<emily>
elvishjerricco: my OpenPGP key exists on two yubikey tokens and an extremely long two-page handwritten paper dump and nowhere else
<emily>
don't need to worry about backing it up if you make not having the ability to back it up part of your security model [taps forehead]
jbrock has quit [Client Quit]
<niso>
emily: i assume linked repos haven't been audited?
* cole-h
is still waiting for SoloKeys rev2 to get on the security key hype train
jbrock has joined #nixos
<rotaerk>
notgne2, okay, nm; if I just run firefox, without nvidia-offload, about:support doesn't seem to have errors (aside from notes that certain things are disabled, like HW_COMPOSITING, OPENGL_COMPOSITING, GPU_PROCESS, etc), but all the WebGL lines seem fine. However, the WebGL 1 and 2 Driver Renderer lines say "Mesa Intel" is what's being used
<emily>
niso: I don't think minisign or age have been audited (perhaps OpenBSD's signify that minisign is based on has been?), but they're simple codebases based on established crypto written by Real™ cryptographic engineers. tbh if you "audit" gnupg you will find that it's a colossal broken mess
<rotaerk>
but if I `nvidia-offload firefox`, suddenly I just get errors in that section
<energizer>
emily: why handwritten??
<emily>
niso: there's plenty of flaws in pgp that are just part of the fundamental design and will never be fixed. it relies on SHA-1 pervasively. "short key IDs" are totally broken, but so are "long key IDs"
<gchristensen>
(rip)
<energizer>
agree `age` is nice
<emily>
niso: long-term unrotated keys are insecure but pgp's entire model is based on them (subkeys are a bad hack on top and rotating them regularly is a pain). key servers are fundamentally broken. the web of trust is a practical non-starter for a bunch of reasons
<gchristensen>
emily: I wish there was an alternative to gpg signing commits
<elvishjerricco>
emily: Kinda disappointed the repos you linked don't do both signing and encryption in one tool
<emily>
niso: openpgp is just a mess all the way up, from the crypto it's based on to the protocol on top to the software that implements it to the general culture of use it promotes. you can see a lot of ~thinkpieces~ about this from famous crypto-y people like https://moxie.org/blog/gpg-and-me/ https://blog.filippo.io/giving-up-on-long-term-pgp/
<energizer>
gchristensen: minisign has been proposed
vanillaicecream has joined #nixos
<elvishjerricco>
gchristensen: I wonder if that's just a matter of someone doing the work to implement another signing mechanism
<niso>
emily: alright, thanks, i'll read into it :)
<emily>
gchristensen: fun fact: there's nothing stopping you using the openpgp smart card protocol to produce minisign/signify signatures from a hardware token. I have vague plans to implement this sans gnupg code at some point
<camlriot42>
Cole Mickens: I removed the videoDriver line. It's back to its previous display resolution
<gchristensen>
nice
<emily>
I think there's also nothing stopping you doing the same for age or similar
<emily>
I think the main caveat for signing is that you'd need to use an openpgp "Authentication" key because signing ones have restrictions on the kind of blob they can sign
<emily>
but I'm not actually sure if that is implemented in software or the protocol
<vanillaicecream>
manveru: I was already running `nixos-unstable` (this is back to Crystal). The issue was that the Crystal compiler was using `pkg-config` to try to resolve which version to link against, and defaulted to using symbols from `openssl-1.0.2`, which were absent from `openssl-1.1.0`. I added `pkg-config` as a build input and the Crystal compiler was
<vanillaicecream>
able to properly detect the required `openssl` version, so that was that. I'm going to write all of this up
<niso>
semi related question: when it comes to hardware-keys i've noticed yubikey is mentioned a lot, however they seem to be proprietary. How do open solutions compare? do they share an interface, or will each key need its own driver (or something like that)?
<emily>
and if you only publish it as a minisign/signify/... key, then it doesn't really matter what your openpgp card thinks of it as
<emily>
niso: the protocols are generally standardized. the ones you're likely to care about are u2f/fido2 (for use in browsers and SSH), openpgp, and pkcs#11
<elvishjerricco>
emily: I'm curious. Is it just gnupg that's bad, or the entire openpgp standard?
<emily>
niso: solokeys and nitrokey are two "open" solutions worth investigating. neither of them have as good hardware security as yubikeys
<emily>
unfortunately, "good cryptographic enclave chip" generally implies "annoying NDA"
<niso>
emily: what's the metric of "good hardware security"?
<emily>
right, it depends heavily on your threat model
<niso>
emily: alright, thus security by obfuscation?
<colemickens>
camlriot: and you have the right option selected in the virt-viewer window? (Sorry not sure how familiar you are with virt-manager)
<emily>
niso: like, for some of these it's "if you hand me a security token implemented with simple persistent storage and a microcontroller I can exfiltrate your private key in a few minutes"
<emily>
niso: for a yubikey it's many orders of magnitude harder
<camlriot42>
Cole Mickens: yes I am newbie to virt-manager.
<emily>
honestly, I think the main useful property in practice is just tamper-evidence: it'd be hard to get anything out of a yubikey without visibly destroying it
<camlriot42>
Cole Mickens: What option to choose?
<emily>
protecting against key compromise once you lose the hardware in the long-run is kind of hopeless. but many people spend a few hours away from their hotel room and assume their security token didn't get jacked
<colemickens>
camlriot: :/ I think it's the one that says "Auto resize VM to window"
<emily>
niso: it's not just obfuscation but also the amount of code, hardware, etc. that has physical access to the key
<colemickens>
camlriot: sometimes I also have to resize the virt-viewer window to trigger it?
<emily>
niso: if you don't care about hardware security I would say the main disadvantage of solokeys/nitrokey is just that afaik there's nothing that gets you fido2 + openpgp in one device like yubikey has
<emily>
niso: you might also be interested in trezor and ledger, which are varying degrees of open but generally more flexible (because they're designed around the cryptocurrency wallet case which is a bit more elaborate than a simple authentication token like u2f)
<niso>
emily: kinda makes me wonder if there is some open source project i can just flash on some random fpga - coat it in epoxy and call it a day :P
<emily>
elvishjerricco: the protocol and formats are unfixably broken too
<camlriot42>
Cole Mickens: doesn't work. it just resized to the wallpaper size. tried to change the kde settings for display resolution. but it again got back to its original size
<emily>
niso: sadly I think all the turnkey stuff like that is microcontroller-based rather than fpga. a pure fpga u2f token would be cool
<colemickens>
camlriot: you chose the checkbox and not "Resize to VM" right?
<niso>
oh really? i assumed they moved to fpgas due to security reasons
<emily>
niso: if you want to go down that route there's tomu (and the fpga version fomu). tbh the only thing that hardware is good for with its complete lack of IO is implementing the world's most insecure security tokens, so it's at least making good use of the hw :p
<camlriot42>
Cole Mickens: yes
<colemickens>
we publish virtualbox images and not pre-installed qemu images?
<evelyn>
trezor's openpgp thing is a steaming pile of dung
<colemickens>
surely this can't be
<emily>
elvishjerricco: I don't know if all parts of it are as bad as the rest, I was hoping that the smartcard protocol might be okay so I wouldn't have too much of a horrible time implementing it,
<evelyn>
it's not a generic openpgp device, they have their own ad-hoc agent thing
<emily>
not even iterated SHA-2, just "repeat the source a bunch and shove it into SHA-2", and also, the way they specify the amount to repeat it by is ridiculous and means that longer keys get stretched less, and there's a few special cases I didn't even implement there, and,
<camlriot42>
Cole Mickens: sorry I chose the resize to VM.
<emily>
elvishjerricco: the unfortunate reality is that the only people who invest significant amounts of effort into openpgp/gnupg at this point are true believers, because everyone else sees enough and nopes out
jbrock has quit [Client Quit]
jbrock has joined #nixos
<qyliss>
there are plenty of extremely heavily-invested non true believers
<camlriot42>
Cole Mickens: It works! with Autoresize window with VM checkbox ticked.
<evelyn>
the trezor thing is an order of magnitude worse than gnupg itself and that's saying something
<colemickens>
camlriot: excellent, happy to hear it!
<camlriot42>
thanks!
<qyliss>
like, when you get close enough to see what a shit show development of it is
<emily>
evelyn: it's all python, right? doesn't inspire confidence
<colemickens>
emily: my understanding is that solokeys v2 will be oss and do fido2+pkcs11+piv
<emily>
colemickens: cool. do you know if they have any plans to use any kind of secure element/tpm/hsm/... chip? there are non-NDA'd options out there that can do ecc incl ed25519
<evelyn>
it both manages to be worse than gpg and also not compatible with all the stuff that's already out there
<emily>
not great options, though
<emily>
(think "designed to be a laptop EC chip", and those tend to not have great security standards, hence Google and Apple making their own)
<evelyn>
for open source pgp cards, there has been gnuk for years and that is not that unreasonable, and it's super fast for ed25519 operations
<emily>
evelyn: oh this doesn't even implement pgp on the card
<evelyn>
it's the only OSS ed25519 pgp card I know of and it's really great
<emily>
it's just using it as a weird passphrase store I guess?
