gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
SuperSandro2000 is now known as supersandro2000
Dotz0cat has joined #nixos-chat
<lovesegfault> where my alacritty user gang at? https://github.com/NixOS/nixpkgs/pull/113740
<{^_^}> #113740 (by lovesegfault, 30 seconds ago, open): alacritty: 0.7.1 -> 0.7.2
Dotz0cat has quit [Ping timeout: 256 seconds]
Dotz0cat has joined #nixos-chat
supersandro2000 has quit [Disconnected by services]
supersandro20008 has joined #nixos-chat
rajivr has joined #nixos-chat
tilpner_ has joined #nixos-chat
tilpner has quit [Ping timeout: 258 seconds]
tilpner_ is now known as tilpner
tilpner_ has joined #nixos-chat
tilpner has quit [Ping timeout: 265 seconds]
tilpner_ is now known as tilpner
Dotz0cat_ has joined #nixos-chat
Dotz0cat has quit [Ping timeout: 272 seconds]
supersandro20008 has quit [Quit: The Lounge - https://thelounge.chat]
supersandro2000 has joined #nixos-chat
patagonicus4 has joined #nixos-chat
patagonicus has quit [Ping timeout: 240 seconds]
patagonicus4 is now known as patagonicus
Emantor has quit [Quit: ZNC - http://znc.in]
<cole-h> lovesegfault: Darn, you beat me to it because I was working >:(
<lovesegfault> cole-h: :D
<lovesegfault> can you r+?
Emantor has joined #nixos-chat
<lovesegfault> cole-h++
<{^_^}> cole-h's karma got increased to 130
<cole-h> lovesegfault: I was in the middle of `nixpkgs-review`ing it :P
<lovesegfault> I'm excited because it solves the wayland segfault
<lovesegfault> and because they cut a release because I asked :P
<colemickens> random: linux 5.11 contains: " - Allow unprivileged mounting in a user namespace."
<colemickens> (for overlayfs, that is)
<gchristensen> !!!
<gchristensen> finally
<cole-h> how does it work?
<cole-h> rather, how do I make it owrk?
<cole-h> s/owr/wor/
<lovesegfault> Does anyone here have some photoshop skillz?
<gchristensen> in `08 I was quite good with photoshop, but haven't had photoshop since
<aleph-> gchristensen: Nice
<aleph-> Been waiting for that
<gchristensen> just need it to let me mount zfs datasets now so I can get rid of a very janky alternative
<aleph-> Oh no
<aleph-> Do go on
<lovesegfault> I want an ofborg-style thing of my github profile pic
<gchristensen> uhh
<lovesegfault> to use for my bot account :P
<gchristensen> aleph-: I use systemd to monitor a path in a user's ~, when it is touched, it is mounted ... when another is touched, it is unmounted https://gist.github.com/grahamc/1ed9c4a5d556c64046978dcbc56d0cda
<aleph-> I am... saddened by this
<gchristensen> you know it is clever
<lovesegfault> Very glad I got this nick: https://github.com/lovesegbot
<gchristensen> what is your bot going to do?
<lovesegfault> push flake updates to my nix-config repo
<gchristensen> cool
<lovesegfault> I'm stupid
<lovesegfault> I should've called it hatesegfault!
<lovesegfault> done
<{^_^}> lovesegfault/nix-config#359 (by hatesegfault, 30 seconds ago, open): flake: update
<lovesegfault> ayoo
<lovesegfault> Do y'all know what bot this is? https://github.com/NixOS/nixpkgs/pull/113740#issuecomment-782491606
<lovesegfault> cc. rmcgibbo[m]
BaughnLogBot has quit [Ping timeout: 240 seconds]
<aleph-> lovesegfault: heh
Dotz0cat has joined #nixos-chat
Dotz0cat_ has quit [Ping timeout: 256 seconds]
slack1256 has quit [Remote host closed the connection]
maljub01 has quit [Quit: maljub01]
maljub01 has joined #nixos-chat
ky0ko has quit [Remote host closed the connection]
<ldlework> jtojnar: how do I fix https://github.com/NixOS/nixpkgs/issues/94073
<{^_^}> #94073 (by heapslip, 29 weeks ago, open): Applications linked against fontconfig 2.12 do not see fonts on nixos-unstable
<ldlework> isn't fixing it for me
<ldlework> nevermind
<ldlework> (sorry)
<siraben> ldlework: are you using flakes?
