gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<cole-h> https://i.imgur.com/Y4ozyTB.png GitHub u ok?
<julm> huh, there is a huge /run/current-system/sw/bin/[ --help
<cole-h> Because that's coreutils
<samueldr> that does seem to work, pie_
<samueldr> I torture tested with a chromium, at 1GB max
<samueldr> and chromium itself is having trouble
<samueldr> but everything else seems fine
<pie_> \o/
<julm> so apparently the cgroup memory controller is enabled by default on nixos, doesn't this have a cost?
<samueldr> every decision has a cost
<julm> if I not mistaken there was a time on debian where it was not enabled by default
<pie_> i think a lot of our systemd settings just come from defaults, but i dont know
<pie_> by which i mean upstream systemd defaults
<pie_> dunno if that applies here
<samueldr> pie_: just for fun, do you have like an overlay that wraps firefox into a stub that runs that automatically, or how do you ensure it will be managed?
<julm> apparently there is a new memory controller on its way https://www.phoronix.com/scan.php?page=news_item&px=Slab-Mem-Alloc-December
<gchristensen> systemd-run --user --scope --property MemoryHigh=1M google-chrome-stable <- okay now this is painfully slow, perfect!
<qyliss> how much memory is it using gchristensen?
<cole-h> 1M, duh
<cole-h> (Sorry)
<samueldr> (X) DOUBT
<cole-h> :D
<gchristensen> Memory: 1.9M (high: 1.0M)
<qyliss> damn
<danderson> wow
<danderson> does... it... do... anything?
<cole-h> Wait, so I was close
<danderson> I assume it's having a very bad day
<gchristensen> no, it hasn't done a single useful thing
<cole-h> Hahahaa
<JJJollyjim> So normal web browser behavior then
<gchristensen> the only indication anything is happening is systemd-run printed Running scope as unit: run-re590410367a6401bab16871d1cb664a4.scope
<JJJollyjim> :P
<gchristensen> and it hasn't exited yet
<danderson> pretty sure 1M isn't enough memory for tcmalloc to initialize itself
<danderson> so I wouldn't hold my breath :D
<gchristensen> fine I'll give it 4...
<pie_> samueldr: its crappy ad hoc put a runner script in my environment right now
<samueldr> alright
<pie_> samueldr: which is why i forgot that it exists for like two months and started using it again recenrly
<danderson> gchristensen: probably just about enough to print one "G" in "Google Chrome" :)
<samueldr> I'm wrapping it like I did for the MOZ_USE_XINPUT2=1 setting
<pie_> because when i reboot kde starts firefox sort of
<pie_> and i have to remember to not use that
<pie_> link me and i might cannibalize later
<infinisil> I have a script somewhere to determine the minimum amount of memory Nix needs by combining systemd-run with a timeout if it takes too long to start
<infinisil> And some bisection
<danderson> hm, can't you make the memory limit hard, so it gets killed when it goes over?
<infinisil> danderson: Yeah that's what I had initially, but Nix manages to get by with *very* little memory *if* you give it long enough
<julm> found some doc on the cost of enabling the memory controller: https://cateee.net/lkddb/web-lkddb/CGROUP_MEM_RES_CTLR.html
<danderson> huh, I wonder how that works. It's C++, right? So we're not talking GC thrashing... Or are we?
<gchristensen> it is running about 1 openat syscall every 30s
<infinisil> Here's the script: https://paste.infinisil.com/gJaFRbtZuo.sh
<infinisil> gchristensen: Should also work for chrome if you want to give it a try ^
<infinisil> (well if you adjust it to use chrome instead of nix-instantiate)
<infinisil> Oh though it relies on Nix relling it the initial memory amount with NIX_SHOW_STATS
<infinisil> Guess that could be hardcoded
<infinisil> The bisection logic is mostly useful there
<samueldr> oops, I probably want more than 1GB for my actual browser
<danderson> I would love to get a breakdown of where all this memory is going in browsers
<danderson> I mean, fair enough, turns out large framebuffers aren't cheap, even moreso with 4k displays
<samueldr> I think it's in my 27 windows, with multiple tabs
<danderson> but... really?
<gchristensen> about:memory can give you.....some...idea..... on ff
<samueldr> but my $actual_browser doesn't handle it cleanly by, like, killing tabs, or so it seems
<danderson> I picture chrome serving a static page on about:memory that just says "it's delicious, got any more?"
<gchristensen> I don't know about chrome but I can confirm that is what ff says
<JJJollyjim> I think Firefox has an about:config for killing tabs
<samueldr> right, I forgot how memey it was to touch that subject, now all we'll be able to see is that apparently chrome needs eleventy bajillion rams
<danderson> I genuinely wonder sometimes if it's safe to have both a web browser and the ZFS ARC cache on a single machine
<samueldr> and now I go forth, forgetting that I have this setting active, and never realising it actually works, or worse, to see that it doesn't make a difference
<pie_> lol geez <infinisil> I have a script somewhere to determine the minimum amount of memory Nix needs by combining systemd-run with a timeout if it takes too long to start
<pie_> danderson: XDDD
<julm> btw, I learned a few days ago about NixOS' confinement= to use systemd-confinement, this could sometimes be used instead of containers.* (ie. systemd-nspawn) for which the nixos rebuild consumes much more RAM (it was ~100MB of RES per container, and that is after disabling documentation which added ~50MB/container). AFAICS there is no mention of confinement= in the 20.03 NixOS' manual.