<colemickens>
emily: I definitely don't know that level of detail. in fact, discussion of security is absent from the v2 blog post where they outline new features.
<evelyn>
yeah it's not an openpgp card at all, it's just python hacks
<emily>
right, I meant to link gnuk
<emily>
otoh I just feel bad recommending it, because, well, it's openpgp and nothing else
<emily>
unless someone implemented fido2
<evelyn>
it's really fast, and the developer designed the fst-01 USB token too
<evelyn>
(it = gnuk not trezor)
<evelyn>
and it's in nixpkgs!
<evelyn>
gnuk
<colemickens>
fido2 emulator backed by openpgp protected something something something...?
* colemickens
is full of good ideas today
<evelyn>
that is a bad idea, because it introduces openpgp into a new project
reallymemorable has joined #nixos
<evelyn>
if you do that, you may go insane
<colemickens>
I guess I'll go to #nixos-chat, but I have a question about gpg-less hardware token auth stuff
reallymemorable has quit [Client Quit]
<elvishjerricco>
Is there an option to have Nix ONLY start fetching from substituters, and stop before doing any local building?
<energizer>
elvishjerricco: -j0
<elvishjerricco>
energizer: I believe that's equivalent to --max-jobs 0, which I just tried and it won't even do fetching
<elvishjerricco>
`error: 130 derivations need to be built, but neither local builds ('--max-jobs') nor remote builds ('--builders') are enabled`
<energizer>
you dont want to do any building, local or remote?
tobeportable has quit [Remote host closed the connection]
<elvishjerricco>
Right. I just want it to download prerequisite dependencies from cache.nixos.org before starting any manual builds
<MichaelRaskin>
I think --option build-max-jobs 0 fetches but does not build
<elvishjerricco>
MichaelRaskin: I don't see that option in `nix --help-config`... I'll give it a shot
<elvishjerricco>
Well I didn't get warning: unknown setting
<elvishjerricco>
Same issue
<elvishjerricco>
`error: 130 derivations need to be built, but neither local builds ('--max-jobs') nor remote builds ('--builders') are enabled`
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage-packages.nix: automatic Haskell package set update »: https://git.io/JfqJl
<MichaelRaskin>
elvishjerricco: Are you sure there is anything to fetch from cache?
<elvishjerricco>
MichaelRaskin: Yes. --dry-run tells me like a hundred derivations will be fetched
<MichaelRaskin>
Hm. For me it does fetch and does not build
<MichaelRaskin>
So does -j 0
<elvishjerricco>
MichaelRaskin: I'm on a slightly old version of nix. 2.3, and nixos 19.09. Maybe it's changed
<MichaelRaskin>
Maybe add -k ?
<elvishjerricco>
Interesting idea
<MichaelRaskin>
(to tell you want to go as far as possible even if failure is known earlier)
<elvishjerricco>
Did not work
<elvishjerricco>
MichaelRaskin: What version of nix do you have?
<MichaelRaskin>
I now understand that I tested fetching on things where top-level derivation is also fetchable
<MichaelRaskin>
2.3.3
virus_dave has quit [Quit: virus_dave]
reis-r has quit [Read error: Connection reset by peer]
<elvishjerricco>
Onto other problems... `error: anonymous function at /nix/store/973xp5ri36ldji0vmd0d33d1jzc00nsm-source/pkgs/top-level/default.nix:20:1 called with unexpected argument 'initialSystem', at /nix/store/973xp5ri36ldji0vmd0d33d1jzc00nsm-source/pkgs/top-level/impure.nix:84:1` wtf
reallymemorable has joined #nixos
hio has quit [Quit: Connection closed for inactivity]
codygman has quit [Read error: Connection reset by peer]
codygman has joined #nixos
dingenskirchen has quit [Remote host closed the connection]
dingenskirchen has joined #nixos
markus1199 has joined #nixos
markus1189 has quit [Ping timeout: 244 seconds]
m0rphism has quit [Ping timeout: 260 seconds]
reis-r has quit [Remote host closed the connection]
<bqv>
oh!
smatting_ has joined #nixos
<bqv>
you can't use derivations directly in runCommand?
<bqv>
how are you meant to use them?
<elvishjerricco>
bqv: Course you can
<bqv>
i'm trying to interpolate
<elvishjerricco>
That would be how to do it, yes
<bqv>
e.g. runCommand "" {} '' ${boost.out} ''
<bqv>
this fails as soon as i add the ${boost} part
<bqv>
so clearly that's an issue
<elvishjerricco>
bqv: Wouldn't the commands be in `${boost.out}/bin`?
<bqv>
i'm not after the commands, that's just a mini example of what i'm trying to do
<bqv>
regardless, it fails at the *evaluation* step not execution
<cole-h>
Unless that was just for an example, you definitely need a name for the derivation lol
<elvishjerricco>
bqv: I'll have to see a more concrete example.
<cole-h>
What errors? Can you paste the error somewhere?
<mvnetbiz_>
error: attribute 'npm' missing, at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/programs/npm.nix:19:19
vanillaicecream has quit [Ping timeout: 240 seconds]
<mvnetbiz_>
I guess I can just set the package to something else but I don't think that will even help because the error is when it is evaluating the options in that module.
<bqv>
what channel are you on?
<cole-h>
Is this a new install?
<mvnetbiz_>
unstable and no.
kugal has joined #nixos
<bqv>
> pkgs.nodePackages.npm.version
<{^_^}>
"6.14.4"
<bqv>
sumting wrong
<bqv>
but i've never used that option and i don't know anyone that does
<mvnetbiz_>
I don't use it either
<bqv>
well, you do, transitively, by having programs.npm.enable = true
<mvnetbiz_>
$ nixos-option programs.npm.enable
<mvnetbiz_>
Value:
<mvnetbiz_>
false
<bqv>
oh christ
horek has quit [Ping timeout: 246 seconds]
<mvnetbiz_>
What? haha
<bqv>
something's very wrong then
<mvnetbiz_>
Yeah I think it's due to a recent change in lib/modules.nix maybe
<bqv>
that package option shouldn't even be evaluated if that's false
kugal has quit [Remote host closed the connection]
<mvnetbiz_>
How do I tell what git commit my channel comes from?
kugal has joined #nixos
<bqv>
i don't use channels, but probably easiest to just update again and check github at the same time
<bqv>
that said, my gut instinct is just to exorcise your machine
sigmundv_ has quit [Ping timeout: 260 seconds]
<kalbasit>
does `nix-instantiate shell.nix` download everything a `nix-shell` needs?
<mvnetbiz_>
bqv, Do you use a local git repo or do you do a fetchGit in your config?
<cole-h>
No, it just generates a .drv with that information, IIRC kalbasit
<cole-h>
`nix-instantiate -E 'with import <nixpkgs> {}; gtk3'` didn't do any downloading for me
<kalbasit>
I always thought it does 🤔
<bqv>
mvnetbiz_: huh? for what?
<mvnetbiz_>
You said you don't use channels. maybe you don't use nixos you just use nixpkgs?
Fare has quit [Ping timeout: 244 seconds]
<cole-h>
They use flakes instead of channels
<bqv>
oh, no, i use nixos, just ^
<bqv>
experimental alternative to flakes
<bqv>
experimental alternative to channels *
<rotaerk>
sounds flakey to me
<mvnetbiz_>
oh ok.
<mvnetbiz_>
you scared me when you said experimental alternate to flakes
<bqv>
an experimental alternative to an experiment
<bqv>
i'm in
<pjt_014>
experimental is the best kind of anything
<pjt_014>
especially music
<bqv>
oh another schoenberg fan?
<pjt_014>
If that's not experimental rap/rock/metal or John Cage I probably don't know them
<bqv>
was a joke, but it probably won't hit unless you google the name
h0m1 has quit [Ping timeout: 244 seconds]
<pjt_014>
oh, hmm
peelz_ has quit [Quit: Leaving]
<pjt_014>
atonal--good keyword off that bat.
<mvnetbiz_>
I think I watched a youtube documentary on him or something
<djanatyn>
i see "patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker)" in derivations a lot, but "${NIX_CC}" isn't part of my environment
<djanatyn>
is that part of stdenv?
waleee-cl has quit [Quit: Connection closed for inactivity]
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
rogue_koder has quit [Ping timeout: 240 seconds]
<clever>
djanatyn: yes
<clever>
djanatyn: if you do `nix-shell -p` youll get a $NIX_CC var
<energizer>
why does nix-locate not find vlc?
justanotheruser has quit [Ping timeout: 240 seconds]
Supersonic has quit [Disconnected by services]
Supersonic112 has joined #nixos
Supersonic112 is now known as Supersonic
<simpson>
> libsForQt5.vlc.meta
<{^_^}>
{ available = <CODE>; description = "Cross-platform media player and streaming server"; homepage = "http://www.videolan.org/vlc/"; license = <CODE>; name = <CODE>; outputsToInstall = <CODE>; platforms...
