worldofpeace_ changed the topic of #nixos-dev to: #nixos-dev NixOS Development (#nixos for questions) | NixOS stable: 20.03 ✨ https://discourse.nixos.org/t/nixos-20-03-release/6785 | https://hydra.nixos.org/jobset/nixos/trunk-combined https://channels.nix.gsc.io/graph.html | https://r13y.com | 19.09 RMs: disasm, sphalerite; 20.03: worldofpeace, disasm | https://logs.nix.samueldr.com/nixos-dev
alp has quit [Ping timeout: 265 seconds]
<gchristensen> is it interesting to know if process inside a nix-build dumped core?
<cole-h> Maybe?
<gchristensen> # coredumpctl list | awk '{print $10; }' | sort | uniq -c | sort -nr
<gchristensen> 884 /build/llvm/build/bin/opt
<gchristensen> 176 /build/gnutls-3.6.13/tests/slow/cipher-api-test
Emantor has quit [Quit: ZNC - http://znc.in]
Emantor has joined #nixos-dev
phreedom has quit [Ping timeout: 240 seconds]
cole-h has quit [Quit: Goodbye]
cole-h has joined #nixos-dev
cole-h has quit [Client Quit]
drakonis has quit [Quit: WeeChat 2.8]
FRidh has joined #nixos-dev
ixxie has joined #nixos-dev
alp has joined #nixos-dev
__monty__ has joined #nixos-dev
alp has quit [Remote host closed the connection]
alp has joined #nixos-dev
lopsided98 has quit [Quit: No Ping reply in 180 seconds.]
lopsided98 has joined #nixos-dev
makefu has quit [Quit: WeeChat 2.6]
makefu has joined #nixos-dev
alp has quit [Ping timeout: 265 seconds]
<flokli> unfortunately, we can't collect coredumps of these
<srk> why not?
<flokli> srk: cat /etc/sysctl.d/50-coredump.conf
<flokli> can we pipe it to the coredump daemon during a nix build?
<srk> flokli: hmm, I don't think support for namespaced core_pattern is there
<srk> but you can always use core
<flokli> yeah, ofc
<srk> and collect files?
<srk> it was one of the DoS vectors for ABRT, coredumps from namespaces ending up being processed on host
<srk> yeah, it does have few namespace aware args now
<flokli> srk: so we could have some channel to collect coredumps from the sandbox, and collect it on the host?
primeos has quit [Quit: WeeChat 2.8]
primeos has joined #nixos-dev
<srk> b42: ^ do you remember?
primeos is now known as Guest14472
<b42> no:(
<flokli> I mean, this currently is a sysctl. what do you mean by "it's namespaced"?
<srk> flokli: that you can't change it in your namespace as in there's no coredump hook namespace
<srk> (but things might have changed, need to take a look / try it)
Guest14472 has quit [Client Quit]
<flokli> srk: core(5): The process runs in the initial namespaces (PID, mount, user, and so on) and not in the namespaces of the crashing process. One can utilize specifiers such as %P to find the right /proc/[pid] directory and probe/enter the crashing process's namespaces if needed.
<srk> yeah, looking at that as well
<flokli> which should mean systemd-coredump should already be able to collect these coredumps
primeos_ has joined #nixos-dev
<flokli> or abrt, if you want to use that
primeos_ is now known as primeos
<srk> not really, its hook is a bit redundant thanks to systemd-coredump
<flokli> yeah, I also don't really see a need for abrt anymore :-)
<srk> we used to work on that with b42, the rest of the tooling doesn't apply to nixos easily tho :)
<flokli> (for coredumps)
<b42> yeah it's quite tied to fedora/rhel iirc
<flokli> b42: so fedora/rhel doesn't use sd-coredump?
<srk> it does
<srk> there's hope!
