<elvishjerricco>
fresheyeball: Just to be sure: You're not `imports`-ing a file that you previously used directly with nixops, right?
hakujin has joined #nixos
<fresheyeball>
elvishjerricco: yes I have actually
<elvishjerricco>
There's a difference between a nixops expression and a module
<fresheyeball>
elvishjerricco: what is the difference?
<fresheyeball>
they looked the same to me
<elvishjerricco>
nixops expressions are attrsets with keys being machine names and values being modules. Plus some special keys like `resources` and `network` with different types of values
<elvishjerricco>
so the module which you could `imports` is the thing on the rhs of the machine definition
mkoenig has quit [Ping timeout: 240 seconds]
<elvishjerricco>
yay lack of static type system :P
<fresheyeball>
elvishjerricco: right I know there are extra keys for nixops
<fresheyeball>
but if I inline the set in the other file, everything works
<fresheyeball>
but importing it with `imports = [./foo.nix];` does not work
<elvishjerricco>
fresheyeball: Well my point is that the contents of the file you'd normally use with nixops, e.g. `{ machineName = { ... }: {}; }` is not a module
<elvishjerricco>
the `{ ... }: {}` is a module
<elvishjerricco>
Excluding the special keys, the type of a nixops file is basically `Map String Module`
<elvishjerricco>
Whereas imports needs a file whose expression has type `Module`
<fresheyeball>
elvishjerricco: ok
<fresheyeball>
so I have a file
<fresheyeball>
that has a {...}: { inherit mystuff };
<kalbasit[m]>
clever: do you think it's possible to submit the wee-slack derivation to nixpkgs?
<clever>
kalbasit[m]: probably, i just never got around to it
<kalbasit[m]>
maybe a concept of `weechatScripts` ?
<rotaerk>
hmm what's the simplest way to make a shell.nix that allows me to build haskell projects with cabal, but not necessarily building with nix-build
<clever>
kalbasit[m]: it also recently got support for plugins in nixpkgs
<rotaerk>
so far all my shell.nix files have been <myproject's derivation>.env
<ekleog>
> <nixpkgs/nixos>
<{^_^}>
/var/lib/nixbot/state/nixpkgs/nixos
<ekleog>
^ fresheyeball elvishjerricco
<rotaerk>
and I'd like to avoid making a project derivation, for this
<clever>
kalbasit[m]: wee_slack.patch allows you to use weeslack without getting approval from your slack admins, which may sometimes be required
<kalbasit[m]>
clever: not sure if it's necessary with wee-slack v2
<kalbasit[m]>
I know they changed their auth, not sure how it works now though
<clever>
kalbasit[m]: stringio.patch is from an upstream PR, it was doing string appends poorly, and the slack with 16,452 users on it had several mb worth of json at connect time, and it consumed enough cpu to cause weechat to crash
<kalbasit[m]>
I'll check
<kalbasit[m]>
clever: what about the libpath patch?
<samueldr>
ah, I remember why I thought I needed to do + "/something" with paths, it was for use within a loop with a variable
<clever>
kalbasit[m]: that's to deal with the inability to patch PYTHONPATH, the recent changes in nixpkgs to support plugins properly may improve that
<leotaku>
Is there any way for a non-root user to manage ad-hoc nixos containers? The wiki says there isn't but I thought I'd still ask in case it was outdated.
hakujin has joined #nixos
<teto>
Is it possible to run the bot on a specific channel ? seems like it returned incomplete results or from a different version than nixos-unstable
<samueldr>
might just have an older index, it was tracking unstable
justan0theruser has quit [Ping timeout: 240 seconds]
justan0theruser has joined #nixos
hakujin has quit [Ping timeout: 256 seconds]
hakujin has joined #nixos
justan0theruser has quit [Excess Flood]
justan0theruser has joined #nixos
hakujin has quit [Ping timeout: 240 seconds]
justan0theruser has quit [Ping timeout: 244 seconds]
graphene has joined #nixos
justan0theruser has joined #nixos
judson has quit [Ping timeout: 276 seconds]
<rotaerk>
nm, I figured it out
<teto>
Is there a way to disable hardening when in "nix-shell -p clang" ? (aka outside mkDerivation { hardeningDisable=["all"] })
<clever>
teto: you want to use clangStdenv.mkDerivation
<clever>
teto: -p just dynamically generates a stdenv.mkDerivation with the listed packages in buildInputs
<teto>
clever: I was more thinking of an env variable like NIX_HARDENING="disable", I don't want to write a derivation, I just want to get clang in PATH then experiment with it but without the hardening
andreabedini has joined #nixos
<clever>
teto: also of note, every attribute you put on a derivation becomes an env var
<clever>
teto: so you can just hardeningDisable=all nix-shell -p clang
mkoenig has quit [Ping timeout: 240 seconds]
sigmundv has quit [Ping timeout: 244 seconds]
<teto>
clever :o ! (i.e., "nice !")
mkoenig has joined #nixos
<{^_^}>
[nixpkgs] @dlahoti opened pull request #44658 → add `extraConfig` section to `networking.wireless` → https://git.io/fNyKF
<teto>
hum, even with "hardeningDisable="all" nix-shell -p llvm_5 clang" , when I run clang -v I get the stack protector
jtojnar has quit [Remote host closed the connection]
jtojnar has joined #nixos
<clever>
teto: what about with: nix-shell -E 'with import <nixpkgs> {}; clangStdenv.mkDerivation { hardeningDisable=["all"]; name = "name"; }'
worldofpeace_ has quit [Ping timeout: 256 seconds]
hakujin has joined #nixos
<Orbstheorem>
Hi, I recently discovered a binary the build process of a package I'm working on silently downloads sources from the internet on build. Is there any way to prevent packages from doing this kind of stuff?
hakujin has quit [Ping timeout: 256 seconds]
<Orbstheorem>
s/binary the/binary in the
ma27 has quit [Quit: WeeChat 2.0]
<joepie91>
Orbstheorem: sandbox mode should prevent this iirc
<selfsymmetric-mu>
adisbladis[m]: Thank you!
<teto>
Orbstheorem: sandbox cuts off the internet. Some well-written packages (fcitx ) will check for the file existence before downloading it so you can let nix download and put the archive where it is expected
<teto>
else you will need to patch upstream I think
<mbrgm>
hey! is someone running ejabberd on nixos? I'm having a hard time setting it up... the ExecStart= of the service always fails with Failed 'RPC connection to the node ejabberd@localhost: nodedown', although I'm using the default configuration file.
<typetetris>
I would like all the machines in a company to use a central nix store. How could I achieve that?
reinzelmann has joined #nixos
hyper_ch2 has joined #nixos
<joepie91>
typetetris: a central nix store or a central binary cache?
techtangents has joined #nixos
<{^_^}>
[nixpkgs] @xeji merged pull request #44655 → Add costrouc to maintainer list → https://git.io/fNywF
<{^_^}>
[nixpkgs] @xeji pushed commit from @costrouc to master « Add costrouc to maintainer list (#44655) »: https://git.io/fNyMp
<techtangents>
Hi all! My team is hoping that Ansible 2.6 will come to Nix soon. Does anyone know if/when/how this could happen?
<joepie91>
techtangents: 2.5 seems to have already been packaged on unstable, but not 2.6; the fastest way would be to submit a PR that adds 2.6 :)
<teto>
is there already a merge functions (module related) to merge options true and false into false ?
<clever>
teto: the types.bool in the module system will throw an error if the bools don't agree on a value
<clever>
and if you don't set a type at all, it will prefer true when they conflict
<Guanin>
Hi, is there anything I need to watch out for when configuring NixOS with xmonad? I wrote a few weeks ago that some apps only start on the second try, and the first one crashes due to some libGL problems. I tested them on the live disk and they seem to work flawlessly
<Guanin>
Or has anything libgl related changed in the last few weeks (how can I find out?)