<simpson>
energizer: Looks like it's working fine; some derivations are exposed under multiple names.
<freeman42x[m]>
is there a Nix package for: https://mpv.io/ ?
<energizer>
,locate bin/mpv
<bqv>
> pkgs.mpv.version
<cole-h>
Yes
<clever>
freeman42x[m]: pkgs.mpv
<{^_^}>
"0.32.0"
<{^_^}>
Found in packages: mpv, mpv-with-scripts
proofofkeags has quit [Remote host closed the connection]
rogue_koder has joined #nixos
<cole-h>
Why not just try `nix-shell -p <package>` instead of asking here? :P
<cole-h>
99% of the time, it'll find what you want.
<bqv>
or better yet, `nix search mpv`!
<energizer>
simpson: that's nice. i wonder why it doesn't show the alias
<energizer>
> libsForQt5.vlc == vlc
<{^_^}>
true
<bqv>
wait, there's an equality operator over derivations?
<freeman42x[m]>
cole-h: bqv I got bad memory, will remember this time since I took note of how to search for a package. I was using the online search and that missed it. bqv++
<energizer>
bqv: there's an equality operator over derivations, didn't we already know that from the fact that there's a cryptographic hash function over derivations?
<bqv>
never seen it used, i'd no reason to expect it was a thing
<bqv>
in terms of objects, derivations aren't equal, so it's a special case implementation that i just wasn't aware of
<energizer>
aha
<emily>
how does the flakes bootstrap story look like? hydra doesn't publish a standalone nixFlakes tarball or anything, so you either have to go through an existing nix or manually trace deps and extract NAR, right?
<emily>
thinking about the CI usecase
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
vanillaicecream has quit [Ping timeout: 240 seconds]
slack1256 has joined #nixos
<djanatyn>
it looks like "${NIX_CC}/nix-support/dynamic-linker" points to a 64bit package: /nix/store/v9j0bsl1bv7ngijmvnvnj9h3qrb1p3mf-glibc-2.30/lib/ld-linux-x86-64.so.2
<djanatyn>
how can I find the equivalent 32bit ld-linux.so?
<{^_^}>
[nixpkgs] @DamienCassou pushed 3 commits to master: https://git.io/JfqOL
nschoe has joined #nixos
smatting_ has joined #nixos
konobi_ has quit [Ping timeout: 256 seconds]
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
jbrock has quit [Client Quit]
jbrock has joined #nixos
konobi has joined #nixos
bukkitgerman8608 has quit [Ping timeout: 256 seconds]
<betaboon>
anyone has a good pointer for achieving the following: i want to be able to use specific extra-substituters within a project that is using lorri. (so i would like to be able to set extra-substitutes in the shell.nix)
<emmanuelrosa[m]>
What is the proper attribute for accessing coreutils within a Nix overlay? For example, if I use super.coreutils then nix-build begins to compile coreutils, which suggests the real coreutils is under some other attribute.
bukkitgerman8608 has joined #nixos
civodul has joined #nixos
<srk>
emmanuelrosa[m]: I think it's just pkgs.coreutils, does the overlay use the same nixpkgs as a system?
nschoe has quit [Quit: No Ping reply in 180 seconds.]
<srk>
peelz: I would try debugging that with xev and dmesg -Hw
<{^_^}>
[nixpkgs] @Mic92 opened pull request #86110 → PULL_REQUEST_TEMPLATE: try to simplify call-for-review → https://git.io/Jfqsn
<peelz>
srk: right. it seems to happen infrequently though. I'll be typing in vim or my terminal and suddenlyyyyyyyyyyyyyyyyyyyyyyyyyyyyy...
<peelz>
not sure how to reproduce it
Avaq has joined #nixos
linarcx has joined #nixos
<srk>
I'm getting infrequent [ +7.553053] usb 1-12: reset high-speed USB device number 7 using xhci_hcd
nschoe has joined #nixos
<srk>
not sure which device it is since it's not keyboard/mouse or soundcard :D
<peelz>
weird
<evils>
just to add noise to that topic: i get key repeats if i do `key+compose`, but only in telegram-desktop
<evils>
i haven't ruled out that being a feature...
DigitalKiwi has quit [Quit: quite.]
DigitalKiwi has joined #nixos
peelz has quit [Remote host closed the connection]
ashkitten has quit [Ping timeout: 272 seconds]
peelz has joined #nixos
ashkitten has joined #nixos
Avaq has quit [Quit: Leaving.]
thc202 has joined #nixos
<peelz>
oh it just happened again, with spacebar this time though
Avaq has joined #nixos
<peelz>
I let it continue and it stopped after a second or two
<Avaq>
Hi folks! Something odd happened on one of my nixops managed machines, and now most nix commands error out with: "error: reading symbolic link '/nix/var/nix/profiles/system-31-link': Bad message"
<Avaq>
Does anyone know how I might recover from this state? I am inclined just to remove the corrupted file, but fear that it might only make things worse.
<Avaq>
I took a screenshot [https://uploadpie.com/PMHDrH] of my `ls -la /nix/var/nix/profiles` output where the first and last lines seem the most relevant.
<ikwildrpepper>
Avaq: not sure, but that looks like a file(system) corruptiom
<ikwildrpepper>
-m+n
<ikwildrpepper>
Avaq: as that file seems to be an old generation, you could try to remove it?
<Avaq>
`rm: cannot remove 'system-31-link': Bad message` heh
<ikwildrpepper>
:(
<shreyansh_k>
Hello, It is possible to build `nix` with this command "nix build -f channel:nixos-unstable hello". How do I build `system` in a similar way? I'm trying to run "nix build -f channel:nixos-unstable system" but it gives me error: "error: expression does not evaluate to a derivation (or a set or list of those)". Thank you for your help.
<manveru>
Avaq: can you read its inode?
<manveru>
Avaq: using `ls -il`
<shreyansh_k>
s/possible to build/possible to build a package with
<energizer>
hyper_ch: what are you trying to prevent with fail2ban?
<hyper_ch>
energizer: well, on debian fail2ban comes with a plethora of pre-configured jails (like ssh, apache, postfix and others). But my impression on nixos is, you have to create every jail yourself
o1lo01ol1o has quit [Ping timeout: 260 seconds]
<ikwildrpepper>
hyper_ch: I think the ssh jail is default on fail2ban
<hyper_ch>
oh well, I'll just have to try it then
obadz has quit [Quit: WeeChat 2.8]
o1lo01ol1o has joined #nixos
<energizer>
if you have password auth disabled i'm not sure i see the point of fail2ban for ssh
<Valodim>
might still be useful to catch brute force attackers in the firewall instead of ssh, to 1) not give that info to attackers, and 2) save some system resources
<Valodim>
update to markhor broke my gnupg :( it complains about "no pinentry" now
GuilloteauQ has joined #nixos
<Izorkin>
hyper_ch: i use fail2ban
obadz has joined #nixos
<energizer>
Valodim: to 1) not give that info to attackers | not give what info?
<Valodim>
that you are unconcerned about password logins
o1lo01ol1o has quit [Ping timeout: 260 seconds]
zakkor has joined #nixos
GuilloteauQ has quit [Remote host closed the connection]
<hyper_ch>
Izorkin: so are any jails preconfigured or do you need to do all on your own?
<zakkor>
is it ok to change system.stateVersion from 19.09 to 20.03?
orivej has joined #nixos
<immae>
Zakkor: you should read the release notes for that
<immae>
(it will impact at least your postgresql install)
<hyper_ch>
(just have a snapshot/backup before you change it)
<immae>
note that if you change just that string and nothing rebuilds, then you’re probably fine. Otherwise you can look at what change and decide what to do of it
mrte has quit [Ping timeout: 240 seconds]
<zakkor>
how were you able to figure out that "Postgresql for NixOS service now defaults to v11." means that a systemVersion might not work?
<zakkor>
like why doesn't it apply to every version bump? 🤔
<immae>
Zakkor: habits, I admit it could have been specified on the release note
<Izorkin>
hyper_ch: used nftables firewall
<zakkor>
i'm asking because I also knew something about postgres and systemVersion, but that's pretty much it lol
<immae>
Yes that’s it, I know that stateVersion affects postgres and when I read about the upgrade I "knew" it was that, but it’s not obvious as said in the release note
Fare has quit [Ping timeout: 240 seconds]
<immae>
In any case, just changing the stateVersion and rebuilding should tell you everything that would change
Jackneill has quit [Ping timeout: 244 seconds]
<immae>
(and as hyper_ch said, be super wary about postgresql in particular)
<edcragg>
qyliss: well, I got to the bottom of it in the end, it was simply that the project's cmake sets OPENSSL_USE_STATIC_LIBS by default, and there were no static libs available. grr...