<flokli> yeah, full ack on that
<flokli> abrtd could just subscribe on some dbus thingie to get notified every time there's a coredump event happening
<flokli> it'd be just another "exception handler" in abrt
<srk> I would say it can already do that but haven't seen it for a while, not much crashes on nixos either :)
<flokli> good to hear :-D
asbachb has joined #nixos-dev
Jackneill has quit [Remote host closed the connection]
<flokli> hmmh
<srk> statistics are fun as well!
<flokli> srk: if you don't see a lot of crashes in a while and want to debug some, yubioath-desktop coredumps every time I close it :-)
<srk> heh, when I think about it I have few coredump of eternal-terminal which has much worse impact :(
<flokli> coredumpctl debug goes brrr
<gchristensen> lol
Jackneill has joined #nixos-dev
alp has joined #nixos-dev
<b42> flokli: do you know if nixos/tests/common/acme/{client,server} is supposed to be generally usable by tests that obtain certificates from LE, or is it intended for nixos/tests/acme.nix only?
<flokli> I think currently it isn't, but there's plans on making it so
<flokli> so ideally tests with modules usually making use of acme certificates can just include the "acme server infrastructure", and a per-machine configuration snippet
<flokli> there should be an issue/discussion on GH somewhere about this
<b42> right ... it seems that the certificates that pebble hands out are signed by other CA than the one in snakeoil-certs.nix so TLS clients don't accept them
<{^_^}> #85503 (by emilazy, 1 week ago, merged): ACME test cleanups
<flokli> b42: it does a lot of groundwork, but acme and dnsserver are still defined inside nixos/tests/acme.nix.
<flokli> and forcing networking.nameservers to the fake dnsserver isn't part of commonConfig yet.
<flokli> I'll comment on the PR
<b42> flokli: right ... i'm just wondering whether i should look into making it usable or find another way of making TLS work in the jitsi test
<flokli> if you wanna take a try on it ;-)
<gchristensen> hmmm I think kernel params could use some dedup'ing initrd=initrd console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8 console=ttyS1,115200n8
<gchristensen> console=ttyS1,115200n8 initrd=initrd
<gchristensen> (or I could not do something so silly like I am)
<adisbladis> gchristensen: I was considering a structuredKernelParams the other day
<gchristensen> ah yeah we were talking about that
<gchristensen> speaking of which is the cgroupsv2 thing the reason I can't run your tests?
<adisbladis> Which cgroupsv2 thing?
<gchristensen> I'm on v1 aren't I, since I haven't disabled v2?
<adisbladis> Yeah, I'm on the same (NixOS defaults)
<gchristensen> (not sure, throwing spaghetti at walls here)
<adisbladis> It's honestly a bit odd that kernel params is a list (does the ordering of those matter?)
<gchristensen> I don't know, but it is valid for one key to be set twice
<adisbladis> gchristensen: In some cases but not all, right?
shlevy has quit [Ping timeout: 265 seconds]
evils has quit [Ping timeout: 265 seconds]
evils has joined #nixos-dev
shlevy has joined #nixos-dev
<andi-> the kernel cmdline is really hard to get wright as it is used by both kernel and user space...
<andi-> s/wright/right/
<arianvp> How do I set up a new NixOS IRC channel? Do we have a default ChanOp bot for this ?
<andi-> and it is really just a string and not some structured thing
<arianvp> E.g. that keeps logs
<arianvp> I want to make a #nixos-acme channel
<gchristensen> for logs you'll need to coordinate with samueldr
<gchristensen> I'd like to move {^_^} to the nix-community infra so it is easier for people to collaborate
asbachb has quit [Ping timeout: 245 seconds]
<adisbladis> arianvp: Just go ahead and create it
<adisbladis> gchristensen: Are the expressions to deploy {^_^} public somewhere?
<gchristensen> they were, then I added ban support, and then spammers found the rules, and then I made them not public
<gchristensen> removing ban support and making it public is part of that move :)
<adisbladis> Alright
<adisbladis> gchristensen: Do we need to remove ban support?
