<samueldr>
hmm, 17 days ago, so you're up-to-date enough that I wouldn't think it would matter :/
<samueldr>
(and in reality I wouldn't think at any version of 18.03 there would be issues :/)
<nekroze>
tried it anyways, no effect
LysergicDreams has quit [Ping timeout: 252 seconds]
<samueldr>
did it actuallly fail?
<samueldr>
the last line pastebinned is "updating GRUB 2 menu..."
<nekroze>
actually the exit code was 0...
<samueldr>
haha it probably worked fine
<nekroze>
facepalm... mea culpa
<samueldr>
no worries!
<nekroze>
will report back after reboot
<samueldr>
there's a known issue that 18.03-era glibc has trouble loading the more recently updated locales from the more recent glibc
<samueldr>
but most everything works anyways, things just are noisily unhappy
<nekroze>
yeah I had recent issues like that on arch linux so I think I just saw it and alarm bells went off
<samueldr>
don't forget to put back 18.09 as your channel
<samueldr>
or else the next update may look wrong!
nekroze has quit [Quit: Lost terminal]
jperras has joined #nixos
simukis has quit [Quit: simukis]
nekroze has joined #nixos
<nekroze>
reporting back from 18.09, I like the new grub theme
<nekroze>
thanks for the assist all!
<samueldr>
:)
JonReed has quit [Ping timeout: 256 seconds]
<samueldr>
I don't even see it, having customized by grub theme
<samueldr>
I probably should remove my customization
<nekroze>
samueldr: its one of the few things I havent yet reskined with a solarized theme :D
nekroze has quit [Client Quit]
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage-packages.nix: automatic Haskell package set update »: https://git.io/fxs34
goibhniu has quit [Ping timeout: 260 seconds]
<Edes>
any commands I should run after nix-rebuild switch --update?
mayhewluke has quit [Ping timeout: 268 seconds]
mayhewluke has joined #nixos
fragamus has joined #nixos
thc202 has quit [Ping timeout: 252 seconds]
Dedalo has joined #nixos
<jasongrossman>
Edes: No.
Edes has quit [Quit: Lost terminal]
Mateon2 has joined #nixos
<Acou_Bass>
'reboot' probably :D
Mateon1 has quit [Ping timeout: 252 seconds]
Mateon2 is now known as Mateon1
<clever>
if your planning on rebooting, then `nixos-rebuild boot` would be better then switch
LysergicDreams has joined #nixos
sir_guy_carleton has joined #nixos
sigmundv has joined #nixos
smolboye_ has joined #nixos
smolboye has quit [Ping timeout: 252 seconds]
stanibanani has joined #nixos
stanibanani has left #nixos [#nixos]
sigmundv has quit [Ping timeout: 244 seconds]
<Ashy>
hmm, upgrading to 18.09 doesn't seem to be working
<Ashy>
`sudo nixos-rebuild switch --upgrade` succeeds but then `cat /etc/*release` still shows 18.03
<Ashy>
do i need an explicit reboot?
<clever>
Ashy: did you change your channel first?
<Ashy>
i changed system.stateVersion in my config repo
<clever>
Ashy: stateVersion has no impact on what channel your using, and changing it breaks the very thing its meant to fix
<Ashy>
Oh
<jasongrossman>
Sorry to repeat myself, but the name "system.stateVersion" is not working. It's misleading huge proportions of people.
sb0 has quit [Quit: Leaving]
<clever>
jasongrossman: thats why nixos-generate-config puts a giant-ass warning on it now, in the comments
<Ashy>
so how do i declaritively set my channel?
<jasongrossman>
clever: That is very good, and totally in the right direction, IMO, but apparently it's not enough.
lassulus_ has joined #nixos
<Ashy>
yeah, that warning is still in my config heh, reading comprehension fail
<clever>
Ashy: thats one of the few things that cant be done declaratively, you need to use `nix-channel` to change the channel, check its man page
<jasongrossman>
Ashy: Setting channels is one of the ...
<Ashy>
but yeah, if it's not where you set the "major version", maybe it needs a better name?
<jasongrossman>
Overlapped, including even the same wording.
<jasongrossman>
Ashy: You're not alone. It's one of the commonest issues here, to say nothing of all the people who give up on NixOS before finding out the answer.
<Ashy>
PRs welcome? or is this one that hasn't got consensus?
<jasongrossman>
It hasn't. :-(
<jasongrossman>
I don't know whether a PR would help get consensus. Maybe.
<jasongrossman>
I recommend changing it to "system.snthsnthsnthsnthsnthsnththdnthdcgdstnhth".
<clever>
Ashy: stateVersion did recently get moved, but that broke nixops and a few other things
<clever>
so it was put back at the old location
<samueldr>
anything in the config having "18.03" in the name would be a target for a blind change :/
<samueldr>
maybe the solution would be an unlinked incrementing number
<samueldr>
stateEpoch = 1
<jasongrossman>
samueldr: Ooh, good point. Should change the name AND the number then. IMO.
LysergicDreams has quit [Ping timeout: 252 seconds]
Supersonic has quit [Ping timeout: 240 seconds]
<jasongrossman>
I like stateEpoch = 1 very much.
<jasongrossman>
That would make a good PR IMO.
<samueldr>
(haven't put much thought in this though)
lassulus has quit [Ping timeout: 272 seconds]
lassulus_ is now known as lassulus
<samueldr>
the stateVersion gives the fuzzy feeling of knowing that it relates to a nixos release
<clever>
samueldr: that would allow for multiple breaking changes within a 6 month period, and still be compatible with things
<samueldr>
clever: right, was about to say
jperras has quit [Ping timeout: 252 seconds]
<samueldr>
though unlinking it from the release version could allow finer grained control
LysergicDreams has joined #nixos
<jasongrossman>
I'm having what someone described the other day as a "Dental Plan" moment. I'm now pretty sure samueldr's suggestion is the best solution.
<samueldr>
though it may need to start at 20, so it could reuse the stateVersion numbers wholesale
<jasongrossman>
Good thought.
<jasongrossman>
,dentalplan
Mr_Keyser_Soze has joined #nixos
<samueldr>
(or even 100 so it's clear it's not related to a quickly coming 20.xx release)
fragamus has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
fragamus has joined #nixos
<{^_^}>
[nixpkgs] @waynr opened pull request #47992 → Upgrade FreeCAD to qt5, maybe fix seg fault → https://git.io/fxscW
mayhewluke has quit [Ping timeout: 252 seconds]
mayhewluke has joined #nixos
sigmundv__ has quit [Ping timeout: 245 seconds]
<gspia>
hi, just upgraded nixos to 18.09 and my locales got broken. Release-notes don't mention it but it was yesterday or two days ago when somebody mentioned about an unsolved issue here related to locales and (maybe) glibc.
<gspia>
Do you know how to fix the issue?
<gspia>
or bypass?
<samueldr>
did you rebuild switch or rebuild boot?
sigmundv has quit [Ping timeout: 244 seconds]
<gspia>
first rebuild switch and then booted the machine
<samueldr>
do you have software installed via nix-env or pinned to the older channels?
<samueldr>
meanwhile, I'm searching for the relevant issue
<gspia>
yeah, the editor is probably such, maybe recompiling will help (I'll try to recompile)
<hyper_ch>
for let's encrypt I still use acme.sh though
jD91mZM2 has joined #nixos
<hyper_ch>
but on the notebook I don't need a full-fledge mailserver.. I just need a way to send cron failures
<Myrl-saki>
Holy crap, there's a nixos-mailserver? What doesn't it havE?
<jD91mZM2>
I just recompiled xmonad, and now it won't start any programs! This was just after updating to 18.09beta, xmonad is currently at 0.14.2. Currently in a TTY, help!
<hyper_ch>
Myrl-saki: i use it on my home server for fetching rss feeds with rss2email and then read them on my cell phone or roundcube
voiceftp has joined #nixos
<[Leary]>
jD91mZM2: will they actually not start, or can you just not see them? There was a bug in 0.14 with fullscreenSupport with that effect if you're using it.
<jD91mZM2>
[Leary]: Good point, I should've clarified. The panel indicates a workspace shift when I start one that's pinned on a specific workspace, so I just can't see them I think
<sphalerite>
hyper_ch: nixos-mailserver moved to gitlab, it's the link that I wrote
<jD91mZM2>
I'm using fullscreenSupport
<hyper_ch>
sphalerite: yeah, I noticed :)
<[Leary]>
I suggest overriding your contrib with 0.15.
<jD91mZM2>
[Leary]: Thank you so much! I'll probably just comment it out right now, I'm having some issues with my video drivers which force me to reboot with nomodeset (to prevent X11 from starting) every goddamned time I want to access a TTY :P
jD91mZM2 has quit [Quit: WeeChat 2.2]
fragamus has joined #nixos
Xiro` has joined #nixos
<hyper_ch>
sphalerite: gitlab doesn't offer something like master.tar.gz for download or latest release?
tertl3 has quit [Quit: Connection closed for inactivity]
simukis has joined #nixos
sphalerite has quit [Quit: WeeChat 2.0]
sphalerite has joined #nixos
Itkovian has joined #nixos
init_6 has joined #nixos
Aerobit has quit [Quit: WeeChat 2.2]
iyzsong has joined #nixos
LysergicDreams has quit [Ping timeout: 244 seconds]
LysergicDreams has joined #nixos
slyfox_ is now known as slyfox
<{^_^}>
[nixpkgs] @alexherbo2 opened pull request #47994 → cool-retro-term: Fix link to home page → https://git.io/fxsB1
<Ashy>
sphalerite: I've been failing to get syzkaller going on nixos all weekend because debootstrap is broken
<Ashy>
Just spun up an Ubuntu dedi on packet.net in the end
thc202 has joined #nixos
revtintin has quit [Quit: WeeChat 1.9.1]
sb0 has joined #nixos
sb0 has quit [Quit: Leaving]
orivej has joined #nixos
sb0 has joined #nixos
<{^_^}>
[nixpkgs] @peti pushed 4 commits to haskell-updates: https://git.io/fxsRS
smolboye has joined #nixos
smolboye_ has quit [Ping timeout: 252 seconds]
silver has joined #nixos
Itkovian has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
oldandwise has joined #nixos
<vandenoever>
hyper_ch: no, but i have some knowledge for the future now
<vandenoever>
hyper_ch: i could save some money on a mail account though
<hyper_ch>
vandenoever: well, you hve a static ip address? If you wanna send mails to other MTAs they very likely will not accept mails from a mta without static ip
oldandwise has quit [Quit: leaving]
oldandwise has joined #nixos
<kandinski>
so I switched over from 18.03 to 18.09, and I'm having an issue with encrypted boot. Did the configuration change?