<{^_^}>
[nixpkgs] @bennofs pushed commit from @alexfmpe to master « ocamlPackages.bigstring: init at 0.2 »: https://git.io/JfqWR
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
ptotter[m] has joined #nixos
<{^_^}>
[nixpkgs] @xaverdh opened pull request #86118 → [20.03] treewide: add types to boolean / enable options → https://git.io/JfqWz
<alexbakker>
hi, I'm trying to use the uid/gid of my user in my nixos config, but for some reason nix gives me this error: cannot coerce null to a string
<zakkor>
i just upgraded to 20.03, and I'm getting really big lag whatever I do using a GUI
<zakkor>
like opening a terminal could take 3 seconds, or switching workspaces could be instant or it could take 5 seconds
<zakkor>
lag when typing too
jbrock has quit [Quit: jbrock]
<lukegb>
bah
<lukegb>
hydra.nixos.org isn't configured in a way that's compatible with netboot.xyz fwict
obadz has quit [Quit: brb]
alp has joined #nixos
obadz has joined #nixos
<zakkor>
my lag was from picom
<manveru>
Zakkor: anything eating your CPU?
<manveru>
ah :)
<zakkor>
i was using compton, it seems like it was changed to picom, and something is breaking
asdf1245 has joined #nixos
<manveru>
yeah, because compton is abandonware i guess
<asdf1245>
I have a game on nixos, and I'm trying to do `steam-run executable`, after I did `export LD_LIBRARY_PATH=./assets:$LD_LIBRARY_PATH`
<simpson>
Not abandoned, but done. Its original authors are the Xorg folks.
<asdf1245>
I get the error: ./StoneShard: relocation error: /nix/store/hbf36v96854fsv068m7f4jv7rpkgi2sj-gnutls-3.6.8/lib/libgnutls.so.30: symbol nettle_rsa_pss_sha384_sign_digest_tr version HOGWEED_4 not defined in file libhogweed.so.4 with link time reference
<asdf1245>
which i think happens because I'm not using the gnutls file that's in the `asset` directory. Do you have any pointers on how to proceed?
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<zakkor>
it was because of `backend = "glx"`, which used to work, but now creates lag
<manveru>
asdf1245: i think you want the export inside the `steam-run`?
cosimone has joined #nixos
<asdf1245>
manveru: how can I do that?
<simpson>
Zakkor: Play around until you find a working backend. There is no one single answer, which is why compton et al. ship with so many backends.
<manveru>
asdf1245: `steam-run bash`
<fgaz>
Hi all. Could someone help me understand why this expression returns different results in `nix repl -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-19.09.tar.gz` and `nix repl -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-20.03.tar.gz`:
<sphalerite>
manveru: wait, compton is abandoned? Argh, why can't people just pass on maintainership rather than constantly making forks and renaming them xP
<manveru>
sphalerite: apparently it wasn't, it was forked a long time ago, but they finally decided to change the name of the fork?
<clever>
noonien: all of my config imports load-secrets.nix, which provides defaults for CI and other users to use as examples
<clever>
noonien: the real secrets.nix is in .gitignore
<sphalerite>
fgaz: yeah that sounds like some pretty internal details you're trying to get at, what are you trying to do? :)
<clever>
so the config can still build if the secrets happen to be missing, it just wont do anything secret
<noonien>
hmm, that makes sense, i'm not a big fan of having a layer of indirection though. is there a reason why you don't just have secrets.nix be a module?
<clever>
noonien: some things like the github tokens for hydra arent proper options, they are mixed in with the extraConfig
<clever>
noonien: also, some of the secrets are used multiple times
<noonien>
you could still have a module for that, no?
<clever>
and that would make the secrets.nix contain a lot more config
<noonien>
i see
<clever>
and then i have complex state that i have to manage without git
<clever>
though, i could make a custom nixos module, to manage secrets.token1 as a normal nixos option
<clever>
and then do what you said
<noonien>
yeah, that's what i'm thinking of doing
<fgaz>
sphalerite: which at one point does `map (m: m.submodule) users.type.getSubModules`
avn has quit [Ping timeout: 244 seconds]
<fgaz>
to define another type
<noonien>
btw, are you guys using flakes today?
numkem has joined #nixos
<fgaz>
sphalerite: the full thing is: `type = lib.types.submodule (map (m: m.submodule) nixos.options.users.users.type.getSubModules)`
avn has joined #nixos
obadz has quit [Quit: brb]
obadz has joined #nixos
<{^_^}>
[nixpkgs] @gnidorah opened pull request #86127 → nixos/systemd-udev-trigger: don't restart on upgrades → https://git.io/JfqzU
<fgaz>
qknight (IRC): any pointers? I don't really understand why the m.submodule is there or what it was supposed to do (shouldn't it work without it?) and the docs aren't helping much
<jakobrs>
What is the nix-command alternative to nix-store -q --deriver?
<gchristensen>
probably in `nix path-info`?
<dmj`>
srk: shellFor is exactly it it seems
<dmj`>
srk: so if I have two packages (one ghc and ghcjs) how do I invoke shellFor? it seems like shellFor hangs off an existing derivation
<{^_^}>
[nixpkgs] @markuskowa opened pull request #86132 → hpcg: init at 3.1 → https://git.io/JfqaM
<jakobrs>
It doesn't seem like it is
<jakobrs>
The only available flags to nix path-info are: --all --arg --argstr -SfhIrs --json and --sigs
cosimone has quit [Ping timeout: 244 seconds]
<srk>
dmj`: shellFor = { packages, withHoogle ? false, ... } @ args: suggest it accepts multiple packages but I haven't used it yet
<dmj`>
srk: ah it seems to be in pkgs.haskellPackages.shellFor
<srk>
yeah :D
<srk>
was about to post that ;)
* srk
needs a repl right below irssi
<jakobrs>
* srk learns about tmux /s
<srk>
jakobrs: not my cup of tea due to xmonad :D
dingenskirchen has quit [Ping timeout: 244 seconds]
cosimone has joined #nixos
zeorin48 has joined #nixos
jakobrs has left #nixos ["WeeChat 2.8"]
<zeorin48>
Hey all, I'm upgrading my system from 19.09 to 20.03 and I'm getting a deprecation warning for config.boot.initrd.luks.devices. It says to use a set instead of a list, because of a deprecated type.
<zeorin48>
I made the change, and it still complains even though I've now got a set instead of a list. What's interesting is that before the change, the error showed me how to make the change, and it managed to include the names as keys in its suggestion, but after the change the same error shows up but its suggestion is now to use an empty set instead of
<zeorin48>
an empty list.
<zeorin48>
I.E. it used to say `Do boot.initrd.luks.devices = { cryptkey = {...}; cryptroot = {...}; } instead of boot.initrd.luks.devices = [ { name = "cryptkey"; ...} { name = "cryptroot"; ...} ]`
<zeorin48>
and now it says `Do boot.initrd.luks.devices = { } instead of boot.initrd.luks.devices = [ ]`
<sphalerite>
fgaz: the irc matrix bridge doesn't consider quits as leaving the channel
<sphalerite>
so if someone quits their irc client and doesn't restart it, they're still shown as there unless they left the channel before disconnecting from the IRC server
<rooke>
direnv + lorri is complaining that the evaluation_root doesn't exist. Googling the error has turned up nothing, any idea whats gone wrong/how to fix that?
erasmas has joined #nixos
<rooke>
manually calling lorri shell properly builds the environment, it just doesn't seem to want to load it on entering the directory
<evanjs>
I usually just `systemctl restart --user lorri.socket`... but that's setup dependent I guess
<evanjs>
have you tried `direnv remove && direnv add`?
drakonis has quit [Quit: WeeChat 2.8]
<evanjs>
(I think the . is implicit..?)
<rooke>
I have tried the first one, not the second one
numkem has joined #nixos
<evanjs>
First as in the systemctl line or `direnv remove` but not `direnv add`?
<rooke>
systemctl line
<evanjs>
ah gotcha, so it _is_ a service on your system as well. that does help :D
<rooke>
It is yeup
dingenskirchen has joined #nixos
<evanjs>
have you checked `journalctl --efu lorri --user` to see if there's any other helpful info?
