<xwvvvvwx>
mguentner: So your point is that having everything in /nix/store as world readable is a security issue?
<mguentner>
xwvvvvwx: yes
<xwvvvvwx>
I don't understand why moving to zfs fixes that?
<xwvvvvwx>
Makes more sense to me to use something like these systemd InaccessibleDirectories?
<simpson>
The correct answer is to not put secrets in the store.
<simpson>
I recognize that a *lot* of software isn't designed to operate this way, but most of it is also designed to work with /etc, which we already support.
<simpson>
OTOH the bind-and-hide technique seems like it'd work alright, and I'm sure it's pretty flexible.
<xwvvvvwx>
what is bind-and-hide ?
<simpson>
Like, using the cgroups equivalent for vfs. I don't remember what it's all called. InaccessibleDirectories might be how systemd uses it?
<mguentner>
xwvvvvwx: imagine a global dataset which is only accessible for root/nix-daemon and each environment will be built for each context as a separate dataset and mounted with respective permissions
<xwvvvvwx>
So each user would only see the bits of the store that they need to see?
<mguentner>
xwvvvvwx: that's the idea
<xwvvvvwx>
sounds sensible
<xwvvvvwx>
but is multi-user a big use case?
<rycee[m]>
Acou_Bass: You might need a wrapper for the gtk introspection to work. Search python-packages.nix for GI_TYPELIB_PATH...
<simpson>
mguentner: Sounds like capabilities. I like it.
<xwvvvvwx>
I mean I'm the only one using my laptop?
<simpson>
mguentner: I'm now imagining hooking that up to SSH, so that you SSH-to-environment.
markus1209 has joined #nixos
<Acou_Bass>
rycee[m]: thanks ill give that a go! :D
markus1219 has joined #nixos
t7 has quit [(Remote host closed the connection)]
markus1199 has quit [(Ping timeout: 240 seconds)]
markus1189 has quit [(Ping timeout: 252 seconds)]
mexisme has joined #nixos
kampfschlaefer has quit [(Ping timeout: 256 seconds)]
<mguentner>
xwvvvvwx: it's more relevant to systems with a large attack surface (servers with services facing The Internet(tm))
<xwvvvvwx>
right
<xwvvvvwx>
makes sense
<gchristensen>
bendlas: unfortunately I can't really make those search / files links different :(
digitalmentat has quit [(Ping timeout: 276 seconds)]
<mguentner>
simpson: another big improvement would be that the traditional unix/linux fs layout can be used again (/usr/bin /usr/share etc.)
<NixOS_GitHub>
[nixpkgs] Profpatsch opened pull request #22855: mpd avahi support & slight refactoring of module (master...mpd) https://git.io/vDDuy
<gchristensen>
tbh it doesn't seem so important to me
<gchristensen>
or helpful
* gchristensen
shouldn't have said anything
<mguentner>
gchristensen: that would make it possible to actually develop something in NixOS without using the nix-shell
<mguentner>
for example cmake expects make, ar and other stuff to be in /usr/bin, the solution currently is to make a derivation. However all your stuff will be built without debugging symbols...
<Ralith>
development with nix-shell is a core selling point of NixOS
<gchristensen>
I also don't buy the idea that configuration should be kept private
panostimos has joined #nixos
<Ralith>
not sure what you're talking about with cmake, I've done lots of cmake stuff on NixOS and never had any issues at all building with or without debug symbols
erasmas has quit [(Quit: leaving)]
xwvvvvwx has quit [(Ping timeout: 276 seconds)]
<mguentner>
Ralith: forget what I said about cmake, sorry :/
Kingsquee has joined #nixos
<gchristensen>
its all good :)
<mguentner>
gchristensen: I just don't think that postfix should be able to read dovecot's config files
<jchee>
is there a way to configure nix-shell to run a shell other than bash? i live in zsh but nix-shell starts bash
<mguentner>
gchristensen: basically: Principle of least privilege
<simpson>
mguentner: We usually call it POLA, "Principle of Least Authority", in the world of object-capability theory.
<simpson>
Although it's not like Nix is an ocap system~
<Ralith>
jchee: nix-shell --run zsh
<mguentner>
simpson: yeah that one :)
<jchee>
Ralith: awesomesauce, thank you!
<Ralith>
that would be nice to have
<Ralith>
jchee: beware that the default zsh prompt isn't as helpful about reminding you you're in a shell
ryanartecona has joined #nixos
<Ralith>
IN_NIX_SHELL may be of interest
<NixOS_GitHub>
[nixpkgs] grahamc pushed 1 new commit to master: https://git.io/vDD2k
<NixOS_GitHub>
nixpkgs/master b207bf5 Graham Christensen: redis: 3.2.5 -> 3.2.7 for two vulnerabilities...
<NixOS_GitHub>
[nixpkgs] grahamc pushed 1 new commit to release-16.09: https://git.io/vDD2L
<NixOS_GitHub>
nixpkgs/release-16.09 3113646 Graham Christensen: redis: 3.2.5 -> 3.2.7 for two vulnerabilities...
<mguentner>
gchristensen: having config files in the store is not a problem as long as only the process/context that is using them is able to open/read them
<gchristensen>
I agree it isn't most wonderful, but "read-only" is pretty low authority to start with, and doesn't seem like a super high priority to me personally
xwvvvvwx has joined #nixos
<gchristensen>
oh wow, Quagga released a new version
<mguentner>
gchristensen: indeed, having an up-to-date system is better than having a false sense of security
<gchristensen>
oh and the other thing is I'm not willing to give up the benefits having them in the store provides (ie: the unique paths) -- this is huge. how specifically those unique, read-only paths happen, :thumbsup:
<mguentner>
it's just something that should be addressed sometime (also within the security team/context of NixOS). It's always better to address the root of the problem instead of hacking around it (carefully moving important stuff out of the store)
<gchristensen>
right
<gchristensen>
it might be worth looking in to the features systemd provides here
<gchristensen>
it has nice sandboxing support
<mguentner>
gchristensen: yeah, creating virtual stores with zfs/btrfs/xfs could solve this
<mguentner>
also I am in favor of not vendor-locking ourselves completely when it comes to the init system :>
<gchristensen>
I won't say that ship has sailed, but systemd is having a lot of success
<ndowens08>
I actually like how easy it is to start/enable/disable services vs init
Wizek_ has quit [(Ping timeout: 240 seconds)]
Wizek has quit [(Ping timeout: 240 seconds)]
takle has quit [(Remote host closed the connection)]
<jeaye>
Oh, I'm looking to do it in nix, without bash.
<jeaye>
I can do it in inline bash, in a nix file, with the above syntax.
<ndowens08>
like if you need to say bash is located here, it is like ${pkgs.bash}/bin/bash in a nix file
<tippenein>
If I do nix-build default.nix and then nix-shell default.nix, shouldn't the nix-shell use what nix-build already built?
<tippenein>
I'll check further after this build is done, but I think it's rebuilding everything with nix-shell. Maybe I'm misunderstanding paths
<ndowens08>
I am not sure tippenein; I am still new myself, but i just tend to use nix-build -A PKGNAME (inside my local fork of nixpkgs) and then see if it executes, after it builds it puts it in a result folder
nckx has joined #nixos
takle has joined #nixos
<tippenein>
ndowens08: same for me, but I wanted to try haskell's stack integration which uses a shell.nix as the entrypoint
Shoue has quit [(Ping timeout: 258 seconds)]
<Acou_Bass>
hmm I'm running into another issue with this python package... it's now complaining that libXfixes.so wasn't found, but when I added pkgs.libXfixes to buildInputs it then tells me that that attribute wasn't found either
<Acou_Bass>
am i supposed to be adding library dependencies another way? Xd
<ndowens08>
Acou_Bass: in buildinputs put pkgs.xorg.libXfixes
<ndowens08>
i believe
takle has quit [(Ping timeout: 268 seconds)]
Shados has quit [(Remote host closed the connection)]
<Acou_Bass>
oh yeah the udev rules will make the controller work fully with the official steam gui
tm_ has quit [(Ping timeout: 260 seconds)]
<benley>
rock. That is what I primarily want to get working :-)
<Acou_Bass>
the Python package is just for the unofficial gui :D
<NixOS_GitHub>
[nixpkgs] bendlas opened pull request #22857: findutils: plug memory hole in find (master...findutils) https://git.io/vDDXw
<Acou_Bass>
i use the controller for emulators and stuff so sort of like having the external gui if possible
<benley>
oh yeah that will be great too - I forgot how frequently I end up wanting a controller for non-steam games
<Acou_Bass>
i dunno if the Python gui works on nixos yet but ive been building it on nix on arch Linux and it seems to work
<Acou_Bass>
so if you test it let me know how it goes :D
<benley>
will do
<benley>
I finally got around to actually installing nixos on my home machine rather than ubuntu last month and it's _so nice_
<Acou_Bass>
i'm all excited to go back to it on my desktop now... had it but was missing some packages and too lazy to Build them myself so went back to arch... but kept nix on my laptop to remind me what im missing
<benley>
I also went a little nuts and put nixos on my chromebook, which I only had time to do because I got laid off. No regrets, amazingly enough.
<Acou_Bass>
but now I've built sc-controller and the RS client im ready to go back... might see about getting some themes and fonts packaged too but that's just niceties
sellout- has quit [(Quit: Leaving.)]
<Acou_Bass>
ooh chromebook sounds fun
<benley>
there are a bazillion fonts available in nixpkgs nowadays, thankfully
<Acou_Bass>
XD
<Acou_Bass>
even opendyslexia? i love that one
<benley>
not sure.
<benley>
but yeah, nixos with luks-encrypted ZFS root on a chromebook pixel == super nice
<Acou_Bass>
ha! yep there it is
ndowens08 has quit [(Ping timeout: 256 seconds)]
<Acou_Bass>
xD that sounds cool
<Acou_Bass>
took me a while to figure out how to open luks root with a USB key on NixOS but eventually got there
<Acou_Bass>
haven't tried zfs yet though
<benley>
ZFS turns out to be pretty simple.
<Acou_Bass>
im not really picky about file systems, my desktops got an xfmytrfs combo and my laptop is purely ext4, not even sure why i use those 3 :D
<Acou_Bass>
xfs/btrfs**
sellout- has joined #nixos
<benley>
I'm fond of zfs for its consistency guarantees; I like to _know_ if data gets corrupted
<benley>
and lightweight snapshots of my homedir are pretty nice
<Acou_Bass>
btrfs snapshots are cool too dunno if zfs does them the same way, opensuse has a great default setup with easy rollbacks and auto snapshots on zypper updates and stuff like that
hexagoxel has quit [(Ping timeout: 260 seconds)]
<benley>
I don't know if the implementations are at all similar, but I think it's a similar effect.
hexagoxel has joined #nixos
<bgamari>
anyone around know about the new scheme for cross-compilation?