Leo` has quit [Ping timeout: 248 seconds]
Moredread has quit [Ping timeout: 248 seconds]
Leo` has joined #nixos
<teto>
clever: ok thanks, I setup a simple merge function for false to win any is there
<{^_^}>
[nixpkgs] @srhb pushed commit from @neonfuz to master « crispy-doom: init at 5.2 (#44536) »: https://git.io/fNy9M
<tobiasBora>
Whoo, nixos takes quite a bit of space, I tried a very minimal install, and my 1Gb qemu partition was not enough. It's not possible to install a more minimal install?
<ekleog>
hmm what am I doing wrong? nix-store --export $(readlink /run/current-system) | wc -c is quite obviously not giving me the right size for my closure (giving me 45M) (I know of nix path-info, just wonder why --export isn't doing what I'd expect)
<ekleog>
tobiasBora: fwiw, the system I'm currently running (a full nixos not particularly tried to be reduced) fits in ~4G minimum (but for easy rebuilds etc. it's much better to have at least twice that)
<ekleog>
Dezgeg: ooooh indeed, it's not recursive, I hadn't read the example in the docs well, recursion was handled by the -qR in the query
<clever>
kernel&initrd are directly passed to qemu, root disk is passed as a virtual cdrom, because that's the only thing in qemu that supports read-only files
<tobiasBora>
amazing
<tobiasBora>
Can I still add a disk for apps that needs databases, or user accounts...?
<clever>
yeah
<tobiasBora>
perfect
<clever>
just add another -drive param for a writable image, and modify the stage-1 script to mount it
<clever>
kiloreux: hmmm, buildPythonPackage supports these 4 types, but it's not clear which one is requirements.txt
<typetetris>
joepie: Actually I am open to suggestions there, but what I want is: If Program P is installed at Computer C1 (build or substituted), and someone wants to install Program P at Computer C2 afterwards, it should not be built again and not be downloaded again from some third party cache, like the official nixos binary cache.
<FRidh>
kiloreux: the supported way is writing expressions for individual packages. pip installing an env is not supported, however, some people do it using nix-shell.
<typetetris>
joepie: I would take, whatever solution takes me there.
<joepie91>
typetetris: you're missing two characters in my nickname, so it didn't highlight me :P but yeah, I don't know if there's any 'caching proxies' for binary caches
<kiloreux>
FRidh, is there a way to generate a file from requirements.txt ? Something like bundix and go2nix ?
<srhb>
typetetris: The "easy" way to achieve this is to ensure all builds are always done on some upstream machine.
mayhewluke has joined #nixos
<colemickens>
Hm, is that easier than just doing `nixos-rebuild --build-host ...` ?
<srhb>
I don't know of a trivial way to push all "incidental" local builds upstream
<srhb>
It would be cool though
<kiloreux>
pypi2nix didn't work out for me too well last time honestly.
<srhb>
colemickens: Probably not.
fendor has joined #nixos
<colemickens>
@typetetris can you stand to pull from the other machine directly? or do you need to push to a local central server that the local machines could pull from?
<colemickens>
Actually, the `nixos-rebuild --build-host` was tricky to get right with the build user, etc, since I don't do root logins, so maybe that's not easier anyway.
hakujin has joined #nixos
<typetetris>
colemickens: I don't understand what the benefit would be, if you talked to "other" machines directly. If you want to install Program P you would need a way to discover, which other machines already have it and from which to pull it. Sounds more complicated to me.
<colemickens>
@typetetris Gotcha, I wasn't sure of the exact setup since I lost my scrollback somehow. In my case, I only have two machines so it works fine.
<colemickens>
I'm not sure the binary package cache is what you need either, that's just for stuff pre-built on cache.nixos, may or may not include the other locally built package.
<typetetris>
Here we have around 50 machines, that would possibly be involved.
<srhb>
typetetris: With that sort of setup, I've done what I suggested before.
hakujin has quit [Ping timeout: 256 seconds]
<colemickens>
@srhb do you sign your packages or do you have your downstream machines run with a trusted user to install unsigned packages? (just confirming that I understand correctly that those are the two options...)
<srhb>
colemickens: I always sign.
<typetetris>
srhb: I am not sure, I understood what you suggested. "Ensure all builds are always done on some upstream machine." Does that mean, setting up my own hydra server and using it to build nix expressions from some local git repo?
<srhb>
typetetris: Not necessarily. You could just have all machines use the same remote builder that also acts as a cache
<srhb>
So whenever user A builds something, it's sent to the server S, which also acts as a cache for everyone.
<srhb>
It's a bit inconvenient if you _want_ to preserve local build functionality. In that case you probably want to wrap the necessary options up in some nice commands.
<{^_^}>
[nixpkgs] @dotlambda pushed commit from @r-ryantm to master « spectre-meltdown-checker: 0.37 -> 0.38 (#44688) »: https://git.io/fNyFv
<typetetris>
That sounds like a good start, I need to look up, how it is done. It is the '--builders' Option to nix-build?
<typetetris>
Actually a workflow like: "Ask if the cache has what I need, if not build locally and push to cache." would be better to distribute the build load, some synchronisation on top would be dope.
<typetetris>
With synchronisation I mean, you know, whether someone else is building it already and you are able to wait for him.
<colemickens>
Hm, it would be nice if you could have the best of both worlds, serve the build cache over HTTP with nix-serve but have it fallback to a remote build on the cache machine if the cache machine didn't have it pre-built. Though I think the latter part requires SSH access from a downstream machine to the cache server.
<kiloreux>
FRidh, I am getting weird errors with it like this "pip can't proceed with requirements 'awscli==1.11.165 (from -r /tmp/pypi2nix/553e2445532c62395482049605e5684b/536f29a939ff66d44ff1cb5ecab40fae.txt (line 1))' due to a pre-existing build directory (/tmp/pypi2nix/553e2445532c62395482049605e5684b/build/awscli). This is likely due to a previous installation that failed. pip is being responsible and not assuming it can delete this. Please delete it and try
<kiloreux>
again."
<typetetris>
ssh access would be ok.
<clever>
colemickens: you could just set up nix-serve on every machine in your LAN, and configure them all to read each other's nix-serve url
<clever>
colemickens: but there is a bug in nix that causes it to never give up when a given url is offline
<dhess>
I agree with typetetris. This happens to me frequently with NixOps deployments. I deploy usually from my desktop, but sometimes from my laptop. The laptop is always behind and when I want to do a deployment from there (using the same nixpkgs, etc., they're all pinned), it spends a bunch of time building derivations that I know are already built on the desktop
<kiloreux>
It doesn't seem like pypi2nix is working as expected.
<clever>
dhess: add the desktop as a cache for the laptop?
<colemickens>
@clever interesting. that would be really missy/noisy at first though right? but over time each machine would end up with the package. fun to think about.
<FRidh>
kiloreux: can't help you with it; I don't use it.
<{^_^}>
[nixpkgs] @dotlambda pushed commit from @costrouc to master « pythonPackages.docrep: init at 0.2.3 (#44665) »: https://git.io/fNyFW
<kiloreux>
FRidh, Ahh I see. Thank you still :D .
<dhess>
clever: sure for my case, but eventually this becomes an M-to-N problem.
<colemickens>
dhess: if you're like me and you just have two machines in this scenario, you can use `nixos-rebuild --build-host` to get that more optimal.
<dhess>
colemickens: well i already have a fleet of build hosts that both machines use, neither actually does the builds locally
<colemickens>
too bad the ipfs stuff hasn't panned out (yet?)
<dhess>
they just cache the products locally before deploying them via NixOps.
fendor has quit [Read error: Connection reset by peer]
vandenoever has joined #nixos
<clever>
dhess: basically, you configure all of the nix-serve's in one central place, that runs cachecache, and that then provides a single cache url, and will mux it out and cache the replies
<dhess>
clever: I will take a look, sounds interesting.