<{^_^}> #65690 (by davidak, 40 weeks ago, closed): Very slow evaluation and huge RAM usage with many nixos-containers
<{^_^}> #75659 (by danbst, 21 weeks ago, merged): nixos containers: disable NixOS manual in container config.
<{^_^}> #87661 (by dasJ, 11 hours ago, open): nixos/systemd-sandbox: A generic sandboxing module
<emily> confinement of an individual service isn't really comparable to the nixos containers feature imo
<emily> I feel like the latter is more of an organization feature than a hardening one
<qyliss> ^^
<emily> and even with systemd-confinement you need to apply a fair number of other service hardening options to be get like an "isolated container"
<emily> docs would be nice but the feature itself is a bit flaky and could use love
<emily> see also https://github.com/NixOS/nixpkgs/pull/87661, there's a fair amount of work around this stuff recently
<{^_^}> #87661 (by dasJ, 12 hours ago, open): nixos/systemd-sandbox: A generic sandboxing module
<colemickens> <itshappening.gif>
<julm> emily: ack. just mentionning it exists to do filesystem isolation
<infinisil> emily: Oh that's awesome!
<infinisil> das_j++
<{^_^}> das_j's karma got increased to 1
<julm> das_j++
<{^_^}> das_j's karma got increased to 2
<gchristensen> I don't think it is going to start y'all
<cole-h> Still running chrome with 4M? lol
<cole-h> s/running/trying to run/
<gchristensen> I get the impression systemd-run has some really incredible use cases I'm not creative enough to consider
<julm> there are a few examples in the man
<gchristensen> colemickens: I'm having probably silly troubles with sway. I don't suppose you could help a bit?
<aleph-> Hmm I wonder who packages salt stack for nixOS. And why...
<aleph-> Not really much use is there
<hexa-> control your legacy infrastructure from something sane
<aleph-> Okay, more directly why package a salt minion for nixOS
<hexa-> because some people are kinky
<samueldr> is it for nixos?
<samueldr> or is it in nixpkgs?
<samueldr> can this be used on non-nixos from nixpkgs?
<samueldr> I don't really know salt
<hexa-> it can be used on lots of OS
<hexa-> I have a saltstack deployment with debian
<hexa-> though they provide a repo for debian
aleph- has quit [Read error: Connection reset by peer]
<colemickens> gchristensen: sure, happy to help if I can. what's up
drakonis_ has joined #nixos-chat
mitchellh has joined #nixos-chat
mitchellh has left #nixos-chat [#nixos-chat]
drakonis has quit [Quit: WeeChat 2.8]
drakonis_ has quit [Quit: WeeChat 2.7]
drakonis has joined #nixos-chat
vika_nezrimaya has joined #nixos-chat
<ashkitten> gchristensen: what's the line you use for v4l2sink in your modprobe config?
<colemickens> ashkitten: ^
<cole-h> ashkitten: <privesc> modprobe v4l2loopback exclusive_caps=1 video_nr=9 card_label="obs"
<cole-h> where <privesc> is your favorite privilege escalation command (:
<ashkitten> oh cool
<colemickens> But I just make v4l2sink available as a module and specify the options on demand when I load it. Different apps have different requirements, behaviors, as I'm slowly finding out.
<ashkitten> my favorite privilege escalation command is telnet
<abathur> bog; a github account with *10.4K* repos, supposedly over 500 sources and over 9800 forks, followed me
<abathur> I can't imagine the time
<abathur> I feel like I've given out stars like candy for years to everything I found vaguely interesting and I've only starred 553 repos
<ashkitten> i use obs-v4l2sink even though i don't actually need it to capture games because it works way better than window capture in things like jitsi meet
<ashkitten> i'm not sure why
<ashkitten> i get very low framerate in jitsi when using window capture, but with obs-v4l2sink it's very close to smooth
<ashkitten> by the way, is there a way to get gpu utilization stats for amd gpus?
<ashkitten> i know nvidia has nvidia-smi
endformationage has quit [Quit: WeeChat 2.6]
<ashkitten> sway_crashes += 1
<ashkitten> got a fun coredump that i don't know what to do with
* colemickens bites his tongue about sway crashes
drakonis has quit [Quit: WeeChat 2.7]
<ashkitten> it's really fun when i'm doing something and sway takes out my entire session
<ashkitten> i love it
<danderson> oh noes, sway is crashy? I was going to move to it from gnome :/
drakonis has joined #nixos-chat
<ashkitten> but no, sway never crashes, and i've never had to launch a qt application with the xcb backend because dropdown menus go past the bottom of the screen
<ashkitten> (/s)
<colemickens> How do I put this nicely. Yes, sway crashes, and some recent bugs indicate they have some rearchitecting to do that if I were to guess, would've been caught by a certain borrow checker.
<colemickens> Beyond that, I've been suffering mutli-mon issues dating back to October that have recently gotten even more annoying to workaround.
<ashkitten> my favorite thing is how you can't switch between floating windows with the keyboard
<colemickens> I am still using it, and relatively happy with it, so take that for what it is....
<colemickens> ashkitten: hm, I haven't observed that. sometimes I have to guess which "direction" it is in, though maybe that's what you mean :P
<ashkitten> wait, that's a thing?
<colemickens> it would be nice to have a just "cycle through floaters" keybind, I don't think that exists.