admiral0 has joined #nixos
kiloreux has quit [Ping timeout: 252 seconds]
<{^_^}>
[nixpkgs] @Mic92 merged pull request #47990 → nixos/prometheus-snmp-exporter: fix command line argument format → https://git.io/fxsZK
<{^_^}>
[nixpkgs] @Mic92 pushed commit from @thefloweringash to release-18.09 « nixos/prometheus-snmp-exporter: fix command line argument format »: https://git.io/fxs0y
<symphorien>
kandinski: I have an encrypted boot and I have not needed any change
smolboye_ has joined #nixos
<symphorien>
(On last week's beta)
echo-area has joined #nixos
<vandenoever>
hyper_ch: not at home
<{^_^}>
[nixpkgs] @Mic92 merged pull request #47986 → borgbackup: patch bug that allowed for exceeding quotas → https://git.io/fxstL
<{^_^}>
[nixpkgs] @Mic92 pushed commit from @erictapen to release-18.09 « borgbackup: patch bug that allowed for exceeding quotas »: https://git.io/fxs05
<{^_^}>
[nixpkgs] @Mic92 merged pull request #47994 → cool-retro-term: Fix link to home page → https://git.io/fxsB1
<{^_^}>
[nixpkgs] @jtojnar pushed 155 commits to gnome-3.30: https://git.io/fxsE3
arianvp has joined #nixos
<kandinski>
So something I've noticed and I'll make an issue out of if you tell me I should is the following: I get an error regarding vboxnet0 if the network doesn't exist. That means I have to start any VirtualBox container before running a nixos-rebuild --switch.
<sphalerite>
arianvp_: but you can mount the root filesystem yourself and exec the init from the old system generation which even though it doesn't have any remaining gc roots should still be in your store :D
<sphalerite>
the initramfs should still have everything it needs to boot the old system, even though it can't do it by itself
<rawtaz>
sphalerite: any special reason you chose luks over zfs encryption?
arianvp has quit [Ping timeout: 256 seconds]
arianvp_ has quit [Ping timeout: 256 seconds]
<sphalerite>
rawtaz: zfs encryption isn't in a stable release yet
<hyper_ch>
rawtaz: my reason is one tool to replace 4 other tools
<sphalerite>
I don't want to take that sort of risk with something as fundamental as the filesystem
<rawtaz>
nice. one thing that always bothered me with zfs for root is that pesky ext4 boot partition. if i go zfs of course i want it to cover ALL my disk, i dont want a breakable old ext4 thing in the mix, kinda defeats the philosophy
<hyper_ch>
luks/dm-crypt, mdadm, ext4 and rsync - they got basically replaced by just zfs
<sphalerite>
well… ext4 is still better than FAT32 >_<
<rawtaz>
sphalerite: nice. is that because it's not stable in openzfs or just not reached the stable branch in nixos?
<rawtaz>
sphalerite: hehe sure :)
* rawtaz
sheds a tear over windows xp
<hyper_ch>
encryption on zfs is in master, and will be included in 0.8
<sphalerite>
not sure about openzfs but zfsonlinux doesn't have it in a release yet
<rawtaz>
hyper_ch: in master of openzfs you mean?
<hyper_ch>
I mean ZoL
<sphalerite>
rawtaz: windows xp used ntfs
<sphalerite>
rawtaz: it's just that EFI requires fat32 :|
<hyper_ch>
there was also a format change in the spring .... no format change pending
<rawtaz>
hyper_ch: are you pulling in e.g. master of ZoL in your nixos then, to have encryption available?
<rawtaz>
great, will check that config when i get to install nixos on a physical machine some day
<kandinski>
Trying again: without making any change in my /etc/nixos.configuration.nix, 18.03 updates and boots after a switch, but when I upgrade and rebuild-switch to 18.09, I get this on boot: https://imgur.com/a/w9yvk8n and here is the relevant configuration: http://paste.debian.net/1046236/ any help appreciated.
<sphalerite>
kandinski: oooh that's not nice. Could you boot into the working system and run `nix eval -f '<nixpkgs/nixos>' config.boot.initrd.preLVMCommands --json | jq -r` and paste the output?
Hotkeys has quit [Quit: Connection closed for inactivity]
<kandinski>
sphalerite: now back at the working system.
<rawtaz>
so its the command that's run when the passphrase has been read, thats seemingly not getting the proper arguments. what command is that anyway?
* rawtaz
just trying to understand
<clever>
sphalerite: oh, interesting, i see stage-1 now remembers the passphrase, and can reuse it on several devices
<clever>
sphalerite: that pretty much makes my lvm on luks thing pointless
<kandinski>
Awright, rebooting. See you at the other end, folks!
<rawtaz>
bye..
<kandinski>
back! Thanks everyone who worked on 18.09. Now the second disk gets decrypted withotut a second password prompt. Nice!
<sphalerite>
\o/
<rawtaz>
what was the key solution?
<kandinski>
just add a missing disk label to the configuration.
<kandinski>
sphalerite: do you reckon I should post this as an issue? http://paste.debian.net/1046232/ It didn't let me switch unless I had a running VirtualBox VM, which would activate vboxnet-0
Rusty1 has joined #nixos
<sphalerite>
kandinski: I'd say yes probably
<kandinski>
particularly since it didn't happen when just rebuilding 18.03, only when upgrading to 18.09.
<sphalerite>
oh you used a switch to upgrade?
<sphalerite>
Yeah that generally doesn't work. You need to reboot for major upgrades.
<kandinski>
well, I use switch then reboot
<kandinski>
Should it have been --boot then reboot?
<clever>
`nixos-rebuild boot`
<sphalerite>
yeah, I mean you probably won't break anything horribly by using nixos-rebuild switch then rebooting. But it's unlikely to go smoothly
<clever>
there is a certain upgrade path that tends to break sudo, and that then makes it difficult to actually shutdown/reboot
<sphalerite>
clever: but you need secure boot to use a TPM right?
<clever>
sphalerite: nope
<sphalerite>
oh neat
<clever>
entirely seperate things
<clever>
measured boot is reporting the hash of the next binary to the TPM, before you execute it
<sphalerite>
yes, but I thought the TPM will lock itself unless you use measured boot
<elvishjerricco>
I'm guessing you could put whatever process (be it signing or registering a hash) into the activation script
<clever>
and if you replay the same sequence of hashes, the TPM unlocks, and you can use it to do things like decrypt the hdd
<sphalerite>
elvishjerricco: noooo not the activation script!
<sphalerite>
elvishjerricco: the boot loader installation
<clever>
sphalerite: so if somebody boots an unauthorized os, the tpm just doenst unlock
<elvishjerricco>
sphalerite: Yea that's better
<clever>
secure boot is different, in that the bios will refuse to even run an unauthorized os
<clever>
(which includes a maliciously modified bootloader/kernel)
<sphalerite>
right so you need measured boot for the TPM to be usable but you don't need secure boot for measured boot?
<clever>
yeah, they can both be used seperately
<clever>
i think the tpm can also work without measured boot
<clever>
but then anybody can just shove in a bootable usb, and use it
<elvishjerricco>
clever: The problem I had with TPM (other than it not working on my hardware for some reason) was that you can't reproduce the hashes / encryption yourself, so you can't automatically switch to a new boot loader
<clever>
elvishjerricco: yeah, you need to go into some kind of special configure mode, and then play a sequence of hashes to it, by actually booting
<elvishjerricco>
Yea. So signing felt like a way better method to me
<elvishjerricco>
Plus, PCR 7 is supposed to just measure the secure boot aspects; i.e. a change in boot loader shouldn't change PCR 7 unless the signature used changes
<clever>
but also, if i have physical access, i could do a bios reset to disable secureboot, and then mess with your /boot to save the luks password to the disk in plaintext
<clever>
and next time you login, your screwed
<elvishjerricco>
clever: encrypted boot :)
<elvishjerricco>
encrypted /boot*
<clever>
there must be a plaintext binary somewhere on the hdd, to decrypt /boot
<clever>
and i can modify that
<elvishjerricco>
oh right
<elvishjerricco>
yea
<sphalerite>
either that or you need to be able to fiddle with your firmware.
<clever>
but, if you had used TPM and measured boot, i would need to crack the TPM itself, which is designed to be resistant to such things
<elvishjerricco>
Wait so secure boot can just be disabled with physical access?
<clever>
elvishjerricco: if you can wipe the bios config by force, yes
<elvishjerricco>
That seems dumb
<clever>
you may need to desolder the chip that the config is stored on
<clever>
depends on the motherboard
magnetophon has joined #nixos
<clever>
secureboot is more to protect against malware that replaces your bootloader with a hypervisor
<clever>
and then your in a vm and dont even know it
hiroshi- has joined #nixos
<clever>
as for secureboot and nixos, my laptop allows me to whitelist a binary by its hash
<magnetophon>
I'm trying to update clthreads, but I get: "ldconfig: Can't create temporary cache file /nix/store/fg4yq8i8wd08xg3fy58l6q73cjy8hjr2-glibc-2.27/etc/ld.so.cache~: Permission denied".
<clever>
the desktop only has an on/off switch, and i cant even load custom public keys
<clever>
magnetophon: ldconfig doesnt work on nixos
<magnetophon>
clever: so how do I work around it?
<clever>
but the major problem right now with secureboot in my laptop, is that grub doesnt verify the next stage (linux)
<clever>
so you can just hit E at the grub screen, and boot a malicious linux, or edit grub.cfg
<elvishjerricco>
clever: Isn't there a way to disable that stuff in grub?
<clever>
magnetophon: just dont run ldconfig
<elvishjerricco>
i.e. only allow booting from specific hardware
<clever>
elvishjerricco: secureboot has to be enabled within grub, to verify the hashes of the next binary with the uefi firmware
<elvishjerricco>
clever: Hm. It ought to be possible without verifying the binary with firmware. Grub could just have its own verification, since grub itself is already verified
<clever>
elvishjerricco: it looks like grub doesnt support secureboot, and needs a shim to help out
GiGa has joined #nixos
<GiGa>
Afternoon all
<clever>
elvishjerricco: you could, but then its not really secureboot anymore, and something custom
<elvishjerricco>
clever: So?