<vandenoever>
what is the best way to avoid long compile surprises on 18.03-release? I was thinking some script to update at night before going to bed
<clever>
vandenoever: nixos-rebuild build, after updating the channel
<colemickens>
@dhess I might be too weak in my Nix knowledge here to understand the distinction then. Is it just about having to rebuild the derivations themselves on the other machines?
<vandenoever>
having to compile gcc, bash etc after a 18.03 release channel update is not uncommon
<clever>
vandenoever: if you're following channels properly, then gcc shouldn't rebuild
<clever>
vandenoever: then it should just grab gcc and bash from the cache
<vandenoever>
clever: and it's quite often that i need to rebuild gcc, binutils, perl etc
<dhess>
colemickens: the laptop sees that the derivations aren't in its local /nix store, so it starts downloading things and asking the remote builders to build things. Most of the time the remote builder already has it and so it just gives back what's in *its* /nix store, but the round-trip time slows things down.
<dhess>
I don't really have a good answer for how to speed it up. I guess what I really want the laptop to know is that, hey, the machines you're deploying to already have like 99% of the derivations that you're trying to deploy, so just build the handful of things that they don't
<dhess>
because when the laptop is done copying everything into its /nix store, most of the time it doesn't even deploy anything!
<clever>
vandenoever: yeah, you have no cache support and must build everything, gentoo style!
<dhess>
so I guess I want a "catch-up" mode or something.
<clever>
dhess: yeah, nixops wants a complete copy of the closure locally, before it even tries to update the machines
<dhess>
clever: right
<dhess>
I would also like it if NixOps told the machines in the deployment where to go to get the derivations, rather than pushing them itself.
<clever>
dhess: there is a flag to allow the remote machines to use their own binary cache config to speed things up
<dhess>
which would solve this problem and just be much faster in general.
<clever>
for example, when managing machines within my house, true would be best, since my gigabit trumps the modem
<dhess>
wait so I should turn that off if I want the hosts to download directly?
<clever>
correct
<clever>
but also, my nixops machine is the laptop, with its cruddy 54mbit wifi
<dhess>
ohhh. it's named even worse than I thought then
<clever>
so setting it to false would make the slaves use the 300mbit fiber modem, and deploy faster
qtoni has quit [Quit: Leaving]
<clever>
oh, and if you set it to false, nix-copy-closure will also gzip things
<dhess>
right that's the bit I remember seeing
graphene has quit [Remote host closed the connection]
<dhess>
I did not feel I needed that as I have a fast LAN for my Hydra builds and pretty decent ISP service.
<dhess>
I think that's what led me to turn it on
graphene has joined #nixos
<clever>
during the deploy, it will also tell you if it's fetching from a cache or copying to the slave, for each storepath
<vandenoever>
what are the right values for nix.binaryCaches and nix.trustedBinaryCaches? not setting them still lets nixos-rebuild compile all the basics
<dhess>
ok I should play with that setting then. I might have configured it backwards.
<clever>
vandenoever: not setting them is correct, but the change only takes effect after nixos-rebuild has finished
<vandenoever>
clever: autch :-P
<vandenoever>
clever: does gc-keep-outputs and gc-keep-derivations have an influence?
<clever>
vandenoever: you can also `nixos-rebuild build --option substituters https://cache.nixos.org` to bypass the current config immediately
<clever>
vandenoever: those only control what nix-collect-garbage can delete
qtoni has joined #nixos
<vandenoever>
clever: ok, is substituters spelled ok? it's still compiling
<clever>
i copy/pasted it because i dont trust myself with that word :P
graphene has quit [Remote host closed the connection]
sophiag has quit [Ping timeout: 240 seconds]
graphene has joined #nixos
betaboon has joined #nixos
jgt has joined #nixos
<jgt>
trying to build a Haskell package and running into: "This package indirectly depends on multiple versions of the same package. This is very likely to cause a compile failure."
<jgt>
anyone know how I can get around that?
<srhb>
jgt: Don't depend on multiple versions of the same package :P
<jgt>
srhb: :(
<srhb>
It should tell you which package is the culprit.
<jgt>
srhb: I don't think I am though; or at least, I think I am somehow depending on the same versions, but compiled differently
<srhb>
I think that's essentially the same thing.
<jgt>
srhb: so they have the same version numbers, but different hashes
hakujin has joined #nixos
<srhb>
I think they must be the exact same.
<srhb>
That is, there should only be one of each (name) in the graph. :)
carlosdagos has quit [Quit: Connection closed for inactivity]
worldofpeace_ has quit [Ping timeout: 256 seconds]
<dhess>
jgt: probably what's going on is that one of the Haskell packages your package is depending on is specifying a package override (in pkgs.haskellPackages)
<jgt>
srhb: I can be more specific with my problem. I'm depending on a haskell package called 'cassava'
<dhess>
so if you can figure out which one that is, you can override it yourself in an overlay or in your project
<dhess>
assuming it builds with the override.
<jgt>
srhb: dhess: cassava fails to build because 'Setup: Encountered missing dependencies: bytestring >=0.9.2 && <0.10.4, text-short ==0.1.*'
v0|d has joined #nixos
hakujin has quit [Ping timeout: 240 seconds]
<srhb>
jgt: Jailbreak if you can?
<dhess>
jgt: are you familiar with doJailbreak?
<srhb>
Failing that, override the version.
<v0|d>
hello, what might be the reason for having mount: No such file or directory in ecryptfs-mount-private, any ideas?
<jgt>
srhb: dhess: yes, I'm familiar with overrideCabal and most of those options under pkgs.haskell.lib
<jgt>
it might be that I'm overriding the wrong package
<{^_^}>
[nixpkgs] @yrashk opened pull request #44699 → nodePackages.tiddlywiki: init at 5.1.17 → https://git.io/fNyxk
arahael1 is now known as ArahaelPi
<dhess>
jgt: try doJailbreak on cassava, then.
<srhb>
jgt: Which channel is this and what combination of packages is the problem?
<jgt>
dhess: srhb: Ok, I found the issue. I screwed up when doing the self/super dance
<srhb>
jgt: Great. :)
<jgt>
I had 'cassava = pkgs.haskell.lib.addBuildDepend (pkgs.haskell.lib.dontCheck (pkgs.haskell.lib.appendConfigureFlag pkgs.haskellPackages..cassava "-f-bytestring--LT-0_10_4")) self.text-short;', whereas I should have had 'cassava = pkgs.haskell.lib.addBuildDepend (pkgs.haskell.lib.dontCheck (pkgs.haskell.lib.appendConfigureFlag super.cassava "-f-bytestring--LT-0_10_4")) self.text-short;'
orivej has joined #nixos
<srhb>
ugh how I miss (.) in those crazy stacks...
<jgt>
ignore the '..' typo I made in the above snippet
<jgt>
sorry for not describing the problem more clearly, and thanks both of you for rubber ducking
<srhb>
quack.
<dhess>
🎉
<jgt>
(not implying you weren't both helpful) :grimace_emoji:
<dhess>
no worries of course
Maxdamantus has quit [Ping timeout: 268 seconds]
<srhb>
Haha, not at all. :-)
<srhb>
#nixos is great for rubber ducking, not to be underestimated.
<mikeplus64>
i got a project to build and am now getting cabal2nix install fails that i can't explain... using this as default.nix, any ideas? https://lpaste.net/4186809041550311424
<mikeplus64>
see paste for the error
<betaboon>
qknight: did you succeed ? :D
<mikeplus64>
oh, ?????, it works if i don't fix the version of nixpkgs
<sigtrm>
Sorry if this is a dumb question, but where can I find the rpi 3 aarch64 installation files from NixOS. All it says on the wiki is that it is recommended to use aarch64, but then mentions where to get the community supported version, not the upstream version
<colemickens>
what's the process for adding to development/node-packages/* ? I tried to add something to the json and regenerate but the diff is rather huge
<srhb>
Not sure if there's any gotchas with the bridge
<mikeplus64>
anyone know why a build with pinned nixpkgs, using latest nixpkgs git as of a few minutes ago, might break, when one that just uses `import <nixpkgs>` doesn't, even though afaik it should be the same?