<ashkitten> in i3 it's always left/right for cycling through floating windows
<colemickens> tested it right now, floated two terms, I $mod+right and switched from one to the other
<ashkitten> i didn't ever think to try other directions
<ashkitten> oh right
<ashkitten> i forgot i don't have focus wrapping enabled
<ashkitten> i probably tried right but not left
<colemickens> aha
<ashkitten> that sucks
waleee-cl has quit [Quit: Connection closed for inactivity]
<ashkitten> i guess i'll enable focus wrapping
<ashkitten> later
drakonis has quit [Read error: Connection reset by peer]
vika_nezrimaya has quit [Ping timeout: 246 seconds]
drakonis has joined #nixos-chat
cole-h has quit [Quit: Goodbye]
<aterius> It’s sad because I would love to use sway, but wlroots will never support proprietary nvidia drivers
<danderson> more accurately, nvidia will never support the operating system's rendering pipeline
<danderson> even now they're trying to invent a different new standard to replace the perfectly good one that everyone else uses :/
<ashkitten> supposedly they're going to support the common standard, i think i read
<ashkitten> but i doubt drew will remove the restriction from sway
drakonis_ has joined #nixos-chat
drakonis has quit [Read error: Connection reset by peer]
drakonis1 has joined #nixos-chat
drakonis_ has quit [Ping timeout: 265 seconds]
cjpbirkbeck has quit [Quit: cjpbirkbeck]
<colemickens> without wanting to get into it, I think that if nvidia supported gbm that this would all be a non-issue
<colemickens> as for nvidia, I think they keep teasing their alternative to gbm that they refuse to just discuss openly
<colemickens> and then delayed the event due to COVID19 where they were going to announce whatever they were teasing
<colemickens> and now back to just waiting. I know drew rubs people the wrong way but I respect taking a stand on this shit, especially in terms of being on the supporting end of it
<ashkitten> i can respect it
<ashkitten> i think he's kinda an asshole and sometimes wrong but i respect his stance
<danderson> so, who's making wlroots in rust to make that work?
<danderson> I vaguely recall there were blockers in wayland to that, but I forgot :(
parsley936 has joined #nixos-chat
<danderson> and, nvidia's alternative is still just that, another alternative that only nvidia would use
<danderson> unless it's so obviously amazing that everyone switches to it
<colemickens> post/discussion are relevant: https://lobste.rs/s/jhpn1i/writing_wayland_compositor_rust
<colemickens> I'm a big +1 though, for sure, rust+wayland sounds like the future
<ashkitten> danderson: i thought it was implied that gbm would work on top of their new thing?
<danderson> ashkitten: last thing I saw was still "if other vendors get on board"
<danderson> I haven't seen anything about gbm being able to interface with this new thing, but I haven't paid close attention
<ashkitten> meh, like i always say when this sorta topic comes up, until it's a real tangible thing it doesn't matter at all
<ashkitten> they could choose to do whatever they want but until we can write software for it why does it matter?
<danderson> and their 2019 update talk on their new allocator only talks about "integrate support for it into wayland and other libraries"
<danderson> vs. "and now everyone can use it!"
<danderson> and 50% of the discussion was on all the cool nvidia-only extensions this allocator lets them use
<danderson> which... yeah, okay, cool, that's not going to get AMD and Intel on side now, is it
<danderson> also love how they weaponize nouveau to push their ecosystem fracturing, even though they're happy to leave it on the strugglebus when it comes to actually working well
<danderson> grr.
<aterius> I completely agree that nvidia refusing to embrace gbm, along with their stance on not providing their driver source is user hostile... but I still have to use them and still wish I could use sway.
__monty__ has joined #nixos-chat
<danderson> why do you have to use them? (I believe you, I'm curious about the use case)
<danderson> and yeah, it sucks when open source maintainers don't want to do free labor for megacorps. I won't cry *too* hard for them though :)
<aterius> Grad student, we use PhysX for GPU accelerated physics for reinforcement learning environments and tensorflow/pytorch amd support is still catching up
<aterius> Yeah, of course it's on nvidia, not disagreeing :)
<ashkitten> i had an nvidia gpu for 4 years because it was the cheapest option at the time that could do what i wanted, and i had a very tight budget, and then i lived on my own and was extremely poor so couldn't afford any new computer hardware
<ashkitten> i wanted to try out wayland for much of that time
<ashkitten> nvidia hardware is still more bang for your buck and that probably won't change
<ashkitten> i'm fortunate enough now that i can afford an amd gpu to replace the nvidia one i used for so long, but a lot of people don't have that freedom
<aterius> I know nvidia was rumored to be making a GTC announcement about linux drivers, but those were rumours from months ago
<danderson> yeah, for non-graphics applications, nvidia is annoyingly dominant still.
