tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-chat
<cole-h>
samueldr++
<{^_^}>
samueldr's karma got increased to 0b100111100
<colemickens>
I've definitely been getting unexpected random dns failures since turning on resolved, like I just had aarch64.nixos.community fail to lookup
endformationage has quit [Quit: WeeChat 2.9]
<bbigras>
I might have dns issues with resolved too. but I thought maybe it was my config. with dnssec and dns over tls.
slack1256 has quit [Remote host closed the connection]
<Church->
Same here. Might go back to a different resolver
waleee-cl has quit [Quit: Connection closed for inactivity]
cole-h has quit [Ping timeout: 264 seconds]
<adisbladis>
I've had mostly good experiences with unbound
<adisbladis>
It sometimes requires a restart after switching networks, I don't know why
<adisbladis>
But apart from that it's been rock solid
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-chat
spudly1 has quit [Ping timeout: 240 seconds]
spudly1 has joined #nixos-chat
Mic92 has joined #nixos-chat
<eyJhb>
bbigras colemickens In the last couple of days my DNS has been really slow at times, 3-4s lookup times...
<pie_>
joepie91: nod
crazazy[m] has quit [Quit: Idle for 30+ days]
Mic92 has quit [Quit: WeeChat 3.0]
Mic92 has joined #nixos-chat
krkini has joined #nixos-chat
crazazy has joined #nixos-chat
__monty__ has joined #nixos-chat
Mic92 has quit [Quit: WeeChat 3.0]
Mic92 has joined #nixos-chat
Mic92 has quit [Client Quit]
Mic92 has joined #nixos-chat
<pie_>
tilpner: re yesterday, yeah the netboot-minimal definitely shouldnt be 2 gigs
<pie_>
no idea why it got that big
<pie_>
I need to wait for a kernel build and then i guess ill nix-du it afterwards, hopefully that will help
<pie_>
Hm. That number might have been from somewhere else, the things I found in the nix store seem to be on the order of 800M
<pie_>
but still.
<tilpner>
--apparent-size?
<andi->
800M is still at least 2x as large as it should be..
<andi->
Kernel + nix + minimal User space can't be 800M by now... What did end up in there?
<gchristensen>
unfortunately, it sounds about right to me
bqv has quit [Quit: WeeChat 3.0]
bqv has joined #nixos-chat
bqv has quit [Client Quit]
krkini has quit [Remote host closed the connection]
kini has joined #nixos-chat
lunc has joined #nixos-chat
<andi->
:/
<andi->
It is hard to believe that we need 800MB of code to run an operating system these days.
<andi->
Should run some nix-du on it to figure out where it comes from
bennofs has joined #nixos-chat
<pie_>
how should I set up the user that gets sshd into for remote builders?
<andi->
depending on your exact use case it might have to be a trusted user
<pie_>
i just want to move builds from my weak tablet to my laptop
<andi->
usually I just create a regular (non-interactive) user that only that remote machine is allowed to ssh into
<andi->
also -> #nixos :D
bqv has joined #nixos-chat
bennofs has quit [Remote host closed the connection]
bennofs has joined #nixos-chat
bennofs has quit [Client Quit]
bennofs has joined #nixos-chat
bqv has quit [Quit: WeeChat 3.0]
bqv has joined #nixos-chat
<andi->
nix-tree reports that my nixpkgs in the minimal image is 600MB while it is just 140MB
bqv has quit [Quit: WeeChat 3.0]
bqv has joined #nixos-chat
<gchristensen>
I don't understand
<hexa->
yeah, it's hard to understand. probably more understanding over in #nixos :p
<gchristensen>
lol but also I actually don't understand what that sentence means :P
<steveeJ>
maybe it wants to check that http->https rewrite is enforced?
<clever>
steveeJ: it does validation over http, because your https cert may not be valid yet
<gchristensen>
I assumed it used https and just ignored cert validation errors
<steveeJ>
clever: is there any compatible configuration that doesn't rely on a plain http connection?
