<clever>
ivan: basically, once you have nix installed in the rescue environment, you can use this to copy to /mnt/nix/store on a remote machine, over ssh
<aoeu>
PyroLagus: yep each user owns their own nfs folder which is mounted at /users/home or whatever macos has
m0rphism has quit [Ping timeout: 268 seconds]
lovesegfault has joined #nixos
<clever>
ivan: the main benefit over your tar idea, is that it can deal with a nix store already existing there, and do an incremental copy, and merge things in, if that happens to be needed
<clever>
ivan: and just being able to skip creating a tar
o1lo01ol1o has quit [Remote host closed the connection]
<ashkitten>
clever: possibly! we shall see
polmaan has quit [Excess Flood]
<clever>
ashkitten: i recently discovered, that you can `exit` when at the grub command prompt, and the bios will treat that as the drive being non-bootable
<ashkitten>
i'd like to hopefully get this done today so i can have my mastodon instance back up and such
<ashkitten>
huh
<clever>
ashkitten: and it will then try the next device in your boot order
<{^_^}>
[nixpkgs] @BadDecisionsAlex opened pull request #63545 → pythonPackages.{hiredis,aioredis,channels_redis,django-crispy-forms,django-filter}: init; Added baddecisionsalex to main… → https://git.io/fjVV5
<ashkitten>
i'm using kimsufi, i hope that's the same as the other ovh dedi hosts
o1lo01ol1o has joined #nixos
<clever>
ashkitten: I've got a soyoustart machine, but I've yet to migrate it to nixos
jgt has quit [Ping timeout: 252 seconds]
* monokrome
throws tomatoes at xrandr
<ashkitten>
i looked at soyoustart but everything there was out of my price range and i don't actually have any concrete plans for what i want to do with the thing, i ended up getting the $30/month one on kimsufi because it was the only one available with redundant disks in canada
<clever>
ashkitten: but even if you do forget, it's using a delayed shutdown, which alerts to every console, and you can `shutdown -c` to cancel it, 5 minute warning period
<ashkitten>
thank you
endformationage has quit [Ping timeout: 268 seconds]
o1lo01ol1o has quit [Remote host closed the connection]
<clever>
ashkitten: this puts the entire nixos installer in /boot/ and adds a grub entry for it
<clever>
ashkitten: it uses the exact same type of kernel+initrd you're booting with kexec
<clever>
so it's just as fat
<clever>
would your tar fit into a 500mb /boot/ ?
ajs124 has joined #nixos
<ashkitten>
clever: on my desktop i have a 4 gig /boot because i was planning on having several recovery isos i could loop-mount in grub and boot if needed
<ashkitten>
never got around to doing that
<clever>
ashkitten: ah, this works even without loop-mount
<ashkitten>
but the rest is less than 100mb
<clever>
ashkitten: the entire rootfs is a single file inside the initrd
<ashkitten>
anyways idk what im doing exactly
<ashkitten>
what should i do to get this system off the ground to start
<clever>
ashkitten: you'll mostly want to read the generated justdoit script, and use it as a guide on how to install nixos with zfs
<clever>
ashkitten: main one is to find the block or io size for your disk, fdisk -l /dev/sda should show it
selfsymmetric-mu has joined #nixos
<ashkitten>
clever: alright, i feel like there were more especially for linux hosts
<adamantium>
k
<adamantium>
argh
<clever>
ashkitten: ashift is about the only one i ever set
<ashkitten>
okay
drakonis has joined #nixos
selfsymmetric-mu has left #nixos ["gone to the land of dead hiccups and extinguished light bulbs"]
psque has quit [Ping timeout: 268 seconds]
<Shados>
ashkitten: compression=lz4, xattr=sa, acltype=posixacl, optionally atime=off (or relatime=on otherwise). Build the pool, then use fio to benchmark various use-cases. Then repeat that for a whole range of ashift and recordsize values, analyse the results, and pick something that fits your workload :p. The reported physical sector size usually corresponds to the best ashift, but not always. Especially on flash devices.
<Shados>
But yeah, those are dataset options aside from ashift
drakonis1 has joined #nixos
<clever>
Shados: oh, xattr=sa looks nice
<Shados>
Yeah. It is.
drakonis_ has quit [Ping timeout: 250 seconds]
<adamantium>
normalization=formD
<adamantium>
ashift=12
<adamantium>
i set those with the before mentioned.
<{^_^}>
[nixpkgs] @jonringer opened pull request #63548 → pythonPackages.imgaug: mark as broken → https://git.io/fjVw2
<Shados>
I think you do get a potential perf loss in cases where your xattrs on a file are >64K total, due to indirection, but if you have a use-case where that is common I assume you know what you are doing (or you really, really don't and nothing can save you)
lovesegfault has quit [Ping timeout: 252 seconds]
XMatrix has quit [Read error: Connection reset by peer]
<Shados>
adamantium: Huh. Didn't know systemd used acls for that. Never ran into the problem because I was already configuring my pools with posixacl from before I used NixOS...
justanotheruser has joined #nixos
<clever>
i always have a `sudo -i` open, and switch to that tab in screen if i get any permission errors
kvda has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<adamantium>
Shados: yes, lol. One time IIRC I was looking at journalctl and noticed some weird errors. So after that I googled, found that bug, and always just turned on posixacl for my pools and never looked again
<clever>
Shados: `Consider setting dnodesize to auto if the dataset uses the xattr=sa property setting and the workload makes heavy use of extended attributes.`
fusion809 has quit [Remote host closed the connection]
<adamantium>
clever: do you use kexec with zfs?
fusion809 has joined #nixos
<clever>
adamantium: i mostly use kexec on systems that are about to be wiped, and then use zfs within the kexec image, as i format the disk
growpotkin has quit [Remote host closed the connection]
<adamantium>
I was just trying to imagine a zfs server that never needed to be "rebooted"
<clever>
adamantium: ah, i mostly just use `kexec -e`, which triggers an improper shutdown of the current os
<clever>
adamantium: i believe you can also `systemctl kexec` to do a clean shutdown, and then execute at the end
<ashkitten>
hmm
<clever>
but I've not tested it much, and that relies on you already having systemd on the host
<ashkitten>
i feel like i don't need swap, but someone will probably tell me i'll be sorry without it
trevorriles has joined #nixos
<clever>
ashkitten: i have 64gig of swap on my desktop, and am currently using 49gig of it.....