<danderson> For graphics, Radeon is doing a pretty decent job recently
edef has quit [Ping timeout: 260 seconds]
edef has joined #nixos-chat
hax404 has quit [Remote host closed the connection]
hax404 has joined #nixos-chat
<emily> good way to react to security issues in the setuid helper you ship
<emily> I like how the reaction to "here's 6 concrete vulnerabilities and your fundamental design is really dodgy and why are you doing this" is just "fixed. :)"
waleee-cl has joined #nixos-chat
<joepie91> emily: I am becoming increasingly convinced that the venn diagram of "people who write setuid binaries" and "people who should not be writing setuid binaries because they clearly don't know how to do so securely", constitutes a circle
<emily> +1 for "then kiss goodbye to open source and open development. will just move all dev behind a closed door so the public never sees it" if it means they don't distribute this setuid binary code
<emily> ok, ok, I shouldn't be too snarky... but seriously, what a reaction :(
<emily> the design flaws section is terrifying too, looks like a confused deputy waiting to happen
<MichaelRaskin> joepie91: not really, there are also some people in the second set who cannot produce any working code (partially because they have never tried)
<joepie91> MichaelRaskin: hm. I guess you are correct and it's actually one circle enclosed in a much bigger one :)
<MichaelRaskin> joepie91: but also I would say that I believe shadow's su has been around for long enough that they have indeed learned how to do this securely
<julm> emily: can't anyone open a CVE? not necessarily the dev
<__monty__> Aren't there any more details in the tracking issue?
<emily> julm: I think so, but tbh CVEs are the least relevant part of that
<emily> "completely ignoring the long list of fundamental design flaws and then acting vaguely indignant about it" is what worries me
<julm> emily: sure, you're right
<emily> it's not about the vulnerabilities they fixed today, but all the trivial root escalation bugs everyone using Enlightenment is going to unknowingly expose themselves to over the course of the next several years
<emily> speaking of security.wrappers...
<emily> security.wrappers.screen.source = "${pkgs.screen}/bin/screen";
<emily> is it just me, or does this part of the weechat module make screen run as root for everyone if you enable it...?
<emily> oh I guess screen is actually "designed" to be run setuid root wow
<emily> that's kind of awful
neeasade has quit [Remote host closed the connection]
<eyJhb> The response is weird. But do we really need a CVE for each incident? How many use the setuid that they use?
<eyJhb> (didn't read it all)
MichaelRaskin has quit [Ping timeout: 264 seconds]
<gchristensen> hrm. it seems even systemd cannot give me everything I desire
<eyJhb> gchristensen: ahh. the story of most lives :p
<gchristensen> systemd-run --user --scope --property IPAccounting=on --property MemoryHigh=256M --property IPAddressAllow=10.10.2.16/32 --property IPAddressDeny=any curl https://google.com works, tragically
<adisbladis> Right, `systemd-run --user` lacks a lot of the sandboxing & resource accounting
<gchristensen> do you know where I can read about that?
<adisbladis> Nope :/
<gchristensen> :)
<adisbladis> gchristensen: But pretty much, whatever you need to be root to do normally you cannot do in a systemd user session
<adisbladis> And iirc IPAccounting is ebpf-based. So you'd need to be root to upload the bpf program to the kernel.
MichaelRaskin has joined #nixos-chat
<adisbladis> Same with readonlypaths,readwritepaths etc because they use bind mounts
<gchristensen> cgroups have changed so much about what you can do without root that I'm not sure that answer alone gives me enough useful context anymore
<adisbladis> =)
<adisbladis> What is root even?!
<adisbladis> Selinux makes that an even harder question to answer
<adisbladis> Maybe this is an area that could improve if we went cgroupsv2 by default?
<gchristensen> maybe, though I'm using cgroupsv2 already
<adisbladis> Hybrid is iirc not exactly cgroupsv2
<gchristensen> I think I'm on cgroupsv2 proper
<gchristensen> "cgroup_no_v1=all""systemd.unified_cgroup_hierarchy=yes"
<adisbladis> Nice =)
<MichaelRaskin> Wait, screen as setuid root? And what is it supposed to achieve??
<julm> share of sessions ?
<gchristensen> setuid screen ???
<gchristensen> where did screet setuid come from, in the context of this chat?
<MichaelRaskin> Erm, we still cannot get setfacl everywhere so we will emulate it in a setuid root screen?
<MichaelRaskin> weechat module apparently wants it
<gchristensen> spooky
* adisbladis mumbles something about sudo and stupid passwords
<gchristensen> smart passwords only
<adisbladis> ^_^
<gchristensen> yeah that is why I'm not in the docker group _or have docker installed_.
aleph- has joined #nixos-chat
drakonis has joined #nixos-chat
<srhb> gchristensen: Shots fired!
<srhb> What will the devops community think of you now
<srhb> That's still a thing, right? Devops?
<gchristensen> hehehe
drakonis1 has quit [Ping timeout: 260 seconds]
drakonis1 has joined #nixos-chat
<adisbladis> I used to say Docker is an OK container runtime with bad build tooling
<adisbladis> Nowadays I just say it's bad
<srhb> Yeah, sadly.
<adisbladis> Lukewarm take: Docker will be dead in 5-10 years
<adisbladis> OCI will live on in various projects, but Docker itself will not.
<srhb> fsvo "dead", sure.
<srhb> Remember Enterprise.
<srhb> They've just switched!
<srhb> So docker has like at least 30 years to go.
<adisbladis> srhb: Enterprises use redhat
<srhb> Oof.
<adisbladis> And they've already scrapped Docker in Fedora
<srhb> Really? I hadn't noticed.