<timokau>
srhb: Yeah I don't understand the NickSrv thing 100%. But when I tell NickSrv "INFO" it tells me my account name and the date I registered. Doesn't that mean I'm identified?
<mikeplus64>
srhb: i think so? i don't know how to check what version <nixpkgs> is using... i guess trove around NIX_PATH to find it?
hamishmack has quit [Read error: Connection reset by peer]
<srhb>
mikeplus64: nix-info should help
<teto>
could someone share an example of nix overlay that jailbreak a haskellPackages ? I can't find it in nixpkgs manual (would be cool to add it there too)
<timokau[m]>
srhb: re-identifying did the trick, thanks! No idea why I was logged out.
graphene has quit [Remote host closed the connection]
init_6 has quit []
gerschtli has joined #nixos
gerschtli has quit [Quit: WeeChat 2.0]
<srhb>
timokau[m]: Gret :)
<srhb>
... great
graphene has joined #nixos
afics has quit [Ping timeout: 240 seconds]
hakujin has joined #nixos
asymmetric_ has quit [Quit: Leaving]
graphene has quit [Remote host closed the connection]
graphene has joined #nixos
gerschtli has joined #nixos
init_6 has joined #nixos
gerschtli has quit [Client Quit]
gerschtli has joined #nixos
hakujin has quit [Ping timeout: 256 seconds]
<mikeplus64>
srhb: THANKS! although it's fixed my understanding probably isn't. is <nixpkgs> equivalent to nixpkgs HEAD at the time of the last 'nix-channel --update'?
fendor has quit [Remote host closed the connection]
<srhb>
mikeplus64: No, it's equivalent to the channels repo branch HEAD corresponding to your channel
<srhb>
mikeplus64: For instance, the head of channels/nixos-18.03
fendor has joined #nixos
<mikeplus64>
ah, okay
<srhb>
mikeplus64: HEAD of nixpkgs master gets promoted to channels/nixos-unstable and some other channels depending on certain hydra test jobs
<aminechikhaoui>
srhb: hm what do you mean by whithout . ?
<aminechikhaoui>
example ?
<srhb>
foo or 42 is an error if foo is undefined
<aminechikhaoui>
without *
<srhb>
Not sure what you're really trying to achieve there though.
<aminechikhaoui>
I want to make sure ldd is available with the same expression but with different nixpkgs version which can go back to 15.09
gerschtli has joined #nixos
<srhb>
And you're attempting to switch on whether or not runCommandCC exists
<srhb>
?
<srhb>
The only thing you need to make it possible is to use let pkgs = import <nixpkgs> {}; in pkgs.runCommandCC or ...
<mikeplus64>
srhb: ahhhh okay i think i get it. so each nixos version (e.g. 18.03) morally receives minor/non-breaking-change upgrades to all packages within, and nixpkgs branch release-18.03 acts as a staging area for nixpkgs-channels/nixos-18.03, and gets copied there if hydra tests pass
<aminechikhaoui>
what I expected is that if it's not defined it'll use runCommand
<srhb>
aminechikhaoui: That is, as far as I know, in order to use "or" it *must* be used on an attribute in an attrset. You can't use it on "bare variables"
<aminechikhaoui>
ahh
<srhb>
That is, foo.bar or 42 is valid, bar or 42 is not
<aminechikhaoui>
lemme try that
<Dezgeg>
you could skip runCommand and use stdenv.mkDerivation directly
<aminechikhaoui>
nice it works now srhb
<srhb>
aminechikhaoui: Good :)
mkoenig has quit [Ping timeout: 244 seconds]
abcrawf has quit [Remote host closed the connection]
<{^_^}>
[nixpkgs] @hedning opened pull request #44720 → nixos/shells: Avoid overriding the environment for other child shells → https://git.io/fNSnN
ma27 has quit [Quit: WeeChat 2.0]
ma27 has joined #nixos
ma27 has quit [Client Quit]
ma27 has joined #nixos
ma27 has quit [Client Quit]
<d1rewolf>
guys, running i3 on a 4k laptop screen and the mouse cursor and fonts in certain apps (qutebrowser, alacritty) are very small. I created an ~/.Xresources and set Xft.dpi to 220, and xrdb -query shows that the setting takes, but everything is still small.
<{^_^}>
[nixpkgs] @xeji pushed commit from @dtzWill to master « bloaty: 2018-06-15 -> 1.0 (#44716) »: https://git.io/fNSWi
<d1rewolf>
gchristensen: one thing which seems to work is to use xrandr to force resolution to 1080 instead of 4k. do you know if there's any harm or drawbacks from doing so?
<{^_^}>
Henson: If a Nix file foo.nix starts with something like `{ stdenv, cmake }:`, you can build it with `nix-build -E '(import <nixpkgs> {}).callPackage ./foo.nix {}'`
<infinisil>
Henson: then it's pythonPackages.callPackage instead of just callPackage
andreabedini has joined #nixos
<andreabedini>
I am trying to make nix build use s3 as a cache doing `nix build --store s3://my-bucket` but it seems to do ... nothing
vmandela has quit [Quit: Leaving]
<andreabedini>
specifically, if I do `nix build -f '<nixpkgs>' hello --verbose --store s3://my-bucket` it looks like it's computing all the derivations and saving them on s3
<andreabedini>
but then there's no build
pierron is now known as nbp
<Henson>
infinisil: ahhh, thank you.
nbp is now known as pierron
<srk>
andreabedini: --option substituters (might be better than --store, not sure)
selfsymmetric-pa has quit [Remote host closed the connection]
<srk>
would say that --store will use remote store passed as an argument for building the derivation
<rauno>
any examples or tips on using a python script as systemd service ?
<srk>
but something like --substituters https://cachix.cachix.org --trusted-public-keys cachix.cachix.org-1:<hash>
<srk>
will only tell nix build to look for binary caches there
<rauno>
script with a shebangs #! /bin/env nix-shell
<rauno>
#! nix-shell -i python3 -p python36Packages.libvirt works perfectly, but probably systemd service is more isolated and doesn't find nixpkgs path..
<betaboon>
gchristensen: how is your nixops+teraform proposal going ?
<andreabedini>
srk: how do I copy the paths back to the cache?
<srk>
andreabedini: with nix copy
hakujin has joined #nixos
<srk>
rauno: pass it via path = to service config
<andreabedini>
srk: does nix copy copy only the single path or its closure?
<srk>
andreabedini: you can even use it to copy your toplevel closure :))
<srk>
yw!
<andreabedini>
:thinking:
<andreabedini>
I wonder if I should actually do that
<andreabedini>
I'm setting up some CI/CD stuff
<andreabedini>
and I'd rather not hit cache.nixos too much
<srk>
if it doesn't contain any secrets it should be ok
<gchristensen>
andreabedini: why not?
<srk>
cloudfared anyway :)
<andreabedini>
ok, it's all on AWS and there's a CDN, but maybe I don't need that extra traffic
<srk>
is it possible to prioritise substituters?