<bgamari>
I'm trying and failing to port my RISCV toolchain expressions
mizu_no_oto has quit [(Quit: Computer has gone to sleep.)]
takle has joined #nixos
Kingsquee has quit [(Read error: Connection reset by peer)]
Kingsquee has joined #nixos
<copumpkin>
wow, image builds are pretty slow even on KVM-enabled machines
<copumpkin>
I gotta finish my fix
takle has quit [(Ping timeout: 240 seconds)]
eacameron has quit [(Remote host closed the connection)]
<benley>
copumpkin: what's your fix?
<copumpkin>
avoids copying stuff around as much and uses almost no VM (possibly none when I finish it)
<benley>
cool.
<copumpkin>
yeah, the old one took almost half an hour on EC2 (because it has no hardware virtualization) and the new one takes about a minute
<benley>
the current vm builds don't actually build things inside the VM, do they?
eacameron has joined #nixos
<copumpkin>
they build an image inside a VM
<copumpkin>
they don't boot the machine being built
<benley>
ah, ok
<benley>
and in theory that step can be done without a VM, I guess
<copumpkin>
yeah, it's just that in the past it's been pretty difficult to manipulate filesystems and partitions without a VM or superuser
AllanEspinosa has quit [(Ping timeout: 268 seconds)]
takle has joined #nixos
takle has quit [(Ping timeout: 245 seconds)]
brh_ has joined #nixos
proteus-guy has quit [(Remote host closed the connection)]
takle has joined #nixos
Rizy has quit [(Quit: Rizy)]
fhoffmeyer has quit [(Remote host closed the connection)]
alx741 has joined #nixos
takle has quit [(Ping timeout: 258 seconds)]
nwspk has quit [(Ping timeout: 256 seconds)]
<brh_>
Has anyone ever seen an issue where a default.nix shell built just fine on NixOS, but when run on a Debian machine it errors with "undefined variable 'licenses'" ?
<brh_>
while evaluating meta.license = licenses.mit;
justanotheruser has joined #nixos
nwspk has joined #nixos
<brh_>
not sure if I should be putting some extra parameters on my $ nix-shell call
flemming is now known as fhoffmeyer
ambro718 has quit [(Ping timeout: 276 seconds)]
defel has joined #nixos
<fhoffmeyer>
I am new to NixOS, but am really liking it so far. I often do some complex merges, and have previously used P4merge. Since that is closed software it is not available in nix packages. Is there a good open source alternative that is good at three way merging? I have tried meld, but was not at all satisfied. I need the local, remote and common ancestor views to understand what is going on. Or is it possible to
<fhoffmeyer>
get P4 working on NixOS?
sivan is now known as sivteck
goibhniu has joined #nixos
<isHavvy>
It should be possible to get P4 working, but you're going to have to learn the Nix expression language or convince somebody to write the expression for you.
blahdodo has quit [(Ping timeout: 245 seconds)]
blahdodo has joined #nixos
<fhoffmeyer>
I have tried to give it a shot, and fixed the interpreter, but if I try to change the rpath in any way, the binary just segfaults.. I did something like this: http://pastebin.com/psmfVvjF
s1lvester has left #nixos ["Leaving"]
<fhoffmeyer>
I tried to run patchelf directly from the command line and change the rpath there.. and that works. So I think I am doing something wrong in the .nix file
<fhoffmeyer>
By "works" I mean that the one dependency that I put in the rpath is set correctly and it complains about the next one. No segfault
joshie has joined #nixos
<makefu>
fhoffmeyer: you can always try to run with FHS Environments
<makefu>
it essentially prepares an environment which will look like a standard distro with all the packages you specified
<makefu>
"They can be used in various situations when patching some program is too hard to make it work in pure, non-FHS environment"
pi3r has joined #nixos
<fhoffmeyer>
Ok, I will take a look at that, but I just find it strange that I can run patchelf from the command line, and see the change happen, but when it is run through the .nix file the binary is utterly broken.
fhoffmeyer2 has joined #nixos
olesk has joined #nixos
derjohn_mob has quit [(Ping timeout: 276 seconds)]
<makefu>
maybe in the fixupPhase the binary gets stripped and the shebang gets patched
<makefu>
you can always overwrite all the phases
edvorg has quit [(Ping timeout: 260 seconds)]
freusque has quit [(Ping timeout: 240 seconds)]
thc202 has joined #nixos
<fhoffmeyer>
all right. I will try that too. Thanks!
takle has joined #nixos
saintromuald has joined #nixos
sivteck has quit [(Ping timeout: 240 seconds)]
takle has quit [(Ping timeout: 240 seconds)]
peterhhoeg has joined #nixos
cmercier has joined #nixos
ilyaigpetrov has joined #nixos
MP2E has quit [(Quit: leaving)]
<ilyaigpetrov>
I've tried netconsole boot option and it didn't work. I guess I need insmod or modprobe for it to work
teknico has joined #nixos
cmercier has quit [()]
peterhhoeg has quit [(Remote host closed the connection)]
<clever>
makefu: that lets you selectively control what fixup does, without losing all of it
<makefu>
clever: so many hidden features ;)
<clever>
fhoffmeyer: ^^^
jgertm has joined #nixos
takle_ has joined #nixos
<fhoffmeyer>
Cool, I will try it out tonight. I have kind of made it my goal to make P4 work, as a way of telling if NixOS is for me or not. If I can make it work, I get all of the benefits, but can handle the drawbacks. If not.. well, it's back to Arch I guess.
<arianvp2>
fuckkkk
<arianvp2>
so acme broke _again_
<arianvp2>
and now all my certs are gone and I cannot update my nixos box anymore
<arianvp2>
wtf
<clever>
arianvp2: broke how?, last i ran it, it worked fine
<arianvp2>
anyhow in /tmp (not privately mounted version)
<fpletz>
I should've written a test, how did this ever work \o/
<arianvp2>
the unix socket does not exist either
<fpletz>
oh
<fpletz>
maybe PrivateTmp doesn't apply for preStart
<fpletz>
and something in postgresql changed
<arianvp2>
shall we create an issue and collect some facts?
<arianvp2>
We can probably fix this
mudri has quit [(Ping timeout: 264 seconds)]
johann__ has joined #nixos
<fpletz>
arianvp2: yes, please!
<fpletz>
I'm on a train with really shitty internet unfortunately
ebzzry has joined #nixos
<arianvp2>
meh this is not mission critical. I needed a chat for my group at Uni. they wanted to use slack
<arianvp2>
I said "No wait,I can install free software with 3 lines of code"
phreedom has quit [(Ping timeout: 258 seconds)]
<arianvp2>
and they've been staring at my screen with me for an hour seeing me struggle
<arianvp2>
=)
<arianvp2>
such is life
<fpletz>
the easy fix would probably be to use localhost (to use tcp) in preStart instead, mattermost should use tcp anyway
<arianvp2>
so add -h localhost
<arianvp2>
?
<fpletz>
yup
<clever>
depends, some services like mysql take "localhost" as an alias to mean "use the default unix socket"
<clever>
and you need to force tcp via 127.0.0.1
<clever>
should be simple to test
<NixOS_GitHub>
[nixpkgs] peti pushed 4 new commits to master: https://git.io/vDy3S
<NixOS_GitHub>
nixpkgs/master 34584b2 Peter Simons: hackage: update snapshot to 2017-02-12T15:49:03Z
<NixOS_GitHub>
nixpkgs/master 918a592 Peter Simons: hackage2nix: drop obsolete extra packages
<NixOS_GitHub>
nixpkgs/master 5e910bc Peter Simons: hackage-packages.nix: automatic Haskell package set update...
jarlg has joined #nixos
cornu[m] has joined #nixos
kthnnlg has joined #nixos
<arianvp2>
alright
<arianvp2>
thanks
<NixOS_GitHub>
[nixpkgs] romildo closed pull request #14183: texlive-new: fix updmap in combine function (master...fix.texlive-new) https://git.io/vapqz
<arianvp2>
how do I override a module locally?
<arianvp2>
so I can hot patch this for now?
Shoue has joined #nixos
ebzzry has quit [(Ping timeout: 240 seconds)]
<clever>
arianvp2: modules can't easily be overridden, simplest thing is to mkForce the setting that the module was configuring
<clever>
arianvp2: so an mkForce on the prestart entry i believe
johann__ has quit [(Read error: Connection reset by peer)]
<pareidolia>
clever: Or prefix everything
<arianvp2>
i will just copy over the module now
fhoffmeyer2 has quit [(Ping timeout: 276 seconds)]
<clever>
if you copy the module, then youll need to rename it to make it a new service
johann__ has joined #nixos
fhoffmeyer2 has joined #nixos
<mbrgm>
when I'm creating a nixpkg and use the documentation text from a man page for option descriptions, do I have to take care of the package's licensing?
<arianvp2>
ahh
<arianvp2>
it still doesn't work..
<arianvp2>
now I get
<arianvp2>
Feb 16 11:08:19 arianvp.me mattermost2-pre-start[30932]: psql: fe_sendauth: no password supplied
<arianvp2>
so even more seems to be broken
<arianvp2>
as you can't just connect to psql without a password it seems
<arianvp2>
even though the script assumes that
<arianvp2>
ahh
<arianvp2>
if you connect through TCP a password is required
<arianvp2>
so that wont work :)
<jarlg>
Anyone using CUDA? I'm confused as to how to specify $CUDA_ROOT to Theano..
<arianvp2>
okay
<arianvp2>
PrivateTmp=true was the problem :)
johann__ has quit [(Quit: Leaving.)]
Itkovian has quit [(Quit: My MacBook has gone to sleep. ZZZzzz…)]
<NickHu>
I have a pr to add a new nixpkg; it's been tagged with 8.has: package (new) and I don't think there's anything left to be done except the merge
<NickHu>
Do I just wait until that happens, or should I ping the pr or something?
yenzenz has joined #nixos
jensens has quit [(Read error: Connection reset by peer)]
fhoffmeyer3 has joined #nixos
fhoffmeyer2 has quit [(Read error: Connection reset by peer)]
eacameron has joined #nixos
Shoue has quit [(Ping timeout: 258 seconds)]
eacameron has quit [(Read error: Connection reset by peer)]
eacameron has joined #nixos
nwspk has quit [(Remote host closed the connection)]
nwspk has joined #nixos
eacameron has quit [(Ping timeout: 260 seconds)]
<gchristensen>
NickHu: link?
