parsley936 has quit [Remote host closed the connection]
xd1le has joined #nixos-chat
neeasade has joined #nixos-chat
cjpbirkbeck has quit [Quit: Goodbye, take care]
<ashkitten>
hm, i wonder how much smaller nixos could be if it was statically linked with musl
<ashkitten>
unfortunately it's impossible to tell because you can't build it
<infinisil>
Um, can wireguard let clients talk to each other?
<ashkitten>
wdym?
<ashkitten>
infinisil: if you mean "can wireguard clients route to each other over the network" then yes
<infinisil>
Like, I have one machine with a public IP that runs a wireguard server
<infinisil>
And I have two client machines that don't have a public IP connecting to the server
<infinisil>
I want those two clients to be able to talk to each other
<ashkitten>
sounds like you want ip forwarding. make sure net.ipv4.ip_forward is enabled on the server, and set up routing on the clients so that the server is the gateway for the subnet of your vpn
<ashkitten>
unless you want the clients to connect to each other directly, in which case you can't.
<infinisil>
Nah that's not necessary
<infinisil>
I'll try the ip_forward
<infinisil>
Oh nice that worked!
<infinisil>
ashkitten++
<{^_^}>
ashkitten's karma got increased to 20
<ashkitten>
np
<infinisil>
I think I could maybe use net.ipv4.conf.wg0.forwarding instead too
<ashkitten>
maybe, dunno
<ashkitten>
i'm not super familiar with it
<ashkitten>
i use tinc, so the clients form a mesh and handle routing automatically
<infinisil>
ashkitten: So tinc also e.g. does NAT hole punching to make that work?
<ashkitten>
it can. it can also do local network discovery and upnp port forwarding
<ashkitten>
it requires at least one node that's not behind a nat or is port forwarded to set up the hole punching
<ashkitten>
i haven't had success with hole punching working, which is why i enabled upnp on mine
<bqv>
that's not very dry, currently, but i'm not sure how to unmoisten it
<Church->
Neat, I'll give that a look.
<infinisil>
Neato
<Church->
Was planning on just aping a bit of disasm's iptables "module" from their router config
<Church->
But this could be very nice
<infinisil>
Wait what's nftables for
<infinisil>
I know iptables only
<bqv>
it's the replacement for iptables/ebtables/arptables
<Church->
Basically next-gen iptables
<infinisil>
Oh I see
<infinisil>
Anything to do with networkd?
<Church->
Using... what rules...
<bqv>
it does all of those, and with much nicer configuration
<Church->
ebf?
<Church->
Can't remember what it's called
<bqv>
no idea what the name for it is
<bqv>
infinisil: not required
<bqv>
it's kernel level
<Church->
Christ I hate logging in python
* Church-
mumbles some not so nice words
<bqv>
there's also iptables-nftables-compat, for anything userland that seems to require iptables
<bqv>
i had a PR to made nix realise and use that, but it got bikeshed for weeks so i gave up on it
<infinisil>
Oh my lord
<infinisil>
I just checked the networkd module
<infinisil>
It's 1578 lines long
<bqv>
lol
<infinisil>
This module could definitely use some RFC 42
<Church->
Christ lol
<Church->
infinisil: I'm thinking of patching prometheus finally.
<Church->
Might do that once I can get my two modules compiling heh
<infinisil>
Oh you mean to shorten the huge prometheus modules?
<infinisil>
I currently count 425 options under services.prometheus..
<JJJollyjim>
most of those are different exportrs
<bqv>
so THAT's why man configuration.nix is so long
<JJJollyjim>
*exporters
<bqv>
that is the one thing i miss about nixos-option
<bqv>
browsing as a tree
<bqv>
rather than just as a dumb list
<Church->
infinisil: Eyep.
<Church->
JJJollyjim: True. But could probably/possibly be shortened.