<gchristensen> I suppose not
<adisbladis> https://github.com/nix-community/infra/tree/master/secrets is all encrypted with git-crypt
<andi-> I still don't know why we roll our own spam based banning and not just use Sigyn.
<adisbladis> gchristensen: So we could put the rules under secrets and keep the generic stuff public :)
<gchristensen> andi-: we do use sigyn
<MichaelRaskin> gchristensen: I would probably add some truly stupid auto-ban (like four copies of the same expletive in a row?) as a format demo, then yeah, the real rules could be secret
<gchristensen> this was before we were allowed to use sigyn. i didn't know you had a long-running confusion about why we didn't use sigyn :)
<gchristensen> that is why I proposed deleting the ban rules
<MichaelRaskin> Ah
<andi-> gchristensen: tbh I think I brought it up a few times already and never got a reply..
ixxie has quit [Ping timeout: 240 seconds]
<gchristensen> ah
<gchristensen> the down side to sigyn is, as you can see, we don't have sigyn now -- they don't keep it in every channel that wants it, so it has to be requested each time
<flokli> can't you just invite sigyn?
<gchristensen> flokli: not when it is very busy, no
<gchristensen> at least, it has never worked during busy times
<gchristensen> during big spam waves, have to go find an active netop and request it for a list of channels, and they'll only do it in channels of a certain size. so #nixos would get it, maybe this one, but probably not any other of our channels
<andi-> There is always the +r mode that we can set on our channels during these times. I guess we just have to distribute the ability to do so (in some way). We can go full engineering and hack our own solution or just use chanserv/groupserv permissions :)
<gchristensen> and when {^_^} initially got ban support, it was because sigyn couldn't join many channels at all
<gchristensen> I hope that explains it
<flokli> can't we just invite sigyn to the bigger channels now, and use chanserv/groupserv to allow setting +r for the smaller channels if things are busy
<gchristensen> sure
<gchristensen> like I said, I want to delete ban support lol
<flokli> ok
<gchristensen> what is groupserv?
<andi-> you can add people to groups and then hand out permissions to groups of people
<gchristensen> freenode has this?
<andi-> apparently not, shocking
<gchristensen> at any rate, that concept sounds good to me
<hexa-> ouch, no groupserv? :<
<gchristensen> I would like to do that in principle, find out how to do it best on freenode, and let's do it? :)
<hexa-> if freenode does not have group based access you'll basically have two options
<hexa-> a) maintain access lists by hand
<hexa-> b) have a bot wrap actions
<qyliss> FireFly: do you have any advice here?
<hexa-> b) would be something like limnoria, which has chantracker for abuse prevention
<hexa-> which is similar to sigyn, but on a channel basis
<gchristensen> I have wished for a tool which would let me register a channel and automatically set some modes, or (un)ban a user across all channels
<hexa-> that is easy
<hexa-> do it like /mode +b $~j:#nixos-bans
<hexa-> and maintain bans on #nixos-bans
<gchristensen> :o
<hexa-> $j:<chan> - matches users who are or are not banned from a specified
<hexa-> channel
<hexa-> /quote help extban
<hexa-> and on #nixos-bans you can /mode +b $a:Genesis for example
<hexa-> which would ban them by their nickserv account
<gchristensen> neat
<FireFly> Hmm
<gchristensen> (fwiw, I'm trying to move another thing out of my control this weekend, with higher priority than IRC things.)
<FireFly> yeah, I think $j is the best approach for banning people from a set of related channels
<gchristensen> FireFly: is there any freenode equivalent to groupserv?
<hexa-> fwiw: groupserv is not suitable for maintaining bans :)
<emily> b42: you need to manually obtain pebble's CA and pass it to curl or similar
<gchristensen> yeah but bans is just a small part of it :)
<emily> b42: it can't be statically configured because it is generated at runtime
<emily> b42: see the acme test for info
<emily> but yeah it might be a good idea to move more in there
<b42> emily: right
<emily> (and this is an intentional feature of pebble, can't be disabled)
<flokli> emily: that's because pebble creates the ca on startup?