<clever>
elvishjerricco: and how do you verify that your grub.cfg hasnt been tampered with?
<elvishjerricco>
clever: encrypted /boot :P
<elvishjerricco>
or something
<clever>
elvishjerricco: efi requires a plaintext fat32
<GiGa>
I'm about to do a fresh NixOS install onto my new SSD. Can I boot from an old live CD to do that, or do I need to download the latest disk? I'm assuming everything just gets pulled out of the repo?
<elvishjerricco>
clever: /boot doesn't have to be on the same partition as grub
<elvishjerricco>
My laptop actually has /boot in the same ZFS pool as /
<clever>
elvishjerricco: yeah, that could work, as long as you ensure the verified grub.efi loads from the luks device
lingeeal has joined #nixos
<clever>
elvishjerricco: oh, but what if an attacker just wipes /boot and makes their own custom /boot with luks, and they know the pw?
<lingeeal>
hi, I can do nix-env -iA nixos.haskellPackages.yesod-bin, but nix-env -qa nixos.haskellPackages.yesod-bin says no packages was found. WhY/
<elvishjerricco>
clever: Yea. Grub decrypts my LUKS device, loads ZFS, find /boot, and launches the kernel. Since the initrd is on an encrypted drive, I don't feel bad having a secret key for LUKS to let the kernel auto-decrypt the LUKS volume
<clever>
elvishjerricco: then they can give grub the pw they just set
<elvishjerricco>
clever: Yea you'd have to make grub somehow able to verify the key your LUKS volume is encrypted with
<lingeeal>
pf, sorry a has to be in caps lock
<clever>
lingeeal: the attrpath is probably yesod.bin
<elvishjerricco>
clever: But just encrypting /boot, and verifying the decryption key somehow, sounds like all that should be necessary to trust the entire drive
<clever>
elvishjerricco: did you hear about the supermicro stuff going around?
<elvishjerricco>
clever: Yea. Apple vehemently denies it, and bloomberg didn't exactly post a ton of proof or named sources. So I'm pretty curious
<clever>
from what i can gather, that chip sits between the motherboard and the bios flash
<magnetophon>
GiGa: You could use an old CD, but I'd say downloading a new one is safer, plus you don't ed up with a generation of old sw on your pc
<clever>
so the firmware it loads from the flash chip is modified slightly
<elvishjerricco>
Yea. That could do the hypervisor kind of attack you mentioned, right?
<clever>
GiGa, magnetophon: though you can also just nix-channel --add + --update before you nixos-install
<clever>
elvishjerricco: yeah
smolboye_ has quit [Ping timeout: 260 seconds]
<elvishjerricco>
(should we go to #nixos-chat)?
<GiGa>
clever: I tend to run the testing channel anyway, so I'd have to do that I guess
<__red__>
is there any nixos dev / committer that would be open to a few questions over /msg?
<__red__>
I'm looking for more human than technical advice.
<GiGa>
__red__: I commit to Nixpkgs. I'm still fairly new to it but I'll have a go at helping you?
<GiGa>
I commit as joncojonathan
<__red__>
thanks
jmeredith has joined #nixos
<mpickering>
Can I pass a link to a github repo to node2nix like I can for cabal2nix?
<clever>
magnetophon: you may need to pass it thru fetchFromGithub first
<magnetophon>
clever: that wasn't for me was it?
<clever>
oops
Ariakenom has joined #nixos
<sphalerite>
Is there some way to reset a USB device? Like unplugging and replugging it, except something that works for a device that's built in to the machine…
<sphalerite>
ideally while keeping the system running. I could of course reboot te whole machine, but…
<sphalerite>
blargh it seems to be dropping keypresses occasionally as well
barrucadu has quit [Quit: Rebooting for kernel upgrade]
<GiGa>
And nixos-rebulid was erroring with the same "expected string 'Derive(['"
<sphalerite>
that sounds like the drv might be corrupted
<sphalerite>
you might be using a different nixpkgs version now where libXrender evaluates to a different drv which means the broken one doesn't get loaded
<clever>
GiGa: try running `nix-store --delete` on that path, then try again
<GiGa>
clever: error: cannot delete path '/nix/store/0621850mygqy4dqgiga9s34fiiq77q58-libXrender-0.9.10.drv' since it is still alive
<schmittlauch[m]>
Hi, I want to update my system from 18.03 to 18.09. Do I need to change `system.stateVersion` (currently set to 18.03)? Because the release notes don't mention it.
<symphorien>
GiGa: some process is using this library
<lingeeal>
there is no stack-1.7.1, which is needed to init the yesod-postgres template. How do I install it?
<lingeeal>
,
<{^_^}>
Special commands: find locate tell - Commands sorted by use count, page 0 (use ,<n> to view page <n>): library dnw pr tofu unstable -A ask ping pinning IFD NUR allah cloudfront info nixcon overlay paste profiling stateVersion unfree whomademe wololo arm bootfull callPackage channels context declarative dentalplan error escape" escape'' escape-special exec fancy-uninstall github hardware haskell help home-manager howoldis imperative logs loot nix-env-r
<Berra>
Using 18.09 I'm getting that nodePackages_10_x.semver "semver is missing" - but looking at node-packages-v10.nix I can't comprehend why. What could be the cause?
<clever>
hyper_ch: lines 4 and 5 together are pointless
<clever>
it will do a normal gc after -d has ran
<hyper_ch>
so cut line 4?
<__red__>
sphalerite: I'll certainly have time, I just need to tell a "make install" where to put the files - so what $ENV do I put in the Makefile
<clever>
hyper_ch: and cut line 3, it also does the same thing as 5
<GiGa>
clever: Looking good, thanks for your help
<sphalerite>
__red__: $out :)
<hyper_ch>
clever: it does? I thought 3 deletes old generations while optimise hardlinks files
<__red__>
sphalerite: is that nix specific?
<clever>
hyper_ch: 5 is `nix-collect-garbage -d`
<clever>
hyper_ch: which deletes all old generations
<hyper_ch>
clever: d'oh :)
<hyper_ch>
so, cut 3 and 4
<clever>
yep
<lassulus>
why is binutils so big?
<hyper_ch>
thank you
<clever>
hyper_ch: 5 may also benefit from sudo, it cant delete nixos generations without root
<__red__>
I'm supposed to be pushing a requirement on a non-nix application which doesn't have an install file, so trying to make it as non-nix as possible
<hyper_ch>
clever: good to know
<__red__>
install *target*
<__red__>
sorry
<__red__>
going to read pill#8 ;-)
<__red__>
okay, so configure --prefix=$out makes sense
<__red__>
but my target app doens't use a makefile
<__red__>
so - I guess there isn't a 'standard' environmental variable for passing directly to a Makefile
<__red__>
because "sensible people"[tm] would have used configure which would have put it in the Makefile alreadt
<GiGa>
Gramps needs language-pack-gnome-xx (where xx is language code) but we don't seem to have a package like that?
<__red__>
this nix-pills thing is freaking awesome btw sphalerite, wish I'd seen it months ago ! :-D
<sphalerit>
__red__: it's often called PREFIX I think for plain makefiles, but yeah the world of plain makefiles is not a very uniform one :p
<__red__>
I'm guesing nix-build doesn't set that though... it relies on --prefix=$out
<sphalerit>
And yeah the pills are great
<hyper_ch>
they are too complicated for me
<__red__>
well, one way to test it. Write a test install section and dump env ;-)
<sphalerit>
nix-build only sets the $out env var
<sphalerit>
The rest, like calling the configure script and make, is stdenv's job
<sphalerit>
i.e. nixpkgs, not nix itself
<__red__>
okay, so there's no way of generating an install target which isn't nix specific because they're not using configure to generate the makefile
endformationage has joined #nixos
<sphalerit>
Why would you need something nix-specific?
<sphalerit>
You can just do something like `installPhase = ''make install PREFIX=$out'';` in the nix expression
<cocreature>
I’ve upgraded using "nixos-rebuild switch --upgrade", found a problem and rolled back. now I want to change by configuration and rebuild but from the channel state at the time before I upgraded (i.e. the one used for the configuration that I’m currently in). how do I achieve that?
<clever>
symphorien: there is also installFlags
<__red__>
In a PR I've been asked during a code review to remove my installPhase in my default.nix (mkdir $out ; cp build/openspin $out/bin/)
<__red__>
and instead push an install target in the upstream application
<clever>
depends on if the compile depends on the prefix or not
<symphorien>
cocreature: to rollback the channel upgrade nix-channel --rollback
<__red__>
and since the upstream application didn't use configure to generate the makefile, I'm at a loss as to how to do that witjout introducing $out
<__red__>
... and then remember to check for a not-null PREFIX else start writing to other OSes root directories ;-)
<symphorien>
you can use ?= iirc
<sphalerit>
Yeah just do PREFIX = /usr/local
<sphalerit>
That will be overridden by a prefix passed on the command line
<GiGa>
How do you tell a derivation to have multiple optional switches?
<cocreature>
symphorien: thanks! is there a convenient way to figure out to what exactly I need to rollback to get to the thing used as the basis for my current generation?
<symphorien>
I don't really understand
pointfourone has quit [Remote host closed the connection]
<symphorien>
GiGa: yes. The package name is only needed with nix-env -e.
kyren has quit [Client Quit]
kyren has joined #nixos
<lingeeal>
I create a yesod project using stack, but then do 'cabal2nix . > default.nix'. However then, running 'cabal configure' in shell I get: could not resolve dependecies.
<GiGa>
I'm trying to add support for more optional packages in GRAMPS, but build is having issues during tests.
<GiGa>
Details: Could not make database directory:
<bgamari>
Does nixos provide any way to restart a service after an ACME certificate is renewe
<gchristensen>
security.acme.certs.<name>.postRun
<bgamari>
ahh, great
<bgamari>
thanks!
Supersonic112 has joined #nixos
Supersonic has quit [Disconnected by services]
Supersonic112 is now known as Supersonic
<rawtaz>
hm, there seems to be a problem with that. there's no preRun
<rawtaz>
how are you supposed to be able to stop a service before the renewal?
<hyper_ch>
rawtaz: not upgrading to native zfs encryption yet? :)
<bgamari>
rawtaz, do you typically want to?