<ashkitten>
yeah but will 2 gigs of swap really help in that case
<adamantium>
I have been swapless for over a year with my zfs workstations
<adamantium>
if it was a server, i'd do it for good measure, though .. :)
<ashkitten>
idk!
<ashkitten>
also this is a disk based system soooo
<ashkitten>
anyways, who wants to name this server
<jackdk>
"steve"
<Shados>
clever: Interesting, although I'm certain I don't qualify for "heavy use" haha
<clever>
ashkitten: aha, the "memory footprint" according to chrome's task manager, is not the RSS usage!
<clever>
the pid managing a single instance of slack, is only using 156mb of ram, and 2gig of swap, but chrome claims it's using 2.2gig of "memory"
<clever>
chrome also says that it's using 2gig of JS memory!
<Shados>
ashkitten: you can run OK w/o swap. TBH having swap causes more issues than not having it causes, in my experience.
<clever>
and simply hitting refresh makes it drop off so much i can't find it now
<Shados>
clever: ...so slack has a leak? Or something that shouldn't be a leak, but effectively is because chrome doesn't reclaim that memory until something like a page change?
<clever>
the weirdest part, is that the 2 slacks i use the least, were using the most ram
<clever>
and the most active slack, isn't even visible in the first page of the memory usage
rprije has joined #nixos
<clever>
Shados: i think slack keeps the scrollback history loaded, I've noticed in a free slack, that my desktop can see back going weeks, but my laptop can't even see a single msg, due to the free msg cut-off
<Church->
Huh this the web app or?
<clever>
Church-: the web app
<Church->
I've never had a prob with the non-electron client
<Church->
Huh...
kvda has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
jgt has joined #nixos
jgt has quit [Ping timeout: 258 seconds]
<addfjhsd>
Hi, I'm using nixops. Is there a way to set up my /var directory (I need to send/receive email) in my nix file?
<ashkitten>
sure wish i had a serial console view in the kimsufi dashboard...
<samueldr>
(though not that hard to do) I don't think we have a script that, given a derivation, lists all derivations it depends on, including build, and all metadata, right?
<samueldr>
the main scenario being license compliance or security overview
<ldlework>
i have `config.nixpkgs.config.allowUnfree = true;` in my config, yet i can't `nix-env -i vscode`
<tilpner>
,-A
<tilpner>
ldlework: Use -iA nixpkgs.vscode or -iA nixos.vscode
yili has joined #nixos
<yili>
hey all
<yili>
are there any rand functions in the default nixos packages?
<yili>
specifically, i'd like to be able to generate random strings
<simpson>
yili: For what purpose? Usually I need something password-like, so I'd reach for something like apg.
<yili>
that's exactly what i need
<yili>
for cases where i've got a frontend/backend that need a shared password...i don't want to store the password in my nix files (which are checked in to version control)
<yili>
i don't actually _care_ what the password is
<yili>
so the ideal solution seems to be: generate a random password at build time and embed it in the configs where necessary
<simpson>
Aha, fun. That sounds workable.
<yili>
but i don't see any random functions in nix :/
<yili>
i can understand why, it kind of runs against the idea of repeatable builds for most uses
<simpson>
Could you pass in the password as an argument with --arg or --argstr?
<yili>
but in this specific case it doesn't seem to me like it would hurt, and it would help (because i could check my nix code in with no worries)
<yili>
ooh, i didn't know about that...that might work
<ldlework>
tilpner: that gives me the same error about unfree... when i add it to my system.environmentPackages or my home.packages i get a new generation but no vscode... it's like it doesn't even download it
Yakulu has joined #nixos
[Leary] has joined #nixos
Lears has quit [Ping timeout: 245 seconds]
<ashkitten>
i'm trying to test my nixos install by booting it through qemu since kimsufi doesn't give me any video output monitor or whatever, but the only output i'm getting over qemu serial is "Booting from Hard Disk..." and then "GRUB" and then it seems to not do anything more
ajirx has joined #nixos
<ldlework>
oh god
<ldlework>
the binary is called "code"
<adamantium>
lol
jgt has joined #nixos
Rusty1 has quit [Quit: Konversation terminated!]
<zacts>
lol
fusion809 has quit [Remote host closed the connection]
orivej has joined #nixos
jgt has quit [Ping timeout: 252 seconds]
endformationage has quit [Ping timeout: 246 seconds]
wfranzini has quit [Remote host closed the connection]
o1lo01ol1o has joined #nixos
orivej has quit [Ping timeout: 268 seconds]
<tilpner>
ldlework: Use cd $(nix-build --no-out-link '<nixpkgs>' -A foo) to inspect the output of a package
<clacke_movim>
samueldr: nixos-unstable has a smaller gate set of packages than nixpkgs-unstable?
<tilpner>
clacke_movim: Not necessarily smaller, but different
bgamari_ has quit [Ping timeout: 252 seconds]
<tilpner>
clacke_movim: nixpkgs-unstable is the only officially supported Darwin channel AFAIK, so it needs to block on Darwin failures, while nixos-unstable doesn't care about those
<clacke_movim>
Ah, makes sense
<ldlework>
i'm pretty sure i will never get a .NET Core development environment working on nixos
<mdash>
ldlework: why so pessimistic
<clacke_movim>
Different criteria, and maybe neither is a subset of the other
<ldlework>
well i try every few months, that seems optimistic
<mdash>
never is a long time
<clacke_movim>
And then there's also the -small channels
<ldlework>
'in time before i completely give up'
<zacts>
ldlework: I got vscode working
o1lo01ol1o has quit [Ping timeout: 268 seconds]
<ldlework>
zacts: that's easy -- i was just running the wrong binary
<zacts>
I did it via nix-env
<zacts>
ok
<clacke_movim>
When reactOS started I was pretty sure they would never be a working alternative to Windows
<ldlework>
now compile C# over .NET core
<ldlework>
using VSCode
<zacts>
ok
<ldlework>
/home/ldlework/.vscode/extensions/ms-vscode.csharp-1.20.0/.omnisharp/1.32.20/run: line 27: /home/ldlework/.vscode/extensions/ms-vscode.csharp-1.20.0/.omnisharp/1.32.20/bin/mono: No such file or directory
<zacts>
looks like VSCode supports Haskell which is neat
<zacts>
anyway
<clacke_movim>
20 years later I have realized that a century from now, reactOS will be the only working Windows. :-D
<ldlework>
zacts: does VSCode support haskell in the places that nixos puts it though
<zacts>
ldlework: don't know quite yet
<zacts>
I'll try it out
<zacts>
I have to go to bed soon though.