<emily> I think it makes sense to keep the pebble CA local to stuff testing its issued certs in general
<emily> yeah
<flokli> can we pass it in at runtime, and have it generated by nix?
<FireFly> gchristensen: I don't think so unfortunately, I don't think we have a good solution for cross-channel access management
<gchristensen> okay
<flokli> I mean, for the test framework, it'd be super useful
<emily> it's designed as much as possible to discourage you from configuring this stuff statically and trusting it :p
<gchristensen> thanks, FireFly :)
<emily> flokli: not according to the docs
<emily> oh, you can set PEBBLE_ALTERNATE_ROOTS I guess https://github.com/letsencrypt/pebble#ca-root-and-intermediate-certificates
<b42> too bad, having to copy it around at runtime is a bit inconvenient
<emily> but I don't really see the advantage -- I think it makes sense to test the functionality of getting the root CA out, and curl's --cacert works fine. I guess it'd be a pain if you wanted to test clients that don't let you override the CAs, maybe I just have limited imagination for why someone would want to do that in a test with acme
<emily> PEBBLE_ALTERNATE_ROOTS seems pretty much undocumented too
<b42> especially when there's no (simple) way to add the CA to the system CA bundle at runtime
<b42> is there something like --cacert but for firefox?
<flokli> emily: my idea is to include some common things in other tests, that spin up helper machines simulating LE, and configure clients to just trust the CA without having to manually override more stuff at runtime
<emily> fwiw I'd rather move in the direction of having fewer static snakeoil CAs in nixpkgs, we could get rid of the existing one for pebble if they included acme.test or something more reasonable than just localhost/pebble in the CNs, considered opening an issue for that
phreedom has joined #nixos-dev
<emily> I think in general there's a tension between pebble designed to test edge-cases of ACME setups and just wanting TLS certificates in tests
<emily> though probably not so much that it'd ever be worth going back to boulder for non-acme-specific tests
<emily> like pebble is designed to be as inconvenient as possible to just get some certs with, deliberately, because it's insecure
alp has quit [Quit: Leaving]
alp has joined #nixos-dev
pie_[bnc] is now known as pie_
phreedom has quit [Remote host closed the connection]
phreedom has joined #nixos-dev
<arianvp> I created a new #nixos-acme channel emily feel free to join
alp has quit [Ping timeout: 260 seconds]
rsa has quit [Ping timeout: 244 seconds]
NinjaTrappeur has quit [Quit: WeeChat 2.8]
NinjaTrappeur has joined #nixos-dev
alp has joined #nixos-dev
aranea has joined #nixos-dev
alp has quit [Quit: Leaving]
cdepillabout has joined #nixos-dev
cole-h has joined #nixos-dev
nschoe has quit [Quit: No Ping reply in 180 seconds.]
nschoe has joined #nixos-dev
<gchristensen> it seems weird / wrong that searching nginx in the options list shows you all the dokuwiki's duplicated nginx options first
<gchristensen> and matomo
<MichaelRaskin> Hmmm. So the sorting needs to prioritise option name match, and inside that — attribute depth?
<gchristensen> not sure
<gchristensen> I guess I'm not sure even why matomo and dokuwiki have duplicated them so much anyway?
<infinisil> Hmm yeah that's not very good
<infinisil> Like this there's multiple ways of controlling matomo nginx options
cdepillabout has quit [Quit: Leaving]
ixxie has joined #nixos-dev
Scriptkiddi has quit [Quit: killed]
das_j has quit [Quit: killed]
ajs124 has joined #nixos-dev
Scriptkiddi has joined #nixos-dev
das_j has joined #nixos-dev
asbachb has joined #nixos-dev
FRidh has quit [Quit: Konversation terminated!]