<rooke>
`direnv remove` is saying `direnv: error command "direnv remove" not found`
<rooke>
Let me check the journal real quick
<dmj`>
srk: nix-shell on shellFor gives error: attempt to call something which is not a function but a set
<dmj`>
srk: blasphemy
<evanjs>
OH
<rooke>
Yeah theres a BuildEvent failure in the journal
<evanjs>
yeah it's allow and deny
justanotheruser has joined #nixos
<evanjs>
my bad
<evanjs>
so `direnv deny && direnv allow`
<rooke>
You're good, yeah I had tried that as well to no avail
<evanjs>
alright those are the first things I do is all. Anything more specific in the BuildEvent failure?
<evanjs>
Often times it will fail to build something and thus have no valid shell for me to enter
<rooke>
The journal is showing lorri complain about a build failure due to not being able to find something in `$HOME/.cache/lorri/cas/`
<rooke>
Yeah, I can `lorri shell` to enter the shell. So I think the shell.nix is valid, this also suddenly broke without a change to the shell.nix
<evanjs>
hrmmmm. interesting
<evanjs>
typical me would consider rebooting but I'm not sure why it would work on one end and not the other, save maybe non-interactive-TTY-specific behavior? Which sounds super unlikely IMO
<rooke>
yeah, haven't attempted the reboot yet just because I'd like to know what went wrong if possible
<{^_^}>
[nix] @alyssais opened pull request #3541 → Fix long paths permanently breaking GC → https://git.io/Jfqww
<gchristensen>
heck yeah qyliss nice work
<qyliss>
had lots of help from puck
<dmj`>
srk: shellFor seems to remove all dependencies in a ghcjs project
<evanjs>
Some of the PRs I see scare me a little, knowing what issues we've had :P it's good they're getting fixed and etc, but x_x
arahael2 has quit [Ping timeout: 246 seconds]
<srk>
dmj`: unfortunate :(
ddellacosta has quit [Ping timeout: 246 seconds]
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
zeorin48 has quit [Remote host closed the connection]
jbrock has quit [Remote host closed the connection]
jbrock has joined #nixos
stree has quit [Read error: Connection reset by peer]
acowley has joined #nixos
stree has joined #nixos
<acowley>
I added "v4l2loopback" to boot.kernelModules but I'm not seeing it in lsmod output. Can anyone think of a likely thing I've done wrong?
<puck>
acowley: it's not in the main kernel tree, you need to add the package that contains the module too
<puck>
(yes, there's no checking if boot.kernelModules contains a non-existing kernel module. idk even why)
<acowley>
puck: Thank you! That should go in the manual. I had no idea what was happening, and actually I didn't know about using `config.boog.kernelPackages` like that, either. I've been writing a much more error-prone construction to do that.
jbrock has quit [Quit: jbrock]
est has quit [Ping timeout: 240 seconds]
jbrock has joined #nixos
est31 has joined #nixos
<acowley>
s/boog/boot/ :|
<dmj`>
srk: why must the universe be so cruel
arahael2 has joined #nixos
CMCDragonkai has joined #nixos
jbrock has quit [Client Quit]
<{^_^}>
[nixops] @adisbladis opened pull request #1325 → tests: Add functional tests using NixOS in Docker → https://git.io/JfqrE
asdf1245 has quit [Remote host closed the connection]
zeorin75 has joined #nixos
<zeorin75>
immae: I just saw this on the error: warning: In file /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/tasks/encrypted-devices.nix a list is being assigned to the option config.boot.initrd.luks.devices.
<immae>
zeorin75: Ah well that was my first hypothesis, but well hidden. You can propose a PR to fix it then :)
<mpickering>
I have no idea how to begin debugging this, at least I got my sound working at least
<ocharles>
gchristensen: DBI Exception: DBD::Pg::st execute failed: ERROR: column "jobset_id" does not exist when doing this Hydra migration
<ocharles>
What am I doing wrong? I copied hydra-migration with nix-copy-closure from my machine to the Hydra machine and ran the script and it crashed with that
<ocharles>
The query is `SELECT COUNT(*) FROM jobs WHERE jobset_id IS NULL`
<evanjs>
mpickering: doesn't the highlight and click depend on your terminal?
<gchristensen>
ocharles: you'll need to run the migrations which hydra-init runs
<gchristensen>
and that'll run some migrations, then run the backfiller
<ornxka>
i did nixos-rebuild switch and its hanging on building the initrd?
<ocharles>
ok, how would I do that?
<ocharles>
Do I have to work out what to apply manually?
<clever>
ornxka: what does `top` say its doing?
<gchristensen>
no, one sec ocharles
<ocharles>
thanks!
<ornxka>
nix-build <nixpkgs/nixos> --out-out-link -A system --show-trace
<ornxka>
0% cpu
<clever>
ornxka: is anything using a lot of cpu?
<ocharles>
It looks a bit like hydra-init already checks if it's ran and if so just does migrations
<clever>
ornxka: can you pastebin the output of `ps -eH x` ?
gxt has quit [Quit: WeeChat 2.8]
<ornxka>
building '/nix/store/nrrw204rqc9pzydwa1wnz2iy2by1lf6y-initrd-linux-5.4.35.drv'... 63886 blocks are the last two lines its printed
<ocharles>
gchristensen: We run a patched Hydra, so if I deploy that specific revision, can I just run hydra-init, without actually switching our hydra instance to it? That is, just nix-copy-closure that revision
<mpickering>
evanjs: That sounds plausible I will look into it
<mpickering>
so I need to work out how to enable the highlight and copy as well
<mpickering>
I set all these settings in my configuration.nix
<evanjs>
mpickering: what terminal are you using, anyhow?
<clever>
mpickering: have you tried middle click?
<ocharles>
Also a glass of wine in, that's probably not the best state to be in when applying database upgrades :}
<gchristensen>
ocharles: oops, I'm in a meeting*
<ocharles>
oh, hahaha
<ornxka>
clever: is it okay if i just paste the tree pertaining to the nix-build process itself?
<ornxka>
it appears to be running some unit tests
<clever>
ornxka: sure
<mpickering>
rxvt-unicode
<mpickering>
clever: That's the issue, middle click isn't working
<clever>
mpickering: ah
<gchristensen>
ocharles: you'll definitely want to update your fork to the middle revision and do a deploy, and then update your fork to the final revision and do a deploy
<jluttine>
there doesn't seem to be /run/current-system/sw/share/fonts directory. where are currently installed fonts located?
<armin>
so i changed the value of users.users.armin.openssh.authorizedKeys.keys in my /etc/nixos/configuration.nix and ran a nixos-rebuild switch. i would have expected this to result in my ~/.ssh/authorized_keys being changed, but that doesn't happen. any hint what's going on?
<fendor>
Yaniel, thank you! how would I tell that?
FRidh has quit [Ping timeout: 260 seconds]
<{^_^}>
[nixpkgs] @FRidh pushed 193 commits to staging-next: https://git.io/JfqP9
<{^_^}>
[nixpkgs] @FRidh pushed commit from @jonringer to python-unstable « pythonPackages.pytestCheckHook: disable setuptoolsCheckPhase »: https://git.io/JfqXI
<cole-h>
Side note: all nixGL does (on nouveau, at least) is modify LD_LIBRARY_PATH and LIBGL_DRIVERS_PATH to be able to find mesa stuff
<davidak[m]>
worldofpeace i noticed some days ago that xdg-open x.html opens in pantheons web browser instead of my default chromium. I'm still on 19.09. could that be related to mimetype issue?
<cole-h>
The internals are interesting, yet simple.
<tokudan>
armin, those generated files are stored in /etc/ssh/authorized_keys.d
<{^_^}>
[nixpkgs] @FRidh pushed commit from @knedlsepp to python-unstable « python: Fix creating RPMs from Python packages »: https://git.io/JfqXZ
<davidak[m]>
worldofpeace yes, there is chromium set
plutes has joined #nixos
<davidak[m]>
so i create another issue
user9348 has quit [Remote host closed the connection]
<davidak[m]>
after testing on 20.03 :D
<worldofpeace>
davidak: yep :D, also check if /run/current-system/sw/share/applications/pantheon-mimeapps.list exists
<numkem>
I've got an annoying bug, not sure if it's related to nix or KDE itself. When you go to audio settings (either through the applet or through system settings), and try to check either or both `Add virtual output...` and `Automatically switch all...` they don't "stick" and don't apply any changes. Leaving and coming back to those settings shows the boxes unchecked.
KeiraT has joined #nixos
<worldofpeace>
numkem: perhaps try running it in a terminal and seeing if there's output, and perhaps in the journal also. I know pulseaudio can be weird there (sometimes)
<{^_^}>
[nixpkgs] @FRidh pushed 5 commits to python-unstable: https://git.io/JfqX4
lordcirth has quit [Remote host closed the connection]
rednaZ has joined #nixos
lordcirth has joined #nixos
<numkem>
worldofpeace: nothing special showing in the logs `journalctl -f ?`
<davidak[m]>
worldofpeace yes, it exists. application/xhtml+xml=org.gnome.Epiphany.desktop
<numkem>
worldofpeace: checking the equivalent on the command line
<davidak[m]>
text/html=org.gnome.Epiphany.desktop
Avaq has joined #nixos
<hyperfekt>
what is the canonical way to explore possible kernel config options on nixos?