<NixOS_GitHub>
[nix] edolstra pushed 3 new commits to master: https://git.io/vDyCI
<NixOS_GitHub>
nix/master e6e74f9 Renzo Carbonara: Add netrc-file support
<gchristensen>
linking libraries in to your $out is a bit unconventional
kthnnlg has quit [(Remote host closed the connection)]
<mbrgm>
let's say I split up config options for a module into several files (as some of them are part of a submodule list). is there a recommended way to specify assertions in the same file as the submodule options?
pi3r has quit [(Ping timeout: 268 seconds)]
<mbrgm>
or does someone have an example (module) for that case?
mudri has joined #nixos
<gchristensen>
mbrgm: can you just put the asserts at the top of your configuration.nix, or in any one of your configs?
<mbrgm>
gchristensen: I can. would you recommend it? it seems kinda counter-intuitive to me, as 1) it's in a different place than where the related options are and 2) I'd have to map over several manifolds, as there's a submodule-in-submodule involved
<gchristensen>
I don't know :)
<mbrgm>
gchristensen: ah, I see the submodule can have its own config!
<gchristensen>
indeed! ):
<gchristensen>
:)
freusque has joined #nixos
Itkovian has joined #nixos
hamishmack has quit [(Read error: Connection reset by peer)]
hamishmack has joined #nixos
mizu_no_oto has joined #nixos
<NixOS_GitHub>
[nixpkgs] abbradar pushed 1 new commit to master: https://git.io/vDyR4
<NixOS_GitHub>
nixpkgs/master 434affb Nikolay Amiantov: openbox: fix openbox-xdg-autostart...
<ocharles>
haskell people, any idea why the above doesn't work to get me xmonad 0.13? When I nixos-rebuild, it does try and build 0.13, but it tries to apply the old 0.12 patch
<ocharles>
Even though I have patches = [] in my overrides
<mbrgm>
does nix have something like the '$' infix operator in haskell?
<gchristensen>
what is it supposed to do?
<gchristensen>
copumpkin: you know what would be neat?
<gchristensen>
an `insecure` flag that we could add, like `broken` but without a global toggle, but a per-package whitelist
<maurer>
gchristensen: It's function application with reverse fixity, to avoid needing to parenthesize an argument
<maurer>
e.g. if you have f x y (g q)
<maurer>
you can write
<maurer>
f x y $ g q
<gchristensen>
oh, no, we don't have that
<maurer>
mbrgm: I'm not aware of one, but that doesn't mean it doesn't exist
<gchristensen>
I'm sure I would have seen it :D
<mbrgm>
too bad ;)
<copumpkin>
gchristensen: why insecure?
<NixOS_GitHub>
[nixpkgs] abbradar pushed 1 new commit to master: https://git.io/vDyz4
<NixOS_GitHub>
nixpkgs/master 5125ecb Nikolay Amiantov: blueman: add librsvg
<gchristensen>
because for example, mongodb248 should just go away, but mfi depends on it. kde4 should go away entirely, but a lot of people depend on it. being able to have a period of "this is insecure and leaving, but for now you can still have it" would be nice
<sziszi>
I'd put an allowInsecure option in the configuration
<maurer>
Are these packages insecure, or just legacy?
<gchristensen>
I really don't like that because it lets you "set it and forget it" and then not know
<sziszi>
both
<copumpkin>
gchristensen: ah, it would be nice to mark things with some sort of status, yeah
<maurer>
insecure may not be the best word for legacy stuff, since it weakens the word to users
<maurer>
e.g. if I needed an old version of a library that did a major API rev for a package, and as a user I had to flip "allowInsecure" on for it, I'd be less hesitant to flip it on for other packages
<gchristensen>
legacy isn't a problem
derjohn_mob has joined #nixos
<maurer>
Is KDE not just legacy at this point?
<gchristensen>
KDE hasn't received security patches in 2 years
<maurer>
(this is one of the changes in kde5, they split this up a bit)
<copumpkin>
is it amusing or sad that I've been using NixOS for a couple of years now and have still never configured anything graphical on it?
<maurer>
vov, people use it for different stuff
<maurer>
I know a lot of mac users whose whole interface to the linux world is a pimped iterm connected to their linux server
<copumpkin>
that's basically me
<copumpkin>
I have a NixOS VM always running in the background and otherwise a bunch of NixOS EC2 instances
<ikwildrpepper>
copumpkin: ah, you don't run nixos on your laptop?
<ikwildrpepper>
:o
<maurer>
But yeah, I'd expect it to take probably a minimum of 6 months before 80% of kde4 requiring applications are able to be upgraded to kde5.
<maurer>
simply due to needing upstream to move too
<copumpkin>
hell no, I still have bad dreams from last time I tried running linux on a laptop
<copumpkin>
it never wakes up!
<ikwildrpepper>
:D
<gchristensen>
copumpkin: nixos is better :|
<ikwildrpepper>
copumpkin: oh yeah, I never use sleep/suspend/etc
<copumpkin>
:P
<gchristensen>
seriously, I swore off linux on the laptop forever until I tried nixos.
<ikwildrpepper>
nowadays everything boots so quick, that I just shut it off :D
<gchristensen>
maurer: can you provide your feedback on that ticket?
<copumpkin>
gchristensen: and you sleep/suspend regularly? on a MacBook Pro?
<gchristensen>
yep, 11,3
<copumpkin>
maybe I'll give it a go someday, but I still like lots of my mac-isms, and I do still enjoy doing the darwin+nix hacking when I get time for it
<gchristensen>
fair enough
<gchristensen>
it is nice having you on darwin, fixing all the problems
<ikwildrpepper>
copumpkin: yeah, better stay on OSX, we might get awesome nix support on OSX then one day ;)
<copumpkin>
hah
<gchristensen>
:D
<copumpkin>
ikwildrpepper: had a chance to try out SSM yet?
<ikwildrpepper>
!m copumpkin
<[0__0]>
You're doing good work, copumpkin!
<LnL>
gchristensen: same, but I'm already halfway to nixos now ;)
<gchristensen>
hehe
<copumpkin>
also, did you see the volume resize?
<copumpkin>
LnL: nooooo not you too
<ikwildrpepper>
copumpkin: no not yet (ssm). yeah, volume resize is awesome
<copumpkin>
ikwildrpepper: I'm now trying to work up the courage to get involved with the linux kernel community to ask them to give me a uevent for volume resizes
<copumpkin>
or possibly submit a patch
<copumpkin>
ikwildrpepper: since we don't get a udev event for it, so we can't respond
<gchristensen>
I'm imagining a nixpkgs config of `allowInsecure = [ pkg1 pkg2 pkg3 ];` which somehow "fixes" a pkg's meta.insecure = true
<ikwildrpepper>
copumpkin: yeah, I am just already happy that the ebs volume itself is now easy to grow :D
<copumpkin>
yeah, it's quite nice
<ikwildrpepper>
that saves already so much hassle with snapshots etc
<copumpkin>
unfortunately they gave it a "refractory period" for some reason
<copumpkin>
so you can't resize more than once every 6 hours
<maurer>
copumpkin: Yeah, the main thing that prevents me from ever seriously using another OS for work at this point is the lack of tiling window manager
<LnL>
copumpkin: I'm talking about the module system I wrote for darwin
<maurer>
I didn't realize how badly I needed one until I had one
<ikwildrpepper>
copumpkin: yeah, it's not too bad for us, we never had to do a resize twice in such a perios ;)
<ikwildrpepper>
period
<copumpkin>
ikwildrpepper: hah, I was just tinkering with the udev events and trying to see if there were notifications that appeared anywhere
<copumpkin>
the only thing is a very unassuming line showing up in dmesg
<copumpkin>
the thing about NixOS VM tests is that they could easily be nondeterministic
<copumpkin>
but I can't run them more than once without calling nix-store --delete
<gchristensen>
rerun with --check
<copumpkin>
last I tried --check didn't work with a daemon
<gchristensen>
ah
<copumpkin>
is that fixed?
<gchristensen>
hrm no it should
* copumpkin
tries it after this current test run finishes
<copumpkin>
oh lovely
<copumpkin>
it does!
<copumpkin>
hmm, or maybe not
<copumpkin>
error: some outputs of ‘/nix/store/gimbxrp735xdb5v5grjg54zqrw5ihdx9-vm-test-run-ec2-config-userdata.drv’ are not valid, so checking is not possible
adev has joined #nixos
ebzzry has joined #nixos
<copumpkin>
oh never mind, wrong execution
<copumpkin>
the problem with --check for VM tests is that it'll always output a failure because the test reports produced will contain different timings :)
<copumpkin>
next someone needs to make VM tests deterministic ;)
mizu_no_oto has quit [(Quit: Computer has gone to sleep.)]
<gchristensen>
yeah :(
<copumpkin>
gchristensen: I'm now abusing your machine by running the VM test 100 times in a loop
<gchristensen>
LOL
<gchristensen>
I mean
<gchristensen>
you're not abusing that machine until you're running at least 48 of them at once
<copumpkin>
dammit
<copumpkin>
I should've used gnu parallel
<gchristensen>
you really, really should have
<copumpkin>
also, you know what I hate? that message that "we're dumping >256MB path"
<gchristensen>
and you're like, "I have 1,000x that in ram"?
<copumpkin>
lol not just that
<copumpkin>
just in general :)
<gchristensen>
:)
IITaudio has joined #nixos
<maurer>
gchristensen: there, I wrote a bunch of stuff and now sound like a snide stability maintainery person on the internet
<gchristensen>
perfect
<gchristensen>
whoa you wrote a lot
ebzzry has quit [(Quit: Lost terminal)]
<copumpkin>
:O
<IITaudio>
Hi, anybody on 16.09 can compile android apps? android-sdk continue trying to download to /nix/store/..android/../libexec and I can't find a way to change its path
ebzzry has joined #nixos
<gchristensen>
copumpkin: what do you think about my insecure idea? (`allowInsecure = [ pkg1 pkg2 pkg3 ];`)
<copumpkin>
that seems nice, but not sure how to do it unless you make pkg1 into strings
<copumpkin>
or some other voodoo
<gchristensen>
yeah I'm thinking voodoo >.>
<maurer>
gchristensen: is there an issue for that too? I'll keep it short but just want to register my complaint about the word insecure for packages we don't have known vulns against
<copumpkin>
a meta.insecure seems good regardless
<copumpkin>
even if you can't opt out for now except broadly
<gchristensen>
maurer: I don't know where you got the idea we'd use it for packages without known vulns.
