#nixos-on-your-router on 2019-12-10

2019-08-19 13:17 eyJhb changed the topic of #nixos-on-your-router to: NixOS on your Router || https://logs.nix.samueldr.com/nixos-on-your-router

10:13 xwvvvvwx has quit [Quit: ZNC 1.7.5 - https://znc.in]

10:13 xwvvvvwx has joined #nixos-on-your-router

10:20 xwvvvvwx has quit [Quit: ZNC 1.7.5 - https://znc.in]

10:21 xwvvvvwx has joined #nixos-on-your-router

10:28 xwvvvvwx has quit [Quit: ZNC 1.7.5 - https://znc.in]

10:28 xwvvvvwx has joined #nixos-on-your-router

10:38 xwvvvvwx has quit [Quit: ZNC 1.7.5 - https://znc.in]

10:38 xwvvvvwx has joined #nixos-on-your-router

10:45 xwvvvvwx has quit [Quit: ZNC 1.7.5 - https://znc.in]

10:45 xwvvvvwx has joined #nixos-on-your-router

11:01 xwvvvvwx has quit [Quit: ZNC 1.7.5 - https://znc.in]

11:01 xwvvvvwx has joined #nixos-on-your-router

13:35 <betawaffle> why is it so difficult to find an exhaustive reference of nftables' syntax

13:35 <betawaffle> their documentation is so scattered and limited

13:37 <betawaffle> i only just found out yesterday that you can use the `include` directive practically anywhere

14:47 pie_ has quit [Ping timeout: 265 seconds]

15:37 pie_ has joined #nixos-on-your-router

15:58 <andi-> I have very special feelings about those people :)

15:58 <andi-> One keyword: testing (of nftables without root permissions)

18:02 pie_ has quit [Ping timeout: 276 seconds]

19:16 pie_ has joined #nixos-on-your-router

19:56 <gchristensen> cransom: cli53 looks complicated

19:56 <gchristensen> and I'm not sure it supports UPSERT

19:57 <cransom> i'm not sure what upsert is

19:58 <gchristensen> UPSERT creates or updates RRs

19:58 <gchristensen> wheres if you CREATE an RR for foo.bar.com 10x, you can end up with 10 records

19:59 <cransom> cli53 rrcreate --apend i think will do that.

19:59 <cransom> or you can --replace

19:59 <gchristensen> oh cool

20:24 pie__ has joined #nixos-on-your-router

20:28 pie_ has quit [Ping timeout: 268 seconds]

20:53 <betawaffle> andi-: what do you mean?

21:10 <andi-> betawaffle: i wanted my nixos config to syntax check my nft rules. It requires root permissions and upstream doesn't plan to change that.

21:10 <betawaffle> ah

21:11 <betawaffle> andi-: i'm working on a nixos module to build nftables configs

21:11 <betawaffle> can you share yours, so i can see what other people are doing?

21:11 <andi-> Nice, i gave up after the above experience.. asked if they saw that as issue and they said no.

21:12 <andi-> Not even syntax chexcks :/

21:12 <betawaffle> gave up on nftables, or just...

21:13 <andi-> Nftables on nixos

21:13 <betawaffle> so you're using iptables on nixos?

21:13 <andi-> At least on an nixos module that would fit my standards for merging

21:14 <andi-> I do not want to produce invalid syntax — ever.

21:14 <betawaffle> right, but the syntax is pretty easy

21:15 <betawaffle> i think the problem is the -c flag doesn't *only* do syntax checking

21:18 <betawaffle> does iptables provide a way to check syntax? (with or without root)

21:19 <betawaffle> andi-: also, why not just do the syntax check as part of the service unit?

21:19 <betawaffle> not as nice, but at least it won't ever try to activate a faulty config

21:26 ar has quit [Remote host closed the connection]

21:28 ar has joined #nixos-on-your-router

21:28 <andi-> I dont want to push broken code remotely to my servers

21:29 <gchristensen> pkgs.runInLinuxVM

21:29 <betawaffle> it would only be broken from a bug in the module, though

21:30 <betawaffle> unless you're asking users to write their own config snippets

21:30 <betawaffle> in which case... it's their problem

21:30 <betawaffle> and that's possible with basically everything

21:31 <gchristensen> the nginx and prometheus modules validate the configs at build time

21:31 <betawaffle> right, but only because they can

21:31 <gchristensen> validating at build time is a theme of NixOS, one which would be really nice to extend to nftables

21:32 <betawaffle> my idea is to build up the syntax from basic components

21:32 <betawaffle> such that it won't have a chance to be invalid

21:32 <gchristensen> yeah

21:32 <gchristensen> but the nixos module philosophy I like best is they should cover the 80% of use cases really well and allow an extraConfig blob for the remaining 20%

21:32 <gchristensen> and continuing to protect the user in that case would be super good

21:33 <betawaffle> fair enough

21:33 <gchristensen> but yeah, if it doesn't support it it doesn't support it

21:33 <betawaffle> what about iptables?

21:33 <betawaffle> i've never heard of syntax checking for that

21:34 <gchristensen> well if we're just going to stay as sucky as let's save the effort and stick to iptables :P

21:34 <betawaffle> but nftables is strictly better

21:34 <gchristensen> I'm taking a bit more of a hard-lined stance here fwiw

21:35 <gchristensen> going for nftables would be nice

21:35 <gchristensen> going for something that can be validated at build time is even nicer

21:35 <cransom> bpfilter or bust now, amirite?

21:35 <gchristensen> now you're cooking

21:36 <betawaffle> when is bpfilter going to be available and usable?

21:39 <betawaffle> also, bpfilter has no syntax

21:39 <gchristensen> easy to validate :D

21:39 <betawaffle> we should just make a nix interface to netlink... generate rust code that talks to netlink directly

21:40 <gchristensen> bingo

21:40 <betawaffle> also, nixos should give up on perl and bash, just generate rust or c code directly

21:41 <gchristensen> agreed

21:41 <betawaffle> i can't tell if you're serious or not. i'm like 50% serious