<andreabedini>
oh, important part, each build runs on a container so starts with an empty store
<srk>
lets say you have fast cache on LAN which you would like to prioritize over internet
<andreabedini>
so I would end up downloading a ton
<andreabedini>
yeah, I think substituters are tried in order
<srk>
hmm
<andreabedini>
I still don't understand what nix build --store s3://my-bucket does
<gchristensen>
andreabedini: you could put a simple http squid proxy between your builder and the cache
<gchristensen>
to reduce bandwidth and improve locality
<rauno>
srk, thx!
pierron is now known as nbp
hakujin has quit [Ping timeout: 265 seconds]
hakujin has joined #nixos
jD91mZM2 has joined #nixos
afics has joined #nixos
nuncanada has joined #nixos
Fare has joined #nixos
simukis has joined #nixos
orivej has joined #nixos
layus has joined #nixos
<layus>
What are these {memory:83} -> ... in my nix-store --gc --print-root ?
alex`` has quit [Ping timeout: 248 seconds]
<symphorien>
some running process has a store file mmaped
<symphorien>
For example
<layus>
Ah... how does nix even know about that ?
<layus>
How can I track down that process ?
<symphorien>
It's written in /proc
<symphorien>
You can use fuser if you know the file
<symphorien>
Or lsof if you know the process
<symphorien>
The 83 might be the pid
<layus>
It is not a pid. There is no such pid
hakujin has quit [Ping timeout: 240 seconds]
leotaku has joined #nixos
hakujin has joined #nixos
<leotaku>
So... I seemingly have managed to lock myself out of my system... I did a nixos-rebuild with "--install-bootloader" which must have messed something up. What options do I have?
<elvishjerricco>
Something I don't understand about trust in nixpkgs: If untrusted users are allowed to do arbitrary builds, why can't they pull arbitrary, unsigned paths from binary caches?
<kiloreux>
How can I override a package step ?
hakujin has quit [Ping timeout: 256 seconds]
<elvishjerricco>
Derp, it's because we don't care about build processes; we only care that a build is actually the result of a particular `.drv`. Building the `.drv` yourself (even as an untrusted user), or getting the path signed are the two ways to ensure this.
<typetetris>
How is terminfo stuff handled in nix? Actually I am running into this https://github.com/tmux/tmux/issues/1264 with tmux,st,nvim with nix on debian8 (nixpkgs-master, nix-channel --update a few minutes ago). Seems to be a bug in terminfo entry for st.
<rauno>
when adding pkgs.python36Packages.lxml to service path then why it points to */bin directory of this package which even doesn't exist in nix store ?
<leotaku>
I am trying to restore my unbootable system. I tried to follow the guide here: , but running the last command results in the error "Could not prepare boot variable: no such file or directory".
<samueldr>
leotaku: basic question, but to reduce the questions tree: do you know if you booted in uefi mode, and have booted in uefi mode?
ma27 has quit [Quit: WeeChat 2.0]
<leotaku>
samueldr: My installation (the one I am trying to fix) or the "rescue" live usb.
<leotaku>
?
<samueldr>
the live usb
ma27 has joined #nixos
<leotaku>
samueldr: no, I did not
<samueldr>
and is your install a legacy install (if you booted the live system in legacy bios boot)
<samueldr>
(basic checkup, but it's simpler if the live boot is booted in the same mode as the system will be)
selfsymmetric-pa has joined #nixos
ersran9 has quit [Ping timeout: 256 seconds]
<leotaku>
I don't quite follow the question but basically if my install was efi i should also boot the live usb that way, correct?
<samueldr>
yes
<samueldr>
(makes things easier to debug, and some things are only possible that way)
<selfsymmetric-pa>
I'm having trouble using `mbsync` service from `home-manager`. The `PassCmd` in my `.mbsyncrc` is `gpg2 -q --for-your-eyes-only --no-tty -d`, but it does not prompt me to decrypt.
<selfsymmetric-pa>
If I run `mbsync` myself, then it prompts normally.
<leotaku>
samueldr: should I first retry what I did with the live usb booted in efi mode and then get back to you if things still don't work?
<selfsymmetric-pa>
`mbsync.service` fails with `sh: gpg2: command not found`
Drakonis has joined #nixos
selfsymmetric-pa has quit [Quit: Using Circe, the loveliest of all IRC clients]
selfsymmetric-pa has joined #nixos
<leotaku>
samueldr: I retried the steps of the tutorial again (booted in efi mode) but unfortunately I got the same error.
selfsymmetric-pa has quit [Read error: Connection reset by peer]
selfsymmetric-pa has joined #nixos
revtintin has joined #nixos
Ariakenom_ has quit [Ping timeout: 244 seconds]
<samueldr>
entirely possible, you may even have been booted using uefi beforehand
<samueldr>
leotaku: what brand of laptop/tower/motherboard is this? (just to confirm suspicions if others had a similar issue with any linux systems)
<leotaku>
samueldr: any idea what i could try next?
<samueldr>
leotaku: if you do `mount | grep efivar` and have a line "efivarfs on ..." your system is probably booted fine... but maybe has a weird UEFI implementation
<samueldr>
couldn't find confirmation about your model
<selfsymmetric-pa>
Hey #nixos, what's the right way to version-control my configuration? I have most of my configuration /etc/nixos, in a git repository where I have to type sudo a lot. I also have a home-manager configuration in ~/.config/nixpkgs/home.nix. This feels a little lopsided. How do you manage your config?
ma27 has quit [Client Quit]
<Dezgeg>
you could symlink /etc/nixos/configuration.nix to your home directory
ma27 has joined #nixos
<gchristensen>
or change the NIX_PATH to use a different nixos-configuration path: $ echo $NIX_PATH
<selfsymmetric-pa>
Oh okay, gchristensen that seems way better.
<typetetris>
hmm, why does a change to ncurses trigger a rebuild of libX11 ?
<selfsymmetric-pa>
gchristensen: I feel like NIX_PATH is very low-level though. Where should I specify it?
puck has quit [Quit: *eh*]
<selfsymmetric-pa>
Or do I just put it anywhere before doing a `nixos rebuild switch`?
<gchristensen>
I think you can set the nix.nixPath option to have it, like nix.nixPath = [ "nixos-config=/home/selfsymmetric-p/nixos-config/" ]; and then do a nixos-rebuild switch, and then move your config to your home dir
<Dezgeg>
I'd guess the dependency chain is something like ncurses -> python -> libxml2 -> {some xml documentation thing} -> libX11
<gchristensen>
you'll probably need to log out and log back in for the environment variable to be updated
<selfsymmetric-pa>
Got it.
ma27 has quit [Client Quit]
Mr_Keyser_Soze99 has quit [Quit: Leaving]
<selfsymmetric-pa>
Another question: what is the difference between "programs" and "services" in NixOS? Sometimes I have a hard time distinguishing between the configuration options of `services.foo` and `programs.foo`.
<selfsymmetric-pa>
To unpack that a little, some services like `mbsync` are associated with an executable, also called `mbsync`. So how does a package maintainer decide where to put a particular piece of functionality?
dvim has quit [Quit: WeeChat 2.2]
<gchristensen>
a service usually means it has a systemd service or long-running process
<gchristensen>
a `program` option is usually for a program you execute manually but needs a global thing configured first
puckipedia has joined #nixos
<selfsymmetric-pa>
I see. In a well-maintained package is it possible for `service.foo` to be affected by `programs.foo`? Or does good practice mean that they are independent?
<gchristensen>
most packages don't have a program or service module
<gchristensen>
I don't know if there are guidelines about that specific question
<selfsymmetric-pa>
Okay! No worries, I'm asking after nuances here. Thanks for the notes. :)
<leotaku>
samueldr: what does "appropriate location" mean? Can I just mount the boot drive somewhere and supplement the path in the instructions with that path?
<samueldr>
uh, appropriate could have been arbitrary too, just mount the ESP to somewhere
<samueldr>
and in those instructions the ESP is mounted at /boot
<leotaku>
samueldr: and the refind binary is self-contained right? So I can run the build command from the live usb.
<samueldr>
yeah
<samueldr>
the nix-build command is basically to use the cached version that's already built by hydra for us
<leotaku>
thank you for your help samueldr, I honestly really appreciate it!