<infinisil>
bqv: I wish we could have some tagging/categorization of options
<infinisil>
So not everything had to be dumped under services.*
<infinisil>
s/had/has
<infinisil>
Or maybe some better abstractions/interfaces
<bqv>
your settings stuff should better the situation a bit, at least
<bqv>
i made use of that recently, for ipfs-cluster
vika_nezrimaya has quit [Read error: Connection reset by peer]
<infinisil>
Nice
<bqv>
one option's better than 200
<infinisil>
And with freeform modules you can still have some type checked ones
<JJJollyjim>
ooh that reminds me
<JJJollyjim>
i use a couple of apps which provide json-schemas of their json/yaml config files
<JJJollyjim>
what seems more reasonable out of a tool that converts that to the module type system, or running a json-schema validator after building the file?
<bqv>
normally i'd just make a checker using the tool itself
<bqv>
like for haproxy i just had it build and run the checker as part of forming the config file
<JJJollyjim>
yeah, that's probably smarter
<Church->
Does everything have to go under services?
<infinisil>
JJJollyjim: Definitely a validator that runs at build time
<infinisil>
This allows you to always have the correct package version, even with overlays and whatnot
<JJJollyjim>
oh true (without ifd at least)
<infinisil>
Church-: Well just services, but there's no hierarchy like `services.backup.*` and `services.web.*`
<Church->
Ahhhh.
<samueldr>
(cross-compilation though becomes harder)
<samueldr>
(either unverified, or verified with not-actually-what-is-running)
<Church->
infinisil: Kinda odd we don't do that given we already ostensibly tag them under nixpkgs...
<bqv>
i mean ifd makes everything super spicy, but it shouldn't affect a plain old config module
<bqv>
right?
<JJJollyjim>
yeah it's weird how we have that directory structure in nixpkgs but it isn't exposed
<infinisil>
Well my gripe with that structure in nixpkgs is that there's always packages with multiple categories
<JJJollyjim>
true
<infinisil>
So ideall it would be a tagging system instead, where you can assign arbitrary many tags
<infinisil>
But then you can't use the filesystem or attribute sets to represent it anymore :/
ninjin_ has quit [Remote host closed the connection]
ninjin_ has joined #nixos-chat
waleee-cl has quit [Quit: Connection closed for inactivity]
kalbasit has joined #nixos-chat
cole-h has joined #nixos-chat
kalbasit has quit [Ping timeout: 256 seconds]
<bqv>
flakes seem to think my repo is derty
<bqv>
but it's not
<bqv>
i don't understand
<bqv>
git status is clean
<JJJollyjim>
i have the same problem with my flatmates and the kitchen
<JJJollyjim>
:P
<bqv>
lmao
<Church->
Lol
<bqv>
no comment
<Church->
Christ I can't wait for my new router tomorrow
* Church-
is excited
* Church-
is gonna run some BGP
<JJJollyjim>
is lib.formats from rfc42 in nixpkgs?
<JJJollyjim>
i guess not, misremembered that it already was
buckley310 has joined #nixos-chat
cole-h has quit [Quit: Goodbye]
<sphalerite>
Church-: on nixos? :)
<JJJollyjim>
hmmm
<Mic92>
there is bird and some recently compiled opengbpd
<JJJollyjim>
if i set something to an mkDefault, why am i getting `{ _type = "override"; content = "-"; priority = 1000; }` out rather than the resolved value?
<JJJollyjim>
does mkdefault only work for certain types?
<JJJollyjim>
ah, i need freeform modules
<JJJollyjim>
luckily freeform modules exist!
<JJJollyjim>
infinisil++
<{^_^}>
infinisil's karma got increased to 339
taktoa[c] has quit [Read error: Connection reset by peer]
jackdk has quit [Ping timeout: 260 seconds]
srhb has quit [Ping timeout: 260 seconds]
<JJJollyjim>
i love nixos tests so much :3
manveru has quit [Ping timeout: 260 seconds]
manveru has joined #nixos-chat
manveru has quit [Max SendQ exceeded]
manveru has joined #nixos-chat
srhb has joined #nixos-chat
jackdk has joined #nixos-chat
taktoa[c] has joined #nixos-chat
buckley310 has quit [Quit: Connection closed for inactivity]
<Mic92>
colemickens: so you are saying it does not work without AT_SYMLINK_NOFOLLOW ?
