gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<infinisil> samueldr: Ohh that's a great idea, I should put disk space in my xmobar
<samueldr> conky can be docked :)
<infinisil> samueldr: What's that mean?
<samueldr> like a taskbar, to a side of the screen
<samueldr> (that was more for cole-h)
<infinisil> Ah, but yeah I see
thibm has quit [Quit: WeeChat 2.6]
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-chat
<cole-h> or I could add that info to my swaybar lol
<ldlework> oh good idea
<energizer> having a constant monitor for space seems like the wrong model
<cole-h> How so?
<cole-h> Certainly better than nothing
<energizer> if it's not actionable you don't need information about it
<cole-h> it is actionable though
<cole-h> for me
<energizer> usually it isn't
<energizer> because it's usually not full
<energizer> so a notification for the rare almost-full event is more appropriate
<gchristensen> +1
<joepie91> <samueldr> conky can be docked :)
<joepie91> return of the Windows Vista sidebar!
<gchristensen> vista was the best thing since xp sp1
<joepie91> SP3*
<samueldr> yes please
<infinisil> energizer: Problem with a notification is that it's easy to just brush it away
<samueldr> make it show up in your *bar when it's about to be full only, and in red, and comic sans
<energizer> infinisil: that's a good point. the interface should be more like an issue tracker
<samueldr> and no way to brush it away, other than fixing the problem
<infinisil> Lol
<joepie91> weaponized comic sans!
<infinisil> What if you made the machine beep with a frequency inversely proportional to the space left
<samueldr> if you can, make it an overlay on top of your display
<samueldr> that you can click through
<samueldr> infinisil: sad boops
<infinisil> Hmm, but the beeps should only occur from a certain point on
<cole-h> how to compare file sizes from stdin
<infinisil> You wouldn't want it to beep at all when it's 50% full
<infinisil> cole-h: wc -c
<cole-h> e.g. check if $1 is less than 20G, and would still work when $1 is 200G or 200B
<cole-h> infinisil: File sizes, yet detached from files :P
<lovesegfault> Mic92: Are you around?
<cole-h> Hm, maybe `numfmt --from=ie` will help
<cole-h> s/ie/iec/
<infinisil> cole-h: Ohh use stat
<infinisil> stat -c %s <file>
<cole-h> I meant detached from files in that there is no file
<cole-h> just sizes
<lovesegfault> cole-h: are you using nix-sops?
<cole-h> Nope, sorry.
<cole-h> My script ended up as: test (zfs list -H | awk '{if ($1 == "rpool") print $3}' | numfmt --from=iec) -lt (echo 20G | numfmt --from=iec) && echo '!! less than 20G left in rpool !!'
<cole-h> (fish syntax)
<lovesegfault> s/cole-h/colemickens/
<lovesegfault> colemickens: ^
<lovesegfault> damn pinger
<colemickens> lovesegfault: yep
<infinisil> colemickens: zfs list -Hp -o used rpool
<infinisil> :)
<lovesegfault> colemickens: have you seen this before: /nix/store/1x3hwkmfmin33pb3bmlbxqw9416vp3pk-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/1x609d7a9n7l4gd208r52kpgx7pfzjhh-stcg-aws-credentials.yml': Error getting data key: 0 successful groups required, got 0
<lovesegfault> I saw that you had hit something with setting gpgHome
<lovesegfault> but I don't think I set that anywhere
<colemickens> I don't set gpgHome in my configs I don't think either.
<lovesegfault> is your config public?
LnL has quit [Ping timeout: 258 seconds]
LnL has joined #nixos-chat
<energizer> what are yall using pgp for anyways?
<lovesegfault> sops
<hexa-> pass
<hexa-> git commit signing
<lovesegfault> ,locate sopsdiffer
<{^_^}> Couldn't find in any packages
<colemickens> it's an alias, looks like?
