<samueldr>
then I pretty much assume llvmPackages.clang will fail too
<lovesegfault>
huh, if I `nix eval nixpkgs#pkgsCross.aarch64-multiplatform.llvmPackages.clang.meta.description` it works
<lovesegfault>
but if I nix-shell -p pkgsCross...clang it doesn't
<cole-h>
lovesegfault: How are you using sops-nix with flakes?
<lovesegfault>
cole-h: Idk? I just am?
<lovesegfault>
not sure what you're asking
slack1256 has quit [Ping timeout: 240 seconds]
<cole-h>
All I have set is `sops.defaultSopsFile` to a path, and `sops.secrets.example-key`. But trying to rebuild gives me "Manifest is not valid: secret example-key with the key example-key not found in /nix/store/.....-secrets.yaml"
<lovesegfault>
you can check all monitors with sudo ddccontrol -p
<lovesegfault>
you need pkgs ddccontrol and i2c-tools
veleiro` has joined #nixos-chat
<lovesegfault>
do not ask me how I know that's the right offset b/c I do not remember how I found out :P
<lovesegfault>
I think ddccontrol -p tells you
<gchristensen>
that is perfect, thank you
<lovesegfault>
np, glad to help :)
<gchristensen>
75% brightness on this big display is painful in a dim room at midnight :)
<gchristensen>
took it down to 5%
<lovesegfault>
I use it for the exact same thing, at night my monitor is like a supernova
<gchristensen>
colemickens: how do you run gddccontrol under sudo? I get (gddccontrol:23890): Gtk-WARNING **: 00:06:37.965: cannot open display: :0 and then exit
<cole-h>
gchristensen: Maybe need GDK_BACKEND=x11 ?
<colemickens>
I'm in GNOME :| maybe even under X11 unwittingly.
<gchristensen>
ah ok
<gchristensen>
I've been considering switching to gnome lately
<gchristensen>
tiling windows hasn't been fitting my lifestyle lately
<lovesegfault>
gchristensen: are you using sway?
<lovesegfault>
if so I know the answer to that question too
<cole-h>
(He is)
<lovesegfault>
then you need to run `xhost +SI:localuser:root`
<cole-h>
omg I remember that
<lovesegfault>
then run gddccontrol with WAYLAND_DISPLAY=
<lovesegfault>
so that it runs in X11 mode
<cole-h>
(provided by `xlibs.xhost`)
<lovesegfault>
(or xorg.xhost)
<gchristensen>
ehh I think I'll pass for now =) thanks though
<lovesegfault>
:D
<colemickens>
seems like some distros have an i2c group, that wouldn't require root?
<cole-h>
xlibs is an alias to xorg, so yeah lol
<colemickens>
might file an issue later but gotta run
<lovesegfault>
colemickens: Yeah, it's a shame we require root here, it should just be the i2c group
<gchristensen>
w00t just finished off cutting this co's cloud bill in half, lol, but almost exclusively pruning EBS volumes that people left laying around
<lovesegfault>
THE FUTURE IS NOW
<gchristensen>
time to fatten the bill up again by bringing up too-big-servers again
veleiro` has quit [Ping timeout: 240 seconds]
<cole-h>
gchristensen: nice
<lovesegfault>
I don't care what anyone says, pineau des charentes is the ultimate alcoholic beverage
waleee-cl has quit [Quit: Connection closed for inactivity]
supersandro2000 has quit [Quit: Ping timeout (120 seconds)]
<sphalerite>
lovesegfault: or if you're really lazy, just xhost +
<sphalerite>
(and don't mind all local users being able to connect to your Xwayland server)
cole-h has quit [Ping timeout: 260 seconds]
supersandro2000 has quit [Ping timeout: 265 seconds]
supersandro2000 has joined #nixos-chat
<lovesegfault>
The solution clearly is to run everything as root
<lovesegfault>
and not use a local user
<ar>
sphalerite: back in the old days (like, 2008 or 2009) some distros by-default still had X started with the -net argument, which caused it to listen on network for new clients
<ar>
sphalerite: so what happened, at the company I was working for, some of the NOC/helpdesk guys also ran "xhost +" on their machines because they needed some gui software running as root
<ar>
so what ended up happening, is that a certain someone started showing them xeyes
<sphalerite>
oh fun
<ashkitten>
got fs2020 working in flatpak steam :D
<ashkitten>
supposedly it should work in vr mode too, but i haven't gotten that to work (yet)
<ashkitten>
it just freezes on a black screen if steamvr is active during launch
<philipp[m]>
I found a Red Hat Linux in the wild :D
<philipp[m]>
Mailserver by a different company that did weird things and couldn't talk to us because of failed crypto.