<colemickens>
no, it works fine
<colemickens>
The Fchownat with just AT_EMPTY_PATH does work.
<colemickens>
Mic92: I'm just a bit confused still. Can't the would-be attacker still change the contents of the symlink that the FD points to?
<colemickens>
oh, but you're worried about the parent dir being changed, and this still protects against that.
<colemickens>
I've got myself a bit confused tbh. maybe I should look again in the am
<Mic92>
colemickens: They can make you chown a non-symlink.
<Mic92>
i.e. a regular file that was not readable before.
<Mic92>
If they point the symlink to a different file it should not matter. So maybe we can actually skip the readlinkat.
<Mic92>
colemickens: but let me check if you can change a symlink without creating a new inode
<Mic92>
symlink might always create a new inode
<Mic92>
colemickens: so from what I can see you cannot change a symlink contents, you can only create a new symlink that points to a different locaiton.
<colemickens>
aha
<colemickens>
okay, I am less confused than I was before.
<{^_^}>
#93659 (by ju1m, 4 weeks ago, open): nixos/security.gnupg: provisioning GnuPG-protected secrets through the Nix store
<bqv>
I'm still waiting for someone to actually notice it, but seems to me it'd be better than all these
rajivr has joined #nixos-chat
<julm>
I've started to read about sops/sops-nix, it's promising 8) Now I have to find some time to test it (but I've been spending my time in learning flake.nix recently and I'm not out of this pleasant rabbit hole yet :)
<julm>
regarding security.gnupg, I still have to fix a directory creation to not force the use of a local gpg-agent (but a remote one)
parsley936 has joined #nixos-chat
<julm>
and I've been hit by builtins.path visibly not working with flake.nix, so I'll also have to remove its use in security.gnupg
<eyJhb>
APIs that do not conform to the described output, int, and sends a float 123.0, but it is not a issue since JSON does not know the difference. Wtf...
waleee-cl has quit [Quit: Connection closed for inactivity]
ajs124 has quit [Quit: killed]
das_j has quit [Quit: killed]
das_j has joined #nixos-chat
ajs124 has joined #nixos-chat
<ajs124>
test
<philipp[m]>
Yo!
parsley936 has quit [Remote host closed the connection]
parsley936 has joined #nixos-chat
nullheroes has joined #nixos-chat
rajivr has quit [Quit: Connection closed for inactivity]
<pie_>
joepie91: im really bad at this, you have any good crash course links for why privacy is important and why e2e encryption is important and why oss is important
<pie_>
basically trying to explain to people why to use Signal
<joepie91>
pie_: on OSS: I do not consider Signal to be OSS proper
<joepie91>
but also don't immediately know of a good summary of why it is important
<joepie91>
that I can really fully agree with, and that I believe is complete
<joepie91>
there are lots of individual bits of information about OSS but nothing I know of that ties them all together well
<joepie91>
like, sindresorhus' post on small modules explains the public commons thing very well but never actually calls it that and it's very developer-focused
<joepie91>
the OSS definition explains a lot of considerations in open-source licensing but not in a context that's understandable to someone who isn't already involved in it
<joepie91>
etc.
<pie_>
joepie91: i dont have anything other than signal that i can recommend though
<pie_>
its closer to oss than whatsapp and idek why telegram rolled their own crypto (signal wasnt out yet?)