<samueldr>
leotaku: great to hear that the workaround is useful
<samueldr>
do note that *it's not an actual fix* it adds a step during the boot process
<samueldr>
but wooh, is rEFInd a useful thing sometimes when things go sour
<leotaku>
samueldr: Yeah it's kind of strange. I could not boot from refind directly but rather booted from refind to grub, which then allowed me to boot my actual system.
ryanartecona has quit [Quit: ryanartecona]
<samueldr>
oh yeah, that's the expected thing
<samueldr>
nixos doesn't have rEFInd support (yet)
<leotaku>
samueldr: oh, ok
<samueldr>
you could also realistically change your settings to boot.loader.grub.efiInstallAsRemovable = true
<samueldr>
which will set grub to be installed as bootx64.efi
<selfsymmetric-pa>
Ah okay I found mine here: `/nix/store/04fiya0is10s6m2c895bqsb0w82n0abm-nixos-18.03/nixos/nixpkgs/nixos`
<selfsymmetric-pa>
What do I do with it?
hakujin3 has joined #nixos
<srk>
try with 'nixpkgs=/nix/store/04fiya0is10s6m2c895bqsb0w82n0abm-nixos-18.03/nixos/nixpkgs/'
hakujin2 has quit [Ping timeout: 256 seconds]
<selfsymmetric-pa>
I tried `NIX_PATH="nixos-config=/etc/nixos/configuration.nix:nixpkgs=/nix/store/04fiya0is10s6m2c895bqsb0w82n0abm-nixos-18.03/nixos/nixpkgs/" sudo nixos-rebuild switch --upgrade`, but same error. :(
halfbit has joined #nixos
<selfsymmetric-pa>
If I do `sudo nixos-rebuild switch --upgrade -I .` in the right directory I get `error: opening file '/home/self-sym/log/nixos/default.nix': No such file or directory`.
Henson has joined #nixos
<clever>
selfsymmetric-pa: try `sudo -i` then set NIX_PATH and run nixos-rebuild
<clever>
sudo will mess with env vars
<Henson>
if I wanted to have my own private list of Nix packages to use in development, what would be the best way to do that? Make my own nix-channel from a tar.xz file?
<selfsymmetric-pa>
clever: That was it! Thank you!
<srk>
,overlay Henson
<{^_^}>
Henson: Overlays look like `self: super: { foo = ...; }`. Use the self argument to get dependencies, super for overriding things and library functions (including callPackage). More info: https://nixos.org/nixpkgs/manual/#sec-overlays-install
hakujin4 has joined #nixos
<selfsymmetric-pa>
clever: How can I set those vars permanently now?
<clever>
selfsymmetric-pa: nix.nixPath will control the defaults for NIX_PATH
<selfsymmetric-pa>
clever: excellent
<clever>
and it only takes effect after nixos-rebuild has finished
hakujin3 has quit [Ping timeout: 265 seconds]
selfsymmetric-pa has quit [Remote host closed the connection]
<jabranham>
what is the equivalent of ~/.xinitrc in nixos? In arch I had this file start my status bar and my WM but it seems to get ignored in nixos
oida has quit [Ping timeout: 250 seconds]
<leotaku>
jabranham: do you use home-manager?
<selfsymmetric-pa>
FYI the working NIX_PATH is `nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels`
<jabranham>
leotaku: no, I'm just starting with nixos
<jabranham>
leotaku: figured I should get acquainted with the OS before adding things on
Neo-- has joined #nixos
<infinisil>
jabranham: What display manager are you using? Also what DE and/or WM?
<{^_^}>
[nixpkgs] @Ericson2314 pushed 3 commits to staging: https://git.io/fN9J6
<{^_^}>
[nixpkgs] @Ericson2314 merged pull request #44517 → stdenv: simplify a bit using shadowing → https://git.io/fNXXz
<jabranham>
infinisil: the DM is whatever the stock one is. SDDM? I don't use a DE/WM. I usually just call "exec emacs" from ~/.xinitrc when the X server starts
bshelden has joined #nixos
<Henson>
srk: ok, thanks for the info. This gives me something to run with
<Henson>
leotaku: thanks for the link, I'll look into that
<infinisil>
You can put whatever you want in there as your session, so e.g. an emacs start and a wait until that process terminates. As soon as this script ends your x session ends
<{^_^}>
[nix] @bobvanderlinden opened pull request #2338 → mention `nix-store --query --roots` when a path cannot be deleted → https://git.io/fN9Ug
<leotaku>
infinisil, jabranham: That method also allows different users to have different WM/DEs etc.
<jabranham>
infinisil: thanks, I think that's exactly what I want
<jabranham>
infinisil: how did you find this?
dnovosel has quit [Ping timeout: 265 seconds]
<infinisil>
jabranham: Have known this for a while, I think I just stumbled through the nixpkgs source code
<{^_^}>
[nixpkgs] @pSub pushed 7 commits to add-missing-licenses: https://git.io/fN9US
<tobiasBora>
(sorry to answer a few hours too late but I lost my connection this morning)
<elvishjerricco>
It's too bad we can't just.... rewrite nixpkgs from scratch with all this stuff in mind from the get-go :P
<clever>
elvishjerricco: one min...
Fare has quit [Ping timeout: 240 seconds]
<Henson>
is it possible in my overrides.nix file to make a derivation appear within another set? Say I'm building a package called "pipes" but I want it to appear as "python27Packages.pipes"
<srhb>
(Sounds of rustling while clever rewrites nixpkgs from scratch with all this stuff in mind)
<clever>
before stdenv.mkDerivation, there was builderDefs
<clever>
nixpkgs has already gone thru one such rewrite :P
<elvishjerricco>
Neat. How long ago was that?
<tobiasBora>
Also, does anyone know if it's possible to build a given .nix file with all the new dependencies created in the current folder? I need that because my / partition (with /nix) is pretty small, and I need temporarily to create a big file (few Gb) containing a qcow virtual machine, and my /partition is too small for this file
<clever>
elvishjerricco: setup.sh is the core of stdenv, and it was made back in ~2003
<neonfuz>
I keep on deleting files from /boot but no space is freeing up...
<neonfuz>
wtf is happening
<elvishjerricco>
tobiasBora: If you've got Nix 2.0 you can use chroot stores
<sir_guy_carleton>
where can i find more information about pkgs.mkShell?
<neonfuz>
I did sudo rm -f /boot/EFI/nixos/* and no files got deleted
<neonfuz>
and no error was displayed
<neonfuz>
and then I started manually deleting files and they disappear, but no space frees up
<clever>
neonfuz: what does `ls -ltrh /boot/EFI/nixos` say?
<clever>
when ran without root
<neonfuz>
it shows kernels and initrds, even ones I deleted
<neonfuz>
or tried to delete
<clever>
what does dmesg say near the end?
<neonfuz>
is this mounted in some weird forced read only way?
<neonfuz>
some acpi errors, and other unrelated looking things
<clever>
neonfuz: can you pastebin the output from the above ls command?
<neonfuz>
oh you know what
<neonfuz>
I think nixos-rebuild is putting all the kernels back into /boot and running out of space
<clever>
yes, it will do that
<neonfuz>
I don't have enough space for all the stuff it wants to put in there
<neonfuz>
okay, so how can I solve this?
<clever>
you need to set configurationLimit to limit how many it puts there
<neonfuz>
I probably should have made a bigger /boot partition, I just used the one that windows created
<neonfuz>
also I'm not using grub
<neonfuz>
is grub.configurationLimit still the way to go?
<clever>
systemd-boot doesn't have this option
<neonfuz>
okay...