<philipp[m]>
Had a call and they seemed kind of relieved that somebody told them to finally upgrade.
srk has quit [Write error: Broken pipe]
srk has joined #nixos-chat
kini has quit [Ping timeout: 264 seconds]
kini has joined #nixos-chat
veleiro` has joined #nixos-chat
armin has quit [Quit: Great minds discuss ideas. Average minds discuss events. Small minds discuss people.]
genevino has joined #nixos-chat
veleiro` has quit [Ping timeout: 240 seconds]
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-chat
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-chat
__monty__ has joined #nixos-chat
liebach has joined #nixos-chat
aleph- has quit [Ping timeout: 256 seconds]
aleph- has joined #nixos-chat
<supersandro2000>
When you try to research why a server is no more and the only clue you have is a commit with the message: "current status"
<philipp[m]>
Since I made fun of the slack status page recently, I feel I should also link https://status.signal.org/
<bbigras>
hehe
waleee-cl has joined #nixos-chat
<gchristensen>
the stream started
<gchristensen>
but no content, just "landing" page
<gchristensen>
eh, 1-2 :P
<supersandro2000>
spacex is over hyped
<ldlework>
ur overhyped >:
slack1256 has joined #nixos-chat
<supersandro2000>
factorio > spacex
<bbigras>
hehe
<__monty__>
I don't quite understand why Signal is so popular. Is it their marketing?
<gchristensen>
I feel like they put me first
<__monty__>
Signal?
<gchristensen>
yea
<eyJhb>
Ease of use I guess?
<__monty__>
eyJhb: But there's alternatives that are pretty similar.
<bbigras>
Isn't Telegram Russian? that might be a plus for Signal.
<eyJhb>
And the many recommendations, so marketing.
<__monty__>
A plus?
<eyJhb>
__monty__: which others are you thinking of?
<__monty__>
Russia has proven they can't deal with Telegram.
<gchristensen>
it is really simple, they have and prioritize good encryption in a way I think real people get the bulk of the benefit, collect almost no data
<__monty__>
I'm not so convinced the NSA doesn't force OWS to turn over whatever they have.
<bbigras>
I thought maybe I shouldn't trust Russian products.
<bbigras>
a bit like china's
<gchristensen>
OWS doesn't have anything
<philipp[m]>
Signal strikes a nice balance between usability and security.
<philipp[m]>
It's as easy to use as any popular messenger out there but much more secure.
<supersandro2000>
Elon said use signal
<bbigras>
Musk tweeted about signal the other day.
<__monty__>
The only UX difference with Telegram is that you have to opt-in to encryption I think?
<bbigras>
yeah
<supersandro2000>
and all the folks are trashing their door
<gchristensen>
that is a pretty major difference
<philipp[m]>
No! Telegram only does encryption for one on one chats and even then it's very sketchy.
<__monty__>
Sketchy?
<__monty__>
That sounds like FUD.
<f0x>
it is sketchy, their own self-rolled protocol
<f0x>
(and another Major usability concern, it only works on the mobile apps)
cole-h has joined #nixos-chat
<__monty__>
Are you sure? Can't find anything about that anywhere.
<__monty__>
Other parts of the Russian government use telegram, so someone there must believe it's secure at a nation-state level.
<cole-h>
But /usr/bin/env is provided by NixOS for convenience
<__monty__>
Otoh we have Signal, requiring a (smart?)phone, which excludes a good set of users. And their hostility to foss.
<philipp[m]>
__monty__: Governments use all kinds of insecure channels but have operational procedures in place to limit damages in case of breaches.
<__monty__>
There's also Wire, which no one seems to like "because JS". But I think that problem would be satisfactorily solved for most by simply pinning the JS code to the clients?
<__monty__>
Then there's Matrix which seems most promising but has a ways to go UX-wise.
<gchristensen>
and doesn't appear to value e2e encryption as their primarily ethos/value
<gchristensen>
which is what I like about signal
<__monty__>
Matrix? Or Telegram?