<ldlework>
i'm just gonna use my windows machine
<clacke_movim>
ldlework: I would have expected vscode to be the kind of thing that would run reasonably well under wine?
<ldlework>
the problem is not using vscode, but .net core tooling through it, or at all really
<clacke_movim>
Not that native (whatever that means, as we're talking a CLR IDE written in JS and HTML) isn't preferable
<ldlework>
id just compile in docker but the whole point is that sweet sweet intellisense
<clacke_movim>
Ah, I guess VSCode that thinks it is running in Windows would like to use MS csc rather than mono. And that would be less surprising if it has wine issues.
<ldlework>
sick of using my windows gaming machine for dev tho hehe
<clacke_movim>
Yeah, it's always nice to be able to use a professional OS rather than a gaming platform ;-)
mexisme_ has joined #nixos
<ldlework>
i suspect more professionals use windows than nixos but that's neither here nor there
sdfs has joined #nixos
sdfs has quit [Client Quit]
hmpffff has joined #nixos
<ldlework>
kuznero[m]: have you gotten .net core development working for you on NixOS?
<{^_^}>
[nixpkgs] @doronbehar opened pull request #63552 → Add Go package pdfcpu → https://git.io/fjVoB
<kuznero[m]>
ldlework: I switched away from dotnet quite long time ago. But it was working then if I remember right.
<ldlework>
Microsoft.Build.Exceptions.InvalidProjectFileException: The imported project "/nix/store/hq229p9rjhssracwbmc7wvipnj2mz5xz-mono-5.16.0.220/lib/mono/xbuild/15.0/Microsoft.Common.props" was not found. Confirm that the path in the <Import> declaration is correct, and that the file exists on disk. /nix/store/bkrkm7fia7f3vfjk7j9hplag9r7l4bp9-dotnet-sdk-2.2.103/sdk/2.2.103/Sdks/Microsoft.NET.Sdk/Sdk/Sdk.props
jgt has quit [Ping timeout: 258 seconds]
<ldlework>
doh
<{^_^}>
[nixpkgs] @vcunat opened pull request #63555 → gnumeric: try fixing darwin build by upstream patch → https://git.io/fjVo2
<ldlework>
hmm i updated to the latest mono and the same issue
<ldlework>
missing Microsoft.Common.props
vmandela has quit [Quit: Leaving]
<ldlework>
rizary: you around?
vmandela has joined #nixos
jbgi_ has joined #nixos
bgamari has joined #nixos
ambro718 has joined #nixos
hoijui has joined #nixos
MichaelRaskin has quit [Ping timeout: 258 seconds]
<ldlework>
Well. I'm seemingly able to compile C# apps from the command-line. Same problem as above though when using Omnisharp. I even installed the Omnisharp-roslyn from nixpkgs
hyper_ch has quit [Read error: Connection reset by peer]
drakonis1 has quit [Quit: WeeChat 2.5]
mkoenig has quit [Ping timeout: 248 seconds]
mkoenig has joined #nixos
Yakulu has left #nixos ["Disconnected: Replaced by new connection"]
Yakulu has joined #nixos
<ldlework>
Well... Omnisharp wont load my project due to the above error, but it seems like it presses ahead and just loads each file individually. I'm not sure how well that will work, but by configuring a custom build-task to use the nix dotnet command it seems I have some Intellisense and the ability to compile and run.
<johanot>
how does wrapPythonPackages "know" which dependencies to include on path for the wrapped program? Is that "just" what's on $PYTHONPATH in the build env?
stranger___ has quit [Quit: Connection closed for inactivity]
ericsagnes has quit [Ping timeout: 258 seconds]
<gchristensen>
balsoft[m]: yay :)
ilmu has joined #nixos
grumble is now known as blockchain
veske has joined #nixos
ericsagnes has joined #nixos
<ashkitten>
how can i get a virtual serial terminal to attach qemu to? i tried just giving it another pty which works for output but the shell running in said pty still captures input so idk how to get like, a character device with no shell running basically
pbb has joined #nixos
pie__ has quit [Ping timeout: 258 seconds]
linarcx has joined #nixos
<ashkitten>
i think i can use socat to create a pair of pty devices and attach qemu to one end and screen to the other?
<{^_^}>
[nixpkgs] @IvanMalison opened pull request #63558 → Set taffybar version for now → https://git.io/fjV6g
<cocreature>
Is there an easy way to get a newer version of the macos SDK on nixos 19.03? It still seems to use 10.10 whereas I need a newer version. It looks like unstable has 10.12 which should be new enough but the patches seem to have fairly wide-reaching implications so I’m not sure how realistic a backport is
jasongrossman has quit [Remote host closed the connection]
hoijui has quit [Quit: Leaving]
<ashkitten>
i see
<ashkitten>
`socat pty,raw,echo=0 pty,raw,echo=0`
<ashkitten>
creates 2 linked pty devices that i can connect each end to the appropriate program
thc202 has joined #nixos
Shoubit has joined #nixos
Shoubit has quit [Client Quit]
Shoubit has joined #nixos
<Izorkin>
Shados: found new error in prosody, please help to fix error - error work packages LuaExpat
adamantium has quit [Ping timeout: 252 seconds]
m0rphism has joined #nixos
<ldlework>
huh. rider "just works" for like.. everything .net
ajirx has quit [Remote host closed the connection]
Synthetica has joined #nixos
nikivi has joined #nixos
turion has joined #nixos
Tucky has joined #nixos
sigmundv has joined #nixos
jfroche has joined #nixos
<zacts>
can I copy over downloaded nix packages to another computer?
<wucke13>
When running a build command in a nix-shell, the compiler fails with "impure path `/home/wucke13/... used in link". I guess the nix-shell is setting something which alters the compiler's behaviour. What could it be?
<Taneb>
gchristensen: it seems to be a problem with some DNSs. I've had to "fix" the issue in the office by making nixos.org resolve through a different DNS server
<johanot>
yeah, did the same.
<gchristensen>
people where it is down: where are you? and, what is your upstream DNS server's IP?