<siraben> nix run is a flakes command
<lovesegfault> siraben: you can use `nix run` without flakes
<lovesegfault> just like `nix build`
<siraben> lovesegfault: ah, wasn't aware
<siraben> FWIW flakes CLI docs are very good these days
<siraben> made the switch a few weeks ago and haven't looked back
<siraben> well sometimes still needed nix-instantiate
<lovesegfault> I've been using flakes for a few weeks too
<lovesegfault> it's alright
<lovesegfault> zsh completion is broken, which is very annoying
<lovesegfault> otherwise it's mostly fine
<siraben> yeah zsh completion broken
abathur has quit [Quit: abathur]
<lovesegfault> this solves it
<lovesegfault> cc. bbigras ^
<bbigras> lovesegfault: thanks!
cole-h has quit [Ping timeout: 240 seconds]
FRidh has joined #nixos-chat
tilpner_ has joined #nixos-chat
tilpner has quit [Ping timeout: 264 seconds]
tilpner_ is now known as tilpner
tilpner has quit [Quit: tilpner]
cole-h has joined #nixos-chat
eyJhb has quit [Quit: Clever message]
omnd has joined #nixos-chat
AMG has quit [Ping timeout: 265 seconds]
eyJhb has joined #nixos-chat
eyJhb has joined #nixos-chat
eyJhb has quit [Changing host]
AMG has joined #nixos-chat
AMG has quit [Changing host]
AMG has joined #nixos-chat
<eyJhb> Does anyone know if it is possible to upload a custom image to Hetzner Cloud?
<eyJhb> Can't find anything. Wanted to create a custom image, like can be done for DigitalOcean
<sphalerite> eyJhb: no
<sphalerite> eyJhb: a colleague of mine uses nixos-infect with cloud-init to boot hetzner cloud machines to nixos though
dottedmag has joined #nixos-chat
<eyJhb> sphalerite: Thought about doing that, but doing that on-demand seems like quite the startup process :D
<eyJhb> *initial deployment time is high ^ is what I wanted to write
<sphalerite> ah right
<sphalerite> Maybe you can make it faster by using a volume as a cache.
<sphalerite> But it's only a matter of minutes, idk how often you want to do this?
<sphalerite> (and with cloud-init, there's not much manual effort involved)
Bene has joined #nixos-chat
<sphalerite> or you can nixos-infect one machine, then take a snapshot of it and create your new machines from that snapshot
<eyJhb> Hmm, if I could store /nix/store on a volume, then it would be nice.
<eyJhb> True sphalerite :)
<eyJhb> Could do that. It is for Minecraft on demand! So not sure how often
<Bene> Hello, I am an electrician and want to add AVRGCC to Nixpkgs to use ATmega processors. So I created a default.nix and so on, but then I noticed that in all-package.nix this explanation stands:
<Bene> tinygo = callPackage ../development/compilers/tinygo {
<Bene>     inherit (llvmPackages_10) llvm clang-unwrapped lld;
<Bene>     avrgcc = pkgsCross.avr.buildPackages.gcc;
<Bene>   };
<Bene> Now I am confused what does pkgsCross mean?
<adisbladis> Bene: It's package sets especially for cross compiling for different architectures
<adisbladis> Let's say I'm on an x86_64 linux machine and want to build for an aarch64 linux one
<adisbladis> I'm using the GNU Hello package as an example here:
<adisbladis> > pkgsCross.aarch64-multiplatform.hello
<{^_^}> "<derivation /nix/store/v89cm9w9f1ndch7p82jgrh79l2v61whs-hello-2.10-aarch64-unknown-linux-gnu.drv>"
<adisbladis> The same for AVR:
<adisbladis> > pkgsCross.avr.hello
<{^_^}> "<derivation /nix/store/v8gk4crn3knlfrkq6n364gvi34733asm-hello-2.10-avr.drv>"
<adisbladis> Unlike most software collections cross is a first class citizen in nixpkgs
<adisbladis> To elaborate a bit more on what `pkgsCross.avr.buildPackages.gcc` means:
<adisbladis> pkgsCross.avr < Access the cross compiled AVR packages
<adisbladis> buildPackages.gcc < Pick GCC from the _host platform_ packages (using pkgsCross.avr.gcc you wouldn't be able to run the compiler on your presumably x86_64-linux box)
__monty__ has joined #nixos-chat
<Bene> Ok thank you
<Bene> but the package avr-gcc is an unfree package, you can't get the source code so you can't compile it. does this expression still make sense or am I dumb
<adisbladis> Bene: GCC is GPL
Bene has quit [Quit: Connection closed]
<sphalerite> > pkgs.avr-gcc.meta.license
<{^_^}> attribute 'avr-gcc' missing, at (string):477:1
<sphalerite> huh
<adisbladis> sphalerite: Why would we have an avr-gcc attribute?