<numkem>
worldofpeace: doesn't look like it's making any difference through either paprefs or pavucontrol. oh well
<{^_^}>
[nixpkgs] @teto pushed commit from @worldofpeace to master « nixos/qemu-vm: don't set -vga std »: https://git.io/Jfq1U
<worldofpeace>
davidak: that file sets the default app to epiphany (if the desktop is pantheon) if no other is set. when you set a default app the .config/mimeapps.list is changed
<{^_^}>
[nixpkgs] @FRidh pushed commit from @xfix to staging « libfido2: make builds reproducible »: https://git.io/Jfq1u
<bdju>
cole-h: oh wow, that's a surprise. It tends to update pretty often... Well, I've hit 5-10 vids that don't play at all anymore, and I watch 100% of my YouTube videos via mpv on a normal day so this really sucks.
<worldofpeace>
davidak: I can't reproduce on master with just firefox and epiphany, so maybe it has been fixed
<davidak[m]>
worldofpeace thanks. i will test
<cole-h>
bdju: You could make an overlay for the git version.
<bdju>
oh, I've got it figured out now. thanks for linking me to the github. I hadn't checked there yet for some reason
<nschoe>
Hello everyone, I'm trying to cross-compile a haskell package for my rPi from my laptop, so it must compile GHC (yeah... 6+ hrs).
<nschoe>
But it fails with '/build/ghc23187_0/ghc_10.s: Fatal error: can't close /build/ghc23187_0/ghc_11.p_o: No space left on device'
<nschoe>
I still have tons of place on my '/' partition, so I am guessing this means something in tmpfs. I've relaunched the command with a 'watch df -h', but maybe you can help: where are packages built?
<nschoe>
Is it /run/user/1000?
<nschoe>
Note that I have boot.tmpOnTmpfs
seanparsons has joined #nixos
emilsp has joined #nixos
ardumont has joined #nixos
plutes has joined #nixos
knupfer has quit [Quit: knupfer]
<nschoe>
Or is it /tmp
knupfer has joined #nixos
<srk>
that could be it, can you remount with larger tmpfs?
endocrimes has quit [Quit: running from the computers]
endocrimes has joined #nixos
plutes has quit [Max SendQ exceeded]
KeiraT has quit [Ping timeout: 240 seconds]
plutes has joined #nixos
<nschoe>
srk: probably, but I wonder where this gets decided? I have nothing regarding "/tmp" in my hardware-configuration.nix nor in my configuration.nix, apart from 'boot.cleanTmpDir = true;' and 'boot.tmpOnTmpfs = true;'
<nschoe>
yorick: well... as I said: answer in 5 hours :D :D
<yorick>
nschoe: is this pkgsCross.raspberryPi.ghc from nixos-unstable?
<nschoe>
yorick: almost. 'raspberryPi' is for armv6 raspberrypi 1 only. So this is 'pkgsCross.aarch64-multiplatform.haskellPackages.callPackage' for me
cmacrae has left #nixos ["ERC (IRC client for Emacs 27.0.90)"]
<nschoe>
Gotta go, my RAM is filling up, will try to keep everything low to give space to the build process.
<nschoe>
Will try to report either success or failure.
pamplemousse has quit [Ping timeout: 260 seconds]
<davidak[m]>
i use 32 GB RAM and 70 GB swap to build hundreds of containers :D
chloekek has quit [Ping timeout: 240 seconds]
<JameySharp[m]>
out of curiosity, what triggered a mass rebuild in 20.03 yesterday?
<yorick>
staging merge, possibly?
infandum has joined #nixos
<yorick>
oh, 20.03
shafox__ has quit [Remote host closed the connection]
<cole-h>
openssl maybe?
<infandum>
Is there a --file-watch for nix-env or build such that it will rebuild for every change to the package that default.nix references? I'm thinking like stack --file-watch for haskell.
<cole-h>
Most of the big names involved in Nix + OS work at Tweag
ddellacosta has joined #nixos
AliciaAway has quit [Client Quit]
<{^_^}>
[nixpkgs] @nagisa opened pull request #86143 → Add `jq` into path for `nix-prefetch-docker` → https://git.io/JfqSr
Baughn has joined #nixos
<infandum>
I'm familiar with tweag's haskellR
<numkem>
just curious, anyone running 3+ monitors on a RX 580?
<wkral>
cole-h: That conversation helped, yeah it seems the channel is updating it's just not status.nixos.org
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
jbrock has quit [Client Quit]
jbrock has joined #nixos
<wkral>
as well as whatever is reporting that check-time metric to prometheus
Ashy has quit [Ping timeout: 272 seconds]
mallox has quit [Quit: WeeChat 2.8]
Ashy has joined #nixos
Miyu-saki has quit [Ping timeout: 272 seconds]
Miyu-saki has joined #nixos
Miyu-saki is now known as Guest23688
rogue_koder has quit [Ping timeout: 244 seconds]
o1lo01ol1o has quit [Remote host closed the connection]
Kyndig has quit [Remote host closed the connection]
leah2 has quit [Ping timeout: 246 seconds]
rogue_koder has joined #nixos
alp has quit [Ping timeout: 265 seconds]
o1lo01ol1o has joined #nixos
endformationage has joined #nixos
zupo has joined #nixos
wkral has quit [Remote host closed the connection]
leah2 has joined #nixos
wkral has joined #nixos
o1lo01ol1o has quit [Ping timeout: 246 seconds]
noonien has quit [Quit: Connection closed for inactivity]
zupo has quit [Client Quit]
<{^_^}>
[nixpkgs] @matthewbauer merged pull request #85945 → llvm/compiler-rt.nix: add i{4,5,6}86 to X86 architecture → https://git.io/JfLa1
<{^_^}>
[nixpkgs] @matthewbauer pushed 2 commits to staging: https://git.io/Jfq9u
<{^_^}>
[nixpkgs] @matthewbauer merged pull request #85246 → python.pkgs.grpcio: use system openssl, zlib, and c-ares → https://git.io/JfeFD
<{^_^}>
[nixpkgs] @matthewbauer pushed 2 commits to master: https://git.io/Jfq92
edrex has joined #nixos
wkral has quit [Remote host closed the connection]
jbrock has quit [Quit: jbrock]
zupo has joined #nixos
konobi has quit [Remote host closed the connection]
jbrock has joined #nixos
jbrock has quit [Client Quit]
jgeerds has joined #nixos
konobi has joined #nixos
jbrock has joined #nixos
drozdziak1[m] has joined #nixos
<drozdziak1[m]>
I'm trying to get a vim plugin (vim-hug-neovim-rpc) to work on my system. The plugin requires pynvim Python module at runtime in order to work. How can I override vim to achieve this?
<drozdziak1[m]>
I'd prefer not to manage my editor config with Nix
<drozdziak1[m]>
but only alter the package instead
<dmj`>
how do I install nix as root?
andi- has quit [Ping timeout: 240 seconds]
<edrex>
Install support Qs ok here?
<edrex>
I'll need a boot partition for grub. I read that grub doesn't support LUKS2. Can I work around that by putting initrd on boot? I do this infrequently enough (and it's been awhile since I did a non-EFI boot) that I don't feel 100% confident.
<edrex>
Seeking docs for legacy MBR boot with encrypted root (LVM-on-LUKS).
rogue_koder has quit [Remote host closed the connection]
plutes has quit [Remote host closed the connection]
plutes has joined #nixos
oida has quit [Ping timeout: 240 seconds]
<{^_^}>
[nixops] @adisbladis opened pull request #1326 → tests: Add functional tests using NixOS in Docker → https://git.io/JfqQ4
alp has joined #nixos
knupfer has quit [Remote host closed the connection]
knupfer has joined #nixos
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
jbrock has quit [Remote host closed the connection]
oida has joined #nixos
jbrock has joined #nixos
phreedom_ has joined #nixos
phreedom has quit [Quit: No Ping reply in 180 seconds.]
xkapastel has joined #nixos
o1lo01ol1o has joined #nixos
lassulus has quit [Ping timeout: 250 seconds]
lassulus has joined #nixos
<energizer>
boot.initrd.network.ssh.hostKeys is a list of paths. If i'm remotely deploying a configuration to another system, are those paths resolved to files that are on my local system or on the target system?