<lovesegfault> yup
<lovesegfault> I was confused for a second
<lovesegfault> kind of lame that I can't export the difftool in gitattributes
<gchristensen> tbh that scares me, gitcrypt doing that is why I pushed unencrypted private keys to a git repo
<lovesegfault> tired: nix-build building your thing
<lovesegfault> wired: nix-build doing absolutely nothing and just sitting there forever
<gchristensen> inspired: actually it is building but protocol changes broke progress reporting in mixed version environments
<samueldr> gchristensen: at that point they were public keys
<samueldr> [┼␋│⎺⎽@┼␋│⎺⎽:·]$
<gchristensen> ooooohh
<samueldr> woopsie, looks like reset doesn't want to fix it this time
<abathur> grumble
<lovesegfault> another one:
<lovesegfault> tired: typing your password at a normal speed and getting it right
<lovesegfault> wired: typing your password superspeed 5000 and having to re-enter it 20 times
<samueldr> inspired: typing your password carefully, having to re-enter it 20 times
<energizer> can i use a fingerprint yubikey instead of a password?
<lovesegfault> woohoo got sops-nix working
<lovesegfault> 🎉
<Mic92> colemickens: so new systemd supports reading secrets from a socket.
<Mic92> This helps a lot with privileges and race conditions on startup
<lovesegfault> Mic92: What do I do if I add a new host key that I want to be able to decrypt a pre-existing secret?
<lovesegfault> Only way I figured was to delete the secret and re-create it
<Mic92> I also suggest to use a .sops.yaml
<lovesegfault> So what do I end up gaining by having `keys/hosts/`?
<lovesegfault> nvm, I'm mixing up fp's and the actual key
<Mic92> lovesegfault: someone also suggested I use yaml magic to avoid having to re-specify the host fingerprint over and over again
<Mic92> with yaml anchors or so
* lovesegfault googles yaml anchor
<Mic92> colemickens: I would like to fork() myself and finish this, nix-ld and my current project I am working on for my Phd in parallel
<lovesegfault> Nice, got magic DNS working
<Mic92> lovesegfault: and I found the yaml anchor stuff
spudly1 has joined #nixos-chat
<lovesegfault> Oh damn
<lovesegfault> that is _NICE_
<lovesegfault> Mic92++
<{^_^}> Mic92's karma got increased to 41
<abathur> yaml anchors are a good example of that wtf-is-this-syntax problem we discussed the other day :)
Jackneill has quit [Ping timeout: 264 seconds]
Jackneill has joined #nixos-chat
<energizer> lovesegfault: can i see your magic dns config?
<colemickens> ew, but also nice
<colemickens> I should be better about my secrets, I just blast them all out to all machines right now
<energizer> lovesegfault: thanks
<lovesegfault> np :)
<lovesegfault> bbigras: really tempted to try flakes nwo
<lovesegfault> *now
<lovesegfault> gchristensen: had to revert the spawn-in-cgroup change
<lovesegfault> consistently had systemd segfaulting after a couple hours use
<bbigras> lovesegfault: since you figured out how to use sops-nix? I was looking at it today too. I even asked mic92 a dumb question on his dotfiles repo.
<lovesegfault> bbigras: Yeah :D
<lovesegfault> it's all up on GH
<lovesegfault> from this commit onward
<lovesegfault> (you probably just want to look at master since I fixed a number of things throughout the day)
<lovesegfault> so that only the hosts that need a certain secret can actually decrypt it
<bbigras> awesome. I wish digital ocean would have something like google and aws for the key but pgp will be fine.
<bbigras> there's no easy way to use sops with something like `services.spotifyd.settings.global.password` right? I'm guessing even if we could it would end up in the nix store. mic92's dotfiles use some trick like https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/bitwarden.nix#L50-L54 . It seems a pain to have to define your own systemd services for everything but I guess it must be the only way.
<lovesegfault> Yeah, it's the only way I can think of
<lovesegfault> You can also upstream a passwordFile config for those services
<lovesegfault> IMHO it should be standard
<bbigras> yeah I agree
<bbigras> another cool thing with Sops. https://github.com/direnv/direnv/wiki/Sops . I guess it's like when we put passwords in .env but now it's encrypted. Another thing I saw in mic92's repo.