<gchristensen>
well, either
<gchristensen>
evidenced by neither having e2e encryption always under every circumstance
<supersandro2000>
you know what
<supersandro2000>
we should just talk to people in person
<infinisil>
I actually tried to use it at some point, but didn't get into it very much that I could say anything about it
<infinisil>
Also it's not really maintained
<infinisil>
Not exactly AST editing, but it's close
neeasade has quit []
<adisbladis>
One can dream...
<adisbladis>
I think this is extremely hard for most languages
Dotz0cat_ has quit [Ping timeout: 246 seconds]
<gchristensen>
this is why lisp is the only correct choice
<adisbladis>
This.
<adisbladis>
We took a wrong turn somewhere
<adisbladis>
Lisp machines should have won
* gchristensen
isn't serious
* adisbladis
is half serious
<gchristensen>
lisp machines were too expensive
<adisbladis>
gchristensen: I don't care about the hardware so much as the software
<gchristensen>
sure but one reason they lost is because lisp machines were too expensive
<gchristensen>
hardware GC was fancy as hell though
<__monty__>
Hmm, interesting. Though I definitely feel like there needs to be an escape hatch. Where you get to write what you want and the AST-mode can move it to the correct place but not keep you from adding it?
<__monty__>
Like, in haskell, it'd be annoying to have to remember you can only put imports at the top.
<__monty__>
Imports aren't a great example maybe but extrapolate.
veleiro` has quit [Ping timeout: 256 seconds]
<abathur>
there's that language, where you're writing something more like a database, which has immutable functions and a name-mapping between them for mere mortals
* colemickens
needs to bolster his CS knowledge so that nix-ld feels less like magic
cole-h has quit [Ping timeout: 240 seconds]
<bbigras>
colemickens: did you test "new boot and upstream" for the rpi 4?
slack1256 has quit [Ping timeout: 246 seconds]
* colemickens
is gonna light gopass on fire, I swear. One bug led to another and now I have a secret and a directory with the same name
<gchristensen>
ow
<colemickens>
nah, my attempt to adjust my sleep schedule was instead successful
<colemickens>
bbigras: still hoping to in the next few hours
<__monty__>
colemickens: Please migrate to bitwarden. I'm sure your contributions would only benefit us : )
<gchristensen>
the one thing I like about `pass` is it takes great pains to launch the editor in a secret-safe way
<bbigras>
colemickens: no worries. sleep is important.
<bbigras>
I wish bitwarden could use hashicorp vault as a backend.
<__monty__>
gchristensen: Hmm, how? I imagine it's pretty much impossible to disable things like vim's swapfiles generically.
<joepie91>
abathur: went some bit into that talk, and tbh, I am having difficulty seeing the point of Unison :/
<joepie91>
it seems more like a compiler internals proposal than anything, and I don't really see how it solves any fundamental problems? it just seems to apply a new coat of paint to them
<joepie91>
like, "no dependency conflicts" isn't really true because you're still going to have *conceptual* conflicts when you're trying to use two pieces of code that have been designed against different versions of the same data structure?
<joepie91>
and no amount of content-addressable hashing is going to change that...
<colemickens>
If I were to migrate from a stateless password manager to a stateful one, it will be Vault, not BitWarden.
<joepie91>
(having not watched the full talk, my initial impression is more something along the lines of "this might be a handy way to get statically-typed languages closer to what it's like to work with JS in practice)
<joepie91>
like, is there something I'm missing here?
<bbigras>
vault is not great for normies... it needs more user-friendly tools. like browser extensions. and helpers for ssh, putty....
<__monty__>
But pass isn't stateless?
<gchristensen>
a fairly light weight shim could make a tool think it is talking to `pass` but actually talk to vault
<__monty__>
colemickens: Why vault?
<colemickens>
Because it supports the other features I'd want in a secret manager that warrant the cost of paying for remote state.
<bbigras>
gchristensen: and there's a lot of tools using pass, right? I think I saw some browser support
* colemickens
wants his pw mgr further from his browser, not closer
<gchristensen>
yeah
* colemickens
also winds up with his pw on his clipboard a lot though
<gchristensen>
my browser plugin calls `pass`, which is already a shim around the real `pass`
<lukegb>
passing tokens to things: still an unsolved problem, apparently
<__monty__>
colemickens: Bitwarden's remote storage is free, just fyi.