<joepie91>
depending on the situation and requirements, I might recommend Matrix + Element (that is, if I think the remaining UX papercuts are not going to be an issue for someone)
<joepie91>
it may in some cases be useful to recommend Signal, but I definitely would not do so on "OSS" grounds
<joepie91>
pie_: barely closer, though. all you really get is auditability, given that forks are actively sabotaged
<pie_>
mm
<joepie91>
still a better choice than Telegram ofc, if you need actual security
<pie_>
well, "need", but it raises the floor pretty high with relatively low effort
<pie_>
(presumably)
<joepie91>
this is kinda one of those "none of the options are *good*, so you should pick the one that has the least issues for a given usecase" things
<pie_>
right
<joepie91>
hopefully in a year or two that has changed and Matrix has become the definitive answer
<joepie91>
but we're not there yet :P
buckley310 has joined #nixos-chat
<pie_>
"too much code" is also a problem but people have to have their fancy gifs and stuff
<joepie91>
honestly I don't think that that's a major concern, in and of itself
<joepie91>
complexity has a security cost, sure, but most of that cost can be negotiated down through modularizing code well
<joepie91>
it doesn't make it zero, but it definitely does make it fit within "this is auditable"
cole-h has joined #nixos-chat
<joepie91>
the bigger problem is that code quality is not widely recognized as a factor in security and so people don't generally care about it very much
<pie_>
mm
<pie_>
man this cd is f-ed. ddrescue isnt making much progress but the surface doesnt seem bad :/
<joepie91>
likely the organic layer is rotting away
<pie_>
joepie91: im hoping rust and nix change the productivity game and we start getting some cool shit
<drakonis>
the productivity game huh
<drakonis>
i've gotten very productive from not having to worry about all the regular distro jank
<joepie91>
pie_: it's not (just) a tooling problem, also a cultural problem
<drakonis>
the culture is to take the path of least resistancce?
<samueldr>
the path of least resistance is not changing anything
<joepie91>
drakonis: lot more complicated than that. a culture of tribalism, a lack of people recognizing their responsibility for what they build, often not even realizing that they are building *infrastructure* and the implications that that has, bad economic incentives at all levels, etc.
<joepie91>
tech hype, and I could go on like that for a while :)
<joepie91>
but the very blunt summary is "software developers treat their tools like a toybox rather than the powertools they are, and management layers make impossible demands and cut unacceptable corners at every point because it's been widely internalized in society that Computers Are Just Not Reliable and there are no legal consequences so they get away with it"
<bqv>
The disadvantages of nudist olympics is that in the opening ceremony it's hard to tell which country is which
<samueldr>
I won't say I have a spider problem, because spiders are friends, but I found a web in a well-frequented location on a thing I was using up until ~13 hours ago
<drakonis>
oh my oh my
<drakonis>
is it inside your case?
<samueldr>
nope, a newly acquired "professional recording microphone stand" (that's what's written on the box)
<samueldr>
(the only thing professional out of it is the word on the box)
<drakonis>
hah
endformationage has joined #nixos-chat
<cole-h>
I have a spider that's been hanging out in the things you put on the edge of the switch's joycons when you disconnect them
<drakonis>
hahaha
<cole-h>
That's my excuse of why I haven't been using it recently
<drakonis>
have you fed your spider friend?
<samueldr>
cole-h: the rails on the console?
<cole-h>
samueldr: Nah, the things with the wrist strap
<cole-h>
I wonder what the ratios and performance is compared to whatever the default is (at the moment)
<cransom>
wooo.
<Church->
Nice
<eyJhb>
joepie91: think code quality is linked to security
* Church-
loves himself some zstd
<cransom>
i did some bake offs outside of zfs, but zstd pulls off some impressive speed and compression over lz4.
<joepie91>
eyJhb: basically every software developer, modulo a handful
<joepie91>
code quality, as a general thing, just isn't perceived as a security factor
waleee-cl has joined #nixos-chat
<bqv>
I feel like people judge my typos cause they can't see my keyboard layout
<Church->
Hmm, switching my routers out should be interesting...
