https://github.com/FiloSottile/age
<colemickens>
I guess there's a rust impl too, neat.
<armin>
still, QMK does a completely different approach of course, and if you ever edited a custom keymap.c you know how flexible QMK can be.
<emily>
colemickens: right. like I mentioned in #nixos I'm vaguely interested in writing stuff that talks openpgp card protocol but works with age/minisign/... formats
<emily>
which at least would encapsulate the curse and allow less use of gnupg
<colemickens>
emily: aha cool
<colemickens>
"mount enables the rage-mount tool, which can mount age-encrypted TAR or ZIP archives as read-only. It is currently only usable on Unix systems, as it relies on libfuse."
<aleph->
Hmm, time to get a libvirt web interface going... shame I can't just steal proxmox's
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-chat
<samueldr>
I'm looking for something that can make lists, with the main purpose of making a shopping list, that can be synced on android, and usable on desktop (web-based or not)
<samueldr>
where "synced" means using something like syncthing is acceptable
<gchristensen>
[grahamc@flexo:~]$ nixos-version
<gchristensen>
20.03.1577.74a80c5a9ab (Markhor)
<gchristensen>
yy
<samueldr>
and, hard mode, available on f-droid
<samueldr>
gchristensen: took you quite some time ;)
<gchristensen>
I like todoist, samueldr
<gchristensen>
has an okay cli too
<evelyn>
if you use roundcube you can compose notes stored in IMAP in its web client, it's the same mechanism that apple notes uses too
<evelyn>
it's weirdly usable
<evelyn>
I swear it's standardised but I can't find any actual native clients for it
<samueldr>
oh, maybe I forgot to make it obvious, I'm looking for solutions where I am in control of the data, todoist looks like a service-based approach, right?
<gchristensen>
correct
<samueldr>
aw
<evelyn>
well roundcube is self-hosted...
<samueldr>
evelyn: yeah, your suggestion fits more towards my goal
<samueldr>
I'm feeling it's really hard to get out of trello, I've been (mis)using it for too many things
<evelyn>
roundcube used to be kind of crap on mobiles, it has got better though
<evelyn>
it might be also that mobile devices have got beefier
<samueldr>
and I've seen nothing as misusable as that that has an okay interface on desktop and mobile, and offline use on mobile
<evelyn>
quite surprised at this point there isn't something OSS that's the equivalent of the neat apple notes iphone app
<samueldr>
evelyn: what is it called in the interface?
<evelyn>
given all it does is sync the messages as IMAP messages
<samueldr>
I'm trying to find what's the imap feature it relies on to search about it
<evelyn>
one sec I'll log in (although this is to my email provider's webmail, I don't run a roundcube instance any more sadly)
<evelyn>
but I distinctly remember using it
<samueldr>
no worries, I simply want a string to grep for in the source code :)
<evelyn>
I think it's at the top by the calendar?
<samueldr>
I don't have roundcube running
<samueldr>
finally found something (elsewhere) about the name of that feature
<evelyn>
yeah the problem is that it's such a generic search term it's really hard to find anything
<evelyn>
FWIW my email provider is not Fastmail :)
<samueldr>
exactly, I've not had much success finding anything about it
<evelyn>
I tried making a cute program to synchronise the folder and let me edit them as rich text in emacs (or $editor) but I can't work out how to submit them again so that apple notes and roundcube like them
<evelyn>
roundcube just thought they were emails
<evelyn>
and they didn't appear in the notes interface, just in the IMAP folder
<evelyn>
it's all weirdly undocumented and it strikes me as though it's an apple thing that then roundcube has adopted
<evelyn>
but apple have since added new features to the notes app and you can't synchronise those notes with IMAP accounts, only their email/storage service seemingly
<evelyn>
it's a shame because it's actually a really good idea, and when Apple notes works it works great.
waleee-cl has quit [Quit: Connection closed for inactivity]
<aleph->
Man figuring out getting a cluster running is a pain
<aleph->
Maybe two giant VM's for proxmox and just run nested VM's...
