<eyJhb>
Anyone knows if it is possible to upload a custom image to Hetzner Cloud?
<eyJhb>
Can't find anything. Wanted to create a custom image, like can be done for DigitalOcean
<sphalerite>
eyJhb: no
<sphalerite>
eyJhb: a colleague of mine uses nixos-infect with cloud-init to boot hetzner cloud machines to nixos though
<eyJhb>
sphalerite: Thought about doing that, but doing that on-demand seems like quite the startup process :D
<eyJhb>
*initial deployment time is high ^ is what I wanted to write
<sphalerite>
ah right
<sphalerite>
Maybe you can make it faster by using a volume as a cache.
<sphalerite>
But it's only a matter of minutes, idk how often you want to do this?
<sphalerite>
(and with cloud-init, there's not much manual effort involved)
Bene has joined #nixos-chat
<sphalerite>
or you can nixos-infect one machine, then take a snapshot of it and create your new machines from that snapshot
<eyJhb>
Hmm, if I could store /nix/store on a volume, then it would be nice.
<eyJhb>
True sphalerite :)
<eyJhb>
Could do that. It is for Minecraft on demand! So not sure how often
<Bene>
Hello, I am an electrician and want to add AVR GCC to Nixpkgs to use ATmega processors. So I created a default.nix and so on, but then I noticed that in all-packages.nix this explanation stands:
<adisbladis>
Unlike most software collections cross is a first class citizen in nixpkgs
<adisbladis>
To elaborate a bit more on what `pkgsCross.avr.buildPackages.gcc` means:
<adisbladis>
pkgsCross.avr < Access the cross compiled AVR packages
<adisbladis>
buildPackages.gcc < Pick GCC from the _host platform_ packages (using pkgsCross.avr.gcc you wouldn't be able to run the compiler on your presumably x86_64-linux box)
<Bene>
Ok thank you
<Bene>
but the package avr-gcc is an unfree package, you can't get the source code so you can't compile it. Does this expression still make sense or am I dumb
<adisbladis>
Bene: GCC is GPL
Bene has quit [Quit: Connection closed]
<sphalerite>
> pkgs.avr-gcc.meta.license
<{^_^}>
attribute 'avr-gcc' missing, at (string):477:1
<sphalerite>
huh
<adisbladis>
sphalerite: Why would we have an avr-gcc attribute?
<sphalerite>
idk
<sphalerite>
never mind me
<gchristensen>
welp, tailscale is more reliable than my own network at this point
<adisbladis>
Serious question: What's the security model of tailscale?
<adisbladis>
I log into a google account to a centralised service and somehow that grants access to my devices?
<gchristensen>
that sounds like a really big question :P
<gchristensen>
tailscale is STUN and key exchange as a service
<joepie91>
that sounds terrifying
<gchristensen>
sure
<gchristensen>
at this point, *shrug*
<gchristensen>
I disagree with the premise that you should trust your network, so this doesn't change much for me
<hexa->
gchristensen: pretty sure at some point they also provide turn
<hexa->
like when both endpoints are behind nat
<gchristensen>
yeah
<gchristensen>
they call it DERP and I think they get out of it almost immediately
<gchristensen>
it is pretty slick
<hexa->
yeah, being only a broker is far cheaper
<hexa->
DERP stands for Designated Encrypted Relay for Packets
<joepie91>
gchristensen: but isn't the point of tailscale to provide a private, semi-trusted network? or is it really just "bypass NAT and shit to make things work"?
<gchristensen>
I guess that depends on the user, and how much the user trusts it to provide a private, semi-trusted network
<joepie91>
right, but from a "how the service is being sold" perspective
<gchristensen>
I'll leave it up to you to decide :)
<joepie91>
like, if there's no claim of a private secure network, I'm totally fine with it. what terrifies me is that afaik they do make such claims and then, well, this
<joepie91>
though I haven't looked at it in some time
<gchristensen>
I'm not so sure what your concern is with the claim of it being private/secure
<hexa->
joepie91: SSO-authenticated mesh network between devices that don't have static addressing or are behind NATs
<hexa->
to me this is their technical selling point
<hexa->
I'm not sure how it can guarantee me that my traffic stays private
<hexa->
like, couldn't they MITM me?