<maurer>
(using insecure for packages there are released vulns against on the other hand sounds great)
<copumpkin>
gchristensen: my only fear with meta.insecure is that we need to drive home that it isn't authoritative
<maurer>
gchristensen: Oh, I thought you were just going to plop it on all unmaintained packages
<maurer>
My bad
<gchristensen>
no
<copumpkin>
i.e., just because something doesn't have insecure on it doesn't mean it's secure
<gchristensen>
copumpkin: definitely
<copumpkin>
it just means that we don't know that it's insecure, or that we do and nobody's gotten around to updating the meta field
<copumpkin>
:P
<maurer>
You know what would be really cool? There was a security maintainer nixos site at some point
<maurer>
I forget what it was
<copumpkin>
also, insecurity feels like it exists outside of time
<gchristensen>
maurer: monitor.nixos.org?
<copumpkin>
as in, it shouldn't live in the commit
* maurer
looks
<copumpkin>
because known insecurity applies retroactively to code
<maurer>
I get conn-refused
<gchristensen>
copumpkin: ugh I know, this is why I use git notes for security notes
<copumpkin>
gchristensen: I'm thinking...
<copumpkin>
gchristensen: this might get weirder
<copumpkin>
but a parallel channel that gets overlaid over nixpkgs
<copumpkin>
and updated at different frequencies, possibly by machine
<maurer>
In any case, my point here was that what that site did could be used to autogenerate periodic PRs marking things as insecure when they go out of date due to a known sec bug
<maurer>
It'd not be perfect, but it'd be better thanw hat we have now
<maurer>
*than
ndowens08 has joined #nixos
<maurer>
I like copumpkin's idea - if we made sure you could easily override the meta attribute to secure
<maurer>
you could have a security function that you apply to nixpkgs
<maurer>
which would produce a nixpkgs with all the insecure flags set
<gchristensen>
this sounds hard, though, and I'd rather not cause breakage on pinned nixpkgs versions
<copumpkin>
yeah, my main point is that it can update independently of the main nixpkgs, so even if you stay on 14.12 for years, you'll still know it's insecure
<gchristensen>
it throws wrenches in to reproducible research projects
<copumpkin>
but yeah, it does seem tricky
<copumpkin>
it doesn't have to
<maurer>
gchristensen: That's the nice part about doing it as a function
<copumpkin>
the overlay channel is just informational
<maurer>
gchristensen: the research project can just pin to nixpkgs
<maurer>
not security {inherit nixpkgs;}
<copumpkin>
anyway, just ruminating :)
<copumpkin>
gotta do something while my 100 iterations of the VM test run, right?
<gchristensen>
anyway, so, the bad way I'm planning to do this is with using overridePackages in the fn that evaluates the allowInsecure list to remove the `insecure` flag from the meta
<maurer>
gchristensen: Maybe just add two bools?
<maurer>
one for insecure, and the other for approved?
<maurer>
and then when asserting, check both?
<maurer>
That way you can e.g. print an informational warning message when installing
<maurer>
"foo-1.3 is insecure, but has been manually approved, building anyways"
<gchristensen>
also, perhaps a better thing than an insecure flag is `meta.knownVulnerabilities = [ "<info-about-issue>" "<info-about-issue>" ];
<gchristensen>
mbrgm: I mean, only for things we're keeping around for some reason. otherwise the tracking of issues needs to be outside of the git repository in a way that we can time-travel.
Rotaerk has joined #nixos
<maurer>
gchristensen: I mean, there's always the answer of just doing it like normal releases
<maurer>
where we just backport all security metadata to any channels
<maurer>
it's not as idyllic, but it'll get the job done
[0__0] has quit [(Remote host closed the connection)]
<gchristensen>
I encourage you to look at the security notes channel, where I've semi-solved this
<LnL>
gchristensen: is there something we should do for that when we create security fixes?
<NixOS_GitHub>
[nixpkgs] joachifm pushed 2 new commits to master: https://git.io/vDywE
<NixOS_GitHub>
nixpkgs/master 2d64361 Joachim Fasting: mozart: refactoring...
<NixOS_GitHub>
nixpkgs/master bc2f53f Joachim Fasting: grsecurity: 4.9.8-201702071801 -> 4.9.10-201702152052
<maurer>
Is this only on the nix-channel repo or something?
<maurer>
nixpkgs is giving me no ref on the remote
<gchristensen>
LnL: I do it once a week, but I could try and write some instructions
<maurer>
Nevermind, I am a dummy
<LnL>
gchristensen: how do you gather the info for that?
<gchristensen>
LnL: I've gotta do an urgent thing for work, let's talk in a bit
<LnL>
sure
<maurer>
Oh god, I just realized, this could be the holy grail if done right
<maurer>
gchristensen: When you get back ping me, there's something useful we could do with this for security researchers
<LnL>
yeah I didn't even know about git notes until gchristensen showed this to me
phI||Ip has joined #nixos
<maurer>
I'm more thinking about the fact that nixpkgs has usually reproducible builds
<maurer>
and someone is already noting down security metadata
<maurer>
You could potentially create a repository that could reproducibly allow you to build and exercise buggy code
<maurer>
with the ability to build with your instrumentation etc
<maurer>
One of the problems researchers in software security always face is that when it comes time to evaluate their tool, it takes a lot of legwork to get a running, verified buggy copy of software
<maurer>
This might be a nice way to catalog them and even allow for easy build hooking
<gchristensen>
if you'd like to do that, that could be very cool
<copumpkin>
maurer: I vaguely remember seeing you involved with BAP
<maurer>
copumpkin: Yes (sadly)
<copumpkin>
why sadly?
<copumpkin>
it looked cute last I looked (which was a while ago)
<maurer>
copumpkin: I am not a big fan of the new project architecture, and have become increasingly vexed with ocaml toolchain
<copumpkin>
ah yes
<gchristensen>
LnL: do you have a few minutes to put in patches for openssl in to stable / unstable? the issue was made public a couple hours ago.
<copumpkin>
I wanted to do something similar in Haskell ages ago, but my other interests won over it
<maurer>
Did you look at around 0.8, or when it was in several repos, or after it was released on opam?
<copumpkin>
maurer: can't even remember, just read docs, didn't actually run it
<maurer>
If you're still interested, I'm more than happy to answer questions. rev.ng also came out recently, and is a little less NIH about things
<maurer>
(I even have a BAP nixexpr)
<copumpkin>
oh interesting
<copumpkin>
rev.ng looks more dynamic
<maurer>
(The creation of which is why I accidentally ended up maintaining a bunch of ocaml)
<maurer>
rev.ng is a static rewriting utility
<maurer>
it uses qemu TCG to lift the code to a semantic IR
<copumpkin>
oh interesting
<maurer>
then manipulates it
<maurer>
and uses LLVM to produce output code
<maurer>
The only other systems with similar capabilities I'm aware of are mcsema and bap
<maurer>
bap is more focused on analysis
<copumpkin>
seems hard (err, impossible in general) to statically rewrite a binary though
<maurer>
It is
<gchristensen>
or maurer, can you do it? ^ what I sent to LnL
<maurer>
I haven't looked into rev.ng's implementation enough to know what tricks they're using, but they openly admit to assuming things like "functions are intended to be used as functions"
<copumpkin>
ah
<phI||Ip>
Who pays for NixOS? Is the foundation the preferred way to support the project? It's not clear who is in charge and how to assist the project.
<jarlg>
Anyone using CUDA? cudatoolkit installs fine, but then cuda-install-samples fails miserably..
<NixOS_GitHub>
[nixpkgs] abbradar pushed 2 new commits to master: https://git.io/vDyok
<NixOS_GitHub>
nixpkgs/master 109ee2a Nikolay Amiantov: kbd service: use systemd-vconsole-setup even with early setup...
<NixOS_GitHub>
nixpkgs/master 0c81594 Nikolay Amiantov: kbd service: use /dev/tty1 for systemd-vconsole-setup...
<copumpkin>
phI||Ip: it's mostly just open source work, but there's some support from LogicBlox for some of the infrastructure, via the foundation, and private donations to the foundation
<gchristensen>
copumpkin: there are other companies supporting it, see the website
<copumpkin>
yeah sorry
<phI||Ip>
So the foundation is the preferred way to donate? I am using it more and more for personal/corporate reasons and I want to make sure I am doing my part to keep it going.
<copumpkin>
yay
<copumpkin>
I think so, yeah. Keep in mind it's not tax-deductible if you're in the US
<copumpkin>
since it's not a registered US non-profit
<gchristensen>
phI||Ip: yep that is the preferred way indeed :)
ebzzry has quit [(Ping timeout: 268 seconds)]
<phI||Ip>
copumpkin got it thanks
<phI||Ip>
gchristensen thanks!
<gchristensen>
no no, thank _you_ phI||Ip!
DutchWolfie has quit [(Remote host closed the connection)]
<maurer>
gchristensen: Do you want more than PRs with the patch applied and CVE in the commit message?
<gchristensen>
nope, that'll be perfect
<niksnut>
jarlg: I don't use CUDA directly, but I use packages that build against it (e.g. Blender)
<maurer>
gchristensen: OK, building locally now to test
Itkovian has quit [(Quit: Textual IRC Client signing off)]
Itkovian has joined #nixos
danielrf has quit [(Read error: Connection reset by peer)]
danielrf has joined #nixos
reinzelmann has quit [(Ping timeout: 240 seconds)]
cpennington has joined #nixos
kanzure has quit [(Ping timeout: 240 seconds)]
olejorgenb has quit [(Ping timeout: 240 seconds)]
page has quit [(Ping timeout: 240 seconds)]
panostimos has joined #nixos
kanzure has joined #nixos
olejorgenb has joined #nixos
<maurer>
gchristensen: It appears I am too slow for stable
<gchristensen>
oh?
page has joined #nixos
<maurer>
stable already has 1.1.0e
<gchristensen>
what
<gchristensen>
who did it? :P
<maurer>
oh nvm
<maurer>
I typod a git command
proteus-guy has joined #nixos
johnsonav has joined #nixos
cpennington has quit [(Ping timeout: 258 seconds)]
DutchWolfie has joined #nixos
reinzelmann has joined #nixos
<NixOS_GitHub>
[nixpkgs] bjornfor pushed 3 new commits to release-16.09: https://git.io/vDyKj
<NixOS_GitHub>
nixpkgs/release-16.09 e355b97 Profpatsch: geteltorito: init at 0.6 (#18614)...