<srhb> So I guess kubernetes 2.0 will drop docker. :3
<adisbladis> =)
drakonis has quit [Ping timeout: 260 seconds]
drakonis_ has joined #nixos-chat
<emily> gchristensen: adisbladis: you can use bpf as a normal user these days
<emily> though not with the hardened kernel
<adisbladis> emily: Wow! That's news to me
<emily> also, you can use a lot of the sandboxing with --user still if you set PrivateUsers=true
<emily> (...and aren't running the hardened profile defaults)
<emily> adisbladis: welcome to linux, we added some new attack surface, hope you like it
<adisbladis> I have nothing to hide
<adisbladis> Oh wait... s/nothing/lots of things/
<emily> MichaelRaskin: see the weechat module
<emily> MichaelRaskin: tbh I am dubious that it should exist and wonder if anyone uses it.
<emily> it's especially not the module that should be making screen setuid, if any
<adisbladis> I haven't been touching (e)bpf in ages. That makes it far more likely I'll give it a stab again :)
<emily> there's already https://github.com/NixOS/nixpkgs/issues/85080 but doesn't look like it'll get in in the current form
<{^_^}> #85080 (by tomfitzhenry, 4 weeks ago, open): A declarative secure-by-default headless weechat
<adisbladis> Testing was a pain
<gchristensen> Unknown assignment: PrivateUsers=true hmmm seems it needs to be a service type instead of scope or something.
<MichaelRaskin> emily: ouch, so screen can do something with its own access control, but does not support neither groups nor POSIX ACL?
<MichaelRaskin> Pain
<emily> adisbladis: just make sure to set net.core.bpf_jit_harden=2 if you know what's good for you :p
<emily> (And maybe CONFIG_BPF_JIT_ALWAYS_ON in Kconfig if you're using the JIT because the interpreter itself has been used for exploits)
<emily> (I've idly wondered about upstreaming that as a NixOS default: we use the JIT by default so there's no reason to have the interpreter hanging around, and tbh even for hardened kernels given that bpf is made root-only I feel like the JIT probably has more eyes on it than the interpreter at this point)
cole-h has joined #nixos-chat
endformationage has joined #nixos-chat
KeiraT has quit [Remote host closed the connection]
KeiraT has joined #nixos-chat
<colemickens> gchristensen: pong for sway help
<abathur> anyone have a broken activity feed on GH? I've been ignoring it for a while but started wondering today if I followed or watched something that's breaking it
ornxka has quit [Quit: No Ping reply in 180 seconds.]
ornxka has joined #nixos-chat
<gchristensen> colemickens: sorted it. I was solving a problem by starting sway with dbus-run-session, but that caused another problem, and the symptoms of this other problem are the same ones which makesit look like you need to use dbus-run-session
<__monty__> abathur: My activity feed seems A-ok. I do have a notification stuck in unread limbo though.
<gchristensen> I solved the initial problem by changing to systemd-run --user --wait sway ...
* colemickens repeats 3x "/me is fine with how HM runs sway and doesn't need to tweak it"
<gchristensen> :)
<colemickens> I still have some weird gtk stuff that isn't right and I wonder...
<gchristensen> my resistance to it isn't clear tome
<cole-h> Does HM really do anything that special with sway? Granted, I use it, but...
<gchristensen> right, I tried running it the way HM did but that didn't seem to solve my initial probem
<colemickens> cole-h: don't you use the systemd unit though? I don't think that's the default.
<colemickens> cole-h: oh my goodness you're still not running nixos though lol
<cole-h> Right. The only thing I really use the HM module for is the declarative configuration
<colemickens> I keep forgetting
<cole-h> colemickens: :D
<cole-h> colemickens: Do you have `wrapperFeatures = { gtk = true; };`? Maybe that'll help with your GTK issues...
<colemickens> seems that I do have that already
<cole-h> The only thing I accept HM's help with is the `systemdIntegration` which just enables `sway-session.target` on sway startup (so I can start my mako, etc, services automatically)
<colemickens> cole-h: I want to port gnidorah's gtk/qt config PRs in nixpkgs to HM, kinda the last thing nixos/hm doesn't configure for me already. Whenever I do that, I'll figure out what's wrong with my setup.
<abathur> __monty__: nod, I thought maybe it was just straight up broken for everyone at first, but it's persisted long enough that I know it's gotta be selective
<abathur> __monty__: It times out on the dash, and I literally get the unicorn if I go to /dashboard-feed
<emily> colemickens: what are those configs?
<__monty__> abathur: Oooo, is that an rss feed? (It loads with pretty bare html for me.)
<colemickens> emily: #80866 and #80865
<{^_^}> https://github.com/NixOS/nixpkgs/pull/80866 (by gnidorah, 11 weeks ago, open): nixos/qt: extend
<{^_^}> https://github.com/NixOS/nixpkgs/pull/80865 (by gnidorah, 11 weeks ago, open): nixos/gtk: init
<colemickens> emily: thanks for your hidpi reply btw. big +1 from me. and a TIL about the font.
<abathur> not really sure; I saw visiting it directly as a sanity-check step on reddit; I don't know if it just serves HTML that gets folded in or what as I've never successfully directly loaded it
<emily> colemickens: fancy, but isn't that more of a home-manager-scoped thing than nixos?
<emily> (yeah, I know the boundary is blurry...)
<abathur> __monty__: fwiw, the dashboard page itself has a link to a private RSS feed with an access token, so I'd guess this isn't
<emily> I guess home-manager can't arrange for session variables to be reliably set
<emily> would be nice if it could though
<colemickens> emily: imo yes, that's why I want to port the PRs to HM :)
<emily> colemickens: oh, right :p I droppe the context as soon as I saw the links
<colemickens> I haven't gotten into the details yet though, so who knows
<emily> getting environment variables reliably set in a per-user way is... non-trivial
<emily> but I guess it's mostly just generating config files here
<ajs124> isn't that somehow possible through the system user@ session or something like that?