AMG has joined #nixos-chat
<clever>
steveeJ: not sure, i just always setup both port 80 and 443
<steveeJ>
this probably breaks `services.nginx.virtualHosts.<name>.onlySSL`
cole-h has quit [Ping timeout: 264 seconds]
Raito_Bezarius has joined #nixos-chat
lassulus_ has joined #nixos-chat
kalbasit_ has joined #nixos-chat
lassulus has quit [Ping timeout: 260 seconds]
lassulus_ is now known as lassulus
kalbasit_ has quit [Ping timeout: 260 seconds]
rajivr has quit [Quit: Connection closed for inactivity]
crazazy has left #nixos-chat [#nixos-chat]
lassulus_ has joined #nixos-chat
lassulus has quit [Ping timeout: 240 seconds]
lassulus_ is now known as lassulus
<bbigras>
you can use dns for the acme challenge. it allows wildcard domains too.
<supersandro2000>
if your dns provider supports it
<gchristensen>
all dns providers are supported, for it to be fully automatic it has to have an API
<supersandro2000>
if you need to add the TXT record by hand it is very inconvenient
<gchristensen>
yes it is
<infinisil>
Ohh, now that I have DNS support in Nixus I could make an acme module for that
<gchristensen>
still easier than the old days of TLS :')
<supersandro2000>
and you probably need to set security.acme.preliminarySelfsigned = true; or nginx does not start
<supersandro2000>
which shouldn't be that important for DNS but is still nice to have
waleee-cl has joined #nixos-chat
<bbigras>
"if your dns provider supports it". yes but I think it's worth it to switch dns provider just for this.
<steveeJ>
bbigras: I'm not sure what you mean by "use dns for acme challenge". please elaborate
<bbigras>
steveeJ: instead of using the `/.well-known/acme-challenge` method, the tool will create a TXT record at your dns provider using an API, wait for the validation and remove it.
<gchristensen>
if you're getting certs for domains not publicly accessible or a domain which has a lot of servers serving it you'd want the DNS-01 challenge which writes a value to your DNS zone instead
<bbigras>
and for wildcard certs, "Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge."
<gchristensen>
right. proving you have control over DNS proves much more control than over a single URL
<steveeJ>
that's pretty neat. so the tool needs write access to the NS itself, sounds pretty dangerous :-D
<bbigras>
well if you trust the tool with your ssl keys... maybe you can trust it with your dns
<gchristensen>
it is a good point steveeJ
<steveeJ>
awesome, learned a lot here today, thanks folks!
<__monty__>
That's a classic is it only now making its way to ycombinator?
<bbigras>
etu: you might need the more expensive "enterprise edition"
<etu>
__monty__: It has to have been up there before, first I heard about it was like 10 years ago.
<__monty__>
That CORRAS rack does look like a decent option : )
* etu
has a real 42U server rack at home though
<etu>
Not with servers
<__monty__>
>.<
<__monty__>
Doing the math on backup solutions yesterday it really seemed like hosting it yourself is the affordable option, maybe with a LackRack : )
<bbigras>
etu: what are you using it for?
<etu>
bbigras: I got shelves in it and put pretty things in it, I also have a LED strip around the outer side and a glass door :)
<bbigras>
oh nice
<etu>
bbigras: I got it for free from adisbladis like 9 years ago :p
<bbigras>
nice.
<sphalerite>
__monty__: nice, just don't forget that you don't get the location redundancy if you're backing up your desktop at home to the backup server at home ;)
kalbasit_ has quit [Ping timeout: 246 seconds]
<__monty__>
sphalerite: Yeah, Lackrack at home, Lackrack at parents'... ; )
<sphalerite>
Perfect!
<adisbladis>
etu: It's very pretty :)
<sphalerite>
__monty__: that's pretty much how I'm doing it with my family's backups, just no lackrack
<adisbladis>
I got it for free from a computer lab before that :D
<__monty__>
Cheapest option I could find was Hetzner btw. Backblaze personal backup looks great but it lacks linux support and it's only a backup of all the files currently on your computer.