<NixOS_GitHub>
nixpkgs/release-16.09 5e303aa Profpatsch: geteltorito: switch to upstream dist (#19226)...
<NixOS_GitHub>
nixpkgs/release-16.09 3c227aa Bjørn Forsman: genimage: init at 9...
<NixOS_GitHub>
[nixpkgs] maurer opened pull request #22867: openssl: 1.1.0d -> 1.1.0e for High severity CVE-2017-3733 (master...openssl-cve-2017-3733) https://git.io/vDy6I
<ndowens08>
Well gonna try and see if I can make a darkhttpd module :) first time trying lol
<gchristensen>
thank you maurer
<gchristensen>
maurer: I'll backport
<NixOS_GitHub>
[nixpkgs] grahamc pushed 2 new commits to master: https://git.io/vDy6s
<NixOS_GitHub>
nixpkgs/master 0d2ba7e Matthew Maurer: openssl: 1.1.0d -> 1.1.0e for High severity CVE-2017-3733
<NixOS_GitHub>
nixpkgs/master cfbddd3 Graham Christensen: Merge pull request #22867 from maurer/openssl-cve-2017-3733...
<ndowens08>
mostly going by tomcat's module
<maurer>
OK, all three PRs up
<maurer>
err, four
<gchristensen>
wat?
<jarlg>
niksnut: Are there any tricks to getting it working? Or you simply have cudatoolkit as a dependency, and it works?
<maurer>
(there's one to master, one to unstable, one to 16.09, and one to 16.09-small)
<gchristensen>
err
<maurer>
was that not what I was supposed to do?
<gchristensen>
where did you send these PRs?
<maurer>
to the nix-channels repo
<gchristensen>
ahh, we don't do PRs there
<gchristensen>
I'll explain in a bit, still doing a thing
<maurer>
Had I known I didn't need to build/test/PR for the three other branches, you would have gotten the patch much faster
<maurer>
:P
<maurer>
most of that time was me reapplying and rebuilding my patch
<gchristensen>
so maurer, it does need to be reapplied to the release-16.09 branch in nixpkgs. master in nixpkgs goes to unstable in nixpkgs-channels. release-16.09 in nixpkgs goes to nixos-16.09 and nixos-16.09-small in nixpkgs-channels
<maurer>
Ah, OK
<maurer>
Should I send to release-16.09, or are you handling that?
<gchristensen>
I'll handle this one, thank you :)
<maurer>
k
<NixOS_GitHub>
[nixpkgs] grahamc pushed 1 new commit to release-16.09: https://git.io/vDy6h
<NixOS_GitHub>
nixpkgs/release-16.09 9f7ec81 Matthew Maurer: openssl: 1.1.0d -> 1.1.0e for High severity CVE-2017-3733...
cpennington has joined #nixos
peterhoeg has quit [(Remote host closed the connection)]
<copumpkin>
dammit, I wish I'd done `echo $i` in this loop of 100 tests :)
<copumpkin>
I don't know how many more are left
<gchristensen>
I know that feeling
<copumpkin>
anyway, the test is probably fine
<copumpkin>
it just feels sad to cancel it
<gchristensen>
restart with parallel for a good time
<gchristensen>
also pop open htop
xadi has quit [(Quit: Leaving.)]
xadi has joined #nixos
<copumpkin>
parallel is harder because of needing to clear out the intermediate store paths to convince nix not to avoid work
<gchristensen>
aww ok
<gchristensen>
oh right, it won't do it in parallel because of the locks :|
<copumpkin>
also I made some progress on my fast image build stuff yesterday
<copumpkin>
I think it'll be super cute and maintainable too
<gchristensen>
"and maintainable too" :)
<copumpkin>
factored out most of the filesystem building stuff from nixos-install
<copumpkin>
so we can use it from different places
<copumpkin>
and share code
<copumpkin>
and I think it makes a bit more sense than the old process, too
<copumpkin>
the previous thing was doing stuff to the store of the VM building the image, for example
<copumpkin>
and then setting up a fake substituter to "install" from
<copumpkin>
this is much more direct and just populates the store the first time around
<gchristensen>
neat
<copumpkin>
I wanna try to get it into 17.03
<copumpkin>
will update the PR by this weekend I think
eacameron has joined #nixos
<copumpkin>
it'll be a thing of great beauty and everyone will swoon over it
* copumpkin
rolls eyes
<copumpkin>
oh my god my 100 iterations finished!
<gchristensen>
nice
<maurer>
Ugh, I'm getting more and more peeved with this "linux applications only know about one DPI" thing the more I use my new setup
<maurer>
Maybe I should just intentionally use a lower resolution to avoid it
shlevy has quit [(Ping timeout: 264 seconds)]
shlevy has joined #nixos
<NixOS_GitHub>
[nixpkgs] abbradar pushed 1 new commit to master: https://git.io/vDyXz
<NixOS_GitHub>
nixpkgs/master a72dc9f Nikolay Amiantov: compton: 0.1_beta2 -> 0.1_beta2.5
<NixOS_GitHub>
[nix] edolstra pushed 5 new commits to master: https://git.io/vDyX7
<NixOS_GitHub>
nix/master 40f0e3b Eelco Dolstra: Include "curl" in the User-Agent header...
<NixOS_GitHub>
[nixpkgs] copumpkin opened pull request #22869: amazon-init NixOS module: fix (I think) race condition with network (master...amazon-init-fix) https://git.io/vDy1D
<ikwildrpepper>
three smileys? :o
<gchristensen>
brown-noser :)
<ndowens08>
gchristensen: is there something special i have to do to try my module i created; i created a separate configuration and exported it as the default file to use; added the location of module in that module_list file, added the call for my options in configuration file and says option 'services.darkhttpd' does not exist?
<copumpkin>
:) :) :) :)
danharaj has joined #nixos
<ndowens08>
which I am sure is true, since it isn't in the repo, hmm
<niksnut>
copumpkin: cool!
<copumpkin>
niksnut: you wrote that error message :)
<ndowens08>
that didnt work, just gave the services.darkhttpd doesnt exist
<ndowens08>
not to your latest reply copumpkin , finished my last msg :)
<copumpkin>
:)
<copumpkin>
niksnut: can you clarify what RemainAfterExit would do? I'm not a systemd guru :)
<copumpkin>
or I can shut up and just add it. I don't think it defaults to true
danharaj has quit [(Ping timeout: 240 seconds)]
erasmas has joined #nixos
<goibhniu>
hrm, I have an imperative 16.03 nixos-container and I'd like to connect to a VPN from it using openconnect, but it fails to create tun0 ... `tunctl` gives me "Failed to open '/dev/net/tun' : Operation not permitted" ... I've tried to configure a virtual interface: http://sprunge.us/FXFJ ... any idea what I'm doing wrong?
<ndowens08>
ok i am getting darkhttpd attribute is missing and that line looks like: cfg = config.services.darkhttpd;
<gchristensen>
goibhniu: /dev/net/tun was broken in 16.03 and fixed in 16.09
<gchristensen>
for nixos containers
<goibhniu>
oh dear, thanks!
fhoffmeyer has quit [(Ping timeout: 240 seconds)]
* goibhniu
gives 16.09 a shot
<gchristensen>
goibhniu: also 17.03 is about to be released :) did you not know about 16.09?
<goibhniu>
IIRC I had some other problem with containers, but I didn't make time to investigate further
fhoffmeyer has joined #nixos
ixxie has joined #nixos
<joko>
Hello, is anyone using LUKS and decrypting partitions during boot via SSH?
fhoffmeyer3 has quit [(Ping timeout: 240 seconds)]
* goibhniu
sees from the logs that it was an openvpn issue the last time ... hope this works!
<copumpkin>
joko: I remember a wiki page about that a while back... haven't done it myself though
<joko>
I've checked the diffs, but I still can't tell what happens once you log in via SSH, do you have to type something, the passphrase directly, what next etc.?
thc202 has quit [(Ping timeout: 258 seconds)]
<NixOS_GitHub>
[nixpkgs] grahamc closed pull request #19523: Allow access to /dev/net/tun inside containers (port to 16.09) (release-16.09...containers-dev-tun) https://git.io/vPwKf
<goibhniu>
oh! :D
<goibhniu>
so, it doesn't currently work for me on 16.09 either
<goibhniu>
do you happen to know if it's only possible using declarative containers in 16.09 gchristensen?
edvorg has quit [(Ping timeout: 276 seconds)]
<ndowens08>
why would cfg = config.services.darkhttpd; produce error attribute darkhttpd missing?
thc202 has joined #nixos
<copumpkin>
ndowens08: perhaps make a gist of your config?
<LnL>
ndowens08: is it enabled?
<copumpkin>
ndowens08: you need to add your module to the modules list if you haven't already
<copumpkin>
(I'm assuming you're writing a new module)
<ndowens08>
LnL: copumpkin it is a module i created/trying and i did add it to the module list, but gonna double check
<ndowens08>
./services/web-servers/darkhttpd/default.nix yup it is there
<LnL>
ndowens08: did you add it to module-list.nix?
<copumpkin>
that doesn't quite follow convention, but that's an easy fix
<copumpkin>
we don't typically put modules in their own folder today
<ndowens08>
ah copumpkin :)
<copumpkin>
but the module-list.nix is the important bit
<copumpkin>
as LnL says
<ndowens08>
was following what others had theirs as :)
<gchristensen>
goibhniu: I don't know, but without that PR it is broken on 16.09 ... so it'll take a bit for that fix to reach 16.09's channel :(
<ndowens08>
LnL: that paste is from module-list.nix
mudri has joined #nixos
<ndowens08>
still gives that error, i removed it from dir and changed it in the module list
<goibhniu>
thanks for merging gchristensen! IIUC an extra capability needs to be passed to systemd-nspawn ... I don't know anything about capabilities ... I wonder if I can just do that on the fly ....
<copumpkin>
yours is creating a top-level enable option
<copumpkin>
not scoped or anything
<ndowens08>
woops lol
Shou has joined #nixos
bennofs has quit [(Ping timeout: 252 seconds)]
<copumpkin>
ndowens08: I'd also call it something like documentRoot or document-root, which seems to be the convention from lighttpd and apache modules
<copumpkin>
"convention"
digitalmentat has joined #nixos
<ndowens08>
don't know if this gonna work, but thought why not try :)
<NixOS_GitHub>
[nixpkgs] ttuegel opened pull request #22872: Update isync-git, with several other improvements (master...isync) https://git.io/vDyFF
<ndowens08>
LnL: set that in the test config and still gives incorrect password
<joko>
If I want to use only a remote machine to build nix derivations, should I set build-max-jobs to 0 in /etc/nix/nix.conf so that the localhost does nothing?