<sphalerite> idk
<sphalerite> never mind me
Dotz0cat has quit [Ping timeout: 265 seconds]
Dotz0cat has joined #nixos-chat
BaughnLogBot has joined #nixos-chat
Dotz0cat has quit [Ping timeout: 246 seconds]
pie_38 has joined #nixos-chat
pie_38 has quit [Changing host]
pie_38 has joined #nixos-chat
dadada_ has quit [Quit: WeeChat 2.9]
dadada_ has joined #nixos-chat
<gchristensen> welp, tailscale is more reliable than my own network at this point
<adisbladis> Serious question: What's the security model of tailscale?
<adisbladis> I log into a google account to a centralised service and somehow that grants access to my devices?
<gchristensen> that sounds like a really big question :P
<gchristensen> tailscale is STUN and key exchange as a service
<joepie91> that sounds terrifying
<gchristensen> sure
<gchristensen> at this point, *shrug*
<gchristensen> I disagree with the premise that you should trust your network, so this doesn't change much for me
<hexa-> gchristensen: pretty sure at some point they also provide turn
<hexa-> like when both endpoints are behind nat
<gchristensen> yeah
<gchristensen> they call it DERP and I think they get out of it almost immediately
<gchristensen> it is pretty slick
<hexa-> yeah, being only a broker is far cheaper
<hexa-> DERP stands for Designated Encrypted Relay for Packets
<joepie91> gchristensen: but isn't the point of tailscale to provide a private, semi-trusted network? or is it really just "bypass NAT and shit to make things work"?
<gchristensen> I guess that depends on the user, and how much the user trusts it to provide a private, semi-trusted network
<joepie91> right, but from a "how the service is being sold" perspective
<gchristensen> I'll leave it up to you to decide :)
<joepie91> like, if there's no claim of a private secure network, I'm totally fine with it. what terrifies me is that afaik they do make such claims and then, well, this
<joepie91> though I haven't looked at it in some time
<gchristensen> I'm not so sure what your concern is with the claim of it being private/secure
<hexa-> joepie91: SSO-authenticated mesh network between devices that don't have static addressing or are behind NATs
<hexa-> to me this is their technical selling point
<hexa-> I'm not sure how it can guarantee me that my traffic stays private
<hexa-> like, couldn't they MITM me?
<hexa-> I probably don't completely understand tailscale's setup
Raito_Bezarius has quit [Ping timeout: 272 seconds]
ece has quit [Read error: Connection reset by peer]
<__monty__> Afaiui you are trusting them, yeah.
<gchristensen> they hand you privileged software you run on your computer, they could MITM you :)
ece has joined #nixos-chat
<cransom> i'm not a tailscale user, but it's wireguard, right? can't you compare the priv and pubkeys on the machines you are connecting to and they need to match up, otherwise your traffic is being diverted
<gchristensen> on the other hand, the client is open source so you could probably check
<__monty__> Or even implement your own?
<hexa-> cransom: in theory, yeah. unless they completely manage wireguard for you, what is your comparison basis?
<__monty__> cransom: Yeah but if they have those keys then it's still not secure?
<gchristensen> do they have those keys? seems like a biiiiig thing to claim without looking
<hexa-> I mean … I use wireguard+babeld with fixed links, so I have full control
<hexa-> but also not a full mesh
<cransom> if you are running your own routing protocol over a vpn, managed vpns solutions probably aren't for you
<hexa-> yep
<__monty__> I didn't claim they do. But since their client generates the keys surely it wouldn't be too hard for them to get access to them?
<gchristensen> of course not, their client in fact requires access to it
<__monty__> I'm not clever enough to trust myself to judge whether or not their code sneaks the keys away. Therefore, I have to trust them with my traffic.
<gchristensen> yeah
<cransom> accidentally getting traffic versus being actively malicious are very different problems. there are infinite ways to 'what about' for the second to how you can be compromised
<gchristensen> gotta trust a lot of things with your traffic
<gchristensen> yup
<cransom> you can still treat the vpn as a vulnerable medium. you can still use all the traditional practices with client ssl certs + verification, et al.
<hexa-> well, tailscale at least handles the remote addresses and public key exchange
<hexa-> so unless you don't compare them end to end anything is possible
<cransom> and if you wanted to avoid big firewalls and vpn concentrators to manage machines over different networks, this is a method for it and you move the filtering other places.
<cransom> stateful firewalls are a liability imo. you have to spend mountains of money for performance, and they still like to break your traffic from time to time.
<hexa-> big central ones? yeah
<hexa-> the local university has an ASA in place that can handle ~350k concurrent flows
<hexa-> for a /16 and a /40 respectively
<hexa-> we had a ssh syn flood against an ircd we host in the university network and the ASA collapsed
ece has quit [Ping timeout: 240 seconds]
ece has joined #nixos-chat
<andi-> Maybe it was just the "shut everything off while under attack"-mitigation (which makes no sense but we...)