<emily> hm no, the qt stuff involves some gnarly env var stuff
<emily> so that might be quite painful
<colemickens> there's extra fun, I think, with GTK, gtk-under-wayland, gtk+sway, and I know less about QT.
<colemickens> I'm expecting to give a blood sacrifice :)
<emily> ajs124: that would apply only to user units i think, not sure. PAM stuff is generally the most reliable, I believe
<abathur> __monty__: odd, though; 502 bad gateway heh
aleph- is now known as Jared
<cole-h> Man, trying to build the prerelease versions of Iosevka using nix tooling is honestly a huge pain.
Jared is now known as aleph-
<emily> what horrors are you encountering?
<cole-h> All of them
<cole-h> I spent hours yesterday trying to get it to build. Every time, I would be met with some obscure, un-Googleable error in verda or something
<emily> heh
<cole-h> I'll try again now and let you know what shows up......
<emily> I have a... nonstandard Python desire and I feel like maybe this channel will be sympathetic: I want to generate HTML from Python and I am open to pretty much anything that is not the thing everyone does (janky string-based templating languages with no structure). I'd take HTML construction eDSL, JSX-style syntax extension, even XML-based or some haml-style templating DSL over string templating
<emily> but it's not really clear what usable ""contemporary"" libraries exist in this space from googling because, I guess, the kind of people who want this did it in 2005 and then moved from Python to Haskell or something
<emily> I really don't like strings.
<cole-h> You mean generate as in python source -> HTML?
<emily> er, as in, I want a templating library for HTML generation that I can use from within Python
<cole-h> emily: btw here's the error I get: https://gist.github.com/cole-h/025851726d888a4089a75a2b571715a3
<cole-h> Very cool
<emily> I want jinja/moustache/... except I really don't want those because I hate janky templating DSLs that treat the underlying language being templated as formless strings
<cole-h> I love node
<emily> cole-h: oh god
* colemickens squints
<cole-h> I even changed the derivation to use nodejs and nodePackages 12 (since that's what's in the package.json upstream)
<cole-h> Ran the generator
<cole-h> I put literally every single dependency (dev and otherwise) into the in-tree package.json
<cole-h> No dice
<cole-h> n o t h i n g
<cole-h> Oh hey it might actually be an issue with upstream lol. Trying to do the same thing from outside nix-build shows the same error, both master and dev...
<adisbladis> emily: I basically want hiccup in every language.. https://github.com/weavejester/hiccup
<emily> adisbladis: yeah. I did find some options that look vaguely maintained and not too horrible https://github.com/Knio/dominate https://lxml.de/tutorial.html#the-e-factory
<emily> the former is a bit more imperative-looking than I'd like but I guess it's hard to exploit "with" and get nice syntax otherwise
<emily> if your HTML generation library has to have special support for getting thread-local storage right with green threads I am afraid of it
drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 265 seconds]
vika_nezrimaya has joined #nixos-chat
<__monty__> Does anyone know if there's comprehensive documentation on all of firefox's settings? Without requiring a running firefox browser that is.
<cole-h> Wait, I can reproduce this issue with Iosevka 2.3.3 as well......... How does it build in nixpkgs then2?!
<cole-h> s/2//
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 244 seconds]
<pie_> __monty__: pff, and keep it up to date?
<emily> Last Updated: 2006-10-24
<pie_> lol there we go
<pie_> it would be neat if they happened to have something that generates docstrings but i doubt it
<pie_> if it existed it would probably show up in about:config :I
<pie_> i dont suppose theres mouseover text for the setting
<pie_> s
<pie_> big sigh
<pie_> s/generated docstrings/ generates docs from docstrings
<pie_> to be clear: i have zero idea and i doubt it...but im interested if you find something
<colemickens> about:config is still like 1/3rd as functional as its XUL predecessor too
worldofpeace_ has joined #nixos-chat
<pie_> gotta compete on webusb 5.0
evanjs has quit [Quit: ZNC 1.7.5 - https://znc.in]
evanjs has joined #nixos-chat
worldofpeace_ has quit [Quit: worldofpeace_]
waleee-cl has quit [Quit: Connection closed for inactivity]
neeasade has joined #nixos-chat
<samueldr> oh, cool, today exactly it's been 3 years since I switched my main machine to NixOS
<gchristensen> !!! nice!!!
<ldlework> happy nixday
<emily> does anyone understand gnarly aarch64 cmake issues enough to want to help me debug a failed ofborg build?