<bbigras>
a pass shim with vault sounds great then. but maybe only if you run vault locally. I like password manager working offline. maybe the shim could keep a cache.
<colemickens>
USB blood and temperature readers for proper attestation.
<bbigras>
you have to pay to share password with bitwarden. unless you host it. iirc
<colemickens>
gchristensen: how many times have you been caught with Vault down? That's really my hesitation. My `pass` db is implicitly sort of synced offline (for better and for worse).
<gchristensen>
vault supports replication
<gchristensen>
I don't store my passwords in vault right now, I just think it is a nice idea :)
<bbigras>
gchristensen: can I do a poor-man replication? like only 2 nodes. my vps and my desktop. I don't want to pay too much and I already have 1 vps.
<__monty__>
colemickens: Which vault features do you desire?
<gchristensen>
why not do actual replication?
tilpner_ has joined #nixos-chat
<bbigras>
I mean actual replication. but only 2 nodes. I think often replication is like 3 nodes minimum for consensus. maybe it's not the case with vault.
* lukegb
thinks about Cloudflare's scoped-API-tokens, which are painful to use
tilpner has quit [Ping timeout: 256 seconds]
<colemickens>
__monty__: cert management, token<->cert exchange, stuff like that
tilpner_ is now known as tilpner
<colemickens>
the idea that I could provision vault tokens, stash those somewhere to deploy with gold images that could then be sealed VMs that Vault trusts, stuff like that is highly appealing to me.
<abathur>
joepie91: how far did you watch?
<bbigras>
ssh key signing with vault is pretty cool. dynamic creds too if you host things.
<colemickens>
I can get most of the way there provisioning offline and using sops(-nix) but that's not really the right approach for short-lived automatic rotating certs.
<colemickens>
I'd also move to using ssh host certs more probably if I had Vault keeping track of CA keys etc.
<gchristensen>
bbigras: I think you only really need 3+ if you're doing real stuff, but for interactive use 2 is probably sufficient
<gchristensen>
you're not going to be doing a lot of write activity to make weird behavior happen imo
<bbigras>
gchristensen: and it should be fine if only my vps is up at times, like during the night, right?
<joepie91>
the core premise just doesn't gel with me
<joepie91>
or what is presented as the core premise, at least
<gchristensen>
bbigras: not sure unfortunately
<gchristensen>
maybe you really would need 3
<joepie91>
like, it's presented as if it's a revolutionary concept, but what's concretely the benefit of a hash over an immutable package version? it doesn't seem to solve dependency conflicts any more than the models of Nix or npm do. I don't have builds with JS either. etc.
<joepie91>
(looking at the 'benefits' slide now)
<bbigras>
gchristensen: I'll try. thank you very much.
<joepie91>
and like, I can appreciate the elegance in the design, to a degree, but it just seems rather thin on real-world benefits, as if they started with a cool idea and then retroactively tried to enumerate benefits
<__monty__>
I wonder how much of vault's features bitwarden misses. Key and cert generation probably but it does have storage of custom data.
<bbigras>
vault can create a login in your database backend on demand.
<gchristensen>
yeah, that is so nice
<gchristensen>
general plugins for "how to prove my identity to you" and "how to get secrets out" is the core, something bitwarden is not in the space of doing
<gchristensen>
the concept of roles and access control and ephemeral secrets
<gchristensen>
and it isn't appropriate for people in general
<gchristensen>
unless consumer websites started to let people hook their vault up as a way to dynamically provision passwords, but that is a bit weird
<__monty__>
It all sounds very enterprisey.
<gchristensen>
well... I mean, it does fit in the enterprise
<gchristensen>
it is also super useful for any use case where you want rotating credentials, or want to share access with a collection of servers and people
<__monty__>
When I say vault features bitwarden misses I do mean for the using vault as a personal password (and more) manager.
<gchristensen>
yeah absolutely it does
<__monty__>
*use case.
<__monty__>
You can rotate credentials because your server would dispatch authentication of your ssh key to the vault service, right?
<bbigras>
for ssh keys, vault can sign your key with a short valid time period (like 1 minute) and your ssh server would accept it. the ssh server has the CA or something for that.
<bbigras>
there's also a OTP mode for ssh
<bbigras>
I guess in this one, the ssh server must be connected to the vault. not sure.