<gchristensen>
I don't think we can actually do anything, since DNS takes a long time to switch to a different provider
<gchristensen>
so I think the only thing we can do would be protect from a "next time"
<betaboon_>
translation of that twitter post regarding uniteddomains: "There are disruptions on several ISPs and there is a DDoS-attack on parts of our infrastructure. Therefore several services are not reachable from some networks. we are working on a solution. we apologize for limited reachability"
<palo>
nh2[m]: true, I will merge it before sunday. github is just a CDN for me, you will see the pull-request merged, when I do a new release, which I'm intending to do this weekend.
<nh2[m]>
palo: awesome! terranix is super useful for me btw, I've already infrastructure-as-code'd a lot of our stuff yesterday night because of it :)
ajirx has quit [Ping timeout: 245 seconds]
<palo>
nh2[m]: sweet! that is good to hear
<betaboon>
still have to get around to try terranix :)
<palo>
nh2[m]: do you use terraform 0.12 ?
<nh2[m]>
palo: yes
<palo>
betaboon: I'm creating these examples to make the start easier.
<palo>
nh2[m]: kewl I'm still on 0.11.x but when it works on 0.12 then they just changed their hcl parser :D
<nh2[m]>
betaboon: it is ultra easy if you know terraform, just "better" syntax where you can use `map` and stuff
ericsagnes has quit [Ping timeout: 268 seconds]
<palo>
yeah it's meant for people who know terraform and felt the pain of hcl
cfricke has joined #nixos
<palo>
(and know the nix language)
<betaboon>
I'm currently using nixops. at some point i will have to experiment with terraform and therefore try terranix :)
<nh2[m]>
palo: the examples need one that reminds you to escape the dollar $ when you want terraform string interpolation instead of nix variables
<palo>
betaboon: sure, no rush. btw terraform is not only to create machines. It is an "API provisioner", for example to configure your github account.
<karetsu>
as a lay-person, what are the big differences between them? My work are moving toward this kind of deployment type (not that I have any say in it, not my job)
<nh2[m]>
betaboon: I am also using nixops, and plan to continue to do so. I use terranix for the stuff that nixops can't manage, like Route53 health checks, CloudWatch alarms, StatusCake tests and so on
<palo>
nh2[m]: I wanted to put that in the readme.
<palo>
but I see I have no task about this topic, .... created
__monty__ has quit [Quit: Restarting irssi to check locale issues.]
__monty__ has joined #nixos
<palo>
karetsu: hcl and terranix generate json, which is interpreted by terraform. (this is not entirely true, but helps to compare them). And hcl is nothing more than a convenient json generator, while terranix can use the nixos module system.
<karetsu>
and these json would be interpreted in the same kind of way nixops would read the nix version?
<palo>
nh2[m]: btw in terranix there is no possibility to use "terraform-modules" Do you think that is needed?
ajirx has joined #nixos
<palo>
karetsu: I don't know how nixops is doing stuff under the hood, but I guess they generated json instead of hcl, iff they are using terraform in the background.
<palo>
but of course you can use the nixos module system.
Neo-- has joined #nixos
<nh2[m]>
palo: why is that, is module+source not supported in terraform's JSON language? Or do you mean you can't point it at a nix file?
<palo>
I think I will put the terraform-modules in there. sometimes situations are crazy and dirty hacks are not a good thing. (for example you could do that module stuff in a hcl file in the same folder, but this is not nice)
<palo>
nh2[m]: I did not put it in there, because I had not time so far (it needs to be tested and all)
<palo>
I will do this in the next release (most likely on sunday)
justanotheruser has quit [Ping timeout: 248 seconds]
<nh2[m]>
palo: still don't understand, doesn't it 1:1 translate the nix to json in that case?
silver has joined #nixos
gratto has quit [Read error: Connection reset by peer]
<palo>
I guess so, but I did not test it yet. I guess back then I tried to autogenerate all providers and this one was too complicated and then I just forgot it.
<{^_^}>
[nixpkgs] @Shados opened pull request #63566 → luaPackages.luaexpat: Downgrade to fix prosody issue and match typical distros → https://git.io/fjVDy
fnords has joined #nixos
<{^_^}>
[nixpkgs] @knl opened pull request #63567 → (backport) fswatch: Enable FSEvents API on Darwin → https://git.io/fjVDS
<infinisil>
alex``: SDK = software development kit, there's about a million SDK's out there, you gotta be a bit more specific
<kisik21>
Ok so... I want to build my Java program with nix. I'm using nix to wrap gradle, but... dependencies. Normally gradle downloads dependencies from the internet, which is really useful. However, the nix environment is fully sandboxed. How can I provide dependencies to gradle in the nix way?
<kisik21>
Suggestions to replace gradle with something else are accepted too :3
<kisik21>
Taneb: I did. It doesn't touch that topic.
<kisik21>
I actually set my Nix build file using that manual. And when I used no dependencies it worked fairly well :3
andi- has quit [Quit: WeeChat 2.5]
<Taneb>
Ah, I'm sorry I can't help beyond that
<kisik21>
It's ok, not everyone is a Java person :3
<kisik21>
I'm personally more of a Python coder
<kisik21>
and Python support in Nixpkgs is awesome
<__monty__>
,ifd
<{^_^}>
import-from-derivation (IFD) is when you evaluate nix from a derivation result, for example `import (pkgs.writeText "n" "1 + 1")` will evaluate to 2. This is sometimes problematic because it requires evaluating some, building some, and then evaluating the build result.
dansho has quit [Quit: Leaving]
fusion809 has joined #nixos
Ariakenom has joined #nixos
andi- has joined #nixos
inquisitiv3 has quit [Remote host closed the connection]
inquisitiv3 has joined #nixos
xkapastel has quit [Quit: Connection closed for inactivity]
domogled has joined #nixos
knupfer has joined #nixos
IRCsum has joined #nixos
alp has quit [Ping timeout: 258 seconds]
<{^_^}>
[nix] @edolstra merged pull request #2963 → Nix uses the CPP SDK, not Java → https://git.io/fjVDZ
jasongrossman has quit [Ping timeout: 245 seconds]
BoipiSigre has joined #nixos
knupfer has quit [Remote host closed the connection]
<Okinan>
Hello, so uh, I have a potentially huge refactor and rebuild of nixpkgs due to a potential vulnerability with fetchFromGitHub, not really sure what's the best way to approach this, could some of the devs here look at nixpkgs/issues/63564?
civodul has quit [Ping timeout: 258 seconds]
<simpson>
Okinan: What's your actual threat model? Who is attacking, and what would they do?