<emily> (https://logs.nix.ci/?key=nixos/nixpkgs.86694&attempt_id=77ad37dd-3f76-4f07-bd30-d0fd76eac1be -- I assumed it was https://sourceforge.net/p/libpng/bugs/259/ but the bundled libpng in freeimage actually already has that change)
<colemickens> oh no
<colemickens> I went down this path and got lost/stuck/confused https://github.com/NixOS/nixpkgs/issues/77653
<{^_^}> #77653 (by colemickens, 17 weeks ago, open): imv fails to build on aarch64 (due to freeimage vendoring libpng)
<colemickens> and the linked pr
<colemickens> I don't think it's actually useful though, that's just attempts at applying the apng patch
<colemickens> eventually I hit the same error as you
<colemickens> but my research didn't turn up much either. I didn't understand how that error would occur on aarch64 but not on amd64
ravndal has joined #nixos-chat
<samueldr> neon are instructions for ARM
<samueldr> >> png_init_filter_functions_neon
<samueldr> it looks like freeimage expects to be able to link to a libpng with neon optimisations on, while the libpng build it links to has them off
<samueldr> or something along the line
<samueldr> lines 627, 632 (hover over a line to get its number)
<samueldr> so that's why it wouldn't have an issue on x86_64
<cransom> any recommendations for log filtering/aggregation? we dump them all in ES right now, and thats enough, but it would be nice to do some modifications in flight and rsyslog is not super nimble at that for me.
<samueldr> /dev/null aggregates with equal actionable opportunities
<cransom> it's also easier on storage and processing, too, but the write only semantics are not great for analytics.
<pie_> not really helpful but lnav seems kinda nice for viewing
<emily> colemickens: seems like we should maybe mark freeimage broken on aarch64 at least?
<colemickens> Yeah
<danderson> aw, I missed a session of griping on docker :(
waleee-cl has joined #nixos-chat
<emily> colemickens: I think the best solution would be to rip out some of these vendored dependencies, tbh
<emily> they vendor zlib :'(
<colemickens> yeah, I was skeptical of the entire idea of the lib. seems like a relic of a different time?
<emily> it's probably not too awful if it's just a convenience wrapper around the various libraries... but then, image handling is a frequent source of dangerous bugs so doing it in C/C++ in the first place is questionable
<emily> unfortunately we don't get to pick what people depend on
<ldlework> gchristensen: you available for a "everyone vs ldlework" game?
<pie_> clever: how does babby boot over network?
<clever> pie_: ?
<pie_> for some reason i feel like i remember you linking something but maybe im just remembering every time jusdoit was linked
<gchristensen> git status
<gchristensen> oops
<pie_> clever: I figured id try getting nixos on my surface 3 nonpro with this kernel https://github.com/linux-surface/linux-surface/tree/master/patches/5.6
<pie_> and the best way to do that is by starting to figure out how to boot over the network so i can build the kernel on my laptop conveniently
<pie_> *and the best way to start yak shaving
<clever> pie_: you probably want netboot-servers.nix from nixos-configs
<pie_> k will check it out thanks
<ldlework> game is here if anyone wants to spectate instead https://online-go.com/game/23911634
<{^_^}> be5invis/Iosevka#528 (by cole-h, 2 hours ago, closed): Build fails with "TypeError: Cannot redefine property: default"
<cole-h> >> tfw a Microsoft project publishes a breaking release without actually bumping the version accordingly
<emily> :')
<emily> colemickens: I give up, software's haunted:
<cole-h> đŸ”« Software's haunted
<joepie91> haha, I immediately had that mental image
leah2 has quit [Ping timeout: 260 seconds]
leah2 has joined #nixos-chat
leah2 has quit [Ping timeout: 272 seconds]
<cole-h> Ahhhh, yessssss. Having added a working version of tslib to the package.json, I can finally re-build my font...
leah2 has joined #nixos-chat
Gaelan has joined #nixos-chat
leah2 has quit [Ping timeout: 272 seconds]
lukegb has quit [Ping timeout: 258 seconds]
lukegb has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis_ has quit [Read error: Connection reset by peer]
drakonis has quit [Read error: Connection reset by peer]
drakonis2 has joined #nixos-chat
leah2 has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis2 has quit [Ping timeout: 265 seconds]
<eyJhb> If you where to download a file from a site, which type of security would you expect to validate the file? Hash(es?), gpg, etc.?
<infinisil> eyJhb: gpg would be best
<infinisil> But I'm not expecting that at all
<Gaelan> https is fine imo
<danderson> depends on your threat model. Any of those could be fine, or unacceptable.
<cole-h> I just realized I have 7 GiB of free space left
<cole-h> Time to run `nix-collect-garbage`
<eyJhb> Hmm, atm. I am considering just providing various different hashes + HTTPs
<eyJhb> But HTTPS will not be available all the time, but hopefully hashes from a known good server will be good enough
<cole-h> 19069 store paths deleted, 90867.54 MiB freed
<eyJhb> cole-h: 33 GB free here
<cole-h> It's probably due to me downloading the entirety of npmjs (or at least what's in our node-packages*.json) multiple times, trying to build Iosevka (and failing because the issue was with a Microsoft lib pushing out a breaking change in a minor revision lol(
<cole-h> )
<cole-h> And now time to `nix optimise-store` for another 30GiB free
<joepie91> you don't auto-optimise?
<eyJhb> cole-h: ^^
<cole-h> I'm not on NixOS, so I'd have to write a systemd service for it, which I'm too lazy to do
<joepie91> aha
<joepie91> you're not on NixOS?!
<joepie91> heathen!
<joepie91> :P
<cole-h> >:)
<cole-h> Soon! Finals are over after this week... then I'll have some time
* emily is amused that she's using a NixOS module from someone who doesn't run it
<eyJhb> cole-h: it never is like that :(
<cransom> i don't auto-optimise on nixos either. it wreaks on havoc on builds where i create disk images/amis because it can't calculate hard disk image size correctly
<cole-h> emily: :D
<cole-h> emily: It's the main reason it was WIP for so long -- I could only test in VM
<eyJhb> Only got 30 more GBs
<cole-h> But then adisbladis came along and spear-headed the administrative side
<MichaelRaskin> joepie91: I am _no longer_ on NixOS, so I should even qualify as heretic, right?