<ndowens08>
even set my user acct password there too and nothing
<ndowens08>
seems the rebuild isn't really rebuilding as i disabled display-manager and still it starts
<qknight_>
to include external code in nix i can only use import/imports (which expects a module) and mkDerivation. how could i write a new way to import stuff?
<qknight_>
the problem is that i would like to call a function which applies parameters which then create new modules (modules which are parameterized) and with simply using imports i can't pass parameters to the nix expressions if i understand it correctly
<copumpkin>
qknight_: imports doesn't have to be file paths; you can pass in expressions too
<copumpkin>
for a NixOS module, that is
<copumpkin>
i.e., you can do imports = [ (import ./path/to/module.nix) ] and it'll behave almost the same way
<k0001>
joko: that, or you can just pass `--max-jobs 0` to `nix-shell`, `nix-build`, `nixos-rebuild`, etc..
<copumpkin>
the only difference is around error reporting, which currently works a bit better with file paths than with expressions
<copumpkin>
qknight_: having said that, the "endorsed" way to parametrize modules is to define options in them and define those options elsewhere
<copumpkin>
I'm not always a huge fan of that, but so it goes :)
<qknight_>
copumpkin: ah, so the combination of the two is what i seek?
<copumpkin>
well, I don't know. you should be able to get away with passing the path to your module, and defining an option schema inside it
<copumpkin>
that's I think the more idiomatic way
<joko>
k0001: ok, thanks, apparently distributed builds are still not working on my host and it complains that it is unable to start any build due to max-jobs set to 0 >_<
<copumpkin>
if you want to make a nix _function_ that returns a module, that's also possible, but less idiomatic
<clever>
qknight_: you can also add to the arguments that nixos passes to EVERY module
<qknight_>
copumpkin: i want a nix _function_ that returns a module!
johann__ has quit [(Ping timeout: 268 seconds)]
<copumpkin>
yeah, so no reason that won't work
<qknight_>
clever: i tried that but it didn't work. what is the syntax?
<clever>
qknight_: this is how pkgs winds up in the args for modules
<ndowens08>
why does nix make me look stupid lol, i use useSandbox = true; in which ya'd think it would clean the sandbox so it builds cleanly, but it seems it just remembers past configuration and doesn't use one i just updated to disable X
<ndowens08>
nor does it set password
<qknight_>
comex: clever thanks so much!
<copumpkin>
hi comex :)
<clever>
qknight_: i think nixops uses something similar, so you can refer to the ip of other boxes in the deployment
johnsonav has quit [(Ping timeout: 256 seconds)]
endformationage has joined #nixos
<NixOS_GitHub>
[nixpkgs] ttuegel pushed 2 new commits to master: https://git.io/vDyxZ
<NixOS_GitHub>
nixpkgs/master 463e902 Benjamin Staffin: pam: add optional pam_kwallet5 integration
<NixOS_GitHub>
nixpkgs/master 7c260ad Thomas Tuegel: Merge pull request #22813 from benley/pam-kwallet...
Rizy has quit [(Quit: Rizy)]
digitalmentat has quit [(Quit: Leaving)]
<eacameron>
Is anyone using nixops to deploy servers with encrypted file systems?
<clever>
eacameron: the bulk of what nixops does is just nix-copy-closure, so as long as the fileSystems attrset is right and you can ssh the machine, it will keep working
<clever>
eacameron: unlocking luks on bootup is a separate issue, but it should be solvable the same as a local machine
<clever>
and there is a boot.initrd.ssh that recently got added, to let you ssh in and answer luks prompts
<eacameron>
clever: That's cool! I've hardly worked with luks at all so I was curious if it was "easy" or "hard" to setup with nixops.
<copumpkin>
also, if you use EC2 you can use their native "trust us" encryption
<clever>
eacameron: pretty easy, let me dig up the config for my laptop
<eacameron>
copumpkin: Interesting. I don't use EC2 but that's good to know anyhow. (I'm using DigitalOcean)
<copumpkin>
cool, yeah, they have native (optional) encryption on all block volumes nowadays
<copumpkin>
but it's completely transparent to guest machines
<7JTAAJW67>
[nixpkgs] FRidh pushed 5 new commits to master: https://git.io/vDypc
<7JTAAJW67>
nixpkgs/master 17e9f21 Tom Hunger: parsel: 1.0.3 -> 1.1.0
<7JTAAJW67>
nixpkgs/master dde5350 Tom Hunger: w3lib: 1.14.2 -> 1.17.0
<7JTAAJW67>
nixpkgs/master c10b0e7 Tom Hunger: scrapy: 1.1.2 -> 1.3.1
<copumpkin>
eacameron: yeah they have a full key management system called KMS
<clever>
copumpkin: yeah, if they can access your aws console or the vm, they can just read the block thru the decryptor, and it does nothing
<clever>
copumpkin: i suspect that crypto only works against physical intrusions into the datacenter, assuming the attacker doesnt also steal the box of keys
<copumpkin>
it works fine if your threat model doesn't include Amazon itself
<copumpkin>
:)
<eacameron>
copumpkin: Ah right. Well...I hope we can do better without much work.
<copumpkin>
yeah, it's to guard against datacenter intrusions and it's harder for their employees to break into it
<gchristensen>
you're acting like it is without use
<ndowens08>
aggh!
<clever>
eacameron: line 20 of configuration.nix opens the luks, line 16 opens the zfs for root, and the rest is unrelated stuff
<gchristensen>
having the data on disk being encrypted is not without use
<ndowens08>
:)
<eacameron>
gchristensen: Oh certainly. But I'm just saying if I can set up some quick configurations in nixos then that would be much better and not much harder.
<clever>
gchristensen: it also gives you peace of mind when the drives get retired
<clever>
zero chance of data in the garbage being recovered
<gchristensen>
yep
<eacameron>
clever: Wow thanks! This uses zfs too??
<clever>
eacameron: and lvm
<clever>
eacameron: nixos, zfs, lvm, and luks
<joko>
clever: any chance you have tested this with SSH on another host, e.g. logging in and entering the passphrase remotely?
<eacameron>
clever: Wow! This is awesome. `memtest86.enable = true;` sets ZFS?
<clever>
joko: havent tried the new boot.initrd.ssh stuff yet
<clever>
eacameron: nope, that just puts a copy of memtest in /boot and adds it to grub.cfg
<clever>
eacameron: i have an ext4 /boot partition with no crypto, and the initrd contains the zfs drivers
<eacameron>
clever: Oh...line 16 of the hardware file. lol
georges-duperon has quit [(Remote host closed the connection)]
<clever>
20-23
bennofs has joined #nixos
<joko>
eacameron: for ZFS you do need to have boot.supportedFilesystems = [ "zfs" ];
johnsonav has joined #nixos
<eacameron>
joko: Ah ok.
<clever>
joko, eacameron: nixos will add the .fsType of every entry in fileSystems to boot.supportedFilesystems
<clever>
and any filesystem with requiredForBoot also gets put in boot.initrd.supportedFilesystems
<eacameron>
clever: Oh so it's "automatic"?
<nahamu>
NixOS's supprot for ZFS made me so happy when I discovered it.
<clever>
eacameron: yeah
<nahamu>
*support
<eacameron>
clever: And you think this will work with nixops....
georges-duperon has joined #nixos
<eacameron>
I've never configured the file systems in a nixops machine.
<clever>
eacameron: as long as it's in the fileSystems attrset, it will just work
<clever>
eacameron: but nixops doesnt handle the partitioning/formatting
<clever>
eacameron: so you need to pre-make an image with that zfs config
<clever>
eacameron: the only time you need to boot.supportedFilesystems = [ "zfs" ]; is when you want to force zfs support in and not define what to mount via zfs
<clever>
for example, making a usb stick that lacks zfs, but will mount zfs drives manually
<eacameron>
clever: Oh. That might work for some other backends but DigitalOcean doesn't support custom images.
<eacameron>
DigitalOcean might even use your script to kexec and swap out the OS underneath.
<clever>
eacameron: my kexec trick may work
fhoffmeyer2 has quit [(Ping timeout: 240 seconds)]
<clever>
eacameron: in theory, you could use kexec to get nixos running from ram, then format the hdd and make a zfs based image
<clever>
eacameron: and i believe DO lets you clone the machine after that, so you just have to configure nixops to use that as the base
<clever>
eacameron: the network stuff on lines 81-89, ive heard its buggy
<clever>
eacameron: and somebody else in #nixos wrote a module that properly queries the DO metadata at boot time
<eacameron>
clever: Oh?? I need to know about this...
<clever>
eacameron: and this script appears to do the same thing i did to a gentoo system, it just jams nix onto the box with curl https://nixos.org/nix/install
danharaj has joined #nixos
<clever>
eacameron: and then builds nixos under ubuntu, and overwrites the MBR
<clever>
eacameron: so you are forced to keep whatever partitions DO made for you
<eacameron>
clever: Does that mean no Luks or zfs?
fhoffmeyer has joined #nixos
<clever>
eacameron: yeah, with nixos-infect
<clever>
eacameron: but with the kexec tool i linked, you can boot nixos in ram, without any changes to the MBR
<copumpkin>
aszlig: you still around? :)
<clever>
eacameron: then you can ssh into that, and do whatever you want to the hdd
johnsonav has quit [(Ping timeout: 276 seconds)]
regnat has quit [(Read error: Connection reset by peer)]
<eacameron>
clever: That's awesome. But I wonder how well DO would take to losing *all* semblance of control over the box.
<clever>
eacameron: ive heard that when you clone a droplet, DO will try to mount the rootfs, and overwrite /etc/network/interfaces and /root/.ssh/authorized_keys
<clever>
eacameron: i would expect that to sanely fail when it encounters luks and skip it
<eacameron>
clever: But your machine might be borked.
<clever>
in the case of DO, it doesnt sound like they have any tools to allow recovery
<clever>
but this goes into 2 more ideas i had this week
<clever>
#1 (for datacenters with more manual stuff), put the kernel/initrd from my kexec tool into /boot and grub.cfg
<clever>
so when it breaks, you open a ticket and tell them to boot the rescue option, then you can ssh into that and repair it
<copumpkin>
ManualOcean?