<hexa->
I probably don't completely understand tailscales setup
<__monty__>
Afaiui you are trusting them, yeah.
<gchristensen>
they hand you privileged software you run on your computer, they could MITM you :)
<cransom>
i'm not a tailscale user, but it's wireguard, right? can't you compare the priv and pubkeys on the machines you are connecting to and they need to match up, otherwise your traffic is being diverted
<gchristensen>
on the other hand, the client is open source so you could probably check
<__monty__>
Or even implement your own?
<hexa->
cransom: in theory, yeah. unless they completely manage wireguard for you, what is your comparison basis?
<__monty__>
cransom: Yeah but if they have those keys then it's still not secure?
<gchristensen>
do they have those keys? seems like a biiiiig thing to claim without looking
<hexa->
I mean … I use wireguard+babeld with fixed links, so I have full control
<hexa->
but also not a full mesh
<cransom>
if you are running your own routing protocol over a vpn, managed VPN solutions probably aren't for you
<hexa->
yep
<__monty__>
I didn't claim they do. But since their client generates the keys surely it wouldn't be too hard for them to get access to them?
<gchristensen>
of course not, their client in fact requires access to it
<__monty__>
I'm not clever enough to trust myself to judge whether or not their code sneaks the keys away. Therefore, I have to trust them with my traffic.
<gchristensen>
yeah
<cransom>
accidentally getting traffic versus being actively malicious are very different problems. there are infinite ways to 'what about' for the second to how you can be compromised
<gchristensen>
gotta trust a lot of things with your traffic
<gchristensen>
yup
<cransom>
you can still treat the vpn as a vulnerable medium. you can still use all the traditional practices with client ssl certs + verification, et al.
<hexa->
well, tailscale at least handles the remote addresses and public key exchange
<hexa->
so unless you compare them end to end, anything is possible
<cransom>
and if you wanted to avoid big firewalls and vpn concentrators to manage machines over different networks, this is a method for it and you move the filtering other places.
<cransom>
stateful firewalls are a liability imo. you have to spend mountains of money for performance, and they still like to break your traffic from time to time.
<hexa->
big central ones? yeah
<hexa->
the local university has an ASA in place that can handle ~350k concurrent flows
<hexa->
for a /16 and a /40 respectively
<hexa->
we had an ssh syn flood against an ircd we host in the university network and the ASA collapsed
<andi->
Maybe it was just the "shut everything off while under attack"-mitigation (which makes no sense but we...)
<cransom>
i don't know specifics, but syn floods aren't new. i know juniper has had those kinds of protections and would drop them for forever.
<cransom>
the machine itself would have been fine with it too, it's what syn cookies are for.
<hexa->
well, I don't think very fondly of the IT people at the university, so
<cransom>
we had decent sized juniper stuff in the datacenters i was in. it doesn't help though when... was it ganglia? or also statsd traffic, the machine would count each udp packet, which was a single statistic, as a flow and stick it in the table for a return packet that would never come. even dropping the lifetime for those sessions to the minimum still ate up insane resources.
<LinuxHackerman>
pffff who needs udp
<hexa->
pls
<hexa->
just tunnel whatever it is over https
<hexa->
s/http/spdy/
<hexa->
ehhh
<hexa->
s/spdy/quic/
<hexa->
oh, back to udp it is
<andi->
internet over amp over google over spdy?
<eyJhb>
internet over ICMP?
<andi->
not hipster enough in 2021
<andi->
How do you scale that without protobufs?
<gchristensen>
good point
<__monty__>
Wrap the transport layer in XML so you can switch out protobufs for capnproto whenever it tickles your fancy.
<srk>
nested nixos containers seem to work well. docker in nixos container not so. even with --exec-opt native.cgroupdriver=systemd
<srk>
neither podman out of box .. Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.
<srk>
lol ERRO[0000] [graphdriver] prior storage driver overlay failed: kernel does not support overlay fs: 'overlay' is not supported over btrfs at "/var/lib/containers/storage/overlay": backing file system is unsupported for this graph driver