ThatDocsLady has joined #nixos
rauno has joined #nixos
<MichaelRaskin>
Let's make bot provide a summary… #63564
<clever>
Okinan: one problem i can see, is that you must unpack the zip, to check the hash, so you dont know if the hash is valid or not until after its unpacked
<Okinan>
My threat model isn't really relevant, but my ideas for this would be MITM and hacked cdn/website serving infected files
<clever>
Okinan: but this unpacking happens inside a nix sandbox, so it cant do much else
<clever>
Okinan: and if the hash is wrong, nix wont register the output as valid, so no other nix builds will ever make use of it
<Okinan>
Does that still apply with the stuff like meltdown or the various ryzenfall exploits? Remember, it would be unzip or tar or gzip potentially being exploited.
<clever>
Okinan: that same argument applies to curl itself and the entire ssl/tls layer
<simpson>
Okinan: Well, let's be concrete, since AFAIK fetchFromGitHub can only fetch from GH. The idea, then, is that somebody MITMs or hacks GH?
<clever>
simpson: nix disables CA checking when fetching, because it assumes the hash of the output is enough
<Okinan>
Unlikely, probably not even currently plausible, but very possible.
<simpson>
Okinan: Hm, wouldn't those be bugs in unzip then?
<clever>
simpson: so if you are in the right place on the network, you can mitm fetchFromGitHub
<Okinan>
Yes, but there's no reason to leave a glaring vulnerability or defective behavior unfixed either.
<simpson>
clever: That is a curious choice to make; were "encrypt everything" and "let's encrypt" not sufficient memes in this case? It seems strange to deliberately *avoid* doing TLS. But yeah, that's not as big of a deal as it could be.
<MichaelRaskin>
clever: wasn't the CA-check behaviour eventually changed?
<clever>
simpson: i think its more that we dont care about hiding what we download and ensuring the server is authentic, because we validate the result directly
<clever>
MichaelRaskin: *looks*
<simpson>
Okinan: What's the glaring vuln? Corrupted ZIP plus vuln in unzip leads to...? File system overuse? Nix sandbox break?
<simpson>
clever: Sure. The big reason to use TLS anyway is for the herd-immunity effects; our traffic is drops in the ocean of packets.
<Okinan>
Anyway, to clarify, the issue is that the archive is being opened by a program before ensuring the hash is correct, and that archive might have a zero day in it that is loaded through potentially buggy code in the program that's unpacking it.
<simpson>
Okinan: Do you have a PoC for this? This really *really* sounds unzip-oriented.
<clever>
MichaelRaskin: line 18 results in it ignoring all ssl errors
<MichaelRaskin>
I would bet that curl (that has to do TLS even if it doesn't check CA — or if it does, BGP attacks on LE _are_ feasible) is a larger problem than unzip
<LnL>
unpacking happens in a sandboxed and unprivileged process
jD91mZM2 has joined #nixos
<Okinan>
Please define PoC for me, I'm not aware of the meaning.
<MichaelRaskin>
clever: I remember trying to push for fixing that
d10n-work has joined #nixos
<clever>
Okinan: the hash is over the result of unpacking, so you cant verify the hash until after you unpack
<Okinan>
Yes, however you github offers other options for source.
<simpson>
Okinan: A "proof of concept", a chunk of code which demonstrates the vuln.
<Okinan>
So the idea is to have github get a tar.gz or so instead of zip, verify the hash, then open
<Okinan>
No, I don't.
<MichaelRaskin>
You cannot verify hash because GitHub cannot do deterministic archives
<MichaelRaskin>
I think there were problems with tarballs, too
<simpson>
I had thought that the same GH backend system produced tarballs and zipballs.
psyanticy has joined #nixos
<LnL>
fetchzip works for all archives, just has a bit of a confusing name
<clever>
simpson: github can produce both, but i dont think it does it deterministically
<clever>
simpson: so we must hash after unpacking
<simpson>
FWIW .gz headers can be zip-bombed as well, creating as much as 1GiB of garbage, IIUC, although I can't find a demonstration of the attack.
rauno has quit [Ping timeout: 252 seconds]
<clever>
and the problem remains, if the unpacked gets exploited
<clever>
simpson: http itself supports gzip encoding, so i could gz bomb you over a simple index.html
<simpson>
clever: Sure. But that's not a big deal, still, because unpacker bugs aren't necessarily security compromises.
<clever>
the Content-Encoding: header
<simpson>
Ha, nice.
<MichaelRaskin>
As for outright exploits, given that unpacking changes _very_ slowly, and actual fetching is _forced_ to use new and relatively little-tested code …
<clever>
nginx can also be configured to serve pre-gz'd content, and they claim its gzip'd, so the client decodes
<clever>
and the server saves cpu cycles
<simpson>
Oh, wait, you said "unpacked", not "unpacker". Like, if somebody slipstreams a vuln into the code being downloaded? *That* is guarded against by Nix-level hashes.
<clever>
simpson: i'm saying, if an exploit against unzip is inserted into the stream, you can exploit the nix builder, before the hash is validated
<clever>
simpson: and i already have working examples of getting a reverse shell from a fixed-output derivation
<simpson>
clever: Sure, but I'm suggesting that that be treated as a (critical, CVE-worthy) bug in unzip.
ThatDocsLady has quit [Quit: Leaving]
Ariakenom has quit [Quit: Leaving]
<clever>
simpson: yeah, i would also just fix unzip, rather than break fetchFromGithub globally
<simpson>
Okinan: This is why threat modelling is relevant. Are there other parts of your concern that we haven't covered yet?
IRCsum has quit [Remote host closed the connection]
<Okinan>
My concern is that unverified data is being loaded and transformed through any decompressor program.
IRCsum has joined #nixos
<clever>
Okinan: the only way to prevent that, is to convince github to make the zips deterministic
BoipiSigre has quit [Quit: Konversation terminated!]
srid63908 has quit [Read error: Connection reset by peer]
srid63908 has joined #nixos
<mpickering>
Does anyone use `language: nix` on travis? The performance is terrible for me. It takes 20x longer than on my local machine
<MichaelRaskin>
Okinan: does the fact that unverified data is processed by curl in the process of loading not concern you more?