<ndowens08>
ugh still getting darkhttpd attribute missing :\
<clever>
this can also be of use for local systems
<clever>
you essentially are embedding the install cd in /boot
<copumpkin>
ndowens08: update your gist? :)
<clever>
copumpkin: so you get a very cheap repair ANYTHING option, as long as /boot is intact
<copumpkin>
HalfManualOcean?
<copumpkin>
(I've never used them)
<eacameron>
clever: Hah wow that would be sweet. I wouldn't actually know how to do anything with it but somebody would.
freusque has quit [(Quit: WeeChat 1.6)]
<clever>
eacameron, copumpkin: my second idea, is to make a linux bootloader, that runs as a stripped down kernel+initrd+gui app
<clever>
so on bootup, it runs a custom bootloader, that listens on the network for control
<aszlig>
copumpkin: yep
<clever>
and if it hits a timeout, it will kexec nixos
<clever>
and if you do take control, you can pick which generation to kexec, or kexec into the rescue system
freusque has joined #nixos
<clever>
so you essentially control GRUB over the internet
<eacameron>
clever: Haha wow now that would be very nice for nixops
<clever>
eacameron: yeah
* eacameron
wishes nixops had a vultr backend since it does support custom images.
<clever>
eacameron: i believe you just put the module.nix into imports, and you get an IP, thats it
<eacameron>
clever: imports?
<clever>
and if you clone the machine via the DO control panel, it automatically gets the right ip, no need for nixos to rebuild things
<NixOS_GitHub>
[nixpkgs] rbvermaa pushed 1 new commit to release-16.09: https://git.io/vDSU3
<NixOS_GitHub>
nixpkgs/release-16.09 780a38c Rob Vermaas: nixops: update to 1.5
<clever>
eacameron: yeah, imports = [ ./systemd-digitalocean/module.nix ]; in configuration.nix
<ndowens08>
copumpkin: hmm copumpkin looked at other modules that are similar, and none of them create the uids in theirs, they look like mine, sorta
<ndowens08>
may start over
<copumpkin>
ndowens08: no, there's just a list of uids
<copumpkin>
you need to add something to it if you want a user
<eacameron>
clever: Wow thanks for this. So does this mainly apply when cloning droplets?
<NixOS_GitHub>
[nixpkgs] rbvermaa pushed 1 new commit to master: https://git.io/vDSUV
<NixOS_GitHub>
nixpkgs/master 1c366b4 Rob Vermaas: nixops: update to 1.5...
<clever>
eacameron: it also means you can't mess up the config when using nixos-infect (if you turn off the code that's potentially buggy)
<clever>
or other methods to install
teknico has quit [(Quit: Leaving.)]
<clever>
eacameron: one of the datacenters I've been dealing with lately has a similar but worse setup, you need static ip's configured, but it has no metadata service
<eacameron>
clever: ug
<clever>
eacameron: the datacenter IT guys normally log in manually via the console, and update the config
<ikwildrpepper>
clever: ugh, yeah, that is terrible
<clever>
ikwildrpepper: i gave them a .vmdk file to replace my vm with, and they asked for the pw so they could apply that
<eacameron>
clever: I'm trying to determine how "freaked out" I should be about this since I have a few production servers running nixos on do
<clever>
ikwildrpepper: its nixos, i dont think they would be able to figure it out :P
<NixOS_GitHub>
nixpkgs/staging e962a3c Vladimír Čunát: Merge branch 'master' into staging
Itkovian has quit [(Quit: My MacBook has gone to sleep. ZZZzzz…)]
goibhniu has quit [(Ping timeout: 268 seconds)]
<NixOS_GitHub>
[nixpkgs] vcunat pushed 1 new commit to staging: https://git.io/vDScs
<NixOS_GitHub>
nixpkgs/staging 524de86 Vladimír Čunát: findutils: plug a memory leak (close #22857)...
<ndowens08>
ok let me see if I am correct, in an option I have foward = mkOption { default = ""; url =""; description...}; to call it from config would i do ${cfg.foward.url}?
fresheyeball has quit [(Ping timeout: 276 seconds)]
takle_ has quit [(Remote host closed the connection)]
<NixOS_GitHub>
[nixpkgs] acowley opened pull request #22875: ghostscript: fix installed library name on darwin (master...ghostscript-id) https://git.io/vDSlF
simendsjo has joined #nixos
digitalmentat has joined #nixos
kampfschlaefer has joined #nixos
<ndowens08>
ok if I have url in this example: foward = mkOption { default = ""; url = " "; description=""}; how do i extract the data in foward option?
<eacameron>
clever: Do you have a sense of how hard it is to port a package from say, apt, to nix? I want to port do-agent (DigitalOcean server metrics agent) but I'm not sure where to start.
<clever>
eacameron: if the source is available, start with just a derivation containing a name and src = fetchurl and see what happens
<clever>
eacameron: nixpkgs will handle ./configure and everything automatically
ilyaigpetrov has quit [(Quit: Connection closed for inactivity)]
JagaJaga has quit [(Ping timeout: 260 seconds)]
danharaj has quit [(Ping timeout: 260 seconds)]
Itkovian has quit [(Quit: My MacBook has gone to sleep. ZZZzzz…)]
<ndowens08>
clever: is there a way to force nix-rebuild to clean the build env, b/c even when i change my configuration-test.nix to build a vm, but never seems to change anything when i start the vm session, for example, i am telling configuration to disable xserver.autorun and xserver starts up anyway
riptawr has quit [(Remote host closed the connection)]
acowley_away is now known as acowley
fhoffmeyer has quit [(Ping timeout: 245 seconds)]
Itkovian has joined #nixos
mbrgm has joined #nixos
cpennington has joined #nixos
<sziszi>
i'm using a networking.localCommands option with double single quotes; the resulting systemd script builds successfully when I rebuild the system, and the commands also work when I run the file manually, so I assume the configuration is correct, but these commands didn't run (maybe they do, but I didn't find any evidence). is there a logfile or something I can look into about this issue? i'm stuck right now
takle has quit [(Remote host closed the connection)]
pi3r has joined #nixos
<mbrgm>
fpletz: I remember you're using gitlab on nixos in production. how is it though to be brought to the frontend?
<cransom>
sziszi: i found when adding extra commands to the firewall via iptables that if not cleaned up properly, the stop/start script would get confused and due to a set -e in the script, would fail on the first error. you might be hitting something like that there.
<mbrgm>
I see nothings listening on a http-alike port
Itkovian has quit [(Quit: My MacBook has gone to sleep. ZZZzzz…)]
mexisme2 has joined #nixos
AllanEspinosa has quit [(Ping timeout: 245 seconds)]
<sziszi>
cransom: thanks! but afaik there is no error in this script, atleast manually there is none, but who knows :))
<NixOS_GitHub>
[nixpkgs] Profpatsch closed pull request #22388: networking.bonds: add support for arbitrary driverOptions (master...bonding) https://git.io/vDsrk
<Ralith>
cransom: systemctl status/list-units should report when that's happened, right?
Shou has quit [(Ping timeout: 260 seconds)]
JagaJaga has joined #nixos
mudri has joined #nixos
<cransom>
Ralith: it does, yes. in my experience, nixos-rebuild would succeed but the firewall unit still failed slightly after nixos-rebuild returned.
takle has joined #nixos
mexisme has quit [(Ping timeout: 240 seconds)]
<Ralith>
that sounds right
johnsonav has quit [(Ping timeout: 245 seconds)]
takle has quit [(Ping timeout: 264 seconds)]
simendsjo has quit [(Quit: ERC (IRC client for Emacs 24.5.2))]
AllanEspinosa has joined #nixos
<sziszi>
Ralith: ohohoh, you're my man
<sziszi>
I got the error
<sziszi>
a few reboot and I'll be done :D
<ndowens08>
doing nixos-rebuild switch usually makes it where you dont have to reboot, most of the time i think?
<NixOS_GitHub>
[nixpkgs] viric pushed 1 new commit to master: https://git.io/vDSDt
johnsonav has joined #nixos
<NixOS_GitHub>
nixpkgs/master 0cee46d Lluís Batlle i Rossell: brotli: update to 0.5.2...
DarcsAurelius has joined #nixos
<sziszi>
ndowens08: sadly not this time
<ndowens08>
ah that sux :\
<sziszi>
Feb 16 20:50:11 narancs systemd[1]: Failed to start Extra networking commands..
<mbrgm>
is someone using gitlab on nixos?
mudri has quit [(Ping timeout: 240 seconds)]
<sziszi>
even better: I have FDE, and the boot process is extremely slow till the system unlocks the disk + typing in my 50+ char long pw...
<sziszi>
mbrgm: if you need a smaller solution I'd look at gitea
<mbrgm>
sziszi: thx for the recommendation. need to gitlab though :-/
mojjo has joined #nixos
<mojjo>
hi! is there a way to run skype or another application that serves as a skype client on nixos?
<clever>
simpson: callPackage_i686 forces skype to use 32bit libraries and to build in a 32bit way
<viric>
nix-env -iA nixos.pkgsi686Linux.brotli
<viric>
and shazam you have it for i686
<clever>
simpson: and also, it forces a linux-32bit build, even on a mac system!!
<mojjo>
Alright, now I'm getting the 'unfree' error. Which I'm wondering, why, since I have allowUnfree = true; in my configuration.nix
<clever>
mojjo: configuration.nix is only used for nixos-rebuild, nix-env never reads it
<clever>
mojjo: nix-env and nix-build only ever use ~/.nixpkgs/config.nix
Shou has quit [(Ping timeout: 240 seconds)]
<philipp[m]>
I'd like to know how to properly update all my containers that are defined in the hosts configuration.
<philipp[m]>
*with minimal downtime
deepfire has joined #nixos
<mojjo>
ah, good to know. The file does not exist on my machine. Would I have to create it?
chris| has joined #nixos
<clever>
philipp[m]: the only way to update the declarative containers is to restart their systemd units on the host, which does a full container shutdown, and then bootup
<clever>
mojjo: yeah, the unfree error should tell you what contents it needs
<clever>
philipp[m]: imperative containers gain the use of "nixos-rebuild switch" within them for faster updates, but they also have some cons: each container has its own channel, and you now have to nixos-rebuild every container one by one
<clever>
with declarative containers, nixos-rebuild on the host updates the build of every container at once for you
georges-duperon has quit [(Ping timeout: 252 seconds)]
<mojjo>
now it installs. nice.