<bgamari>
rawtaz, I would think you rather want to renew and then only restart once you have a new cert
silver has quit [Read error: Connection reset by peer]
<rawtaz>
bgamari: yes, when using HTTP challenge, you might need the renewal http server to bind to the same port you have your regular HTTP service on
<Acou_Bass>
presumably he wants to go 'stop service, renew cert, start service' (so that theres no weirdness with the service trying to use the old cert when its been overwritten
<rawtaz>
i have that now on another server. i run lego for the LE cert management and the cert is for a service listening on HTTPS. so i shut that service down, fire up lego renew which binds to HTTPS for the challenge duration, then start the service again
<rawtaz>
this is way simpler than having to interact with the firewall top open up another port temporarily
<bgamari>
rawtaz, why not just expose the challenge directory via your usual HTTP service
<clever>
rawtaz: the nginx stuff in nixos automatically handles LE for you, and you dont have to stop the daemon
<bgamari>
hmm
<clever>
rawtaz: it handles the challenge/response stuff thru nginx
<rawtaz>
clever: i dont run nginx
<rawtaz>
this is a custom HTTP service
<clever>
ah
<rawtaz>
bgamari: i started looking into doing that but for some reason ended up not going that route, i dont remember specifics though, hm
<{^_^}>
[nixpkgs] @NickHu opened pull request #48006 → profile-sync-daemon: add missing path to systemd service → https://git.io/fxsrA
<rawtaz>
bgamari: to be fair it might still be an option. then again, a simple preRun to complement postRun would be equally nice :)
<gchristensen>
you don't need prerun / postrun anyway, you can do it all with systemd unit configurations
<rawtaz>
gchristensen: but wouldnt that have to be configured in the ACME service? how do you config that through nixos config?
<gchristensen>
I can't say much, I'm on poor internet, but it is possible with attrset merging the module system provide + symmetric config options in systemd anyay
<rawtaz>
it's a carefully guarded secret, them specifics :-)
<schmittlauch[m]>
How is the process of getting commits from master back to the stable branch? commit 248ed3575c41866c657d0aa2f4a70ebb7a2c079a needs to find its way to the 18.09 channel, as the distfile is gone from the server.
<rawtaz>
schmittlauch[m]: you ask someone to backport it :)
<schmittlauch[m]>
Or will that happen automatically when certain hydra checks pass?
<rawtaz>
just gotta find that someone :D
<schmittlauch[m]>
Well… Does someone want to backport that xD?
<schmittlauch[m]>
In cas I contribute to nixpkgs at some point: I guess PRs can be marked to be backported as well?
pointfourone has quit [Remote host closed the connection]
pointfourone has joined #nixos
<schmittlauch[m]>
rawtaz: If I want to open a PR, should I do it to release-18.09 branch or to the staging one?
<GiGa>
As there's nothing in there to say "go and build this package"
<GiGa>
Sorry, trying to learn and contribute at the same time
wykurz has joined #nixos
<symphorien>
yes but update the path to nixpkgs to your clone
<symphorien>
you can use nix-build -E but I find it confusing and prefer writing a file
<GiGa>
oh yes, sorry, meant to do that before hitting go
<GiGa>
so the file would build gramps but set those override options?
pointfourone has quit [Remote host closed the connection]
<symphorien>
yes
pointfourone has joined #nixos
<GiGa>
nix-build doesn't like the semicolon at the end of the first line, it's expecting $end
Anton-Latukha has joined #nixos
jmeredith has quit [Quit: Connection closed for inactivity]
<symphorien>
you miss the "with"
<symphorien>
with import path {}; gramps
<wykurz>
hi! I have a question regarding nixos AWS AMIs - how can I verify them?
<__red__>
Giga: my mentor (who has decades of Makefile experience) just recommended writing a second Makefile because they don't see how to integrate the changes we need without blowing up their existing stuff.
<GiGa>
__red__: seems good advice
<__red__>
as you can't do conditionals outside of the declaration section
<GiGa>
symphorien: same output file
<GiGa>
like it's built graphviz in already?
<__red__>
GiGa: except I'd be committing a 60 line Makefile to an upstream project to replace a 2 line expression in default.nix
<__red__>
I'm just going to document this and move on.
<symphorien>
GiGa: you put the default to true
ZeDestructor has quit [Ping timeout: 252 seconds]
<GiGa>
symphorien: Ah yes, I'm a wombat! So I want "enableGraphviz ? false, graphviz" in the derivation?
<symphorien>
well depends on what seems a sane default
<GiGa>
It's a highly recommended package by Gramps
<astronavt>
is there any hyperpolygplot-style comparison of nixos and guix functionality?
<arianvp>
I wish we documented the existence of all those image builders...
<arianvp>
like netboot, gce, amazon
<arianvp>
I'm working on one for digitalocean by the way
<wykurz>
arianvp: yeah, it'd be nice. there's a bunch of images on aws that are not on that list, and idk if they are safe. maybe? it's hard to distinguish them from the "official" ones
Anton-Latukha has quit [Read error: Connection reset by peer]
astronavt has quit [Ping timeout: 252 seconds]
Anton-Latukha has joined #nixos
pareidolia has joined #nixos
<pareidolia>
Can someone help me install NixOS on my raspberry pi2? I can't rebuild, I get fixed-output derivation checksumer errors whatever I do
astronavt has joined #nixos
ZeDestructor has joined #nixos
<GiGa>
sphalerit: does that mean that my "++ stdenv.lib.optional enableOSM osm-gps-map" lines are redundant then, given they're set to true by default?
<GiGa>
symphorien: meant to direct that to you, rather than sphalerit
<symphorien>
if someone overrides them to false, they will have an effect
<pareidolia>
Here's one on nixos-unstable: fixed-output derivation produced path '/nix/store/b532v0f48jbhw151h7v8v6ab8vshlj4z-autoconf-2.69.tar.xz' with sha256 hash '05s19ghbic9whsqsgja87qfjibm0i350daz8i2dawd2xymyc6yjg' instead of the expected hash '113nlmidxy9kjr45kg9x3ngar4951mvag1js2a3j8nxcz34wxsv4'
<pareidolia>
This error is reliable, the incorrect hash is produced every time, so that rules out cpu/mem errors
sigmundv__ has joined #nixos
<pareidolia>
Changing over to channel nixos-18.09
<pareidolia>
I get fixed-output derivation produced path '/nix/store/bmh2s8hlc3jmllajarl1f9f3y38mvc9x-0a3755c1799d3a4dc1875d4c59c7c568a64c8456.patch' with sha256 hash '1flnxgjjrrlzdk5klx47l8y8rg1vmzdd9vhzxxq6wiwyvd4bd92r' instead of the expected hash '0bizaf2yf93hwkrrjcl3fhawyhmw9dzq9pc283dxmmpxqvvif5xg'
<{^_^}>
[nixpkgs] @joncojonathan opened pull request #48008 → gramps: added support for recommended packages. → https://git.io/fxs66
<typetetris>
Puh, that was a journey
<pareidolia>
Changing over to channel nixos-18.03
<pareidolia>
fixed-output derivation produced path '/nix/store/lh5y5fj790q2qvspgw7l58jcgz8csi39-coreutils-8.29.tar.xz' with sha256 hash '0pbwl23gwlaj6psy3sg4ak10asrpn50k2sb11ff9x18jl23549r0' instead of the expected hash '0plm1zs9il6bb5mk881qvbghq4glc8ybbgakk2lfzb0w64fgml4j'
<pareidolia>
Why am I getting this?
<typetetris>
nixos-rebuild boot didn't call `bootctl --path=/boot install` for me, which I didn't know about. So reboot didn't work. Needed to get a bootable usb device, chroot into the old system and call `bootctl --path=/boot install` clear my tpm state and add systemd-boot as well as the kernel-efi-file as trusted efi images.
revtintin has quit [Quit: WeeChat 1.9.1]
<{^_^}>
[nixpkgs] @matthiasbeyer opened pull request #48009 → simutrans: Fix hash of pak128 → https://git.io/fxs6p
<{^_^}>
[nixpkgs] @joncojonathan opened pull request #48010 → Gramps add to maintainers → https://git.io/fxs6h
<GiGa>
I don't understand why pull request #48010 also includes my earlier commit - sorry about that!
<symphorien>
pareidolia: are you on a case insensitive fs on linux ?
Neo-- has quit [Ping timeout: 260 seconds]
<Berra>
Using 18.09 I'm getting that nodePackages_10_x.semver "semver is missing" - but looking at node-packages-v10.nix I can't comprehend why. What could be the cause?
<pareidolia>
symphorien: I'm on ext4
silver has joined #nixos
<symphorien>
then could it be that some man in the middle (corporate firewall ?) is messing with the downloads ?
<pareidolia>
symphorien: No, I'm at home with a direct connection
<symphorien>
no idea, then, sorry
<sphalerite>
pareidolia: not sure about the coreutils tarball. The patch issue is link rot, I think, but it probably shouldn't even be trying to download the patch. Have you disabled the official binary cache by accident maybe?
<pareidolia>
sphalerite: I'm follwing the Raspberry pi guide. I'll paste my .conf
<sphalerite>
oooh 32-bit ARM? Yeah then it would make sense that it tries to download sources
<pareidolia>
Ok
<sphalerite>
or are you on a pi 3?
Rusty1 has quit [Quit: Konversation terminated!]
<pareidolia>
sphalerite: A Pi 2B
<sphalerite>
yeah ok
wykurz has quit [Quit: meh]
<{^_^}>
[nixpkgs] @ju1m opened pull request #48012 → redmine: add selectable plugin support at the cost of reproducibility. (FYI only, NOT for merging) → https://git.io/fxsiF
fragamus has joined #nixos
<sphalerite>
pareidolia: simplest "solution" is probably just adding the official binary cache back anyway.