FireFly has quit [Quit: Goodbye]
<bbigras> lovesegfault: are some of your hosts on aws?
<Mic92> bbigras: I have one.
<Mic92> I think I should just move the README of sops-nix to the wiki
<Mic92> like direnv.
<Mic92> Seems to work out great
FireFly has joined #nixos-chat
<bbigras> oh I don't have one on aws. I was just wondering if he was planning to use AWS KMS instead of pgp. Which seems pretty cool.
<bbigras> I'll check the wiki for other cool sops usage.
<bbigras> and I need to check gitAndTools's 9000 packages before adding a new one that I think is useful. I wouldn't be surprised if there's already a dozen of them doing the same thing.
<Mic92> bbigras: aws kms is a bit tricky right now. you can ask colemickens how it can be done. I want to fix it in the future with sops-nix
<Mic92> right now pgp is the sops-nix happy path
<bbigras> Mic92: thanks 👍️
endformationage has quit [Quit: WeeChat 2.9]
abathur has quit [Quit: abathur]
waleee-cl has quit [Quit: Connection closed for inactivity]
<bbigras> What would you guys use for secrets `networking.hosts` hosts? I think I'll still have to use a git submodule with a private repo.
<lovesegfault> bbigras: nope
<lovesegfault> one is on GCP
<bbigras> lovesegfault: gcp has some key thing too. But maybe check with mic first.
<bbigras> I wonder if using those key things are tricky with sops or only sops-nix. I also wonder how key rotation works when it happens in gcp's side
<colemickens> Sops works with amazon/google/azure's keyservices.
<colemickens> For Azure it's "automatic", and it should be roughly the same on the others.
<colemickens> The gist is that you create a key in their KMS, you put that in sops.yaml, it is used to encrypt. Then the VM is provisioned with access to the KMS resource.
<colemickens> Sops will look at the encrypted sops file, see that there is, for example, an Azure KV key...
<colemickens> and then Sops's Azure integration knows how to retrieve a valid oauth token from the Azure control plane, and then can decrypt the file.
<colemickens> So after initial setup, it's entirely automated and hands-off. cc @bbigras ^. This is basically all just out-of-box functionality. I think I mostly just needed a PR to fix a small bug in Sops's Azure integration
<colemickens> (this is predicated on sops-nix adopting systemd-activation)
<bbigras> Cc lovesegfault ^
<colemickens> (otherwise it requires a couple extra tricks to get networking+dns available for when it executes)
<colemickens> It makes for a very, very, very cool demo, IMO.
<lovesegfault> I'm back
<lovesegfault> moving furniture around :D
<bbigras> colemickens: yeah it seems awesome. I wish all cloud providers had something similar. Thanks!
<lovesegfault> TIL I can force jemalloc as my system allocator in nixos
<lovesegfault> neat
abathur has joined #nixos-chat
<lovesegfault> hmm systemd segfaulting is unrelated to me spawning everything in a cgroup
<lovesegfault> one of the recent nixpkgs bumps, it must be
<{^_^}> #106791 (by petabyteboy, 2 days ago, closed): system instability after updating systems
<lovesegfault> bingo
kalbasit has quit [Ping timeout: 272 seconds]
cosimone has quit [Quit: cosimone]
ece has quit [Ping timeout: 256 seconds]
ece has joined #nixos-chat
lopsided98 has quit [Ping timeout: 260 seconds]
lopsided98_ has joined #nixos-chat
<lovesegfault> error: reached FD_SETSIZE limit
<lovesegfault> Ah, nix how I love you
thibm has joined #nixos-chat
<lovesegfault> Uuuh what
<lovesegfault> I can't build anything
<lovesegfault> complains there's no space
<lovesegfault> all my disks are pretty much empty
<lovesegfault> tmpfs is empty
* lovesegfault scratches head
<etu> lovesegfault: Hmm
* etu has experienced "full" EFI, but that was just hindering me from installing nixos on a machine because it couldn't create an EFI entry
<lovesegfault> Right, I've had annoying full EFI too
<lovesegfault> but this is just a vanilla nix build
<colemickens> lovesegfault: I swear I was hitting that on one of my remote builders last week but didn't have time to investigate. I'd be curious if you find out what's up
<eyJhb> Is there anything like tmate, but for sharing your desktop?