slack1256 has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.8]
aranea has quit [Ping timeout: 265 seconds]
immae has quit [Ping timeout: 265 seconds]
ajs124 has quit [Ping timeout: 260 seconds]
das_j has quit [Ping timeout: 260 seconds]
joepie91 has quit [Ping timeout: 265 seconds]
hexa- has quit [Ping timeout: 265 seconds]
aranea has joined #nixos-chat
immae has joined #nixos-chat
ajs124 has joined #nixos-chat
das_j has joined #nixos-chat
hexa- has joined #nixos-chat
slack1256 has quit [Remote host closed the connection]
cole-h has quit [Quit: Goodbye]
parsley936 has joined #nixos-chat
<hyperfekt>
my phone is dead again :<
<hyperfekt>
hurry up samueldr :b
<eyJhb>
hyperfekt: I should buy a new phone in general. I think my OnePlus One is a little old... So would be perfect if NixOS worked as a daily driver when that dies samueldr :p
ashkitten has quit [Ping timeout: 272 seconds]
ashkitten has joined #nixos-chat
<manveru>
armin: i'd love to get some fractals for wallpapers... and generate a new one every half hour or so :)
<viric>
Ah what thing is there in nixpkgs that uses opencl?
<viric>
successfully.
<srk>
ooh, is it that bad?
<manveru>
srk: it just uses my cpu i guess?
<srk>
manveru: there's a flag to disable opencl as well if it causes trouble but I want to try with openCL support
<manveru>
well, it renders some random settings file for me from the cli, just has no textures...
<manveru>
and doesn't really solve my issue of generating random fractals for me, i still would have to write random settings files :P
<manveru>
i dunno anything about opencl, sorry
<srk>
manveru: combine with afl_fuzz :D
<viric>
srk: I was making an innocent question
<srk>
ah :) no idea then, mandelbulber is the first app I've noticed using openCL
<viric>
Then opencl may run emulated or on hw
<viric>
I'm not sure how to check it runs on hw
<viric>
(I think of Intel GPUs)
<viric>
I played a bit with opencl but I think it run emulated in my tests.
<srk>
(I'm using nvidia-smi)
<viric>
I mean that the fact that it runs opencl kernels it doesn't mean they run on hw
<srk>
I see
<viric>
rendering fractals seems like a good testbench for it though
<sphalerite>
gchristensen: what's up with the new twitter name/picture?
<MichaelRaskin>
sphalerite: an experiment whether writing the exact same things under differently stereotyped persona changes the reactions.
<aanderse>
i'm guessing MichaelRaskin hacked the account
<aanderse>
;-)
<MichaelRaskin>
And also the IRC one?
<MichaelRaskin>
I think Graham has also answered the question on IRC by now
<aanderse>
well i guess there goes that theory
<MichaelRaskin>
Also, on Twitter Graham has confirmed it on different days, so that would require a pretty persistent control — and not stopping to post stuff very similar to the style of real Graham.
<qyliss>
maybe real Graham is just also using his twitter account and hasn't noticed your changes
<MichaelRaskin>
And mentions on this topic are the only ones never noticed?
<qyliss>
yes
<MichaelRaskin>
Do I need to also have hacked the person who proposed the experiment?
ottidmes_ has joined #nixos-chat
ottidmes has quit [Ping timeout: 264 seconds]
<andi->
For a second I thought someone was copying all his tweets.. I wish you could just disable the display name and use the handle instead.
<qyliss>
i used to do that in tweetbot, long long ago
<__monty__>
Just duplicating another person's twitter?
<__monty__>
Why?
<andi->
I have seen things on twitter that don't make any sense..
<MichaelRaskin>
__monty__: pretending to be a legitimate account for later use, obviously
<qyliss>
lots of spam bots do that to evade the algorithms, IIRC
<qyliss>
copy stuff from other accounts, occasionally mix some spam in there
<__monty__>
So you were running a spam bot?
<gchristensen>
I confirm what MichaelRaskin is saying :)
<gchristensen>
can an ssh CA's public key be put in a user's authorized_key list? the docs under AuthorizedPrincipalsFile seem to say yes, but I'm getting PAM authentication errors despite the ssh client sending the right cert / key
<gchristensen>
the user is in the principals... but no extensions on the certificate
<sphalerite>
note to self: cleaning up a git history after the fact is not fun.