<adisbladis>
etu: From some random guy I was trading retro computers with when I was into that
<etu>
:D
<adisbladis>
etu: It used to belong to Telia
* etu
have only moved it 1200km so far, will probably move it 400km this year
<__monty__>
You should do the Gnome thing and take picz of the rack visiting touristy places : )
<adisbladis>
Haha :D
<etu>
__monty__: That seems, eh, clunky
<etu>
:D
<__monty__>
There should also be a couch surfing pic every time it changes owners.
<etu>
It's not super easy to move.
<__monty__>
That's the best part, etu!
<bbigras>
could you use Backblaze with restic?
<etu>
__monty__: "42U rack on the beach"
<etu>
__monty__: "42U rack at the bar"
<adisbladis>
etu: "Nice rack"
<adisbladis>
(but without being a pig) :)
<bbigras>
"42u at the topless bar"?
<adisbladis>
etu: The guy I got that from was pretty awesome
<adisbladis>
He was using a ~12U Sun machine as his living room table
<etu>
:D
<adisbladis>
It had wheels and everything
<etu>
That's handy!
<adisbladis>
He called it his "portable computer"
<adisbladis>
Which I guess may be technically correct.. But uhh..
<pie_>
bbigras: restic can use the rclone or whatsitcalled backend which does like, everything?
<bbigras>
pie_: I think so. At work I used restic with rclone to backup to onedrive.
<bbigras>
at home I use restic with s3 (without rclone).
<bbigras>
I want to try kopia too.
<pie_>
i need to figure out what i was doing, multitasking is hard but i have to do something during these 20 minute squashfs rebuilds
<bbigras>
maybe a game on your phone
<pie_>
no. bad. :P
<pie_>
Though I might just start drawing then
<ehmry>
speaking of squashfs, I looked at erofs, it's supposed to be faster than squashfs, but mkfs.erofs only takes a single source directory as an argument :(
<ehmry>
whereas squashfs takes a number of store paths to bundle together
<sphalerite>
__monty__: do you know what hardware you're going for yet?
<__monty__>
bbigras: I don't think you can. At least with "personal backup." You run the backblaze client and it scours your disks for files to backup. If you disconnect an external disk it then proceeds to delete those files from your backup (30 day retention, 1 year for 2/mo extra, unlimited is available).
<__monty__>
And as I read it any data past 30 days costs 0.5 cent/GB/mo.
<__monty__>
Which is equivalent to the price of their "cloud storage/s3 API" offering I think.
<__monty__>
So with personal backup you're responsible for keeping at least one copy.
<__monty__>
Since I do have linux boxen I was thinking "maybe a NUC with windows to run the backblaze client?" But that doesn't work because then I'd have to buy enough disks to store all my data attached to the NUC.
<__monty__>
And at that point if you double the cost of the hardware you have your very own backup solution.
<__monty__>
Except it's more flexible, can run some services, can serve as a NAS, etc.
<__monty__>
And doesn't come with a monthly fee.
<gchristensen>
doesn't get you to 3-2-1 exactly
<__monty__>
2 types of media isn't very practical though.
<__monty__>
Does cover the 3 I think? Forgot what 1 is.
<sphalerite>
I really don't like the 3-2-1 formulation…
<sphalerite>
1 extra location
<sphalerite>
but that should make it 3-2-2
<__monty__>
sphalerite: I'm still on the fence. This was more of a realization that hosted backups ain't cheap. Not that hosting your own *is* cheap : )
<sphalerite>
fair enough
<sphalerite>
and yeah with hosting your own you have a biiig upfront cost and less scaling flexibility
<ashkitten>
someone should make something that does what f-droid does but is better
<__monty__>
Isn't the extra location subsumed by the 3 copies? Working, local backup, non-local backup?
<sphalerite>
__monty__: 3 copies just means 3 copies, not that they're in different locations
<bbigras>
__monty__: oh I was thinking of "Backblaze B2 buckets". I didn't know that backblaze was able to backup to external drive.