__monty__ has joined #nixos-chat
<talyz> lovesegfault: Running out of inodes?
<talyz> Probably not if it's a new system..
<cole-h> lovesegfault: You probably already tried, but I'd strace it :D
<cole-h> Does it behave the same with and without going though the daemon?
cole-h has quit [Ping timeout: 264 seconds]
FRidh has joined #nixos-chat
<eyJhb> ,ping
<{^_^}> pong
lunc has quit [Ping timeout: 256 seconds]
cosimone has joined #nixos-chat
maljub015 has joined #nixos-chat
maljub01 has quit [Ping timeout: 240 seconds]
maljub015 is now known as maljub01
maljub01 has quit [Ping timeout: 256 seconds]
maljub01 has joined #nixos-chat
waleee-cl has joined #nixos-chat
<__monty__> Does anyone know if the credits on Travis-CI's free plan are one-time or recurring?
<abathur> __monty__: my impression is that they're one-time, but that the OSS-only credits are recurring
<__monty__> : /
<__monty__> I don't think I can log in with one of my organizations. Is there any way I can still request OSS credits?
<abathur> I'm not sure about that process; I haven't requested and don't have any yet
spudly1 has quit [Ping timeout: 246 seconds]
kalbasit has joined #nixos-chat
waleee-cl has quit [Ping timeout: 260 seconds]
rajivr has quit [Ping timeout: 260 seconds]
rajivr has joined #nixos-chat
LnL has quit [Ping timeout: 260 seconds]
ashkitten has quit [Ping timeout: 260 seconds]
LnL has joined #nixos-chat
ashkitten has joined #nixos-chat
waleee-cl has joined #nixos-chat
slack1256 has joined #nixos-chat
lunc has joined #nixos-chat
<Mic92> one does not simply compile ebpf
ixxie has joined #nixos-chat
<Mic92> never mind :) the ebpf verifier actually prevented me from doing something stupid.
<gchristensen> nice
<tilpner> Your previous statement was true though
<tilpner> It requires all sorts of dances, because how dare you have uninitialised padding in your struct!
ixxie has quit [Remote host closed the connection]
ixxie has joined #nixos-chat
lunc has quit []
<lovesegfault> talyz: nope, plenty of inodes
<lovesegfault> it stopped happening all of a sudden
<colemickens> Did yall see OSv and HermiTux? I hadn't heard of either, but both seem very neat. Micro/uni-kernels with Linux binary compatibility. https://ssrg-vt.github.io/hermitux/ https://github.com/cloudius-systems/osv
<ixxie> anybody know how to combine Lorri and node2nix?
FRidh has quit [Ping timeout: 240 seconds]
FRidh has joined #nixos-chat
<lovesegfault> I've started waking up early so I can set the thermostat before my wife
<lovesegfault> I hate the cold
<hexa-> lovesegfault: sounds like you could replace yourself with automation
<lovesegfault> I ain't getting no nest
<lovesegfault> so the next time google goes down it also boils us alive
<lovesegfault> nah-uh
<__monty__> Still, many thermostats have programmable temperature for at least daytime/nighttime?