<bqv>
Like, no normal person could mix up x and @, but that's a pretty easy typo here
<colemickens>
Does anyone use gammastep/redshift with nouveau? I can't seem to get it to do much on my desktop even though the module config is identical of course
<cole-h>
colemickens: You use sway, right?
<colemickens>
cole-h: yup
<cole-h>
colemickens: I've found that sway 1.5 broke redshift for me.
<colemickens>
cole-h: oh! okay
<colemickens>
cole-h: thanks for the heads up
<cole-h>
So I overlayed it back to 1.4 and the related wlroots
* samueldr
wonders idly if you can go from a really early NixOS release, and go through all releases to update and how that'd look like in the end
<samueldr>
what breaking changes are there that were left undocumented (or misdocumented) and how does it cope (or not!) with booting older generations
<samueldr>
not *really* thinking about it, just wondering what it'd look like
<alaskacanyon[m]>
hi , how edit readonly config file in privoxy like app ?. i make a .config/... dir and files for privoxy but don't work
<cole-h>
You probably want to ask in #nixos -- this is the off-topic channel :)
<samueldr>
hi! this is the off-topic chat for the community; I don't know how it works with Matrix, but you want the #nixos channel on freenode
<bqv>
#nixos:matrix.org
<joepie91>
that'd be #freenode_#nixos:matrix.org if using the matrix.org bridge
<bqv>
it's not aliased?
<joepie91>
there's also #nix:matrix.org, which is a Matrix-native room
<eyJhb>
joepie91: Well, some might be stupid regarding that. Generally lots of developers do not keep security in mind
<eyJhb>
Let alone sales, CEO, etc.
<joepie91>
eyJhb: well sure, but of the people who *do* keep security in mind, many (if not most) of them treat it as a checklist of things to get right, without any fundamental understanding
<eyJhb>
cole-h: I might die
<joepie91>
and of the people who do deal with it from a position of at least some fundamental understanding, most of those people still treat it in isolation, as in, you only apply the fundamentals to security-critical code
<eyJhb>
joepie91: generally I am not much for such things. But I have seen it myself
<eyJhb>
Just minus the checklist almost
<joepie91>
and then once you've taken a small percentage from a small percentage from a small percentage of developers, you are left with the people who recognize that actually, general code quality might have something to do with it also :)
<eyJhb>
I have met a database administrator that did not know what a SQL injection was. Worked the field for 15 years
<joepie91>
in fairness, that's kinda outside of the scope of a DBA
<joepie91>
a DBA is basically a sysadmin with data modelling competence
<joepie91>
in most cases
<eyJhb>
I would expect them to know what it is
<joepie91>
gchristensen or whoever else: spammer in #nixos
<joepie91>
eyJhb: I honestly wouldn't, it's an application-level issue
<eyJhb>
srhb
<eyJhb>
Would still, but I would expect most in that field to know it. I am not saying they need to prevent it
<eyJhb>
But hell, if you don't know that basic amount of security, and you are the one making queries etc. then something is wrong
Church- has quit [Ping timeout: 260 seconds]
cole-h has quit [Quit: Goodbye]
<Church_>
Bah, can't get ethernet working on this router correctly...
<Church_>
Hmm, something about this bridge device I think.
buckley310 has quit [Quit: Connection closed for inactivity]
__Sander__ has quit [Quit: Konversation terminated!]
<colemickens>
"pipelines" are kind of hot in "cloud-native" land. Is there any prior art for nix+workflow enginey type stuff?
<joepie91>
oh man
<joepie91>
yahoo pipes all over again
<samueldr>
I despise shrinkflation
<samueldr>
basically gaslighting the consumer base into smaller packages instead of adjusting pricing
<colemickens>
sort of, when I think yahoo pipes I think mashing up internet sources rss feeds, transforms, etc. Versus what I'm thinking of is "use nix+shell" instead of "yaml+shell" for declaring CI pipelines.