<bbigras>
I guess restic to b2 buckets and restic to an external drive would work.
<drakonis>
womp womp indeed
<gchristensen>
m'onit
bennofs has quit [Remote host closed the connection]
bennofs has joined #nixos-chat
<ashkitten>
hm, i *could* look into writing an fdroid server implementation with nix instead of whatever the hell they use now, but i don't really care because i hate android
<__monty__>
bbigras: It doesn't back up to external drives.
<sphalerite>
ashkitten: yes I want this too
<pie_>
on the upside i finally figured out why i was rebuilding the squashfs every time
<sphalerite>
pie_: result symlink?
<pie_>
nah, the other one
<pie_>
or, well, sort of? i was including the local directory because i wanted to copy it to the target machine after installation
<pie_>
but right now im fighting with pxe, so luckily i can just disable that part while testing this
<sphalerite>
ashkitten: I imagine it wouldn't be hard to write derivations that produce an f-droid repo… the tricky bit, I guess, is building android apps in nix
<ashkitten>
yeah
<pie_>
bleh. cant get dnsmasq to serve dhcp right now for some reason
<pie_>
(in container)
LnL has joined #nixos-chat
<infinisil>
pie_: Firewall could be the problem
<pie_>
infinisil: nah its dnsmasq-dhcp: no address range available for DHCP request via eth0
kalbasit__ has joined #nixos-chat
<pie_>
ah damnit. i tried copying a different dhcp-range line and it worked :P
<pie_>
smh about not understanding the software im running
<pie_>
apparently needed a different netmask set
<pie_>
bloody heck it works
<pie_>
ok now to try proxydhcp
<samueldr>
sphalerite: didn't eyJhb do some magic for android apps building?
<samueldr>
not sure it was published though
kalbasit__ has quit [Ping timeout: 240 seconds]
<bbigras>
pie_: are you using proxydhcp for pxe?
<pie_>
bbigras: im trying
<bbigras>
pie_: you might be interested in pixiecore instead. it's simpler. not sure if it would work in your case.
<pie_>
bbigras: what does that do
<bbigras>
pie_: iirc correctly it does the dhcp-proxy part without the normal dhcp stuff.
<pie_>
bbigras: ok that would be interesting because i have been googling to hell and the only thing i could find that seems to properly do it is dnsmasq iirc
<bbigras>
pie_: I use pixiecore at work and it works pretty well. I think I use it with an http server.
<bbigras>
it's a lot simpler than dnsmasq. especially when you need to do it oneshot. like temporary.
<bbigras>
bbl
<pie_>
thanks ill check it out
<pie_>
current hair pull: can you not bridge a wifi device?
<pie_>
basically i want to attach the container network to my wifi -_-
<pie_>
this is nuts. there has to be a better way.
<lovesegfault>
that foucault system is x86_64 and it's building on an x86_64 system, yet it fails with unexpected eof
<samueldr>
[...]
<lovesegfault>
samueldr: ?
<samueldr>
again with what seems to me like support questions on the off-topic channel
<samueldr>
though maybe it didn't start as a support question though
<lovesegfault>
I don't think either of us was asking for support?
<lovesegfault>
I know a few users here have similar setups to mine, I've been seeing something weird happen, so I came to ask if anyone saw that too
<lovesegfault>
indeed someone had, they had an idea, so I pointed them to a counter-example
<lovesegfault>
this policing around what gets talked in the channels is really annoying and pointless tbh
<JJJollyjim>
lovesegfault++
<{^_^}>
lovesegfault's karma got increased to 46
<samueldr>
it is not pointless. It is entirely to ensure that there is not a two-speed support channel setup, where if you know the secret channel (even if not really secret) "you get better support"
<samueldr>
and *also* to not be unfair to the NixOS contributors that are not present in this channel
<samueldr>
I am aggravated at the continued pattern of only a select few users to continuously and flagrantly flaunt what are guidelines even when asked not to
<samueldr>
and yes
<samueldr>
thanks
<samueldr>
now I'm the bad guy
<samueldr>
hate me y'all
<samueldr>
a slip or two, or discussion evolving is all right
<samueldr>
but some individuals just get here to ask questions
<lovesegfault>
Maybe if we hadn't name #nixos into the bot-message laden usability hellscape that it is people would use it more. Regardless though, I wasn't asking for support to begin with :/
<lovesegfault>
Also not clear to me how talking about something in a channel someone isn't in is unfair to them when the channel is publicly logged and joinable by anyone
<samueldr>
to me it's a coin flip whether this was a round-about way to "not ask for support" :(
<samueldr>
joinable and logged does not mean the individuals monitor the channel, while they might the channels they are into
<lovesegfault>
that's they're choice though? It seems like a normal/OK thing that if you choose not to monitor a chan you won't see what happens there?