<lovesegfault> Ah, not mine
<sphalerite> damn. And here I am, wanting to replace my thermostat that has timer functionality with something smarter :D
<sphalerite> (definitely not nest or similar, for that exact reason)
<lovesegfault> I have a huge fear of smart thermostats
<sphalerite> but it's tricky, there doesn't seem to be anything ready-made for it :(
<gchristensen> local smarts only please
<lovesegfault> yup
<sphalerite> yep
<lovesegfault> not internet of shit in my house
<gchristensen> I like the hubitat a lot
<sphalerite> the only ready-made solution that will work with my boiler is tado, and that's online-only cloud shit
<sphalerite> (the only one I'm aware of)
<hexa-> but you are the hacker man
<hexa-> patchelf the blob away and make it go local
<sphalerite> but I think custom electronics are probably still easier
<sphalerite> https://www.mikrocontroller.net/topic/126250?page=single at least it's been done before
<sphalerite> trouble is I don't have that much electronics experience
cole-h has joined #nixos-chat
red[evilred] has joined #nixos-chat
<red[evilred]> I think we can all relate to this ;-)
* lovesegfault sighs
<lovesegfault> I really need to start putting in the work to get my commit bit
<red[evilred]> I feel ya. I do too (but I still don't feel like I'm ready for it for 99% of things that go by in PR land)
aranea has quit [Ping timeout: 240 seconds]
<red[evilred]> once that gets to 50% I'll consider applying
<lovesegfault> IMHO nixpkgs needs people who can build, test, and read medium-complexity drvs much more than people who understand the depths and intricacies of, idk, patchelf
<lovesegfault> the bulk of the PR load is simple stuff
<lovesegfault> it just needs someone to look, commend, and maybe merge
aranea has joined #nixos-chat
<abathur> better sieves might be a nice lever, though there's probably some tension between efficiently funneling issues/PRs towards people best-positioned to resolve them and key members burning themselves off on an infiniscroll of work they know they're the backstop for
<abathur> s/off/out :)
<lovesegfault> Right, I think being able to accurately understand what PR's you are and are not qualified to review is key
<lovesegfault> there's this weird culture in nixpkgs where every committer must have total knowledge of things and feel qualified to review any PR, or at least I've been told that before
<lovesegfault> I find that a bit wacky, I don't know any other large project like that. Usually people find a corner they like and specialize there
<samueldr> >> there's this weird culture in nixpkgs where every committer must have total knowledge of things and feel qualified to review any PR
<samueldr> that's the first I hear about that
<samueldr> maybe if you're interested in managing a release it would help
<lovesegfault> I've been told that before, admittedly a long while ago
thibm has quit [Ping timeout: 258 seconds]
thibm has joined #nixos-chat
<sphalerite> lovesegfault: you have 106 commits in nixpkgs and no commit bit? Pfff. Hey gchristensen ! Can we get a commit bit over here? :p
<bbigras> "managing a release". I wonder if you would get more gray hair than Obama during his terms.
<sphalerite> bbigras: I didn't
<bbigras> sphalerite: hehe. great. The last release manager had some help too.
<lovesegfault> samueldr: What does "managing a release" mean in the context of Nix? (i.e. what is the work around it)
<bbigras> I have 96 "shitty" commits.
<lovesegfault> I have never used non-unstable nix 😅
<samueldr> of Nixpkgs, mainly rounding up the PRs and pushing people into submission
<samueldr> :)
<samueldr> and then making sure things do work as expected, and getting the right people to help to fix broken stuf
<samueldr> stuff*
<lovesegfault> When is the next release? I remember reading we changed the months?
<samueldr> there is an RFC open to change the months
<samueldr> rfcs#80
<{^_^}> https://github.com/NixOS/rfcs/pull/80 (by jonringer, 2 weeks ago, open): [RFC 0080] Change NixOS releases to YY.05,YY.11
<bbigras> What is the change about? the number of months between the releases? I'm guessing doing it 2 months later or whatever wouldn't change a thing.
<bbigras> unless some upstreams have a similar schedule
<samueldr> I'll be blunt, but read the RFC
<samueldr> it's all explained there :)
<bbigras> but I read like the first phrase of the pr 😅
<bbigras> thanks
<bbigras> tldr: "In particular, GNOME and KDE Plasma both have a release in September"
<bbigras> makes sense.
<adisbladis> Hmmm
<adisbladis> I seem to recall often having problems while upgrading KDEs major releases
<adisbladis> It's often worth waiting for the first point release
slack1256 has quit [Ping timeout: 256 seconds]
<bbigras> how long does that usually take?
rajivr has quit [Quit: Connection closed for inactivity]
<adisbladis> Usually a week or so
<bbigras> ah not bad.