<simpson>
clever: Huh, but even though they each have their own channel (in the imperative setup), they still share the same store, right?
fhoffmeyer has joined #nixos
<clever>
simpson: yeah, they all share the store, but the "active" nixos build is going to be entirely out of sync
<clever>
simpson: so you need to "nixos-rebuild --upgrade switch" every container separately
<simpson>
Mm.
<clever>
or one container may wind up on a month old nixos-unstable, because you forgot to run updates on it
<simpson>
I keep wanting to do containers on my laptop, but I don't know what I'd put into the container. Maybe I'm not thinking with containers yet.
<clever>
declarative containers just update every single container, since the host depends on the container builds
<mojjo>
if someone has a good alternative to the official skype client one, I'm keen to hear a recommendation...
<clever>
mojjo: toxcore has been working to take over the skype users, https://tox.chat/
bennofs has joined #nixos
ndowens08 has quit [(Ping timeout: 240 seconds)]
<mojjo>
looks good, but I need a way to communicate with skype accounts. Which tox can't I guess..
<clever>
yeah, tox can only talk to other tox users
<clever>
and ive heard rumors that skype is shutting down the p2p network and going purely "cloud" based
<clever>
so any pre-existing skype clients are going to break
<clever>
and then only the official one will remain, and only if you update
<viric>
don't we have SDL2Main?
<simpson>
I've given up, FWIW; my Skype contacts have to use non-Skype to reach me now.
AllanEspinosa has joined #nixos
<mojjo>
simpson: good attitude!
<viric>
what are the multiple outputs? .bin and .dev? that's all?
<clever>
simpson: either M$ thinks their cloud is bigger than the sum of every single user, or the NSA wants help spying on things, lol
<clever>
viric: every string listed in the outputs attribute becomes an output
<viric>
clever: by default I mean
<clever>
viric: and derivations are free to make their own ones up, i have one for logs and static binaries
<viric>
SDL2 should have a libsdl2main.a
<clever>
viric: ive seen bin, dev, lib, and dbg within nixpkgs
<clever>
viric: and sometimes a static
<simpson>
clever: Man, don't get me started on USA spying. It ticks me off so much.
<clever>
viric: checking .outputs should tell you what that package has
<viric>
really?
<viric>
out & dev
<viric>
none with libsdl2main. weird
<clever>
viric: i only see a .out on SDL2, no .outputs, so it has 1 output, thats it
<philipp[m]>
clever: Do the declarative containers pull from the active profile, so is a switch or just a build needed?
<viric>
I see in hydra log: /nix/store/zy2g06kpg8d5byd8yss1c227gf2wm3cf-coreutils-8.26/bin/install -c -m 644 build/libSDL2main.a /nix/store/h03qmjqfczaadhrlhpbr9prm0fh4pv6b-SDL2-2.0.5/lib/libSDL2main.a
<clever>
mojjo: not really, you would need some ugly hacks with unionfs, or just use something raid capable (mdadm, zfs, lvm)
<clever>
philipp[m]: the declarative containers dont have their own profiles, so when you build the host, it also updates the active nixos for every container in the systemd config
<clever>
philipp[m]: and next time systemd boots that container, it uses that version
<viric>
is there anything removing static libs automatically?
<philipp[m]>
Ah, makes sense, so I can also roll back containers by rolling back my system profile.
<sziszi>
I found out: the vde switch forks to the background before a tap device initializes properly, so the next command which needs the tap0 device will fail; therefore i had to insert a "sleep 1" for a quick fix
AllanEspinosa has quit [(Ping timeout: 240 seconds)]
rawtaz has quit [(Quit: bailing)]
DarcsAurelius has quit [(Ping timeout: 240 seconds)]
<thomassgn>
Hi, trying to write a nix expression for fpm2, but keep getting "error: cannot auto-call a function that has an argument without a default value (‘stdenv’)" from nix-build -A fpm2. The default.nix can be seen at http://pastebin.ca/3768612
<thomassgn>
how to understand error?
Itkovian has quit [(Quit: My MacBook has gone to sleep. ZZZzzz…)]
DutchWolfie has quit [(Quit: Konversation terminated!)]
pikajude has quit [(Quit: ZNC 1.6.3 - http://znc.in)]
AllanEspinosa has joined #nixos
pikajude has joined #nixos
phreedom has quit [(Ping timeout: 240 seconds)]
<ndowens08>
thomassgn: can you pastebin your nix file?
phreedom has joined #nixos
fhoffmeyer2 has quit [(Read error: Connection reset by peer)]
<ndowens08>
thomassgn: just noticed, that pkg is already in the repo
<ndowens08>
at least in unstable channel
srhb has quit [(Quit: Quit)]
<schoppenhauer>
ah ok, I just need to wait longer
<ndowens08>
yeah i dont use things like that schoppenhauer , so cant answer
srhb has joined #nixos
<schoppenhauer>
ndowens08: wuuus?
<NixOS_GitHub>
[nixpkgs] globin pushed 36 new commits to staging: https://git.io/vD9Yy
<NixOS_GitHub>
nixpkgs/staging 108c6d1 Robin Gloster: socat: 1.7.3.1 -> 1.7.3.2...
<NixOS_GitHub>
nixpkgs/staging 71e8ef6 Robin Gloster: afflib: 3.7.6 -> 3.7.15
<NixOS_GitHub>
nixpkgs/staging 4277978 Robin Gloster: gsoap: 2.8.37 -> 2.8.42
<thomassgn>
ndowens08: ah thanks, still get the same error though. It is a standalone in my configuration dir, though. I understand there is a difference, but not what the difference is.
<ndowens08>
thomassgn: have you tried to install through nix-env -i ?
<thomassgn>
no, trying now.
<thomassgn>
It doesn't find fpm2 in store or as an attribute. I'm not trying to have it in nixpkgs, just as a standalone thing for hacking ++
<clever>
thomassgn: you need to add it as an override in config.nix for nix tools to know it exists
<ndowens08>
you must not be using nixos-unstable channel to get it. and nix is sorta standalone, if you install using one profile, it wont be in another
<ndowens08>
yeah i am new to nix myself, i have packaged a couple of the apps in the repo, so i know just a little lol
<pikajude>
does there exist a guide for testing kubernetes deployments on nixos?
<pikajude>
maybe by having nixos act as a kube master?
takle has quit [(Ping timeout: 260 seconds)]
ryanartecona has joined #nixos
<benley>
anyone know if it's possible to refer to other things from NIX_PATH in a NIX_PATH element? Like if I wanted to have NIX_PATH="foo=https://github.com/path/to/foo.tar.gz:bar=<foo>/path/within/foo.nix" (except this syntax doesn't actually seem to work)
<benley>
or, is it possible to refer to a specific file within a http remote tarball in NIX_PATH?
thc202 has quit [(Ping timeout: 240 seconds)]
bennofs has quit [(Ping timeout: 264 seconds)]
<pikajude>
kubelet service doesn't start
tm_ has quit [(Ping timeout: 255 seconds)]
<globin>
pikajude: ping offlinehacker[m] on kubernetes
tm_ has joined #nixos
bobthejanitor has joined #nixos
<offlinehacker[m]>
pikajude: what's the error?
<pikajude>
offlinehacker[m]: 'ln: target '/opt/cni/bin' is not a directory'
<pikajude>
"Will report 192.168.29.156 as public IP address."
<pikajude>
then exit 255
<bobthejanitor>
Quick question, I've gotten output from installing a package about collisions, and it recommends I use nix-env --set-flag priority to fix it. I cannot get it to work, because it states "matches no derivations". Should I state the priority name in full (eg nixos.kde5...) because that didn't work
<offlinehacker[m]>
pikajude: hmm weird, it just exits?
ambro718 has quit [(Ping timeout: 264 seconds)]
<pikajude>
yea
mudri has quit [(Ping timeout: 260 seconds)]
<bobthejanitor>
How do I deal with package collisions?
<offlinehacker[m]>
pikajude: are these all the logs from apiserver? i'm running this profile locally, and it works, except for manually creating /opt/cni/bin
takle has joined #nixos
<pikajude>
offlinehacker[m]: that's all that there is in the logs, yeah
Rizy has joined #nixos
<offlinehacker[m]>
pikajude: what does `etcdclt cluster-health` say?
<pikajude>
"command not found"
<pikajude>
lol
<Ralith>
bobthejanitor: uninstall whatever you're colliding with
<offlinehacker[m]>
pikajude: which version of nixpkgs/kubernetes?
<pikajude>
nixpkgs is master
<offlinehacker[m]>
unstable or latest release?
<pikajude>
as of like an hour ago
<bobthejanitor>
I've just done a blanket install of kde5, I'll probably go through and manually install each so I know everything I'm installing, but I'd like to know the best way to solve this for the future
<pikajude>
kubernetes is 1.5.2
takle has quit [(Ping timeout: 240 seconds)]
<pikajude>
anyone know how to get systemctl to show full lines in status output
<offlinehacker[m]>
hmm ok, and i guess docker is running
<pikajude>
and as an aside, why someone thought it was a good idea for systemctl to not show full lines by default
<pikajude>
well, if I run the start command manually, I get Failed to generate service certificate: open /var/run/kubernetes/apiserver.crt: permission denied
<offlinehacker[m]>
ok, if i move left and right i can see full command
<pikajude>
but it doesn't exit 255
<offlinehacker[m]>
what are permissions of /var/run/kubernetes
<pikajude>
root:root
<offlinehacker[m]>
folder
<pikajude>
0755
<offlinehacker[m]>
it should be kubernetes user
<pikajude>
that makes sense
<pikajude>
ok that fixed it
<pikajude>
how the hell did that get to be owned by root
<pikajude>
ok, everything appears to be running now
<pikajude>
thanks offlinehacker[m]
mudri has joined #nixos
<pikajude>
oh, I should be using minikube, shouldn't
<pikajude>
i don't even need kubernetes running, do I?
<pikajude>
not if I'm going to use minikube
<offlinehacker[m]>
but it might be the case that these only get created on boot
<offlinehacker[m]>
pikajude: if you want, you can just use minikube for sure
<offlinehacker[m]>
pikajude: the only difference it will run another vm
<offlinehacker[m]>
but is a more portable solution
<pikajude>
well i just want to experiment with k8s at the moment
<pikajude>
this isn't going to be exposed anywhere
<offlinehacker[m]>
pikajude: if you will be using nixos module, if you see any other issue, please report, me and @matejc are deploying a cluster using it, but i haven't had time to write complete tests for it
<pikajude>
i see, apparently both do the same thing :)
<pikajude>
offlinehacker[m]: ok, thanks for the help