<neonfuz>
well that's what I'm using
<clever>
in that case, your only option is to delete old system generations with `sudo nix-collect-garbage --delete-older-than 30d` and then nixos-rebuild again
<neonfuz>
oh yeah... I never ran a GC as root
<neonfuz>
only as user
<neonfuz>
I didn't think of that
<clever>
it needs root to delete system profiles
<neonfuz>
makes sense
halfbit has quit [Ping timeout: 244 seconds]
<tobiasBora>
elvishjerricco: for this do I need user namespace? And also, will it continue to fetch the existing binaries in the original /nix?
<clever>
tobiasBora: you need to configure it to use /nix as a cache
<clever>
elvishjerricco: with nix 2, you can use URIs for both --store and substituters
<clever>
daemon, local, s3, ssh, ssh-ng, and a few other protocols are supported
<elvishjerricco>
tobiasBora: I believe chroot stores work via libseccomp, which I believe does not need any special privileges
<tobiasBora>
clever: interesting… So I don't even need user namespace enabled?
<tobiasBora>
amazing
<clever>
tobiasBora: it will need the kernel to allow you to make namespaces dynamically
<clever>
debian doesn't allow that by default
<elvishjerricco>
oh, my bad :P
<clever>
either enable it with sysctl, or just sudo the nix-build
<tobiasBora>
oh yes, too bad. But it's very interesting, because most of the time I've root access. And when namespaces are not enabled, do I have any solution? (just curious)
<clever>
not sure what will happen then
<elvishjerricco>
tobiasBora: You can make sure /nix exists on a different disk
<elvishjerricco>
No idea how to do that in a way that nix likes
<tobiasBora>
and also, the daemon works even if it's debian and not nix-os? (I didn't know that a daemon was run for a simple nix install)
<elvishjerricco>
but it would work around your disk space issue
<clever>
tobiasBora: it may need local instead of daemon then
<tobiasBora>
clever: ok I'll give it a try as soon as I'm back on my linux !
<elvishjerricco>
tobiasBora: You can install nix with the daemon on any systemd based linux by passing `--daemon` to the installer. If you didn't do this, you'll need local. But auto selects between the two automatically, doesn't it clever?
<clever>
elvishjerricco: oh yeah, i forget about auto
<nek0>
hi folks, I'm trying to use arduino ide on nixos, but it fails every time at compiling, because it can't find libstdc++. Is there some magic nix-shell invocation I forgot?
<tobiasBora>
you're amazing, thanks a lot?
<tobiasBora>
!*
<clever>
neonfuz: nix-shell should have libstdc++ in its search path by default
<clever>
nek0: ^^
<tobiasBora>
elvishjerricco: and if on a usb stick (say) I've a /nix, I can still do something without root access ???
<clever>
tobiasBora: you would need somebody to mount the usb to /nix for you
<nek0>
clever: well, if it should have, why doesn't mine?
<clever>
nek0: how are you trying to compile it?
<nek0>
I have installed it through nix-env. When I try to compile a project with it, it can't compile.
<clever>
nek0: ahh, then it wants the avr libstdc++, not the x86 one
<clever>
nix-shell only provides the x86 one
<clever>
it sounds like the arduino package is broken
<tobiasBora>
clever: ok, so same problem. And if I don't mind to recompile, the new deps, can I do something?
<{^_^}>
[nixpkgs] @xeji pushed commit from @volth to master « scallion: use mono4 (#44744) »: https://git.io/fN93d
smolboye has quit [Quit: WeeChat 2.2]
<nek0>
clever: can I do something to fix it?
<clever>
tobiasBora: if user namespaces are disabled, you don't really have very many options, your only real choice is to change the /nix path, and that involves rebuilding EVERYTHING
<clever>
nek0: you would need to find the right libstdc++, and then override the nix expression to fix things
smolboye has joined #nixos
Ariakenom has quit [Quit: Leaving]
<elvishjerricco>
tobiasBora: How did you get the same problem? It should have done the build wherever you needed, i.e. on a drive with more space
<elvishjerricco>
Or do you mean you couldn't get the namespace thing working?
<{^_^}>
[nixpkgs] @xeji pushed commit from @r-ryantm to master « opendht: 1.7.2 -> 1.7.4 (#44732) »: https://git.io/fN9nU
<gchristensen>
^ down side to having Sigyn here
<clever>
gchristensen: i did notice it had warned me at 17:43, but i didn't notice the warning until 20mins later
<gchristensen>
(I've removed their k-line)
Fare has joined #nixos
<clever>
the warning also mentioned how long i had been in the channel
simukis has quit [Quit: simukis]
dbmikus has quit [Ping timeout: 256 seconds]
<gchristensen>
finally I have ofborg updates to post... first time in months
<mikky>
hi, does nixos somehow embed any configuration to grubx64.efi in any way or is it (supposed to be) just a static, stateless file? because for two different builds I get two different files which is something I didn't expect
<Dezgeg>
probably nixos does nothing special, it's all grub-install's responsibility
<mikky>
the builds are on the same machine with shared EFI partition but everything else is isolated, including dedicated /boot
<{^_^}>
[nixpkgs] @xeji pushed commit from @r-ryantm to master « mpc-qt: 18.03 -> 18.08 (#44746) »: https://git.io/fN9n9
<{^_^}>
[nixpkgs] @xeji pushed commit from @bobvanderlinden to master « zopfli: 1.0.1 -> 1.0.2 (#44769) »: https://git.io/fN9c2
Mr_Keyser_Soze has joined #nixos
alexteves has quit [Remote host closed the connection]
Lisanna has quit [Ping timeout: 244 seconds]
<jabranham>
I'm trying to declare what packages I want in ~/.config/nixpkgs/config.nix like it suggests here https://nixos.org/nixpkgs/manual/#sec-declarative-package-management, but when I run nix-env -iA nixpkgs.myPackages I get the error "attribute 'nixpkgs' in selection path 'nixpkgs.myPackages' not found". Do I need to tell nix to consult that file somehow?
<LnL>
are you using nixos?
<jabranham>
yes
<jabranham>
in a VM, if that matters
<clever>
jabranham: then you want `nix-env -iA nixos.myPackages`
<jabranham>
well now I feel silly for struggling with this for the past half hour
<jabranham>
thanks :-)
<clever>
the name there comes from `nix-channel --list`
Dedalo has joined #nixos
Drakonis has quit [Remote host closed the connection]
<mikky>
speaking of declarative package management, I'm using something similar on system level but I was wondering if it would be possible to just include the package list from a file so that the packages could be declared just by, say, "echo pkg >> /etc/../packages"
dbmikus has quit [Ping timeout: 256 seconds]
<symphorien>
<mikky> so much for autodetection then, no dualboot :/ it makes sense though, guess I was just too spoiled by refind << use os-prober ?
<{^_^}>
[nixpkgs] @xeji pushed commit from @volth to master « processing: 3.3.7 -> 3.4 (#44722) »: https://git.io/fN9WU
DigitalKiwi has quit [Quit: DigitalKiwi]
<mikky>
symphorien: this is what a bootloader should be able to handle, os-prober is just ubuntu's workaround of grub2's tragic implementation. And it wouldn't well with multiple /boot's
<mikky>
s/wouldn't/doesn't work/ ^
<clever>
mikky: when using efi, each OS should add its own entry to the efi vars
<clever>
mikky: then you just pick one from the firmware
<mikky>
clever: except multiple nixoses - they keep overwriting the same efi binary
<clever>
mikky: one min
<Dezgeg>
they can all have their own efi partitions, no?
<clever>
mikky: line 4 says my current os is config #3 from the efi vars, line 10 shows config #3, which has a uuid and a path, and line 14 shows the uuid of partition #1
<clever>
-rwxr-xr-x 1 root root 119K Oct 29 2017 /boot/EFI/BOOT/BOOTX64.EFI
<clever>
and at that path within the partition, is the file it named
<Dezgeg>
but I haven't actually tried though (and I just personally avoid EFI anyway given it's overcomplicated crap)
<clever>
Dezgeg: nvme won't boot with legacy at all
<clever>
mikky: it sounds like all modern macs now have secure boot enabled, and you must register the 1st user before you even have the choice to turn it off
<mikky>
clever: still, overcomplicated and not very transparent. This just would not happen with refind or probably not even with systemd-boot
<clever>
so if you have a setup that requires imaging all new macs, you have to partially configure the mac, turn off secure boot, re-image it, then configure it all over!