<Valodim>
gchristensen: yes they can, I've seen that before
<gchristensen>
hrm
<sphalerite>
gchristensen: ha, neat
<lukegb>
gchristensen: did you prefix it with "cert-authority"?
<gchristensen>
I didn't :)
<lukegb>
you probably also want the principals="" thingy too
<gchristensen>
that sounds like a good step
<lukegb>
but I forget the exact syntax
<gchristensen>
nice, thanks lukegb!
noonien has joined #nixos-chat
<gchristensen>
lukegb: success! thank you!
avn has quit [Ping timeout: 244 seconds]
<__monty__>
gchristensen: Has your ssh setup simplified your workflow a lot? Or is it not worth the effort on ~5 boxes?
avn has joined #nixos-chat
obadz has quit [Quit: brb]
obadz has joined #nixos-chat
<gchristensen>
not worth the effort
<__monty__>
Thanks, good to know.
drakonis has joined #nixos-chat
waleee-cl has joined #nixos-chat
<LnL>
gchristensen: I initially thought I accidentally followed another account that wasn't actually you :p
<{^_^}>
nixops#1325 (by adisbladis, 6 minutes ago, open): tests: Add functional tests using NixOS in Docker
<adisbladis>
What other testing approaches do ppl have for testing NixOS things in public CIs?
<edef>
gchristensen: you can, yes
<edef>
oops, was scrolled up
<ornxka>
im switching from master to nixos-unstable/nixpkgs-unstable and i saw that nixpkgs-unstable hadnt been updated in 9 days
<ornxka>
at first i was like "hm, thats no good, maybe i should stick with master" and then i thought "wait a sec, if the builds are failing, then thats exactly why you dont want to be using master in the first place"
rardiol has joined #nixos-chat
<emily>
there is nixos-unstable-small for servers if you don't need builds of every package
<srk>
would be cool if there was ProtectAll and a whitelist as well
<lukegb>
I think they're avoiding doing that because if you add more sandboxing options you risk breaking people when they update
<lukegb>
so really it'd be named ProtectAllThisWillBreakIfIUpdateSystemd :P
<srk>
makes sense
<srk>
hehe :D
<tilpner>
srk: Did you run systemd-analyze security yet?
<srk>
tilpner: yup :)
<srk>
it's not very happy :D
<tilpner>
Aww. I was trying to trick you into fixing that
<srk>
yeah, I was about to add that's one more thing to obsess about :D
<emily>
tilpner: the second-best scoring is one I wrote, do I get to feel smug? :p
<emily>
tilpner: in fact it'd be the best-scoring but it doesn't realize some hardening options imply other ones and wrongly penalizes it :(
<tilpner>
emily: Slightly, but it's not going to help you sleep, knowing all the other UNSAFE are still out there
KeiraT has quit [Ping timeout: 240 seconds]
<tilpner>
(Is it working?)
<emily>
tilpner: it did make me consider git switch -c systemd-service-hardening and just fix all the ones on my system
<tilpner>
(do it)
<emily>
tilpner: ...however then I thought about how much arguing with people and back-compat concerns that would probably involve to get merged
<tilpner>
._.
<emily>
I do wish stuff defaulted to more "share-nothing" than "share-everything"
<emily>
but I can understand a limited appetite to break existing software that assumes ambient everything
<emily>
I feel like the Nix Way™ would be to sandbox everything off by default and explicitly share only what you need to between services
<tilpner>
Yes, but you need a good interface, documentation, and lots of testing (read: many many hours) for that
<tilpner>
I still have it on my ever-growing todo list :c
<emily>
yeah
<emily>
I forget their nick now, but someone was talking in #nixos a few days ago about whether there's any interest in an abstracted service management interface that would allow the backend to be swapped out; it seems like that would gel nicely with moving towards a more locked-down-by-default model rather than mapping directly to systemd services
<emily>
might be worth collaborating on?