<sphalerite>
pareidolia: but you'll probably also want to go to 18.09 rather than just 18.03
<pareidolia>
sphalerite: How do I add them back?
phreedom has quit [Quit: No Ping reply in 180 seconds.]
b has quit [Quit: Lost terminal]
<sphalerite>
pareidolia: remove "lib.mkForce" from the binary caches line
<sphalerite>
oh wait no that won't be enough probably
<Acou_Bass>
cool to see cache.nixos.org has aarch64 binaries for stable channels now, used to just be unstable
* Acou_Bass
wants to putit on his pi3 now
<pareidolia>
I can't use them on my Pi2 though
<samueldr>
Acou_Bass: still not up to parity with the stable channels, so hard-to-build things aren't yet availble, but personally running it on a couple boards and it works fine for what I use
* sphalerite
is running aarch64 nixos on his chromebook without a hitch
<sphalerite>
well except maybe not having haskell
<Acou_Bass>
cool
<Acou_Bass>
i ran aarch64 nixos on my pi3 when 17.09 was the latest (though i was on unstable) and it was pretty sweet, just a couple things missing that made me go back to the other distro
<Acou_Bass>
buuuuut... i reckon looking at it i could probably use 18.09 fully now, and if anything needs building i can just cross-compile with my two other computers running nixos hehe
obadz has quit [Ping timeout: 252 seconds]
<sphalerite>
cross-compiled stuff is more problematic than native stuff
<Acou_Bass>
huh
<Acou_Bass>
fair enough
<sphalerite>
especially in terms of "it actually builds"
<Acou_Bass>
BUT i will say... back then, i dont think i had to build anything (and if i did, it was something small that built fast on the pi3 anyway), my usage isnt ridiculously complex, just standard home server stuff
<Acou_Bass>
soo... i probably wont even need to cross-compile
<sphalerite>
yeah that should be fine
astronavt has quit [Ping timeout: 260 seconds]
<Acou_Bass>
i think back then i had trouble with the znc configuration because i was doing it in configuration.nix (rather than making it mutable + configurable via admin interface)
<Acou_Bass>
and for some reason that just messed everything up :P
GiGa has quit [Quit: Leaving]
Rusty1 has joined #nixos
<{^_^}>
[nixpkgs] @schmittlauch opened pull request #48014 → backport tor-browser-bundle-bin minor update → https://git.io/fxsXT
leothrix has quit [Ping timeout: 252 seconds]
<schmittlauch[m]>
^ Can someone review the backport of tor-browser-bundle-bin update?
leothrix has joined #nixos
Ariakenom has joined #nixos
magnetophon has quit [Remote host closed the connection]
lesh has quit [Quit: WeeChat 2.1]
<makefu>
schmittlauch[m]: i used all my non-maintainer powers
<andi->
schmittlauch[m]: on it, actually have it locally just not pushed /o\
<andi->
I spent a few hours looking into how and why we build the non-bin tor-browser-bundle how we do it.. Decided to not touch it until tomorrow :-)
<samueldr>
andi-: if it helps, IIRC oxij knows that bit
<andi->
samueldr: I know and that part of the mistery for for me.. we use a fork of tor for that where it is super critical not to make things go wrong.. That fork that oxij uses isn't really being updated as frequently as we should
<samueldr>
good, just sharing the bit I knew
<andi->
I am very close to marking the non-bin tor-browser(-bundle) as insecure with a mark to just use the binary releases..
<andi->
somehwere I have a draft issue for that but I need to clear my brain :-)
<schmittlauch[m]>
andi- If you're at it anyways, you could try to figure out whether https://github.com/TheTorProject/gettorbrowser/ is deprecated, as it's still the first download source to be tried but doesn't have any v8.x builds so far
<andi->
schmittlauch[m]: did that, doesn't look deprecated or at least didn't find such a notice
<{^_^}>
#47901 (by dhess, 2 days ago, open): haskell: re-enable aarch64, but disable parallel builds on that arch.
mayhewluke has quit [Ping timeout: 245 seconds]
fragamus has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
mayhewluke has joined #nixos
<{^_^}>
[nixpkgs] @nh2 opened pull request #48017 → `nload` output corrupts a few seconds after starting. → https://git.io/fxsDJ
<trebuh>
Anyone has got a working example of configuration file using BTRFS over LUKS ?
kp__ has joined #nixos
<Acou_Bass>
i thought i did but for some rason its missing hardware-configuration.nix (and so ive no way of telling you if it is actually btrfs or not) XD sorry
<Acou_Bass>
its got a keyfile on a separate (usb) drive to unlock the LUKS drive
kyren has quit [Remote host closed the connection]
<lingeeal>
I've created a project with 'cabal init', added
<lingeeal>
yesod lib and ran cabal2nix. When in shell I get
<lingeeal>
ideas?
<lingeeal>
libHSmtl-2.2.2-8XubxMJDT8QLsstvlNotkc.so'. Any
<lingeeal>
'can't load .so/.DLL for:
<Acou_Bass>
wow... just realized how old that configuration is, but i dont think the luks part has changed any
<hodapp>
okay, that's weird... "nix-env -i -A draftsight" just returns immediately with no error, "nix-env -i draftsight" just says that doesn't match anything
Diagon has quit [Read error: Connection reset by peer]
<Acou_Bass>
add the channel name too
<Acou_Bass>
eg nix-env -iA nixos.draftsight
<hodapp>
but why would the former just fail silently?
<hodapp>
it's failing silently with nixos.draftsight too
<Acou_Bass>
hmm
<Acou_Bass>
you already got it installed in configuration.nix?
<hodapp>
it's seemingly not installed anywhere
<Acou_Bass>
huh
<Acou_Bass>
weird
<hodapp>
oh, I needed allowUnfree
<Acou_Bass>
ahhhh right :D
<Acou_Bass>
i always forget to do that
<hodapp>
failing silently isn't the way to convey it needs done
trevorriles has joined #nixos
Berra has quit [Remote host closed the connection]
edef has quit [Remote host closed the connection]
edef has joined #nixos
alex`` has quit [Ping timeout: 252 seconds]
<{^_^}>
[nixpkgs] @samueldr merged pull request #47901 → haskell: re-enable aarch64, but disable parallel builds on that arch. → https://git.io/fxYy2
<bgamari>
How does one force a build *without* nix-daemon under NixOS?
jasongrossman has quit [Remote host closed the connection]
<symphorien>
sudo ?
<bgamari>
that will certainly avoid nix-daemon?
<symphorien>
I think so
<bgamari>
hmm, indeed it seems it does
<bgamari>
then I'm terribly confused
<symphorien>
iirc the logic is: if write permission, build directly, else, try with the daemon
<bgamari>
it seems that none of the nix tools can resolve domain names
<bgamari>
name resolution works fine otherwise
alex`` has joined #nixos
<gchristensen>
hmm maybe pkill nscd and nix-daemon
<bgamari>
already tried this
<bgamari>
and confirmed just now that it makes no difference
<symphorien>
what is nscd for, actually ?
* bgamari
wonders what curl is being used here
sigmundv__ has quit [Ping timeout: 268 seconds]
<nh2>
bgamari: strace all the things?
<bgamari>
yeah, I tried that last night; needless to say it produced quite a torrent
<nh2>
even with filters for your curl question, e.g. `strace -fyp YOURPID -e execve 2>&1 | grep -v ENOENT | grep curl`?
<bgamari>
hmm, alright, found the curl being used and it seems to work fine
<nh2>
you might also try to look directly who it asks for the DNS, I'd suspect it to be an `-e sendto` via UDP
fendor has joined #nixos
<dhess>
samueldr: whoa you merged that Haskell aarch64 change without reviews from the Haskell reviewers? :)
<samueldr>
as I described, self-contained enough to I think not cause issues
<dhess>
well everyone, get ready for some GHC aarch64 hotness!
<samueldr>
worst case scenario: builds fail on aarch64 for other reasons, nothing else changes :)
<dhess>
it does build a ton of important packages.
<bgamari>
hmm, I see a connect to 127.0.0.1:53
<dhess>
tls, however, dies on a couple of tests, so it can't get *too* far. I'm not sure whether those are legit aarch64 issues or if it's just a CI server timeout thing
<bgamari>
but indeed no one is listening on that address
<dhess>
peti logged an issue on the tls GitHub about CI failures in 1.4.1, though those were for x86-64 and slightly different failures.
* bgamari
strongly suspects that GHC is a bit broken on AArch64 still
<bgamari>
I've seen segfaults on my local AArch64 box while running haddock
<{^_^}>
[nixpkgs] @Mic92 pushed commit from lassulus to release-18.09 « charybdis service: bin/charybdis-ircd -> bin/charybdis »: https://git.io/fxs9i
Diagon has joined #nixos
lassulus has quit [Ping timeout: 272 seconds]
<{^_^}>
[nixpkgs] @Vskilet closed pull request #47910 → nixos/emby : use the dataDir option → https://git.io/fxOYH
Diagon has quit [Read error: Connection reset by peer]
tg has quit [Excess Flood]
<Acou_Bass>
hyper_ch: comment out packages a block at a time, then do a final rebuild with them all activated (once youve got them all downloaded/stored in your nix store)?
<bgamari>
hyper_ch, right
<Acou_Bass>
orrrr store your nix store remotely
<{^_^}>
[nixos-artwork] @Ericson2314 opened pull request #39 → Rename some SVG identifers for clarity → https://git.io/fxsHT
fendor has joined #nixos
<bgamari>
I would try to pare down my installation as much as possible
Piece_Maker has joined #nixos
<bgamari>
hyper_ch, actually, perhaps you can just upgrade nix?
<bgamari>
hyper_ch, the version in 18.09 should hopefully better from the space usage perspective
<bgamari>
hyper_ch, so if you `nix build nixpkgs.nix` and then use result/bin/nixos-rebuild to build your new system things might work out
Acou_Bass has quit [Ping timeout: 252 seconds]
Piece_Maker is now known as Acou_Bass
tg has joined #nixos
<sphalerite>
dhess: how to get your PR merged. 1. Complain on IRC
<dhess>
sphalerite: hehehe
<hodapp>
if complaining on IRC got PRs merged, I'd have millions
<sphalerite>
hodapp: it might take several attempts ;)
<dhess>
Hey I've got a question about a feature mentioned in the 18.09 release notes. Specifically, it's this bit: "A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs."
<dhess>
and then there's the example that starts "inherit (pkgs.nixos) .."
<dhess>
I don't really follow. Anyone got an example of that?
kreisys has quit [Ping timeout: 268 seconds]
trevorriles has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
Diagon has joined #nixos
<hyper_ch>
on low memory systems - how to not make Nix daemon out of memory when trying to upgrade?
<hyper_ch>
it aborts at busybox
<Acou_Bass>
is it RAM youre running out of, or HDD space...? and if its HDD space, how small of a HDD are you trying this on?