<clever>
mpickering: i believe travis will automatically switch from containers to full VM's based on certain flags you set
<clever>
mpickering: and full VM's perform worse
<Okinan>
That might be a fight worth fighting, but for now, if we absolutely can't find a way to get deterministic zips/tarballs from github, perhaps we need to remove getting releases/archives from fetchGitHub, and instead only fetch the git and compile every time.
<clever>
mpickering: that can even happen if you put sudo anywhere in your script, and dont change any flags
<clever>
Okinan: pkgs.fetchgit had the exact same problem
<clever>
Okinan: you're cloning the entire git repo, and then getting the dir at a given rev
<clever>
Okinan: what if git has an exploit?
<Okinan>
AFAIK, fetchgit checks the sha256 before doing anything with it.
<mpickering>
clever: I thought they removed the sudo keyword
<clever>
Okinan: nope, it checks the hash after unpacking everything
<clever>
mpickering: this is different from the sudo flag, this is just a string search of sudo in your script!
<clever>
mpickering: it will silently enable sudo support if it thinks you're trying to use it
<Okinan>
That's a good point, I haven't looked at fetchgit.
<MichaelRaskin>
Git fetching is not deterministic as a whole
xok has joined #nixos
<xok>
hello all...
<Okinan>
hi
<xok>
in my configuration for nixops I want to use a boolean value...
ilmu has quit [Ping timeout: 245 seconds]
<xok>
I don't have problem passing the variable...
<xok>
I just don't know how to catch it...
domogled has quit [Quit: domogled]
<clever>
mpickering: and i discovered this, because the container and vm are different versions of ubuntu, and that broke nixops
<xok>
I've got something like this: enableACME = ${cfg.enableSSL};
<MichaelRaskin>
Okinan: the only safe way to fetch is unencrypted HTTP/FTP (or Gopher?) — old enough and simple enough to be implemented correctly and never touched without reason
<xok>
and the $cfg variable is declared like this: cfg = config.services.webapp;
<Okinan>
Anyway, so from what I can gather, the internet is a giant zeroday just waiting.
<xok>
can anyone help me figure out how to use boolean variables?...
<arianvp>
xok: could you post a full example?
<arianvp>
did you define an option for the enableSSL variable?
<xok>
the strings can be used with quotes : "${cfg.variable}" works...
<arianvp>
like, post it on gist.github.com
<MichaelRaskin>
Okinan: please read about BGP. It is not even zero day waiting to happen, it is a huge vulnerability being exploited in a well-known way that is not fixed
<mpickering>
clever: You don't happen to know if circle CI has similar issues?
<mpickering>
I tried removing the sudos now
<Okinan>
I haven't read this, thanks for telling me about it.
<clever>
mpickering: ive been using buildkite lately and it works great
<arianvp>
just do this : enableACME = cfg.enableSSL;
<arianvp>
instead of with ${} around it
<xok>
oh, that's awesome...
<mpickering>
clever: Thanks I will try that
<xok>
thanks a lot...
<Okinan>
Anyway, should I close the issue, or does anyone have any ideas on how to remedy this, if possible?
<mpickering>
Is there native nix support or is it container based?
<arianvp>
${} only works inside strings
<arianvp>
it's string interpolation syntax
<clever>
and with keys
<clever>
> let key = "foo"; in { ${key} = 42; }
<{^_^}>
{ foo = 42; }
<xok>
arianvp: thank you very much, it worked like a charm... 8-)
<arianvp>
clever: lol TIL
<arianvp>
I always write "${key}" = blah
<arianvp>
It also works in accessor syntax right? like blah.${lol}
<clever>
> let key = "foo"; set.foo = 42; in set.${key}
<{^_^}>
42
adfaure has joined #nixos
WizBright has quit [Ping timeout: 248 seconds]
WizBright has joined #nixos
<adfaure>
Hello, I am trying to understand the differences between packages and derivations. The first nix pill states that the difference is subtle without describing it :) Does someone have a clear definition please?
<__monty__>
adfaure: Not afaik. The term "package" isn't really a thing in nixpkgs.
<xok>
arianvp: can you help with lists too?..
<xok>
arianvp: imagine I have to pass virtual hosts to the web service which should be set up separately...
<__monty__>
adfaure: A derivation could build an entire development environment for example. It's hard to call that a "package". Similarly, a derivation could build an internal project dependency, hard to call that a "package" either.
<fendor>
,locate libpcre.so
<{^_^}>
Found in packages: pcre, pcre16, pcre-cpp, scilab-bin
<adfaure>
__monty__: Ok, thank you. So in short, a derivation is a build process for something, could be a package, a set of packages, a file etc
<__monty__>
adfaure: Basically, yes. AFAIUI at least.
<adfaure>
__monty__: Thank you !
<fendor>
i am trying to build a derivation that depends on libpcre. I tried it with buildInputs = [pcre]. Do I have to modify the LD_LIBRARY_PATH?
st4ll1 has joined #nixos
o1lo01ol1o has quit [Remote host closed the connection]
<romildo>
wxGTK31.override { withGtk2 = false; withWebKit = true; }; gives an error, while a similar override for wxGTK30 works? Is that a bug?
v0|d has joined #nixos
<romildo>
error: anonymous function at /alt/nixpkgs/pkgs/development/libraries/wxwidgets/3.1/default.nix:1:1 called with unexpected argument 'withGtk2', at /alt/nixpkgs/lib/customisation.nix:69:12
DerGuteMoritz has joined #nixos
zaphar_ps[m] has joined #nixos
Cale has joined #nixos
MayeulC_backup has joined #nixos
meck has joined #nixos
linarcx has joined #nixos
ubert has quit [Quit: Leaving]
m0rphism has quit [Quit: WeeChat 2.4]
m0rphism has joined #nixos
erasmas has quit [Quit: Lost terminal]
erasmas has joined #nixos
o1lo01ol1o has joined #nixos
o1lo01ol1o has quit [Remote host closed the connection]
o1lo01ol1o has joined #nixos
knupfer has quit [Remote host closed the connection]
knupfer has joined #nixos
<ashkitten>
clever: me @ kimsufi: hey i just want the dashboard to stop prompting me to install an os after i already have one its just not a templated os // them: hello, you can only install an os through our templates but if you get an ovh dedi you get a kvm to mount isos with
<ashkitten>
that's... not what i asked
<clever>
ashkitten: lol
<clever>
ashkitten: tell them that its already installed and to shut up, lol
<clever>
ashkitten: that reminds me, a few years ago at another datacenter, i was looking for an old server
<clever>
ashkitten: i had the ip, but couldnt remember if it had been terminated, or was on a 2nd account
<clever>
ashkitten: so i asked them via a support ticket
<clever>
the answer, is that for privacy reasons, they cant tell me what the ip is connected to
<clever>
however
<clever>
without telling me anything, they also rebooted every machine in my account, thinking it was connectivity problems and they were doing me a favor :P
<ashkitten>
wow
<mdash>
how helpful
orivej has quit [Ping timeout: 245 seconds]
<clever>
at the same datacenter, i had tried to install nixos in a vm, but the vm and baremetal machines had differing network setup, so bricked the guest
<clever>
when getting errors from them, i got back a screenshot of virtualbox running on windows, lol
<ashkitten>
pff
<clever>
so, i just whipped up a virtualbox disk image, with the fixes done, and sent them the whole disk image!