rardiol has quit [*.net *.split]
avn has quit [*.net *.split]
parsley936 has quit [*.net *.split]
vesper11 has quit [*.net *.split]
mtjmullen has quit [*.net *.split]
ornxka has quit [*.net *.split]
kgz has quit [*.net *.split]
lejonet has quit [*.net *.split]
pie_[bnc] has quit [*.net *.split]
ornxka has joined #nixos-chat
rardiol has joined #nixos-chat
KeiraT has joined #nixos-chat
kgz has joined #nixos-chat
vesper11 has joined #nixos-chat
parsley936 has joined #nixos-chat
avn has joined #nixos-chat
mtjmullen has joined #nixos-chat
lejonet has joined #nixos-chat
<gchristensen>
hrm, it seems something has broken for me w.r.t. bash and coproc isn't working right
neeasade has quit [Remote host closed the connection]
KeiraT has quit [Ping timeout: 240 seconds]
mtjmullen has quit [*.net *.split]
lejonet has quit [*.net *.split]
parsley936 has quit [*.net *.split]
avn has quit [*.net *.split]
lejonet has joined #nixos-chat
mtjmullen has joined #nixos-chat
parsley936 has joined #nixos-chat
avn has joined #nixos-chat
<abathur>
?
<gchristensen>
qyliss: I don't suppose you have an example of go code dealing with SSH certificates :P
<cole-h>
I've subscribed from this issue 3 times now
<cole-h>
Stop sending me notifications for it
<gchristensen>
qyliss: d'oh, of course :x
* gchristensen
is debugging a Go implementation of SSH, where he can't see the logs or source code
<cole-h>
Ouch
<ajs124>
I'm putting off debugging a patch against the bird routing daemon, because I know I was partially responsible for writing it, but don't understand how any of it works.
<gchristensen>
ouch
<ajs124>
I'm kind of doubting anyone did at the time. Which would explain why it's broken.
KeiraT has joined #nixos-chat
<armin>
gchristensen: ouch, why would you do that to your life?
KeiraT has quit [Ping timeout: 240 seconds]
<gchristensen>
because I like nice things :(
KeiraT has joined #nixos-chat
KeiraT has quit [Ping timeout: 240 seconds]
KeiraT has joined #nixos-chat
<elvishjerricco>
Upgrading to 20.03 from 19.09. `git diff | wc -l` says 960 for my config repo. O_O Granted, 510 of that is a node2nix package update :P But 450 lines in my config is still a lot... I do a lot of weird things with NixOS :P
<samueldr>
s/weird/fun/ hopefully?
<elvishjerricco>
samueldr: I think so
__Sander__ has joined #nixos-chat
<elvishjerricco>
Hm. I may be misremembering, but I think LUKS is using a lot more CPU with 20.03
<eyJhb>
gchristensen: what is the end goal? And I love seeing some Go love in here!
<eyJhb>
:D
<eyJhb>
Just wrote a test, that had a race condition. Loving it. But the code was free from it however
<gchristensen>
eyJhb: trying to get ssh-ca support :)
<eyJhb>
But why in Go?
<gchristensen>
their SSH server is written in Go
leah2 has quit [Ping timeout: 246 seconds]
endformationage has joined #nixos-chat
leah2 has joined #nixos-chat
noonien has quit [Quit: Connection closed for inactivity]
parsley936 has quit [Remote host closed the connection]
<colemickens>
cole-h: did you ever post your pass-rs? ripasso is I guess more confused on "richer" clients, I hadn't realized at the time when I told you about it.
<colemickens>
cole-h: I'm back on my "I want a libsecret frontend for my pass store" game and this is the most immediate problem I want solved right now and I'm in a Rust mood.
<colemickens>
s/confused/focused. can't do English today.
<cole-h>
colemickens: It's private right now, and I haven't done a whole lot of work on it recently. I'll make it public, though. Feel free to do stuff with it. Be warned: there are probably edge cases I haven't tested for yet.