Henson has joined #nixos
goodwill has joined #nixos
eof has joined #nixos
<drozdziak1[m]>
Found it, `vim_configurable` has something called `wrapPythonDrv` which appears to pull the needed packages in
user_0x58 has joined #nixos
<bqv>
hey, is there a nice painless way to turn a docker image into a nice clean nix derivation?
jbrock has quit [Quit: jbrock]
<freeman42x[m]>
trying XMonad. Do I need to use GHC with packages inside configuration.nix so that xmonad-contrib package is seen in the XMonad xmonad.hs file?
jbrock has joined #nixos
<bqv>
actually it makes sense if there isn't, that's a massive ask
<Raito_Bezarius>
Is there any way to debug why Mako does not display any notification under Sway?
<simukis_>
bqv: `fetchImage`?
<pbogdan_>
freeman42x[m]: there's `services.xserver.windowManager.xmonad.enableContribAndExtras` option, as well as `services.xserver.windowManager.xmonad.extraPackages` if you need to supply any other packages
<simukis_>
s/fetch/pull/
<Raito_Bezarius>
I cannot run mako BTW because it's complaining about user bus connection refused
<Raito_Bezarius>
Maybe, it has to do with the fact that sway has been launched by a login manager rather than in a user service
<bqv>
simukis_: so that fetches the docker image as-is i'm guessing...
ddellacosta has quit [Ping timeout: 246 seconds]
<bqv>
yeah i think i'll just repackage it properly, avoid all that cruft
<freeman42x[m]>
pbogdan_: so I set this to true to get it to use the contrib lib in xmonad.hs: services.xserver.windowManager.xmonad.enableContribAndExtras ? also, Romanian speaker?
<simukis_>
bqv: right, you would still need to do the patchelf rites, same ones, you’d do for typical binary-input derivations.
proofofkeags has quit [Remote host closed the connection]
proofofkeags has joined #nixos
<freeman42x[m]>
pbogdan_: that gives: "failed to get option data"
<armin>
ok so even when using nix-shell -p i get this when trying to use the python "psutil" module: https://i.imgur.com/R7hnM7W.png so obviously i have some misunderstanding here, could someone enlighten me?
<armin>
ah, AH
<armin>
ok scratch that, i can just append the needed module
jluttine has quit [Ping timeout: 265 seconds]
bqv has quit [Ping timeout: 240 seconds]
<pbogdan_>
wfm but you can also look it up locally via man configuration.nix
<simpson>
armin: `pythonPackages.psutil` is packaged. More generally, when doing virtualenv, you've gotta remember to use the Python executable inside the virtualenv; that'll let you install and use pure-Python modules with pip.
proofofkeags has quit [Ping timeout: 246 seconds]
proofofkeags has joined #nixos
bqv has joined #nixos
infandum has quit [Remote host closed the connection]
<infinisil>
adisbladis: Hey, for poetry2nix, is there an easy way to install binaries from dependencies in the final output with mkPoetryApplication?
<avn>
ornxka: strace and `export LIBGL_DEBUG=verbose`, look at what it tries to load, and why it's missing
aszlig has quit [Ping timeout: 250 seconds]
aszlig has joined #nixos
<infinisil>
adisbladis: For now I've been using the [tool.poetry.scripts] section in pyproject.toml to define executable -> python module/function mappings. E.g. gunicorn = "gunicorn.app.wsgiapp:run"
<infinisil>
But that's not very nice
chloekek has joined #nixos
<davidak[m]>
worldofpeace updating fixed the xdg-open issue :) update with pantheon without problems. thanks for your work!
<ornxka>
openat(AT_FDCWD, "/nix/store/xdsjx0gba4id3yyqxv66bxnm2sqixkjj-glibc-2.27/lib/libGLX_indirect.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
<ornxka>
it cant find libglx etc
<ornxka>
normally theres some weird include path in the environment
klntsky_ has joined #nixos
<ornxka>
that points to like /sw/opengl/nvidia/libglx.so or something
<ornxka>
but its not there
<energizer>
infinisil: i feel like it's part of the concept of "application" that it doesn't inherit its dependencies' console scripts, no?
<infinisil>
Hmm that's a good point..
<ornxka>
nvidia-smi is installed and says the driver is loaded
<ornxka>
but i cant find the userland libs anywhere
<infinisil>
energizer: In my case at least, one binary from a dependency (celery) is needed to run the final build, there is no binary by the project itself
<infinisil>
And if I just built an environment with the dependencies, celery wouldn't know about the python module from the project, so it couldn't run it
klntsky has quit [Ping timeout: 240 seconds]
civodul has quit [Quit: ERC (IRC client for Emacs 26.3)]
<ornxka>
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/nix/store/hhbwbmq85xzb05j47xjiy0xpc1jamrhn-nvidia-x11-440.82-5.6.7/lib if i do this manually it works, but im perplexed as to why its not in my environment by default...
<energizer>
infinisil: how many executables are running in your project?
<infinisil>
Hmm two I guess, both come from the dependencies
<energizer>
just celery and your wsgi runner?
<infinisil>
Yea
<infinisil>
gunicorn
<infinisil>
I think only celery depends on knowing the python module of the application
<energizer>
how does gunicorn import your app unless they're both installed into the same environment?
<infinisil>
Never mind, gunicorn doesn't work if it's not in the same python env
<ornxka>
stuff like blender and chromium also work.. i wonder if just glxinfo is broken
<infinisil>
energizer: If you know of a way to "propagate" a python environment to a binary, that would be great
<cole-h>
`makeWrapper`? :P
<infinisil>
What do I wrap it with though?
<energizer>
infinisil: and the celery server also needs to know about (be in the same python environment as) your app, right?
<energizer>
or not
<infinisil>
energizer: Yeah
<energizer>
ok
<JameySharp[m]>
ornxka: LD_LIBRARY_PATH used to get /run/opengl-driver/lib added to it automatically if you turn on opengl in nixos but looking at the module now, that apparently isn't necessary any more for drivers that support libglvnd (see hardware.opengl.setLdLibraryPath)
<ornxka>
ah
<ornxka>
so i should turn that on to make it work :p
<energizer>
infinisil: so maybe you just want `start-myapp-celery = celery.startwhateverthing`
<infinisil>
With which binaries appear to be in a python env
<infinisil>
energizer: Not sure what you mean by that
Henson has joined #nixos
proofofkeags has quit [Remote host closed the connection]
<{^_^}>
[nixpkgs] @matthewbauer opened pull request #86147 → kde/{kate,konqueror,okular}: decrease text mimetype preference → https://git.io/Jfq5h
<infinisil>
I think for now I'll just add more dependency binaries manually to poetry's [tool.poetry.scripts] section
<infinisil>
If they need to be in the same environment as the app
<energizer>
infinisil: just like you originally said with `gunicorn = "gunicorn.app.wsgiapp:run"`, but just giving the script a different name so that it's clearly about your app instead of just a generic celery
<ornxka>
ah yes it works with the setldlibrarypath option
<energizer>
infinisil: it sounds like your app actually does have multiple commands for starting its various components, it's just a bit weird for those commands to inherit the same name as the dependency they're based on
<energizer>
you want an interface that hides the implementation like `myapp start-server` not `celery`
<energizer>
because the fact that your app uses celery is an implementation detail
<infinisil>
Hm yeah that makes sense, though I'm just a python noob and I'm struggling quite a bit
<infinisil>
I'll probably forward this to the people who wrote the thing
<energizer>
perhaps `myapp start-webapp` and `myapp start-queue`
<infinisil>
Yeah that sounds much nicer
proofofkeags has joined #nixos
<energizer>
otoh ....there's another view
<infinisil>
energizer: I've seen in docs that gunicorn and celery seem to indicate that the default mode of operation is to run the gunicorn/celery binaries and pass your app's module as an argument
<infinisil>
Is this not mandatory then?
<infinisil>
I kind of assumed it had to do with the python runtime somehow making this necessary
mydude has joined #nixos
shreyansh_k has quit [Ping timeout: 244 seconds]
<energizer>
there are two ways to do it. you can run gunicorn which runs your app, or you can have your app run gunicorn
<energizer>
the former is more common
<infinisil>
Hm I see, but I guess in this specific case it seems to cause a bit of unnecessary friction with poetry2nix
andi- has quit [Ping timeout: 244 seconds]
cr4y1 has quit [Ping timeout: 260 seconds]
<energizer>
if you do mkPoetryEnv does the gunicorn binary appear on your path?
<infinisil>
energizer: Yeah
<infinisil>
It has all the binaries from all dependencies in the built environment
<energizer>
that sounds like a solution then?
<bqv>
> pkgs.nheko.version
<{^_^}>
"0.6.4"
<infinisil>
Except it's not wrapped with the apps python env :)
<infinisil>
mkPoetryEnv actually doesn't even take your apps source
<infinisil>
It just takes the pyproject.toml and poetry.lock
<edrex>
so, I have two very different machines with nixos now, and I'd like to keep all their configs in a repo with common stuff factored out. Beginner-friendly suggestions? Should I just spend some time on https://search.tx0.co/ and come up with my own layout?