<joepie91>
colemickens: I think it is a minor achievement that "thinking yahoo pipes" comes up with anything other than a big blank sheet for you, considering its death into obscurity :)
<joepie91>
usually when I mention yahoo pipes the response is "yahoo what?"
<joepie91>
colemickens: anyway, is it not just Hydra you're thinking of?
<colemickens>
yahoo pipes, yui! was around that time I think
<joepie91>
or am I missing some detail here
<joepie91>
yeah pipes was built on YUI
<colemickens>
joepie91: no, I don't think so, if you look at the nixkite thing, it's a bit more elaborate than hydra, at least from what I've seen out of hydra
<joepie91>
did you know that for quite a few years, Yahoo was basically the only big tech/search company with actual customer support?
<joepie91>
fairly recent years, too
<colemickens>
feels like it was the trillian days, when I think about eras of me+computers, ha
<joepie91>
I talked to them back in like 2015 or something, asking them to add a public-domain-ish license to Flickr
<joepie91>
response was "we'll forward the request to the devs"
<colemickens>
weird, that's hard to even imagine lol
<joepie91>
few months later, CC0 option appeared
<joepie91>
I know!
<joepie91>
I was kinda surprised to just find a ticket system, with actual humans, instead of the maze of bad knowledge bases I expected
<joepie91>
I think they've axed that since, though :(
<colemickens>
well, and a result
<joepie91>
yeah
<colemickens>
I've had a few banks here take my feedback earnestly, and yet years later the 2fa options are worse than ever
<colemickens>
like, they actually removed email and replaced it with sms-only somehow?
<joepie91>
lol
<colemickens>
"my xbox account is more secure than my bank account", idk, it ought to be more compelling, but ...
<joepie91>
Dutch banks generally actually have sensible 2FA...
<joepie91>
I ain't getting into my e-banking without a bank card
<colemickens>
yes, banks are on the list of reasons I'd like to live in a Dutch country.
<joepie91>
a Dutch country? our colonialism days are mostly over :)
<colemickens>
I uh, don't know what I was thinking :|
<joepie91>
:D
<colemickens>
I have a friend that moved to Amsterdam last year, we were there almost a year ago, sometimes I think about life if we had just stayed with our friend [somehow].
<joepie91>
I'd definitely recommend looking further than Amsterdam if you want to live in NL
<joepie91>
but yeah, go for it if you think that would improve your life!
<joepie91>
colemickens: like, aside from the usual "make sure all your ducks are in a row, and be prepared for the immigration requirements" stuff, this is probably one of those "better regret that you did it, than regret that you didn't" kind of things
<colemickens>
It's general musing of having enjoyed our time in EU/Netherlands. I want to go back to Rotterdam, Gouda, the Hague and check them out.
<joepie91>
definitely also try some of the lesser-known places :) and I can recommend just renting a hotel room or camping out or whatever in the more rural areas
<joepie91>
around flevoland, gelderland, etc.
<colemickens>
joepie91: my partner's schooling increasingly looks like it will permanently be online and its unlocking some interesting potentials. we live... pretty lightly and unattached.
<joepie91>
and just cycling around
<joepie91>
nice :)
<colemickens>
joepie91: i went camping lately (a bit out of character) to get away from Seattle noise, so that sounds appealing too.
<joepie91>
colemickens: also, one piece of advice: if you travel to NL and plan on staying for more than a week or so, don't bother renting a bike, just buy a second-hand one and give it away afterwards or whatever, it will be cheaper :P
<bqv>
mwaha, now my url dispatchers are a mode in nyxt, so i can actually browse twitch without accidentally opening thousands of instances of mpv
<colemickens>
I stepped out but thank you for the pics/info joepie91 ! :)
<bqv>
right, time to build webkitgtk...
xd1le has quit [Read error: Connection reset by peer]
xd1le has joined #nixos-chat
parsley936 has quit [Remote host closed the connection]
davidtwco has quit [Ping timeout: 260 seconds]
steveeJ has quit [Read error: Connection reset by peer]