<Acou_Bass>
and if it is HDD... you could probably run a really aggressive garbage collect command first, then it shouldnt take up any more space than a standard upgrade
lassulus has joined #nixos
patrl has joined #nixos
<hyper_ch>
it's ram - no swap
<hyper_ch>
4gb ram
<Acou_Bass>
and why cant you add swap again? this should use HDD space
<bgamari>
hyper_ch, I would try using a newer nix
<bgamari>
there have been some recent fixes in this area
random_yanek has joined #nixos
<hyper_ch>
bgamari: I'm trying to upgrade and it just keeps running out of memory
<{^_^}>
[nixos-weekly] @domenkozar pushed 2 commits to master: https://git.io/fxsHj
<clever>
ive ran nixos on a machine with 4gig of SSD, and thats it
<Mic92>
hyper_ch: if the problem is evaluation you can use nixops to deploy from a stronger machine.
<clever>
it barely had room for 2 nixos generations
orivej has joined #nixos
<gchristensen>
heh I know that feeling
BlessJah has left #nixos [#nixos]
<Acou_Bass>
i wasnt even aware that using nix on a (running) system used so much RAM... i know the liveCD installer does because the entire system runs in RAM, but an installed system?
<typetetris>
is there any advantage to booting in uefi+secure boot to booting with legacy mode?
<clever>
Acou_Bass: when downloading a .nar and unpacking it, the entire nar was held in a std::string
<hyper_ch>
so, finally was able to upgrade... dropping arc cache helped
<clever>
typetetris: when booting in legacy, a virus can in theory replace your bootloader, and then boot your OS inside a VM
<clever>
typetetris: and then its basically imposible to detect what its doing
<clever>
uefi also suffers from that, if secureboot is off
<typetetris>
clever: ok, so there at least is a reason to torturing myself with that :)
<typetetris>
So every time systemd-boot or the kernel gets updated, i will need to add a new trusted efi file via my bios.
lopsided98 has quit [Quit: Disconnected]
<clever>
typetetris: if using public/private keys, then you just need to add the public to the bios once, and then sign everything with the private
<clever>
and ensure systemd-boot validates the kernel before booting it
lopsided98 has joined #nixos
lopsided98 has quit [Client Quit]
<typetetris>
clever: Hmm, having the private key around on the same machine opens up that attack vector again. Even if it was encrypted, the virus infecting my system could keylog the password or something. Maybe its better to live with the inconvenience.
<clever>
typetetris: yeah, M$ gets away with it being easy, because the kernels are compiled and signed in a secure place, and the end-user never has the keys
lopsided98 has joined #nixos
<clever>
apple too
<{^_^}>
[nixpkgs] @erictapen opened pull request #48020 → buildRustPackage: fix regex for separating lib and bin → https://git.io/fxsQu
<typetetris>
clever: "secure" translates to "single point of failure" in this case, so tinfoil hat much, we are screwed either way.
<clever>
you can still use uefi without secureboot
<clever>
typetetris: oh, the bootloader M$ signed with those keys, they forgot to disable a debug option that leads to executing unsigned code
<clever>
so the M$ keys are basically useless now
<clever>
and if they revoked those keys, every single install disk would become invalid
<typetetris>
clever: didn't work for me, without secureboot, I only got the "no operating system found error" or similar.
<clever>
you need to boot with efi to config the efivars, to be able to boot with efi
<clever>
chicken in the egg problem
<clever>
boot.loader.grub.efiInstallAsRemovable = true; gets around it, by claiming your on a removable disk
<clever>
and /boot needs to be a fat32 partition, flagged as the efi system partition, in the gpt tables
<pareidolia>
Where does Nix unpack sources to build? I'm getting no space left errors so I'd need to mount an external drive on there
<clever>
pareidolia: usually /tmp
<typetetris>
clever: I am booted with uefi + secure boot now, why do I need this efiInstallAsRemovable thing (which I don't understand) then?
endformationage has quit [Ping timeout: 246 seconds]
<clever>
typetetris: oh, your in nixos, with secureboot and systemd-boot?
<typetetris>
yes.
<pareidolia>
clever: Thanks!
<clever>
typetetris: wasnt aware that actually worked
<typetetris>
It wasn't pleasent.
<clever>
typetetris: many bios also horribly mislabel things in the options
<clever>
my desktop doesnt even give me the option to whitelist a file
<clever>
secureboot is either microsoft, or custom
<clever>
and custom has zero options
<typetetris>
clever: the bios gives me the option to whitelist a file.
<clever>
yeah, my laptop gives me that
<typetetris>
clever: not some tool in nixos.
<typetetris>
acer travelmate x here.
<clever>
in my case, i was able to whitelist only grub, and then it booted
<clever>
which means grub is not verifying the next stage (linux) and is running unsigned code
<clever>
a quick google implies that systemd-boot also doesnt support secureboot by itelf
<clever>
so systemd-boot is probably running unsigned code
Lears has joined #nixos
[Leary] has quit [Read error: No route to host]
<typetetris>
For me it went like this: 1) Configure the systemd-boot stuff in nixos 2) delete /boot/* 3) nixos-rebuild boot 4) bootctl --path=/boot install (nixos-rebuild boot didn't do it and I had to boot from an usb stick with a minimal installer and run a chroot to do it) 5) reboot and add /boot/EFI/systemd/*.efi and /boot/EFI/nixos/vmlinuz.*efi (so the systemd-boot efi file and the kernel efistub file). I needed to select reset TPM
<typetetris>
stuff midway through, dunno why, maybe the bios is buggy.
<clever>
typetetris: step 4 sounds like the chicken in the egg problem i mentioned
<typetetris>
I first had a configuration, there only the systemd-boot efi file was trusted, my computer didn't boot because systemd-boot tried to load the kernel efistub file, which my computer noticed wasn't trusted.
<pareidolia>
Can someone send me a NAR of /nix/store/bmh2s8hlc3jmllajarl1f9f3y38mvc9x-0a3755c1799d3a4dc1875d4c59c7c568a64c8456.patch ?
<clever>
typetetris: ah, that implies systemd-boot does support secureboot
<typetetris>
or maybe the bios is super smart? (ok ok, probably not)
<elvishjerricco>
clever: I think systemd-boot just asks efi to load the kernel as an application, which I thought secure boot checked for a signature
<pareidolia>
Anyone?
<elvishjerricco>
But that won't secure the command line for the kernel
<clever>
elvishjerricco: ah, that might be it, i was expecting it to just load it as a file, and then pass control over without using the efi specs
<{^_^}>
[nixpkgs] @timokau closed pull request #48008 → gramps: added support for recommended packages. → https://git.io/fxs66
<elvishjerricco>
Not sure about the initrd....
<typetetris>
elvishjerricco: hmm, but if systemd-boot doesn't let you edit the kernel boot commad line, you should be golden, or not?
<clever>
typetetris: edit the config on /boot
orivej has quit [Ping timeout: 246 seconds]
<elvishjerricco>
pareidolia: I'd just fix the broken hash. If it uses fetchurl, it should use fetchpatch instead since that does some normalization on the patch in case the remote changes its format
<clever>
elvishjerricco: another factor of secureboot, is that the kernel should probably confirm signatures on all loadable modules
<pareidolia>
elvishjerricco: How do I do that? I'm on 18.09
<typetetris>
good night!
<{^_^}>
Night!
<pareidolia>
How do I fix a broken hash? I just point to channel 18.09
<elvishjerricco>
clever: At this point I'm convinced the right way is to encrypt /boot and have grub decrypt it.
astronavt has joined #nixos
<clever>
elvishjerricco: but grub itself wont be encrypted, and is still a weak point
<elvishjerricco>
pareidolia: You just have to track down the Nix expression that's wrong in nixpkgs
<elvishjerricco>
clever: But it'll be signed for secureboot
<pareidolia>
elvishjerricco: But I can't edit /nix/... files right?
<clever>
pareidolia: edit it in a `git clone` of nixpkgs
<pareidolia>
clever: How do I point my system channel to that?
<clever>
pareidolia: `nixos-rebuild -I nixpkgs=/path/to/nixpkgs test` i believe
<elvishjerricco>
Is there a section in the manual about making changes to nixpkgs on NixOS?
<pareidolia>
I can't rebuild! I don't have Git, I don't have SSH
<clever>
pareidolia: nix-env -iA nixos.git ?
<pareidolia>
Ah, thank goodness that works
<clever>
pareidolia: you may also want to `git checkout` the rev shown by `nixos-version`
<pareidolia>
clever: That one says 19.03.git.ca2ba44cab4
<pareidolia>
Th
<pareidolia>
There's no channel named 19.03 though
<clever>
git checkout ca2ba44cab4
<clever>
19.03 is the name of nixos-unstable, which will eventually become 19.03 next march
<elvishjerricco>
pareidolia: FYI, you can use `nix edit -f . PKGNAME` to quickly find the source of the broken package in your local checkout of nixpkgs
<elvishjerricco>
Doesn't always work, but usually does
<pareidolia>
elvishjerricco: From within a checkout?
<clever>
yeah
<elvishjerricco>
pareidolia: Yea
<pareidolia>
I'm still stumped why I'm the only one having difficulty building NetworkManager from 18.09 though
<elvishjerricco>
pareidolia: Maybe others just already have that patch file on their system. I'll give it a shot real quick
<pareidolia>
elvishjerricco: That's why I thought a NAR from the store would be useful
<elvishjerricco>
pareidolia: What command do I need to try to reproduce this?
<pareidolia>
I'm not sure, I'm just trying nixos-rebuild switch
<elvishjerricco>
pareidolia: What settings are enabled in your configuration that might be causing the requirement on that file?
<elvishjerricco>
(does nix why-depends work on drvs yet?)
<elvishjerricco>
It does work on drvs! That'll make this easier.
<clever>
elvishjerricco: nice
fragamus has joined #nixos
<pareidolia>
Ok, but maybe we should be doing this with fixed-output derivation produced path '/nix/store/b532v0f48jbhw151h7v8v6ab8vshlj4z-autoconf-2.69.tar.xz' with sha256 hash '05s19ghbic9whsqsgja87qfjibm0i350daz8i2dawd2xymyc6yjg' instead of the expected hash '113nlmidxy9kjr45kg9x3ngar4951mvag1js2a3j8nxcz34wxsv4'
magnetophon has joined #nixos
<pareidolia>
Because the SD card image is based on the unstable channel
<pareidolia>
And this is the error I get with the unstable channel
<elvishjerricco>
pareidolia: Wait are you installing 18.09 or unstable?
infty has left #nixos ["WeeChat 1.4"]
<pareidolia>
The SD card images for Raspberry are based on unstable
<clever>
pareidolia: what does `file /nix/store/b532v0f48jbhw151h7v8v6ab8vshlj4z-autoconf-2.69.tar.xz` output?