asbachb has quit [Ping timeout: 245 seconds]
teto has quit [Ping timeout: 272 seconds]
<sphalerite> maybe there should be a "types.see" that copies the type from another option but refers to that option rather than duplicating its hierarchy
<sphalerite> so it would be something like `options.services.matomo.nginx = types.see "options.services.nginx.virtualHosts"`
<cole-h> `mkSee [ "services" "nginx" "appendConfig" ]`?
teto has joined #nixos-dev
<sphalerite> yeah it needs a little work from my example, also the fact that I'm setting the option and not the option's type
<sphalerite> and that it refers to the option for _all_ the virtualHosts, not the individual entries in that
<cole-h> That was my main problem with your suggestion -- using a `types.*` in a non-`types =` location :P
<cole-h> s/types =/type =/
<sphalerite> I'm also unsure how to extract the individual one
<sphalerite> > options.services.nginx.virtualHosts
<{^_^}> value is a function while a set was expected, at (string):309:1
<sphalerite> > nixos.options.services.nginx.virtualHosts
<{^_^}> { _type = "option"; declarations = <CODE>; default = <CODE>; definitions = <CODE>; description = "Declarative vhost config"; example = <CODE>; files = <CODE>; highestPrio = <CODE>; isDefined = <CODE>;...
<sphalerite> > nixos.options.services.nginx.virtualHosts.getSubOptions []
<{^_^}> attribute 'getSubOptions' missing, at (string):309:1
<sphalerite> > nixos.options.services.nginx.virtualHosts.type]
<{^_^}> error: syntax error, unexpected ']', expecting ')', at (string):309:47
<sphalerite> > nixos.options.services.nginx.virtualHosts.type
<{^_^}> { _type = "option-type"; check = <PRIMOP>; description = <CODE>; emptyValue = <CODE>; functor = <CODE>; getSubModules = <CODE>; getSubOptions = <CODE>; merge = <CODE>; name = "attrsOf"; substSubModule...
<sphalerite> > nixos.options.services.nginx.virtualHosts.type.getSubOptions []
<{^_^}> { _definedNames = <CODE>; _module = <CODE>; acmeFallbackHost = <CODE>; acmeRoot = <CODE>; addSSL = <CODE>; basicAuth = <CODE>; basicAuthFile = <CODE>; default = <CODE>; enableACME = <CODE>; enableSSL ...
<sphalerite> meh
<sphalerite> maybe listOf/attrsOf/etc should expose the elemType
justanotheruser has quit [Ping timeout: 265 seconds]
<pie_> is there any reason .override for any lambda, as a builtin, would be bad?
drakonis has joined #nixos-dev
<LnL> means nothing can get garbage collected IIRC
<clever> yeah, there is a special function in release-lib.nix, just to strip .override's out
<clever> so nix can GC the inner exprs
justanotheruser has joined #nixos-dev
alp has joined #nixos-dev
teto has quit [Ping timeout: 240 seconds]
teto has joined #nixos-dev
<infinisil> sphalerite: They do
<infinisil> > (nixos.options.services.nginx.virtualHosts.type.functor.type {}).description
<{^_^}> attribute 'description' missing, at /var/lib/nixbot/nixpkgs/master/repo/lib/types.nix:290:41
<infinisil> > (nixos.options.services.nginx.virtualHosts.type.functor.type types.str).description
<{^_^}> "attribute set of strings"
<infinisil> Hm wait
<infinisil> Maybe not
alp has quit [Ping timeout: 272 seconds]
__monty__ has quit [Quit: leaving]
alp has joined #nixos-dev
alp has quit [Remote host closed the connection]
alp has joined #nixos-dev
alp has quit [Quit: Leaving]
<bennofs[m]> What do you think, is this OK for a backport? https://github.com/NixOS/nixpkgs/pull/86604
<{^_^}> #86604 (by fabianhjr, 4 hours ago, open): [20.03] keybase,kbfs,keybase-gui: 5.0.0 -> 5.4.2
nschoe has quit [Quit: No Ping reply in 180 seconds.]
nschoe has joined #nixos-dev