<cole-h>
The shortcoming I'm most unhappy with atm is that searching for entries doesn't generate a tree like pass does. I haven't done much work in getting that to work
KeiraT has quit [Ping timeout: 240 seconds]
<cole-h>
atm I follow gopass's lead in that it just shows the path e.g. `Internet/amazon.com/testuser/password`
<colemickens>
this is much more than I expected based on how you'd sold it, so I'm quite happy.
<colemickens>
well doc'd too, props
<cole-h>
"well-doc'd"
<cole-h>
In a manner of speaking
<colemickens>
"a crabby rewrite" how is that the first time I've seen this.
<cole-h>
:P
<cole-h>
:D
<cole-h>
ngl, that's the thing I'm most proud of for this project...
<cole-h>
btw, a good first contribution would be to fix up the zsh and bash completions... those were autogenerated, while I manually tweaked the fish ones.
tokudan has quit [Remote host closed the connection]
<cole-h>
... I guess I could make that a labeled `good-first-issue` in case other people find it...
__Sander__ has quit [Ping timeout: 256 seconds]
tokudan has joined #nixos-chat
KeiraT has joined #nixos-chat
<cole-h>
colemickens: Also, some/most of my early commits had a lot of details on things I did and why, which you may or may not find interesting.
<colemickens>
hm, I guess I'm not even sure what pass feature you're talking about vis-a-vis the tree? or maybe I don't use nesting enough to notice?
<cole-h>
colemickens: `pass find test` vs `passrs find test` and you'll see
<cole-h>
(filing an issue for it right now, too)
<colemickens>
hm, maybe gopass implements this the same as passrs, so I don't notice
<colemickens>
I don't know that I've ever actually used pass :|
<cole-h>
Yeah, I followed gopass here
<colemickens>
aha okay
<cole-h>
Just opened issue 2 -- it has an example of both
<colemickens>
heh, just started using fish myself, thanks to you also
<cole-h>
:^)
lassulus has quit [Ping timeout: 250 seconds]
<__monty__>
Fish's history completion is so nice.
lassulus has joined #nixos-chat
<cole-h>
It's really nice. I especially like how it doesn't suggest files that don't exist in the current directory
Peetz0r is now known as Peetzinat0r
Peetzinat0r is now known as Peetz0r
andi- has joined #nixos-chat
__monty__ has quit [Quit: leaving]
<cole-h>
colemickens: Just making sure you saw my two edits in passrs#2 -- hopefully I've clarified my position a bit more
<armin>
just my tiny nixos setup on my >10 years old x220 laptop
andi- has joined #nixos-chat
<evelyn>
uh isn't x220 from 2011?
<evelyn>
distinctly recall being given one when it came out, exactly 9 years ago to this day.
<evelyn>
It ran openSolaris after a few months.
<evelyn>
(or whatever it was that came after that. it was solarish.)
<waleee-cl>
evelyn: openindiana
<qyliss>
I thought x220 was 2012
<armin>
evelyn: i had one of the first ones with ips, that's all i remember
<armin>
could be that it's only 9 years :)
<armin>
fwiw i don't like fish much, i'm probably just not someone who likes to configure a terminal shell in a browser :)
<qyliss>
I'm upgrading from an x220 tomorrow
<qyliss>
because i have recently discovered that contrary to my earlier beliefs, there are modern corebootable laptops
<samueldr>
system76, or a chromeos-based one?
<armin>
which one did you get?
KeiraT has quit [Ping timeout: 240 seconds]
<qyliss>
the latter
<samueldr>
be careful with sound!
<qyliss>
I ordered a second-hand Google Pixelbook
<qyliss>
Yeah I'm gonna have to run cras
<samueldr>
ah, if it's the earlier pixelbook there should be no issue
<qyliss>
but that's okay
<evelyn>
oh yeah all the chromebooks run coreboot... even the pixel c runs it
<evelyn>
(it isn't a chromebook but it was going to be)
<qyliss>
You can really easily flash your own stuff too
<samueldr>
with more recent ones, I wouldn't be surprised if it's actually possible to fry the audio circuitry with the weird setup they're using :(
<samueldr>
yes!
<samueldr>
and go back!