<__monty__>
So your ssh client would fetch an ssh key from vault every time you connect to a host?
<bbigras>
kinda. you could run the command to sign your key
<gchristensen>
the OTP one isn't so good
<bbigras>
every single time you connect
<gchristensen>
you can also make the cert last for longer than a minute, hours, days, years even
<bbigras>
s/could/would/
<gchristensen>
but making them short is the point :P
<__monty__>
So "ssh me@server" would make you authenticate to vault to get a signature and then connect?
<bbigras>
you can run `vault ssh me@server`
<abathur>
joepie91: FWIW, I linked it in response to the discussion about AST editing, so the local point is just that it's an example
<bbigras>
but by default it's hardcoded for rsa keys
<bbigras>
you can also sign your key manually.
<joepie91>
abathur: right, I was just hoping that you might have a bit more insight into the broader concept behind the language :)
<joepie91>
based on what I've seen so far I can't take it too seriously, I just don't want to definitively draw that conclusion if it's also possible that I'm just missing something
<bbigras>
ah it's more `vault ssh -mode=ca -role=my-role user@1.2.3.4`
<joepie91>
and asking someone who seems to know about it, is usually faster than a few hours of research :P
<bbigras>
I wonder if there's a config or something to avoid having to set the mode and role every time.
<bbigras>
also if you sign your key manually and save it as ~/.ssh/id_ed25519-cert.pub , ssh will pick it up automatically
<abathur>
joepie91: it did take me 12 minutes to figure out what it was called :) I mostly just remembered encountering it; I'm a little bearish on its model as well but don't have any practical experience with it
<joepie91>
heh okay, fair enough
<joepie91>
I'm hesitant mainly because I've seen a few cases now where people from a statically-typed language ecosystem went "look at this revolutionary new thing!" and I was like, uh, yeah, we've had that in JS for 5 years now...
<joepie91>
so anything that looks like JS ecosystem reinvention smells suspect to me :P
<abathur>
joepie91: It does seem to be playing with similar ideas as Nix, and there's probably some conceptual potential lurking in its model for how something like Nix could avoid rebuilding package A when package B is updated unless A actually consumes definitions from the new B
<joepie91>
abathur: that sounds possible without code hashing though
<joepie91>
or at least, without implementing that on a language level
<joepie91>
there's already treeshaking / dead code elimination / LTO tooling for an increasing amount of languages
<joepie91>
which has all the code intelligence necessary to determine this :P
<abathur>
has the ability to determine if a change to function Y between two versions of package B will break consumer A?
<__monty__>
gchristensen: You use pass for your passwords and vault for ssh/gpg keys?
<gchristensen>
right now I use vault for anything that servers or my CI pipelines need
<gchristensen>
or any secrets that other collaborators on OSS things would need
<bbigras>
do you expose vault to the web or you make collaborators use a vpn?
<__monty__>
Any reason not to use vault as a password manager? Usability because every request requires a connection to the vault service?
<joepie91>
abathur: yes; DCE implementations need to know a) which code encompasses which functions, and b) which functions get called from where
<joepie91>
those are the same pieces of information necessary to determine whether a dependency update results in an implementation change of something consumed downstream
<__monty__>
bbigras: Wouldn't collaborators use their own vault and get access through some secret sharing feature?
<bbigras>
__monty__: I don't think there's an inter-vault sharing feature.
<joepie91>
I dunno, Unison feels like one of those things which can technically be argued to be a solution to many different problems, but if you were to pick any one of those problems and reason towards an optimal solution from scratch, you would never arrive at Unison
<joepie91>
it's not that it can't solve the problems, just the tradeoffs don't make a lot of sense
<joepie91>
(in the case of using it to integrate with Nix for dependency invalidation, it would necessitate basically rewriting every piece of software and every library in Unison)
<__monty__>
bbigras: Oh, I thought it did because you said bitwarden didn't have password sharing for free.
<joepie91>
anyhow, I should be off to bed, thanks for the chat, abathur :P
<gchristensen>
bbigras: right now they use wireguard
<bbigras>
__monty__: oh no. I was just saying that the free hosted bitwarden version doesn't have the sharing, and bitwarden_rs does. for a vault you can have multiple users but if you provide a service and want to use vault you need to give the collaborators access to your vault and then you can rotate the creds anytime you want. or use dynamic creds.