<pareidolia>
I don't have file
<elvishjerricco>
pareidolia: Ok, but which version are you installing? You can install 18.09 from an unstable SD disk
<pareidolia>
That's a relief
<clever>
pareidolia: try just less then, is it binary?
<pareidolia>
clever: Yes, it is
<clever>
then its not a 404 page
<pareidolia>
But I'm going to change back to 18.09 since I prefer a stable channel, and we're back at the NetworkManager thing
<pareidolia>
clever: I find it puzzling that it's even in the store
<pareidolia>
Why would Nix keep it in the store if the hash doesn't check out?
<elvishjerricco>
pareidolia: Maybe let's try installing 18.09 directly rather than downgrading after unstable
<clever>
pareidolia: it leaves it in the store, but doesnt register it as valid
<elvishjerricco>
pareidolia: Nix keeps failed builds in the store for some reason
<clever>
pareidolia: that allows you to inspect it and see why its wrong
<elvishjerricco>
I don't like that about it
<elvishjerricco>
Wish it only did that with --keep-failed
<pareidolia>
elvishjerricco: But there is no 18.09 SD image AFAIK
<elvishjerricco>
pareidolia: You can install 18.09 from the unstable SD image
<pareidolia>
Then I run into the Networkmanager thing
patrl has quit [Ping timeout: 264 seconds]
infty has joined #nixos
<elvishjerricco>
pareidolia: I'm confused... I thought that was just when you tried installing normally, i.e. unstable
<pareidolia>
When I'm on the 18.09 channel, and I try rebuild, then I get the Networkmanager patch thing
<elvishjerricco>
pareidolia: rebuild? Like this is post-installation?
<pareidolia>
Well, there's this image you dump on the SD card, then you boot from it, edit the configuration.nix and rebuild
<elvishjerricco>
ooohhh
<elvishjerricco>
Right, i forgot aarch64 is weird
<pareidolia>
I'm on armv7
<pareidolia>
Not aarch64
<elvishjerricco>
Sure, same weirdness
lostman has joined #nixos
<pareidolia>
The documentation makes it seem very simple
<elvishjerricco>
I'm used to the x86(_64) stuff where you have a separate install CD and run nixos-install to install the thing
<elvishjerricco>
pareidolia: Ok, I understand now. We need to track down which option is actually causing the patch to be required so we can fix it. Let me try to conjure the proper why-depends command
<dhess>
You can do that with the ARMs as well (/install CD/SD card/)
<pareidolia>
dhess: Raspberry Pi can boot from CD?
<elvishjerricco>
nix why-depends $(nix-instantiate "<nixpkgs/nixos>" -A system) /nix/store/bmh2s8hlc3jmllajarl1f9f3y38mvc9x-0a3755c1799d3a4dc1875d4c59c7c568a64c8456.patch
<dhess>
pareidolia: maybe. But what I meant is, you can boot off and SD card and then install to a fresh medium
<elvishjerricco>
pareidolia: What does that do?
<dhess>
if you have some other form of storage available like an eMMC or a SATA disk (or even an nVMe card if you have a PCIe slot)
<pareidolia>
I have an USB disk attached for swap
<clever>
the rpi doesnt have pci or sata
<pareidolia>
elvishjerricco: It's rumbling now. What does "nix-instantiate "<nixpkgs/nixos>" -A system" do?
<dhess>
clever: no, but other aarch64's do
<dhess>
like the Jetson sseries
<pareidolia>
elvishjerricco: Does it make all the DRV files for the entire system?
<elvishjerricco>
pareidolia: rumbling? nix-instantiate gives you the drv file of a derivation. In this case the nixos system config
<elvishjerricco>
Yea that shouldn't go to download anything I thought...
<pareidolia>
Can I just remove the cache from configuration.nix
<elvishjerricco>
pareidolia: Oh, I think we need the drv of the patch, not the patch itself. What happens if you run `nix-store -qd /nix/store/bmh2s8hlc3jmllajarl1f9f3y38mvc9x-0a3755c1799d3a4dc1875d4c59c7c568a64c8456.patch`?
<elvishjerricco>
pareidolia: Removing the cache would be a bad idea :P
<dhess>
elvishjerricco: I think I saw a GitHub issue somewhere that you've been cross-compiling Haskell for android or something like that?
slack1256 has joined #nixos
<elvishjerricco>
dhess: Yea a bit.
<dhess>
elvishjerricco: how does that work with TH?
<pareidolia>
elvishjerricco: It says /nix/store/kqm33bcikjn3g9p9axfysiy7qiy48kdj-0a3755c1799d3a4dc1875d4c59c7c568a64
<elvishjerricco>
The guys at obsidian systems have been doing it a lot. I just helped out getting it started, and have since cross compiled NixOS itself to aarch64
<elvishjerricco>
dhess: TH does not work yet, but they're working on a hack
<elvishjerricco>
pareidolia: Whaa... It should have given a .drv file
<pareidolia>
elvishjerricco: I'm sorry
<clever>
elvishjerricco: only for valid outputs
<pareidolia>
elvishjerricco: Forgive my swearing but I'm on fucking SERIAL TTY
<dhess>
elvishjerricco: you can't get very far in the ecosystem without TH, can you?
<clever>
pareidolia: can you pastebin the whole output of nixos-rebuild when it fails?
<pareidolia>
elvishjerricco: It cut off the output because nix uses less
<elvishjerricco>
dhess: Surprisingly, you can
<clever>
dhess: iserv-proxy can help with TH
<dhess>
elvishjerricco: huh, interesting! I'll have to give it a try then
<dhess>
elvishjerricco: have you done any ios cross-compiling with aarch64, or only android?
<clever>
dhess: running iserv-proxy under nodejs solves it for ghcjs, and under wine solves it for linux->windows
<elvishjerricco>
dhess: Yea reflex gets by without it entirely OK. But they're working on splicing TH splices from native builds into cross builds
<elvishjerricco>
pareidolia: Ah, great
<pareidolia>
I pasted it wrong
<pareidolia>
Damn!
<clever>
dhess: i think angerman has done x86->ios cross-compiles with TH
<elvishjerricco>
pareidolia: Ok, now try the `nix why-depends` command but replace the .patch path with that path
<dhess>
clever: yeah but not with Nixpkgs as far as I know
<elvishjerricco>
clever: Yea, but I can't imagine being able to automated that with nix
<pareidolia>
I think it's still wrong since it doesn't exist
<pareidolia>
I'm going crazy in this fucking picocom shit
simukis has quit [Quit: simukis]
<elvishjerricco>
Since it requires an iphone to be connected and to dish out builds to the phone
<clever>
elvishjerricco: yeah, you would need to use qemu-user-arm, and not a real ios device
<elvishjerricco>
pareidolia: Oh the .drv path doesn't exist?
astronavt has quit [Read error: Connection reset by peer]
<dhess>
I actually don't care *that* much about TH at this point, I just want to start putting a toe in the water to test Nixpkgs-based GHC cross builds to iOS
<elvishjerricco>
clever: Couldn't really run ios-bound objects there, could you?
<dhess>
I'd settle for a little "hello world" at this stage.
<pareidolia>
elvishjerricco: It does
<elvishjerricco>
dhess: reflex-platform can do that out of the box
<pareidolia>
elvishjerricco: Now that I pasted it correctly
<dhess>
elvishjerricco: to iOS?
<elvishjerricco>
dhess: Yea
<clever>
elvishjerricco: if your TH is touching ios objects, your probably doing something wrong
<elvishjerricco>
clever: No, the actual machine object files that iserv has to load and execute
<dhess>
elvishjerricco: cool! Does this work with mainline Nixpkgs or do you have a fork of some kind?
<elvishjerricco>
clever: Like, they're going to be apple/ios formatted and depend on apple/ios libs
<pareidolia>
elvishjerricco: Ok, it's running
<clever>
elvishjerricco: yeah, you would need a non-ios arm os, to run iserv under
<elvishjerricco>
dhess: The effort to bring reflex-platform to mainline nixpkgs is... ongoing.
<clever>
hmmm, but ghc may still have trouble targeting 2 arm at once
<dhess>
ok
<elvishjerricco>
clever: Can a different OS load object files compiled for iOS?
<elvishjerricco>
clever: Right, the whole reason we need an iOS device is because GHC can only target one triple
<elvishjerricco>
Otherwise we'd just run the TH on the build platform
<clever>
elvishjerricco: another solution is to compile the TH with a different ghc
<dhess>
I can't imagine that TH is actually platform-dependent in like 99% of the use cases
<elvishjerricco>
dhess: The amount of time and work that's been required to get reflex-platform on a newer nixpkgs has been a serious deterrent for me. And I say that as someone who's been a strong proponent for it. But if it takes a year of work to update it every time... no thanks.
<elvishjerricco>
clever: Yea that's the splicing trick obsidian is trying to do now
<dhess>
elvishjerricco: yeah I know. That makes me sad.
<elvishjerricco>
They patched GHC to be able to serialize TH splices so that they can be loaded by a cross compiler
<dhess>
I totally understand, it just sucks that it's the reality of developing with nixpkgs sometimes.
<elvishjerricco>
dhess: Honestly I think it's just the absurd weight of the excessive number of things reflex-platform does
<dhess>
elvishjerricco: yes, if I'm honest, I'm a bit reluctant to try it out as a fast path to getting iOS GHC binaries :)
<dhess>
I don't need the reflex bits at this point (though I might in the future)
<elvishjerricco>
Like, ideally reflex-platform would hardly exist. We'd just have reflex-dom on Hackage, so it'd be in nixpkgs, and it'd build automatically on GHC and GHCJS, and we'd just use the mobile cross support in nixpkgs to get cross builds for free
<pareidolia>
elvishjerricco: Can't I just import a NAR from somewhere?
<dhess>
elvishjerricco: are you not able to get to that point because there is functionality missing in Nixpkgs, or is it because you were doing all this cross stuff before it was mainstreamed and now there are just so many differences?
<elvishjerricco>
pareidolia: Someone's going to have to show up with one. But you're not the only one who will have this issue, so I'd rather fix it
<elvishjerricco>
dhess: The latter. The reunification branch of reflex-platform is the attempt to switch to the upstream stuff
<elvishjerricco>
And it's just a lot of work
<dhess>
right
<dhess>
technical debt :(
<elvishjerricco>
Plus there's a ton of other things that it does that also need updating
<elvishjerricco>
pareidolia: Is it the why-depends command or the nix-instantiate command that's hanging?