<ashkitten>
ahahaha
<clever>
after they installed it, they asked for the root pw, so they could login and fix /etc/networking/interfaces to match my static ip
<ashkitten>
what no
<clever>
then they realized, its already got the right ip....
<clever>
i was one step ahead of them :P
<clever>
also, its nixos, and the interfaces file doesnt do anything
<ashkitten>
this is why i wish i could have my own hardware
romildo has quit [Quit: Leaving]
<ashkitten>
alas, i don't have the money to buy a server better than what i could get from them
<ashkitten>
and it'd be $69.69 a month to rack it with my friend, which i don't want to do if i could get a decent server for half that with kimsufi
<ivan>
OVH did a motherboard swap on my soyoustart because I panicked my kernel with a buggy IO scheduler
<ivan>
then had to swap it again because they grabbed that one from their bad motherboard pile
<PyroLagus>
ashkitten: that's an oddly specific price
<ashkitten>
PyroLagus: that's the price she set
<PyroLagus>
lol
<ashkitten>
it's double nice
<clever>
ashkitten: every time i go to speedtest.net, damn
<clever>
ashkitten: the needle on the gauge just pegs, lol
<ashkitten>
clever: i have 250 down but only 15 up ;-;
<clever>
it reads from 0-100, it just slams into the end, and reads 500
o1lo01ol1o has quit [Remote host closed the connection]
o1lo01ol1o has joined #nixos
ashkitten has joined #nixos
o1lo01ol1o has quit [Remote host closed the connection]
ashkitten has quit [Client Quit]
<aminechikhaoui>
Hey, I'm seeing a weird behavior where the result partition of cryptsetup luksFormat is interpreted as an "atari" partition and thus the mkfs.* call after that fails
<aminechikhaoui>
some report similar issues in the internet where blkid can wrongly parse random data as "atari"
<aminechikhaoui>
did anyone see similar issues ?
<clever>
aminechikhaoui: there is wipefs to erase known signatures, and you can also just dd /dev/zero into the device to wipe it fully
hyper_ch has joined #nixos
<aminechikhaoui>
clever: yeah I was using nixops's auto-luks so it breaks deployments, I guess I can use formatOptions = "-f" but it's a weird issue
<clever>
aminechikhaoui: ahh
madjar has quit [Quit: Connection closed for inactivity]
<aminechikhaoui>
clever I want to understand the issue a bit tho', do you think luksFormat generates random data that somehow matched a signature of an "atari" partition
<clever>
aminechikhaoui: i believe luksformat just sets up the header, with a random encryption key, and your passphrase
<clever>
aminechikhaoui: and it then tries to decrypt whatever was already on the disk, using that key
<clever>
so the existing data, turns into random garbage after you decrypt it with the "wrong" key
<hyper_ch>
can't you just zfs send / recv the dead server?
gratto has joined #nixos
<clever>
hyper_ch: the irc server, not client
<clever>
hyper_ch: the initial failure was on freenode's end
<hyper_ch>
clever: and they don't use zfs? oO :)
<clever>
hyper_ch: the secondary failure is likely that the irc client doesnt reconnect right
fendor has joined #nixos
mexisme_ has quit [Ping timeout: 268 seconds]
psque has joined #nixos
<psque>
Which commands pay attention to `keep-outputs`? If `nix-store --gc --print-dead` says an output is dead, will the actual garbage collector collect it?
fenedor has joined #nixos
jbgi_ has joined #nixos
fendor has quit [Quit: Leaving]
mexisme_ has joined #nixos
zacts has quit [Quit: WeeChat 1.9.1]
DRW_ has joined #nixos
<DRW_>
I'd like to install ghcjs (a Haskell compiler). I can find it like this: 'nix-env -f '<nixpkgs>' -qaP -A haskell.compiler' but I can't figure out the syntax to install it. Can anyone provide the correct syntax?
zacts has joined #nixos
asheshambasta_m has quit [Quit: Leaving.]
xkapastel has quit [Quit: Connection closed for inactivity]
psyanticy has quit [Quit: Connection closed for inactivity]
shibboleth has joined #nixos
romildo has joined #nixos
cjpbirkbeck has quit [Quit: Quitting now.]
FRidh has quit [Quit: Konversation terminated!]
shibboleth has quit [Remote host closed the connection]
waleee-cl has joined #nixos
jgt has joined #nixos
<romildo>
I am packaging CodeLite IDE. Its source code has many FHS hard coded paths for optional components. For instance, it can handle several terminals (like xterm, gnome-terminal, mate-terminal, konsole, etc.) and the FHS path to the executable is hard coded (/usr/bin/gnome-terminal, for instance). How to handle this in nixpkgs?
eph^ has quit [Ping timeout: 245 seconds]
v88m has quit [Ping timeout: 246 seconds]
<romildo>
If they were not optional, I would change it to something like ${gnome3.gnome-terminal}/bin/gnome-terminal. But that would mandate a dependency on gnome3.gnome-terminal.
lovesegfault has quit [Ping timeout: 252 seconds]
equivrel has quit [Remote host closed the connection]
<ivan>
romildo: you could remove the /usr/bin part
equivrel has joined #nixos
<ivan>
assuming it's in a thing where PATH lookup works
jbgi_ has quit [Ping timeout: 268 seconds]
lsyoyom has quit [Ping timeout: 248 seconds]
<adisbladis>
romildo: Have you considered buildFHSUserEnv ?
trevorriles has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<ashkitten>
i need to tunnel a local port to a remote server automatically. how do people usually do that? i was thinking of just setting up a systemd service with `autossh -R` and a passwordless ssh key that gets me auth for an unprivileged user, but i figured i'd ask if anyone has suggestions
<qyliss>
wireguard?