<samueldr>
their hardware team at the chromeos side should teach tricks to android OEMs
<qyliss>
The security chip, embedded controller, and bios chip all have open source firmware
<qyliss>
And the EC and bios are both user replaceable!!
<samueldr>
and safely!
<qyliss>
Yeah!
<samueldr>
got a suzy Q cable?
<samueldr>
that really is helpful
KeiraT has joined #nixos-chat
<qyliss>
it's in my digikey basket
<samueldr>
though with the one you're getting, not mandatory
<qyliss>
gotta get up to $60 for free shipping
<qyliss>
(sparkfun are out)
<qyliss>
I'm gonna port Heads to it
<samueldr>
nice
<evelyn>
did Heads fix the build system?
<qyliss>
no it's still garbage
<evelyn>
it used to just download everything without verification
<qyliss>
oh it does shasum things I think
<evelyn>
they claimed it was a coreboot issue, but then when coreboot fixed it they didn't upgrade the build system for 18 months
<evelyn>
(to use the new coreboot version)
<qyliss>
Yeah Heads is really poorly maintained
<qyliss>
I also hate that it's written in bash
<qyliss>
I plan on doing a gradual rewrite of it in Rust or something
<qyliss>
and then giving it a proper build system
<samueldr>
qyliss: is heads a linux system in coreboot?
<evelyn>
no but it's worse than that, they claim it has reproducible builds but it's really not
<qyliss>
pbb has been doing a bunch of work to build coreboot with Nix
<samueldr>
ooh, nice
<evelyn>
if you build it on anything that's not debian or fedora it's not guaranteed to be reproducible
<samueldr>
(that would explain why bash)
<qyliss>
yeah, but that's just reproducible builds being Hard
<qyliss>
samueldr: yes, it is
<qyliss>
it's really need
<qyliss>
*neat
<qyliss>
if something goes wrong at boot I get a busybox shell
<qyliss>
And it means I have no BIOS or EFI
<evelyn>
don't run ping though
<evelyn>
there's no job control
<samueldr>
qyliss: hopefully we can figure out a way to cross-pollinate for the android boot.img
<qyliss>
I boot straight to linux and then kexec
<evelyn>
you literally can't cancel it
<samueldr>
heh
<samueldr>
power button goes brrrrrr
<evelyn>
'my bios is bricked because ping can ne'er stop'
<samueldr>
I figure holding the power stops ping, or else we'd have... quite the situation :)
<evelyn>
also the tutorial is really dangerous
<qyliss>
there's also a bunch of stuff Heads could do better if it were specific to a NixOS-style system
<evelyn>
you can brick the x230 which is what it is developed on with their instructions
<MichaelRaskin>
qyliss: when I was hanging out at Mayflower office one Friday, I think Linus Heckelmann was building Coreboot for Chromebook with Nix and succeeding.
<samueldr>
an aarch64 one though, but still should work on it
<evelyn>
they say you should flash with an external power supply, but that has bricked many x230s
<qyliss>
It was broken on intel for ages because we didn't have an ada compiler
<qyliss>
but pbb either just merged or was just about to merge a PR to bring gnat back
<samueldr>
nice!
<samueldr>
I think andi- was at some point wanting that
<andi->
yes, coreboot <3
<qyliss>
Aww yeah, gnat is in master again :D
noonien has joined #nixos-chat
<qyliss>
Oh no, in staging
<qyliss>
Still
<samueldr>
staging is like the cool new master
<qyliss>
lol
<cole-h>
Staging has been getting pummeled this last week
<cole-h>
openssl, coreutils, binutils, gtk3
<qyliss>
A SpectrumBoot sort of thing, based on Heads, would be a fun sorta-side project to do
<qyliss>
We could have a proper build system, and good documentation, and nice integration with Nix-built systems
<qyliss>
samueldr: what does the android boot.img do?
<samueldr>
in a normal android system, it's the kernel and sometimes the initrd that runs
<samueldr>
in a mobile nixos system, it's the kernel, recovery, and generation selection
<qyliss>
aha!