<mikky>
clever: ^ about efibootmgr, etc, not the secureboot
<clever>
mikky: systemd-boot still adds itself to the efi vars listed by efibootmgr
<clever>
mikky: try listing it on your machine if you're on systemd-boot
<Dezgeg>
the uefi spec is like 2500 pages, that's quite far from my definition of "simple"
worldofpeace_ has joined #nixos
<mikky>
clever: every bootloader does, that's not the issue here. The idea was not to duplicate functionality and make things simple. Like "have one efi and one grub, boot multiple linuxes hassle-free" - which is nearly impossible to achieve...with grub
carlosdagos has joined #nixos
<clever>
mikky: i have something like a ~5 line entry in configuration.nix to boot windows via grub
<mikky>
Dezgeg: most of it is not relevant if you're just interested in booting your favorite OS (without secure boot)
goodwill has quit [Read error: Connection reset by peer]
<mikky>
clever: I take it it's just a chainload of windows's own efi loader. Or do you actually *boot* windows from grub?
goodwill_ has joined #nixos
goodwill_ is now known as goodwill
<clever>
mikky: currently, it chainloads the legacy MBR for windows, but grub also supports ntldr
<clever>
add the block they show to boot.loader.grub.extraEntries = '' ... '';
<clever>
mikky: the very end also shows an efi chainload method
<mikky>
clever: the problem with grub2 is that it doesn't support "multitenancy", so to speak. You always must configure the entire grub's universe from already running linux and that running linux must have access to other OS's to some extent just for the grub (or os-prober, or whatever) to be able to pick them up
<clever>
yeah
<mikky>
I consider this approach utterly wrong.
erasmas has quit [Quit: leaving]
<Dezgeg>
well, they had that approach implemented before the entire EFI spec even existed
<clever>
mikky: it would define the options under options.boot.loader.refind = { ...
<mikky>
Dezgeg: systemd-boot is fine as long as you don't have dedicated /boot
<Dezgeg>
or at least I hear it is capable of autodetecting windows, so I presume it can detect efi bootloaders of other linuxen
<clever>
mikky: make note of line 563-565
<mikky>
Dezgeg: systemd-boot is basically just a chainloader for other efi binaries, windows bootloader is one such binary
<clever>
mikky: and line 545 must point to an executable that will scan /nix/var/nix/profiles/system*, generate the rollback options for nixos, and install the bootloader
<{^_^}>
[nixpkgs] @xeji pushed commit from @utdemir to master « kakoune: 2018-05-21 -> 2018-08-05 (#44706) »: https://git.io/fN94f
<mikky>
Dezgeg: again, systemd-boot can only boot what it finds in ESP, it doesn't understand other filesystems and/or partitions. I prefer not to keep my kernel and ramdisk on error-prone FAT
<clever>
mikky: secure-boot is basically impossible with nixos, due to needing to re-sign the kernel and initrd constantly at every rebuild
<clever>
mikky: the keys must exist on the hdd, and then an attacker could just steal them and sign his own kernels
<mikky>
clever: perhaps, I had this problem many years ago when it just emerged. There were problems, UEFI solved them rather simply so I never went back :)
<{^_^}>
[nixpkgs] @bjornfor pushed commit from R. RyanTM to master « lftp: 4.8.3 -> 4.8.4 »: https://git.io/fN94i
<mikky>
clever: resigning isn't an issue, it can be achieved in many ways and storing keys on HDD isn't a problem either as long as you have your disks encrypted. Which you have, because it wouldn't make much sense to go for secure boot if you hadn't in the first place ;)
<clever>
mikky: but nothing stops me from just replacing the motherboard with another one that has secureboot disabled, then putting some malware into your /boot partition to save the luks password
<clever>
mikky: it is trivial to lie to the OS and claim secureboot is still on, once you are running your own code in ring0
<Dezgeg>
I think in secure boot you have the EFI/bios/motherboard/TPM calculate the encryption key for /boot itself
<mikky>
clever: enter TPM, LUKS passphrase can be stored in a TPM.
<clever>
mikky: measured boot will break every time you nixos-rebuild
<mikky>
clever: and if your adversary is really this good, you have a whole lot of a different problem :)
<mikky>
clever: measured boot?
<clever>
mikky: that's when the TPM records the hashes of every blob (bootloader, kernel, initrd, kernel params)
oida has quit [Remote host closed the connection]
<clever>
mikky: and only if the same series of recordings are fed to it, will the TPM unlock and allow decrypting the hdd
<clever>
mikky: it prevents an attacker from just booting his own os, if he somehow bypassed secure-boot
oida has joined #nixos
<clever>
it also relies on each executable stage (firmware, bootloader, kernel) reporting the hash of the next, before it hands over control
jabranham has quit [Quit: ERC (IRC client for Emacs 26.1)]
<{^_^}>
[nixpkgs] @bjornfor pushed commit from R. RyanTM to release-18.03 « lftp: 4.8.3 -> 4.8.4 »: https://git.io/fN9Bv
<Dezgeg>
why would it break nixos-rebuild? certainly it's the same case as updating the kernel+initrd on other distros as well?
<clever>
Dezgeg: most distros have a static kernel cmdline, and they don't change the init= at every single boot
<clever>
Dezgeg: but all it takes is rdinit=/bin/sh and i now have a shell inside your signed initrd, which would have had permission to decrypt the hdd via TPM
<clever>
so the kernel cmdline must be part of the TPM measurements
Ridout has joined #nixos
<Dezgeg>
you can have a grub and/or bios password
<clever>
you would have to also tell grub to not report the kernel cmdline to the TPM, and trust that the grub pw lock is secure
<clever>
Dezgeg: oh yeah, and is /boot encrypted??, i can just edit the grub cfg
<clever>
and give up on having the TPM hash that, nixos-rebuild
mayhewluke has quit [Ping timeout: 248 seconds]
<mikky>
you got me there
<Dezgeg>
yes, it would have to be crypted
<clever>
you would need to encrypt /boot with its own TPM entries, based on the measurements of the firmware+grub.efi, and then have a separate /boot/EFI partition that secureboot monitors
<clever>
and then have 2 TPM entries for encrypted hdds
mayhewluke has joined #nixos
<{^_^}>
[nixpkgs] @bjornfor pushed commit from R. RyanTM to master « plantuml: 1.2018.8 -> 1.2018.9 »: https://git.io/fN9BK
<{^_^}>
[nixpkgs] @xeji pushed commit from @volth to master « graalvm: fix dead url (#44723) »: https://git.io/fN9uY
<{^_^}>
[nixpkgs] @jmettes opened pull request #44778 → ncview: init at 2.1.8 → https://git.io/fN9u3
jperras has joined #nixos
worldofpeace_ has joined #nixos
<colemickens>
Hm, after the conversation last night, it really does seem like it ought to be easier to build a system configuration and push it remotely. Something like nix-deploy or nix-employ? I guess they're already out there, but something officially sanctioned would be nice too.
<colemickens>
it's so hard to keep track of "nix <command>" and "nix-commands". I don't think I stumbled across any discussions of using it last night. Maybe that will help.
<gchristensen>
I agree
<gchristensen>
nix copy is the new version of nix-copy-closure
<colemickens>
is it also unstable like nix build? (not that I care, I guess :) )
<wak-work[m]>
It’s a little annoying that the new nix build dry run won’t write drvs to the store
hakujin has quit [Ping timeout: 256 seconds]
<wak-work[m]>
So you have to instantiate them before doing a dry run