<adisbladis> Gnome may have a similar stabilisation period
cosimone has quit [Quit: cosimone]
<bbigras> lovesegfault: https://github.com/bbigras/nix-config/commit/be216e536fba864ec0a411470ef1073045239a7a . well I'm only using it in my private submodule, but it's a start.
<lovesegfault> bbigras: nice!
cosimone has joined #nixos-chat
julm has quit [Quit: Lost terminal]
julm has joined #nixos-chat
thibm has quit [Ping timeout: 240 seconds]
ixxie has quit [Remote host closed the connection]
thibm has joined #nixos-chat
<clever> gchristensen: i discovered something neat in prometheus/hwmon recently: https://cdn.discordapp.com/attachments/440348507182727169/787901548331008022/Screenshot_2020-12-14_00-39-19.png
neeasade has quit []
<gchristensen> oh interesting ...!
<clever> node_hwmon_in_volts and node_hwmon_curr_amps from the main prometheus node exporter
<clever> sadly, for my laptop, the amps are positive for both charge and discharge
<clever> but i can now see that it draws 500mA when idle, ~750mA when idle with the display on, and it can charge at up to 3A
pinage404[m] has quit [Ping timeout: 268 seconds]
leons has quit [Ping timeout: 268 seconds]
leons has joined #nixos-chat
pinage404[m] has joined #nixos-chat
cosimone has quit [Quit: cosimone]
FRidh has quit [Quit: Konversation terminated!]
cosimone has joined #nixos-chat
<energizer> why does /etc exist in nixos? can't everything be pointed into the store?
<samueldr> (not exactly the right place to ask)
<energizer> ok
<samueldr> but a good question nonetheless
<bbigras> Can /etc/krb5.keytab be read-only with kerberos?
<viric> /nix/store is readable by everyone
Jackneill has quit [Ping timeout: 256 seconds]
<clever> energizer: /etc is mainly for programs that can't be told to look elsewhere, or for programs that you want to reload and not restart
<clever> energizer: or for things like alsa, where you can't feasibly wrap every binary that's reading it
Jackneill has joined #nixos-chat
<samueldr> heh, `exec kexec` when run as PID 1 is seemingly not a good idea
<samueldr> something about killing init when kexec tries to kill... something?
<samueldr> or... disregard this as I'm probably misreading the logs
<samueldr> yep, unrelated output
<clever> if kexec succeeds, it will never return
<samueldr> yeah, I definitely didn't read something right
<samueldr> I don't even have kexec in that initrd yet :)
<samueldr> (the binary)
slack1256 has joined #nixos-chat
<abathur> if only past-me knew that current-me would be looking through the blame for every ini file I can find that sets a specific option on the off chance anyone felt the need to document why...
<abathur> my consolation prize so far is just this very appropriate commit message: "all at once of course"
slack1256 has quit [Remote host closed the connection]
<infinisil> Oh wow, I could pay my health insurance with bitcoin
* abathur hopes this isn't one of those dumb scavenger hunts where I spend 2 hours searching for something only to end up at an unanswered SO Q/A I opened myself or already have bookmarked
thibm has quit [Quit: WeeChat 2.6]
<energizer> good idea/bad idea: configuration file that requires a `reason` field for every setting value
<cole-h> Would require people to know what they're configuring :P
<samueldr> good idea
<samueldr> yeah
<samueldr> "because"
<cole-h> "asdf"
<samueldr> "fixes stuff"
<cole-h> "idk but why not"
<samueldr> field = 1 // reason: 2
<infinisil> Reminds me of this idea I talked about recently, about programs saying exactly why they do each action
<infinisil> Similar to "Justified programming", as https://www.youtube.com/watch?v=OrQ9swvm_VA calls it
<abathur> the closest I found to an actual commit message discussing why was "Fix SQL?"
<abathur> luckily, that was enough of a hint to track down a few SO threads that make me feel pretty good that I, too, added to fix SQL :)
cosimone has quit [Quit: cosimone]
ravndal has quit [Quit: WeeChat 2.9]
ravndal has joined #nixos-chat
__monty__ has quit [Quit: leaving]