<dhess>
elvishjerricco: are you using reflex-platform commercially?
<elvishjerricco>
dhess: My company is, yea
<elvishjerricco>
er
<dhess>
interesting.
<elvishjerricco>
the company i work for
<elvishjerricco>
Formation AI
<elvishjerricco>
(I do not own Formation AI :P)
<srhb>
elvishjerricco: ;P
<elvishjerricco>
dhess: But even the team using it isn't using it wholesale. Just pulling bits and pieces, since they only care about the GHCJS build
orivej has joined #nixos
<elvishjerricco>
pareidolia: Oh
<elvishjerricco>
I just had a silly simple idea
<elvishjerricco>
What's the error message about the wrong hash? We can use the expected hash to grep the source code of nixpkgs for the package definition
<clever>
it should be using fetchpatch, not fetchurl
<elvishjerricco>
clever: Yea, I guess gitlab changed their patch format/
<elvishjerricco>
?
<clever>
yeah, thats likely it
<pareidolia>
So I do git checkout 6a3f5bcb
fragamus has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<pareidolia>
I change fetchurl to fetchpath
astronavt has joined #nixos
<clever>
the hash will also need to be updated, and then it should build
<clever>
fetchpatch will normalize the patch to prevent this kind of issue from occuring again
astronavt has quit [Max SendQ exceeded]
<pareidolia>
Can I just do a nix-prefetch-url ?
<elvishjerricco>
Hm
<gchristensen>
no
<elvishjerricco>
That derivation builds fine for me though
<clever>
nix-prefetch-url cant normalize the patch
<gchristensen>
,tofu pareidolia
<{^_^}>
pareidolia: To get a sha256 hash of a new source, you can use the Trust On First Use model: use probably-wrong hash (for example: 0000000000000000000000000000000000000000000000000000) then replace it with the correct hash Nix expected.
<elvishjerricco>
No I think there might be something else at play here... I am able to build that derivation exactly...
<elvishjerricco>
pareidolia: At this point I think it's easier (and more trustworthy than random ole elvishjerricco's binaries :P) to just change the hash and build off your checkout
<gchristensen>
no, since it is rpi2
<pareidolia>
But it's just a patch
<pareidolia>
I can get just the patch right?
<elvishjerricco>
gchristensen: Shouldn't they still be getting the binary from cache.nixos.org anyway, since it's a fixed output derivation?
<elvishjerricco>
Or does the arm SD image not use that cache?
kp__ has quit [Quit: WeeChat 2.2]
<elvishjerricco>
Also, how can I force Nix to try rebuilding this derivation not from the cache?
<elvishjerricco>
--no-substitute, duh.
<gchristensen>
(1) I don't know (2) I dn't think so because preferLocalBuild = true;
<elvishjerricco>
gchristensen: Weird. It grabbed that derivation from the nixos cache for me... I had to do --no-substitute to get the same build failure
<gchristensen>
so nix won't check but evidently hydra publishes it anyway
<gchristensen>
so maybe pareidolia can nix-store -r it
mayhewluke has quit [Ping timeout: 246 seconds]
<clever>
elvishjerricco: if you can get it from both the cache, and the failed path, try to diff them, confirm what has changed
<elvishjerricco>
gchristensen: ... but it did check for me. That's where I got it from :P
<pareidolia>
I'm the only one getting this problem because the rpi cache lacking the file forces me to fetch it from the originating url instead of cache.nixos.org
<elvishjerricco>
pareidolia: I guess. Does your system not use cache.nixos.org?
<clever>
pareidolia: grep subs /etc/nix/nix.conf
<gchristensen>
no, the derivation is marked as prefer local build so it doesn't look in caches for it
<elvishjerricco>
gchristensen: But it actually did for me
<clever>
pareidolia: adding cache.nixos.org to that may prevent the issue
<gchristensen>
you didn't try to build it, you skipped the evaluation step
<elvishjerricco>
gchristensen: Nope. I did `nix-build . -A networkmanager.patches`
<gchristensen>
preferLocalBuild is eval-time, nix has no idea how you decided o look for that store pathjust that you want it.
<gchristensen>
bizarre
<clever>
yeah
<pareidolia>
Maybe I should have just gotten a Rpi3 and have saved a lot of time on aarch64
<elvishjerricco>
Is this a bug in Nix then?
<pareidolia>
Because that one is compiled on Hydra right?
<pareidolia>
I'm downloading a lot of patches right now doing the rebuild, and so far so good
<{^_^}>
[nixpkgs] @catern opened pull request #48022 → pythonPackages.mypy_extensions: use typing from stdlib on >=3.5 → https://git.io/fxsFa
<gchristensen>
hydra builds for aarch64
<dhess>
pareidolia: I had a similar "come to Jesus" moment with my BeagleBone Black devices. They are so nice, but compiling for armv7l is sooo painful
<pareidolia>
"come to Jesus" ?
<pareidolia>
I'm going to save a log of this convo and keep a note of all these magical comands
siers has quit [Ping timeout: 252 seconds]
<elvishjerricco>
I'm going to go fix that patch expression :P
<dhess>
pareidolia: sorry, it's a common (American?) English expression, similar to, "saw the light."
<dhess>
yeah that's a better definition :) I didn't include the "unpleasant" connotation in my definition.
<dhess>
anyway, point is, I eventually just moved everything to aarch64, even though I like some of the armv7l hardware better.
<pareidolia>
Ok, I'm compiling all sorts of stuff now
<gchristensen>
it is much easier to get good (read: big) build hw for aarch64 anyway
<pareidolia>
Is probably going to take a long time, but since I'm on 18.09 I probably should have better cache availability than unstable
<dhess>
gchristensen: I wish it were cheaper! Sort of strange that it hasn't been commoditized yet. I suspect some of these OEMs thought there would be more interest from server/datacenter folks that hasn't materialized.
<gchristensen>
is there any cache for rpi2 at all?
<dhess>
gchristensen: Dezgeg's ?
<elvishjerricco>
gchristensen: I think they're using Dezgeg's cache
<pareidolia>
Seems so
<gchristensen>
ah...
<elvishjerricco>
Dunno how populated that is though
<dhess>
hey speaking of caches, anyone here using Cachix?
jackdk has joined #nixos
<gchristensen>
dhess: yeah big money there to get aarch64 hw. I think they are finding big users in DCs but you don't hear about them
Ericson2314 has quit [Ping timeout: 260 seconds]
<bgamari>
oh dear
<bgamari>
has anyone seen this before: sudo: /run/current-system/sw/bin/sudo must be owned by uid 0 and have the setuid bit set ?
<dhess>
gchristensen: I would so so like one of my own, but damn it's hard to justify the cost.
<dhess>
that community builder is great! But there are a few packages I don't want to be building on it.
Ariakenom has quit [Read error: Connection reset by peer]
<gchristensen>
dhess: you can rent it for a couple hours?
<dhess>
but it's so much faster than my Jetson TX1 was, even for a single thread
<bgamari>
indeed somehow sudo doesn't have the setuid bit set
<dhess>
gchristensen: I'm running a bunch of CIs. It's not really practical to spin it up and then spin it down on demand
<dhess>
not with Hydra anyway
<clever>
bgamari: you need the sudo in /run/wrappers/bin
<dhess>
If it were possible to do that with Hydra I might look into it.
<pareidolia>
Anyway, thanks people!
<srhb>
bgamari: Only seen it with manual installs of sudo rather than security.sudo.enable, which would indeed break..
<dhess>
(I think there is something to do that with EC2 instances)
alex`` has quit [Quit: WeeChat 2.2]
<gchristensen>
dhess: yeah, and some work to mke hydra do it for Packet... but nothing done enough to share..
<dhess>
gchristensen: sorry, couldn't parse that. You mean you've got something like that working for the Packet aarch64 boxes?
<dhess>
behind closed doors?
<gchristensen>
not working, no, but no reason Packet couldn't be spun up & down dynamically using the spot market + user data to have it apply the customization automatically on boot.
fendor has quit [Quit: Leaving]
<{^_^}>
[nixpkgs] @ElvishJerricco opened pull request #48023 → Fix NetworkManager patches with fetchpatch and updated hashes → https://git.io/fxsbm
<gchristensen>
^ this repo is being updated to be more clearly user-facing and not hacker-facing
<dhess>
that's a pretty good idea to put a configuration.nix on a public URI somewhere!
<gchristensen>
note the intallation proces will not fetch the data from that URL, you have to copy-paste the contents in
<dhess>
yeah, got it.
<bgamari>
clever, srhb, strangely enough, it only appears broken in my X session
<dhess>
thanks for the pointer to the repo. I'll take a look at it. I think I'll need something kind of aarch64 auto-provisioner in the next couple of months.
<dhess>
/something/some/
<bgamari>
running sudo from another session in a VT works fine
<elvishjerricco>
bgamari: is `/run/wrappers/bin` on your path in the X session?
<gchristensen>
dhess: you don't need that repo btw
<gchristensen>
that repo is how I build the installers which Paceket.net then takes from me and deploys in their datacenter, to use when someone requests a nixos server
<jackdk>
how do people store secrets in a hydra setup? I am trying to set up CI against a non-public repo
<dhess>
gchristensen: right, got it
<dhess>
jackdk: I deploy my Hydra servers with NixOps, and I use NixOps's deployment.keys support to deploy the secrets to it.
jb55 has joined #nixos
<jackdk>
Interesting idea but I don't think I'll be able to do that - I don't have control over the hydra box, just an account
<gchristensen>
with jst an accont you can't do anything
<dhess>
I think in that case it won't be possible to do what you want, unless you can convince the Hydra owners to install the SSH key that Hydra needs to pull from your non-public repo.
<dhess>
and personally, I wouldn't be comfortable with that for other reasons :)
<dhess>
unless it's your company's Hydra or something and this is for company work
<jackdk>
that's basically the scenario - company hydra, company work
<dhess>
in that case, just ask the admins to install the private SSH key(s) you need for the repo(s) you need to pull
<dhess>
you'll need to put it in ~hydra/.ssh/id_ed25519 or whatever. Probably a good idea to make a private key dedicated to the Hydra rather than using your personal one, since this will be visible to other folks