<clever>
ashkitten: have you considered a vpn? either toxvpn or wireguard
<ashkitten>
hmm
<ashkitten>
no i had not
<ashkitten>
let me look into how to set that up, then
<qyliss>
the nixos.wiki page on wireguard is pretty good
<romildo>
adisbladis, with buildFHSUserEnv the dependencies with FHS hard coded paths still need to be specified, and wouldn't be optional, right? It would just alleviate the need of patching the source code.
<adisbladis>
romildo: Yes exactly.
ilmu has quit [Ping timeout: 250 seconds]
<adisbladis>
romildo: Though you should probably report that upstream.. That can't be correct behaviour regardless of distro/os.
<clever>
jbaum98: identical ssl cert to what i get
<jbaum98>
clever: so it's probably something wrong with my setup
gratto has quit [Read error: Connection reset by peer]
<edef>
joepie91: did you ever end up figuring out how to use steam-run with stuff that uses pango?
gratto has joined #nixos
<joepie91>
oof
<joepie91>
uh
<joepie91>
I'm... not sure
<joepie91>
I don't think so?
<joepie91>
I think I ended up just looking for screenshots of the installer and clicking vaguely correct-looking buttons
<edef>
oh no
<kisik21>
How to get a first element of a list in Nix? For example, first key in user's openssh.authorizedKeys.keys list
<qyliss>
lib.elemAt
<kisik21>
qyliss: thanks :3
<kisik21>
qyliss++
<kisik21>
ugh that doesn't work that way anymore?
<qyliss>
the bot died
jbgi_ has quit [Ping timeout: 245 seconds]
lsyoyom has quit [Ping timeout: 245 seconds]
<MichaelRaskin>
I think I have already seen infinisil restart the bot today
<infinisil>
Oh is it dead again, damnit
<infinisil>
Wait no it's running on my end
<infinisil>
Pinging gchristensen, it's on your side
ilmu has joined #nixos
<MichaelRaskin>
We need RAUB — Redundant Army of Unmonitored Bots
o1lo01ol1o has quit [Remote host closed the connection]
<MichaelRaskin>
The bots form a queue, and the n-th bot reacts if something is left unhandled in 3n seconds
<infinisil>
Hehe nice idea
<MichaelRaskin>
And synchronise the state by monitoring each other's replies
<MichaelRaskin>
(which would be depressingly better than Uber did putting their system on a Volvo with a preexisting limited but more reliable safety system)
o1lo01ol1o has joined #nixos
<DigitalKiwi>
when the bots fail they kill pedestrians?
<MichaelRaskin>
In this design only if _all_ bots fail at once a failure happens, though!
o1lo01ol1o has quit [Remote host closed the connection]
<DigitalKiwi>
like a netsplit?
<MichaelRaskin>
If the net breaks, the bot army gets to handle both halves
<DigitalKiwi>
i guess you just have to make sure they join different hosts
<MichaelRaskin>
That's true.
o1lo01ol1o has joined #nixos
<MichaelRaskin>
But you probably want them to run in different datacenters (not sharing a single operator) for true redundancy anyway, which improves the chances.
ashkitten has quit [Quit: WeeChat 2.5]
yili has quit [Remote host closed the connection]
lsyoyom has joined #nixos
<MichaelRaskin>
(now I imagined a redundant mirror of the channel itself with bots sitting in a channel on a different network and gossipping about the messages they noticed in the main channel; kind of an oral mythology)
<infinisil>
And I'm setting it a few lines further down with `nix.nixPath = [ "nixos-config=${nixosConfig}" ];`
alp has quit [Ping timeout: 258 seconds]
Anton-Latukha has quit [Quit: Leaving.]
<{^_^}>
[nixpkgs] @worldofpeace pushed 2 commits to master: https://git.io/fjVNN
<zachk>
I am working through nix pills , on section 7.2 I declare -xp
<zachk>
then echo foo > $out and it supposed to make a a builder.sh but I am getting this instead: -bash: $out: ambiguous redirect . what am I doing wrong?
ilmu has quit [Ping timeout: 258 seconds]
<chrisq2>
infinisil: Well that solves one problem, cool. Do you think it's salvageable?
ericsagnes has quit [Ping timeout: 252 seconds]
<infinisil>
chrisq2: So the current Nix you're having on the machine is the old one?
<{^_^}>
[nixpkgs] @worldofpeace pushed 2 commits to release-19.03: https://git.io/fjVAe
<chrisq2>
infinisil: Honestly have no idea, I tried to check the version but that fails with the error too. But it's odd as it's freshly installed a day ago? The only thing I think might have been the cause is the `stateVersion` being set to an old 16.?? version.
<chrisq2>
And that 16.?? stateVersion was set on the remote machine.
<infinisil>
chrisq2: Nah stateVersion doesn't have anything to do with that (the name is confusing)
<infinisil>
chrisq2: So you should have a list of generations in /nix/var/nix/profiles/system-*
<infinisil>
And one of those should be the one from nixos-rebuilding
<infinisil>
And in there you should find a working nix version, under a path like /nix/var/nix/profiles/system-1234-link/sw/bin/nix-store
__monty__ has quit [Quit: leaving]
<chrisq2>
infinisil: Will give that a go.
zacts has quit [Quit: WeeChat 1.9.1]
<kisik21>
Any ways to have a location directive in nginx config that will apply to ALL server blocks? I need it for ACME stuff
<clever>
kisik21: the acme stuff is in a map function, that applies to every virtualhost
ericsagnes has joined #nixos
v88m has joined #nixos
<kisik21>
clever: oh, so the ACME challenge webroot is set up automatically? great :3
<clever>
kisik21: when you set enableACME = true; yep
<kisik21>
great! How can I test stuff without forwarding ports on my router via VM? how does it all react if it can't get real certificates, does everything stop or will it continue on with self-signed shims?
<clever>
kisik21: it will be stuck with the self-signed example.com certs until lets encrypt can access it, via the domain it claims to be
<kisik21>
Just what I need. Thanks :3
<kisik21>
because if I understand correctly, it's self-signed in dev, real certs in prod
<clever>
kisik21: there is a separate option for that