<qyliss>
generation selection is a problem I will have to solve too
<samueldr>
which is why this would be somewhat relevant
<qyliss>
Heads tries to parse grub.cfg
<qyliss>
in bash
<samueldr>
I also want some help RIIR a bit
<qyliss>
And it fails horribly on NixOS grub.cfg
<qyliss>
But fortunately it does manage to parse NixOS extlinux.conf
<samueldr>
but I have a hard to fix issue, where cross-compilation as in nixpkgs-based cross-compilation for rust seemed out of reach to my neophyte ass
<qyliss>
But only if it's named /boot/grub/grub.cfg, lol
<samueldr>
hah
<qyliss>
Oh, hmm :(
<samueldr>
I don't even parse a file!
<samueldr>
I simply read the generations on disk
<qyliss>
that's cool
<samueldr>
but I don't have kexec going
<qyliss>
I don't really know anything about cross-compilation :(
<evelyn>
fun fact: it should be possible to boot freebsd with kexec, at least on power9.. maybe the linux freebsd bootloader too.
<qyliss>
just in case that's helpful
<qyliss>
oh wow, cool
<samueldr>
ah, in my case it's literally because I'm not there yet :)
<evelyn>
s/linux/amd64/
<samueldr>
I am 99% confident I can just kexec "as usual" and it'll work
<samueldr>
though thanks
<qyliss>
It looks like that's pretty much all Heads does
<samueldr>
one of the issues I had definitely was biting off too big of a chunk at once with trying to do it with rust, since I would have to deal with learning how to develop the dang thing at the same time
<samueldr>
so I ended up going with mruby for a proof of concept
<qyliss>
ooh mruby
<qyliss>
Yeah a neat thing with Heads is that it's a bunch of small shell scripts that all call each other
<qyliss>
So I can start by just rewriting them one at a time and dropping them in
<qyliss>
As long as I can keep the images small enough
<samueldr>
with android-based devices, the minimum spec is ~7MiB for the compressed initrd
<samueldr>
which with udev and libsystemd I'm just over budget, that's something else I need to look into
<qyliss>
Heads targets devices with 8MiB including an ME, I think
<samueldr>
yeah
<samueldr>
what I was going for is there's much more room for activity on the android-side of things
<samueldr>
but we also have annoying things to contend with, like no VT at all (on OEM kernels)
<evelyn>
you can reduce the ME to 1.5MB (if you use the one that comes with Chromebooks)
<samueldr>
so you have to make a UI that works on the framebuffer :(
<samueldr>
though it also scratches my itch of making things pretty
<qyliss>
I should upstream linux_cros into Nixpkgs
<evelyn>
so you get ~9MB of space to play with on the x230, if you replace the 4MB chip with an 8MB one you get 16MB in total (max supported by the hardware is 2 8MB chips)
<armin>
i actually just keep postponing to build my new workstation linux machine and just use my work macbook pro as a desktop machine on a large 32" display and call it a day. shoot me.
<qyliss>
We have it in Spectrum for VM kernels, but it would presumably also be extremely useful for people who just want to run NixOS on Chromebooks
<evelyn>
and if you do that you can also socket the chips so that you don't have to flash them on the motherboard
<samueldr>
nixos-hardware, maybe more
<qyliss>
samueldr: heads has some sort of UI
<samueldr>
oh, neat
<qyliss>
I don't use it and don't know how it works
<samueldr>
I'm not too fond of having even the raspberry pi kernels in nixpkgs
<qyliss>
But Purism use it on their laptops I think
<evelyn>
that's what I did before the CMOS battery caught fire and burnt part of the motherboard
<qyliss>
nixos-hardware would mean people had to build their own kernels, which would be a bit of a shame
<qyliss>
I can see that putting people off using nixos-hardware at all
<qyliss>
evelyn: oh that's neat, I didn't realise you could upgrade that
<evelyn>
the purism UI is a crap little shell script that uses whiptail (I think it's related to systemd's prompt somehow but I'm not sure) and it's dreadful
<evelyn>
the messages it spits out aren't coherent
<evelyn>
but it's a "UI"
* armin
loves shellscripts :)
<qyliss>
Oh yes, fbwhiptail
<evelyn>
but if you wait for a few minutes, it will boot automatically I think
<samueldr>
what I ended up going for is based on LVGL
<evelyn>
I stopped using heads because it used gpg 1.4
<samueldr>
(though had I known about fbwhiptail I probably would have investigated it)
<evelyn>
I don't think they have gpg 2.1 yet
<samueldr>
though LVGL is made for embedded use, and is more than whiptail https://littlevgl.com/
<evelyn>
I gave up trying to package that as the build system is so unpleasant
<qyliss>
yeah it could really do with being Nix
<evelyn>
one of the purism employees kept CC'ing an issue I made and I think they might have used my fork as the basis of their packaging of it but I unsubscribed and blocked any email from anyone at purism as they are trolls
<qyliss>
I know of at least a couple of good people at purism
<qyliss>
But the company overall is extremely suspect indeed
<qyliss>
I really shouldn't spend too much effort on boot stuff because it's only going to be useful to the small subset of users with compatible hardware
<qyliss>
Now they seem to be adding a new product to their website every month
<qyliss>
Have you seen they're selling a server now??