<lovesegfault>
*their
<samueldr>
right, but when it happens that there is discussion about policy or such about NixOS then it becomes unfair to them
<samueldr>
they have not joined because they didn't care about the off-topic channel
<samueldr>
look, maybe I'm the only one that is vocal about the issue, but these are guidelines that were decided on early when this channel was opened
<lovesegfault>
Sure, that should probably happen in the -dev or main channels
<samueldr>
yes
<samueldr>
and about the bots
<samueldr>
I made an update to the thing
<samueldr>
I think it's not been deployed
<samueldr>
it should cut about by half the noise
<lovesegfault>
My main point here is trying to figure out whether or not someone's message is a secret way to ask for support without asking is a slippery slope for you being able to apply _your_ (flawed, since you're human like all of us) judgment to selectively prohibit discussions
tilpner has quit [Remote host closed the connection]
<lovesegfault>
Which IMHO sounds way worse than people having the occasional "borderline on topic" discussion
<lovesegfault>
(to be clear, I'm not suggesting you are/will do this knowingly or that only _you_ are subject to it. It's univeral)
<lovesegfault>
*universal
<samueldr>
I'm a human, flawed sure, but humans are pattern matching critters
<samueldr>
I'm a simple human, I see a pattern, I match
<lovesegfault>
We're also big bold beautiful bias machines, and allowing people to selectively enforce things based on their subjective analysis of someone's intent sounds pretty bad to me
<samueldr>
look
<samueldr>
I'm sorry I brought it up
<samueldr>
I shouldn't have
<samueldr>
I'll stop making any effort at moderation, apparently it's not desired
<samueldr>
or maybe I'm terrible at it
<lovesegfault>
IMHO we should just revisit the chan structure or think of ways to improve this overall
<samueldr>
too thin of a skin
<lovesegfault>
I don't think it's your fault or the fault of the users at large
<samueldr>
sure doesn't sound like it
<lovesegfault>
is that referring to the statement starting with "IMHO" or with "I don't"?:
JJJollyjim_ has joined #nixos-chat
<samueldr>
with "I don't"
<JJJollyjim_>
Are policy decisions actually made in #nixos? That sounds like the worst possible venue
<samueldr>
though I know I need to cool off some
<lovesegfault>
I promise I don't think you're at fault, or are in any way "bad"; Really
<samueldr>
JJJollyjim_: #nixos-dev
<JJJollyjim_>
good
<samueldr>
but even then, really it's /rfs/
<samueldr>
oops
<samueldr>
NixOS//rfcs/
<samueldr>
ugh, you know what I mean I hope :)
<JJJollyjim_>
yep
<JJJollyjim_>
(I have joined on a second client because I tried looking at #nixos and it crashed my matrix server :P)
<JJJollyjim_>
(I know this is entirely my fault :P)
<samueldr>
(btw, lovesegfault, sorry for dumping some on you, I was purposefully being an ass here)
<lovesegfault>
samueldr: no worries :)
tilpner has joined #nixos-chat
<lovesegfault>
FWIW: I think we should merge #nixos and #nixos-offtopic, remove all the bot chatter or move it to #nixos-bots. Only dev-specific things should be asked to move to #nixos-dev and let the project channels be.