<energizer>
oh i took a guess `python -m gunicorn` would work because most packages provide that but it doesnt
<ornxka>
edrex: i just made /cfg and put it all in there
<ornxka>
/etc/nixos/configuration.nix is a symlink to /cfg/sys/$MACHINE.nix
<energizer>
but gunicorn doesnt provide one of those
<ornxka>
and then $MACHINE.nix does imports from elsewhere in /cfg
<energizer>
too bad
<infinisil>
Hm I see
<infinisil>
So maybe PYTHONPATH wrapping it is
<edrex>
ornxka: seems sensible and simple. thanks!
<ornxka>
np
<energizer>
you can follow the trail of `which gunicorn` (or just look in gunicorn's `setup.py`) to find out what it's actually running. in this case it's `from gunicorn.app.wsgiapp import run; run()`
<energizer>
PYTHONPATH will work iff you don't have C-extensions in your source and you're not using any packaging metadata. but because that's not a safe assumption in the general case, the proper thing to do is of course install your app. poetry2nix is fighting you here
maddo has quit [Quit: See ya]
mydude has quit [Remote host closed the connection]
<energizer>
(not its fault really, the "editable installs" spec for pyproject.toml is still under discussion)
jbrock has quit [Quit: jbrock]
<freeman42x[m]>
possibly stupid question incoming: `sudo nix-collect-garbage -d` or `nix-collect-garbage -d`? any functional difference?
jbrock has joined #nixos
jbrock has quit [Client Quit]
jbrock has joined #nixos
<energizer>
infinisil: so i think there's a question to ask yourself: are the celery and wsgi servers implementation details of your app, or are they external to the app, provided by the execution context
<energizer>
if they're part of your app, i'd provide console scripts for them under [tool.poetry.scripts]. if they're external, maybe install your app as a *package* and make another derivation that provides those external binaries
<ornxka>
wait, whats the difference between nix-store --gc and nix-collect-garbage?
<energizer>
simpson: would you sanity check my last suggestion to infinisil ^
jbrock has quit [Client Quit]
jbrock has joined #nixos
<infinisil>
Hmm lemme think about that..
plutes has quit [Ping timeout: 264 seconds]
Acou_Bass has quit [Ping timeout: 264 seconds]
Baughn has quit [Ping timeout: 246 seconds]
<infinisil>
energizer: What do you mean by "installing" the app?
<infinisil>
Actually `nix-env`-like installing?
seanparsons has quit [Ping timeout: 260 seconds]
peanutbutter144 has quit [Ping timeout: 260 seconds]
KeiraT has quit [Ping timeout: 240 seconds]
icey_ has quit [Ping timeout: 260 seconds]
lunik1 has quit [Ping timeout: 260 seconds]
ddellacosta has joined #nixos
<energizer>
in the sense of propagatedBuildInputs (aka setup.py's install_requires, aka [tool.poetry.dependencies])
<infinisil>
Ah, and I guess nixpkgs python tools would use propagatedBuildInputs in the python wrapping
<energizer>
right
<infinisil>
Hm still kind of very unsure how to do that
emilsp has quit [Ping timeout: 624 seconds]
<infinisil>
Maybe build the app with mkPoetryApplication and then override propagatedBuildInputs
<{^_^}>
[nixpkgs] @bcdarwin opened pull request #86151 → vtk: unbreak on OS X → https://git.io/JfqFR
<simpson>
energizer: I don't understand Poetry. I hear what you're saying, though.
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
jbrock has quit [Remote host closed the connection]
<infinisil>
Hm nah that doesn't work
jbrock has joined #nixos
<energizer>
simpson: you agree there are two reasonable ways to organize this, namely celery and gunicorn are either inside or outside the app?
lunik1 has joined #nixos
Acou_Bass has joined #nixos
<infinisil>
I think for now I'll just continue to use the [tool.poetry.scripts] section and make a TODO there saying to make a proper binary so this won't be needed anymore
icey_ has joined #nixos
seanparsons has joined #nixos
<energizer>
s/app/app derivation/
<simpson>
Yep. And, given how WSGI works, you probably need at least gunicorn to use the same Python environment as your WSGI app. Celery too, depending.
Baughn has joined #nixos
<energizer>
yeah ok cool
emilsp has joined #nixos
chloekek has quit [Ping timeout: 264 seconds]
<infinisil>
I think celery might work without it actually
<energizer>
infinisil: so pick inside or outside, and we can go from there
alp has quit [Ping timeout: 265 seconds]
peanutbutter144 has joined #nixos
KeiraT has joined #nixos
<infinisil>
Well currently it's outside, but I think inside would be better ideally
plutes has joined #nixos
<edrex>
ornxka: do you move your hardware-configuration.nix inside the device-specific file then?
<ornxka>
yeah
plutes has quit [Remote host closed the connection]
fendor has quit [Read error: Connection reset by peer]
<energizer>
infinisil: i can elaborate on usage of that if it interests you, lemme know
<infinisil>
Should be fine with this, thanks for all the help energizer :)
<infinisil>
energizer++
<{^_^}>
energizer's karma got increased to 11
<energizer>
np :)
thc202 has quit [Ping timeout: 244 seconds]
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
Henson has joined #nixos
<Henson>
has anyone set up NixOS as a media center with a remote control? I'm trying to figure out how to get my IR remote to work. In the NixOS Wiki there are instructions for enabling LIRC in the kernel, which requires a recompile. I was wondering if there was another simpler way to do it.
<simpson>
Henson: There's a userspace IR stack, if you have something like a USB IR receiver, and it happens to be supported. But you're going to have a much better time by using the kernel-side drivers, IME.
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
pamplemousse has quit [Ping timeout: 260 seconds]
<Henson>
simpson: ok. Some things I've read say that LIRC has been deprecated and there's an input event system that has now replaced it. I experimented with this, noticing that it was enabled by default in the stock NixOS kernel, but the remote control decoders were not added so it wouldn't work. Recompiling the kernel to enable the decoders kind of worked.
philr_ has joined #nixos
<simpson>
Henson: Oh, yeah, if your remote can generate X input events, then that will be winning. So that should be your goal. At some level, that'll have to go through the kernel, but indeed there's multiple routes. You'll want to look carefully and make sure that your specific model of receiver is listed.
justanotheruser has quit [Ping timeout: 240 seconds]
<Henson>
simpson: ok. I got the IR event thing to work with the kernel decoders, but some buttons weren't working. I was just wondering if I was missing something else that I should be using instead.
lunik1 has quit [Ping timeout: 244 seconds]
<simpson>
Henson: You may have to hack at parts of the stack to get every button to work, unfortunately. You can test with tools like xev, in `xorg.xev`, which dumps all of the X events sent to its window.
Baughn has quit [Ping timeout: 260 seconds]
KeiraT has quit [Ping timeout: 240 seconds]
chagra_ has joined #nixos
lunik1 has joined #nixos
lemsip has joined #nixos
icey_ has quit [Ping timeout: 260 seconds]
Acou_Bass has quit [Ping timeout: 260 seconds]
Baughn has joined #nixos
seanparsons has quit [Ping timeout: 246 seconds]
seanpars- has joined #nixos
<Henson>
simpson: so should I aim to steer away from LIRC and more towards the IR event stuff? Is LIRC obsolete now?
Acou_Bass has joined #nixos
peanutbutter144 has quit [Ping timeout: 260 seconds]
KeiraT has joined #nixos
peanutbutter144 has joined #nixos
icey_ has joined #nixos
emilsp has quit [Read error: Connection reset by peer]
<simpson>
LIRC has always had a dated feel to it. But I think it still works. I currently don't have my IR receiver hooked up at all, but now that I think about it, I guess I'm using Bluetooth for my controller. So, Bluetooth happened, I guess?
<Henson>
simpson: do they have bluetooth remote controls now? I have an openelec media center system, but want to try moving to NixOS. The difficulties with the IR remote control made me give up.
<simpson>
Yeah, there's all kinds of cool stuff these days. I don't know what to recommend, though. Hacking on LIRC sounds about as good as anything else.
jbrock has quit [Quit: jbrock]
jbrock has joined #nixos
noonien has joined #nixos
justanotheruser has joined #nixos
mbrgm_ has joined #nixos
mbrgm_ is now known as mbrgm
o1lo01ol1o has quit [Remote host closed the connection]
<noonien>
hello folks!
<{^_^}>
[nixpkgs] @bhipple opened pull request #86154 → [20.03] python.pkgs.grpcio: use system openssl, zlib, and c-ares → https://git.io/Jfqbp
<noonien>
how can i get a gcc cross-compiler for thumbv7em-none-eabi?
<noonien>
i see in nixpkgs that there are some example systems in lib/systems/examples.nix
<noonien>
i see there's also arm-embedded, so i'm guessing crossPkgs.arm-embedded.gcc should work