<qyliss>
LittlevGL looks cool
<samueldr>
it has some clunk to it
<samueldr>
but its primitives are pretty well done
<samueldr>
the clunk is mostly for the developer-side of things
<samueldr>
user-side it's quite slick
<samueldr>
and with the mruby binding I can abstract the clunkiness away
<qyliss>
tbh for spectrum I'm hoping generation choosing won't really be necessary, because the host side should be very small and mostly static
<evelyn>
the purism server seems to just be a rebranded supermicro computer
<qyliss>
Yeah
<qyliss>
I assume it's the one that Mullvad ported Coreboot to recently
<qyliss>
(Which is a really cool development!)
<samueldr>
I was hoping that if we can have a common core of features, to which we can add features, it would be better to share what we can, though at the same time, I know how hard it can be
<MichaelRaskin>
qyliss: Three words, upstream CrosVM update.
<qyliss>
Yeah I guess that'll break things
<qyliss>
samueldr: it's tricky -- I'm very keen to (if I do this at all) start with Heads as a base, because it has all the functionality I want already
<MichaelRaskin>
I won't even try to deny that the design sketch for Spectrum that I tried to be pushing is intended to be, among other things, compatible with running Spectrum-like VMs on top of Nix-on-Linux
<qyliss>
But this is all pretty low priority for me, like I said, because most hardware won't be compatible at all, and installing it on most hardware that does is such an involved process
<samueldr>
qyliss: in fact, I would say, at first implement it as you see fit, at worst (for me) you'll have something that is good enough :)
<qyliss>
so I might never even get to it
<MichaelRaskin>
qyliss: also, I would _assume_ that «what-VM-can-see-what» is a host feature, and this definitely sounds like also needing generation choice
<samueldr>
qyliss: though, what if the same bootloader was part of a UEFI built linux kernel+initrd?
<samueldr>
(with secure boot)
<MichaelRaskin>
qyliss: I think even for the first release being a NixOS profile is probably good enough.
<qyliss>
samueldr: would that be any easier to install?
<samueldr>
than?
<qyliss>
the current coreboot+Linux payload
<qyliss>
Or do you mean it would have more hardware support?
<samueldr>
it would be applicable to, like, all UEFI computers
<qyliss>
Most modern computers have BootGuard, though, don't they?
<samueldr>
that's one thing I'm soon going to work on with my implementation, to dogfood the whole stack
<qyliss>
Presumably that stops you swapping out the EFI
<samueldr>
yep
<samueldr>
so less useful, but security is in layers
<samueldr>
you can do the assumption (even if wrong) that it is safe and use secure boot from your bootloader to continue with your bootloader
<samueldr>
"you" not being you, but "someone"
<qyliss>
interesting
<samueldr>
anyway, that's something to think about, a kexec-based bootloader can be applicable to more than being the actual firmware
<samueldr>
imagine a server, where you replace grub with such a kexec-based bootloader
<samueldr>
you could ssh to select a generation
<samueldr>
that's my sales-pitch for a more broadly-encompassing project