<cransom> i don't know specifics, but syn floods aren't new. i know juniper has had those kind of protections and would drop them for forever.
<cransom> the machine itself would have been fine with it too, it's what syn cookies are for.
<hexa-> well, I don't think very fondly of the it people at the university, so
<cransom> we had decent sized juniper stuff in the datacenters i was in. it doesn't help though when... was it ganglia? or also statsd traffic, the machine would count each udp packet, which was a single statistic, as a flow and stick it in the table for a return packet that would never come. even dropping the lifetime for those sessions to the minimum still ate up insane resources.
tilpner has joined #nixos-chat
<LinuxHackerman> pffff who needs udp
<hexa-> pls
<hexa-> just tunnel whatever it is over https
<hexa-> s/http/spdy/
<hexa-> ehhh
<hexa-> s/spdy/quic/
<hexa-> oh, back to udp it is
<andi-> internet over amp over google over spdy?
<eyJhb> internet over ICMP?
<andi-> not hipster enough in 2021
<andi-> How do you scale that without protobufs?
pie_38 has quit [Quit: Connection closed]
<gchristensen> good point
<__monty__> Wrap the transport layer in XML so you can switch out protobufs for capnproto whenever it tickles your fancy.
rajivr has quit [Quit: Connection closed for inactivity]
pie_73 has joined #nixos-chat
<srk> nested nixos containers seem to work well. docker in nixos container not so. even with --exec-opt native.cgroupdriver=systemd
pie_73 has quit [Changing host]
pie_73 has joined #nixos-chat
<srk> neither podman out of box .. Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.
Raito_Bezarius has joined #nixos-chat
Dotz0cat has joined #nixos-chat
<srk> lol ERRO[0000] [graphdriver] prior storage driver overlay failed: kernel does not support overlay fs: 'overlay' is not supported over btrfs at "/var/lib/containers/storage/overlay": backing file system is unsupported for this graph driver
ece has quit [Read error: Connection reset by peer]
ece has joined #nixos-chat
ece has quit [Read error: Connection reset by peer]
ece has joined #nixos-chat
ece7 has joined #nixos-chat
ece has quit [Read error: Connection reset by peer]
ece7 is now known as ece
ece has quit [Read error: Connection reset by peer]
ece has joined #nixos-chat
ece has quit [Read error: Connection reset by peer]
ece has joined #nixos-chat
ece4 has joined #nixos-chat
cosimone has joined #nixos-chat
ece has quit [Ping timeout: 264 seconds]
ece4 is now known as ece
ece has quit [Read error: Connection reset by peer]
ece has joined #nixos-chat
BaughnLogBot has quit [Ping timeout: 264 seconds]
BaughnLogBot_ has joined #nixos-chat
BaughnLogBot_ is now known as BaughnLogBot
ece has quit [Read error: Connection reset by peer]
cosimone has quit [Quit: cosimone]
aleph- has quit [Read error: Connection reset by peer]
aleph- has joined #nixos-chat
FRidh has quit [Quit: Konversation terminated!]
pie_73 has quit [Quit: Connection closed]
pie_40 has joined #nixos-chat
pie_40 has joined #nixos-chat
pie_40 has quit [Changing host]
pie_74 has joined #nixos-chat
pie_74 has quit [Changing host]
pie_74 has joined #nixos-chat
pie_74 has quit [Client Quit]
pie_40 has quit [Ping timeout: 240 seconds]
pie_85 has joined #nixos-chat
pie_85 has joined #nixos-chat
pie_85 has quit [Changing host]
pie_85 has quit [Quit: Connection closed]
__monty__ has quit [Quit: leaving]
Dotz0cat has quit [Ping timeout: 240 seconds]
cwNovusOrdoSeclo has left #nixos-chat ["User left"]
<samueldr> hey, I made this silly thing boot a Mobile NixOS system: https://www.youtube.com/watch?v=qdmn-jIaIa8
<samueldr> (yes, it takes some time)
slack1256 has joined #nixos-chat
<joepie91> nice :D
<joepie91> samueldr: can I share that video with people?
<samueldr> sure
<samueldr> it's not unlisted anymore
<samueldr> it wasn't meant to stay unlisted :)
<joepie91> ah ok :)
<samueldr> I'm about to open the relevant PR
<joepie91> still showed as unlisted for me, hence the Q
<samueldr> I literally made it public the momeny you asked
<samueldr> moment*
<samueldr> that must have been one of the ports that took me the longest to get to this basic level of working :|
<joepie91> it's kinda bizarre to essentially see a firmware version selector on a smartwatch :P
<joepie91> heh
<joepie91> no existing Linux support, or?
<samueldr> yes there was
<samueldr> it's wear OS (android)