<cole-h> What are you on?
evanjs has quit [Read error: Connection reset by peer]
<cole-h> (And by "spear-headed the administrative side" I mean he tested it himself and merged the stuff when it was ready)
<MichaelRaskin> I just write my bootscripts by hand (but manage them with Nix)
evanjs has joined #nixos-chat
<cole-h> NixOS-lite then? :P
<MichaelRaskin> Well, I do use some parts of NixOS code to generate configs
<emily> MichaelRaskin: deciding NixOS is insufficient and hacking up your own better thing isn't heresy, it's transcendence
<MichaelRaskin> So not light
<MichaelRaskin> It's not better
<MichaelRaskin> Because I never even considered polishing it
<emily> ok, your own crappier thing that satisfies certain idiosyncratic preferences better :p
<eyJhb> cole-h: which module was it?
<MichaelRaskin> NixOS is not insufficient — it is _too much_
<cole-h> eyJhb: nixos/doas
<cole-h> alternative to sudo
<cole-h> #86488 <- init pr here
<{^_^}> https://github.com/NixOS/nixpkgs/pull/86488 (by cole-h, 1 week ago, merged): nixos/doas: init
<eyJhb> Ahh, I see :D
<eyJhb> Got 70 GB free space now. Still considering taking a day out to make / non-persistent, including home
<eyJhb> There is sooo much crap building up in there
<cole-h> [78571 paths optimised, 6359.0 MiB / 255474 inodes freed]
<cole-h> 111 GiB free again
<cole-h> :D
<eyJhb> Did anyone solve the, nix-shell -p do not access my $HOME, put stuff into this temp one?
<eyJhb> cole-h: damn you.
<cole-h> HOME=$(mktemp -d) ?
evanjs has quit [Ping timeout: 256 seconds]
<eyJhb> How much total spare is on your drive?
<eyJhb> Hmmm, maybe
evanjs has joined #nixos-chat
<eyJhb> Ah. have to redownload teams now :(
<eyJhb> Damn
<eyJhb> It
<eyJhb> Forgot that my wallpaper is stored in ~/.cache
<eyJhb> Now I just have a white screen of death when locking
parsley936 has quit [Quit: Leaving]
<cole-h> eyJhb: 111GiB total spare :P Though I do have a few other HDDs that have more.
<eyJhb> MichaelRaskin: what was the name of the jail software you used again?
<eyJhb> cole-h: Guessing a 256 GB SSD?
<cole-h> eyJhb: Over
<eyJhb> Damn you :(
<cole-h> :^)
<gchristensen> I wish I could integrate my apple watch in to PAM, similar to how macos does
<cole-h> Oh? How does macOS do it?
<Gaelan> when your apple watch is in bluetooth range, it automagically unlocks
<Gaelan> no idea how it works under the hood
<gchristensen> ^, but more important for me is not the unlocking, but the "don't lock while I'm sitting here, dinkus" feature
<cole-h> Huh, cool.
<samueldr> maybe look into BLE (bluetooth low energy) things?
<gchristensen> it is a bit tricky, since it has to determine the watch is unlocked -- taking the watch off locks it automatically
<samueldr> maybe what the watch broadcasts is enough without more in-depth mechanisms?
<samueldr> ah, that's what I though would happen
<samueldr> short of reversing that apple secret sauce, probably SOL since it's "secure from your tinkering"
<samueldr> "for your benefit"
<gchristensen> I fear that is almost definitely true
<samueldr> and that magic sauce is likely protected behind secure encryption "actually for your benefit"
<samueldr> or signing, or something like that
__monty__ has quit [Quit: leaving]
<samueldr> hmmm
<MichaelRaskin> eyJhb: nsjail, but you might also want to check bubblewrap and firejail
<ldlework> Anyone have a clue how you would get a steam game, that's running via phaser, or whatever the wine thing is through the platform support, via nvidia-offload?
<ldlework> lol
<cole-h> Proton? lol
<ldlework> yeah that
<ldlework> :)
<ldlework> I loaded up exanima, and i'm getting ~40 fps which I could expect from the onboard intel thing
<ldlework> but i would expect better from the nvidia card
<MichaelRaskin> I would try nouveau and DRI_PRIME=1
<ldlework> i thought i just moved off nouveau with the upgrade to 20.09
<MichaelRaskin> Well, how it was called… optirun?
<danderson> samueldr: the magic is likely rooted in the T2 security chip on both ends, so they can say with a straight face that it's hard to break the root of trust
<danderson> but there is a PAM bluetooth module somewhere, that does the same thing but with the presence of a bluetooth device
<danderson> so I could have my screen lock if my headphones disconnect
<waleee-cl> ldlework: https://nixos.wiki/wiki/Nvidia
<ldlework> waleee-cl: yeah thats what i used to upgrade
<waleee-cl> ah, ok
<ornxka> does nvidia-smi say anything
bridge[evilred] has quit [Remote host closed the connection]
bridge[evilred] has joined #nixos-chat
ottidmes has quit [Ping timeout: 264 seconds]
ottidmes has joined #nixos-chat