<{^_^}>
[nixpkgs] @marsam pushed 3 commits to release-20.03: https://git.io/Jf4b6
<lovesegfault>
I have a foo.nix file that I want to rename to bar.nix. I want to keep the original foo.nix so as not to disrupt users' workflows for a while, but I want to add a deprecation notice. How can I do that?
<aiverson>
Is the nixos systemd units module missing the user and group options? systemd documents them, but they seem to be missing in the nixos option definition.
<edef>
you can set serviceConfig.User
vika_nezrimaya has quit [Ping timeout: 258 seconds]
<aiverson>
I don't see it. Is that `systemd.services.whatever.user`?
felixfoertsch23 has joined #nixos
felixfoertsch has quit [Ping timeout: 240 seconds]
felixfoertsch23 is now known as felixfoertsch
<notgne2>
avalenn: the `serviceConfig` attr set option just serializes to the config file iir
<notgne2>
*iirc
<notgne2>
so any of the fields probably won't be under any NixOS documentation, it's just plainly mapped into the SystemD config
<notgne2>
imo those options should all be overlaid through another Nix layer, but abstracting SystemD in any way seems deeply political
<jasom>
so I was looking into getting NIS to work with NixOS, and I have everything working *except* login shells not named /bin/sh; I see there's already an LDAP module, does anyone know how it addresses that problem?
sarcasticadmin has quit [Ping timeout: 240 seconds]
<jasom>
e.g. user "foo" has a login shell of "/bin/tcsh" and there is no /bin/tcsh, nor is /bin/tcsh in /etc/shells so the login is rejected because of an invalid shell.
domogled has quit [Ping timeout: 256 seconds]
drakonis1 has quit [Quit: WeeChat 2.8]
LysergicDreams has quit [Ping timeout: 256 seconds]
<cransom>
for the very short period i was dealing with ldap and nixos, i was setting nixos users shells to /run/current-system/sw/bin/$theirshell . that doesn't do well for other systems, but what i had at the time.
<jasom>
I suppose I can always make an overlay that puts the shells I need in /bin
<quinn>
it's a search from nixos configurations from the wiki
<jasom>
now the question is, does anyone *want* NIS in NixOS besides me? Right now it "Works on My Machine"(TM)
<jasom>
FWIW doing this made me fall in love with nix all over again. It was surprisingly easy to get everything working. The only part of nixos I had to actually modify was nsswitch.nix.
<jasom>
The only part I haven't figured out is to require either nscd or sssd to be running; NixOS has nscd on by default, so I'm not super worried about it, but systemd-logind and NIS do not play well together without a caching server
bastion-tester has quit [Ping timeout: 272 seconds]
<jackdk>
emily: you want to build a derivation of the source, or rebuild the same derivation with different patches?
orivej has quit [Ping timeout: 256 seconds]
<emily>
the former, a derivation of the patched unpacked source
<{^_^}>
[nixpkgs] @doronbehar opened pull request #87790 → krop: move libsForQt5.poppler out of propagatedBuildInputs → https://git.io/JfBJ6
eoli3n__ has joined #nixos
<jtojnar>
emily I do not think there is any nice way
knupfer has quit [Ping timeout: 256 seconds]
shafox has quit [Ping timeout: 265 seconds]
rauno has joined #nixos
<jtojnar>
it would be nice to have applyPatches combinator but IIRC the issue with it is the copying between store and /build and store again and /build again is slow
alp has quit [Remote host closed the connection]
alp has joined #nixos
rogue_koder_ has quit [Remote host closed the connection]
mallox has joined #nixos
hmpffff has joined #nixos
hmpffff_ has quit [Ping timeout: 265 seconds]
<{^_^}>
[nixpkgs] @vbgl opened pull request #87791 → ocamlPackages.batteries: fix for OCaml 4.10 → https://git.io/JfBU8
xantoz has quit [Ping timeout: 272 seconds]
<{^_^}>
[nixpkgs] @lheckemann merged pull request #87219 → postgres: Do not log timestamp → https://git.io/JfcJT
<aiverson>
How would I troubleshoot why, in a nixops deployment containing a key and a service, the service can't access the key? All the users and groups seem to line up, but trying to read the content of the file into an environment variable results in a `Permission denied` error message.
hmpffff_ has quit [Ping timeout: 256 seconds]
<clever>
aiverson: if you `sudo -u <foo> -i` to that user, and then try to `ls -l` the key, what happens?
lsix has joined #nixos
<aiverson>
`This account is currently not available.`
<clever>
aiverson: `sudo -u foo bash`
<aiverson>
`ls: cannot open directory '/run/keys/': Permission denied`
hmpffff_ has joined #nixos
<aiverson>
Ah, I need to add the `keys` group to the user. That should be documented.
zeenk has joined #nixos
hmpffff has quit [Ping timeout: 265 seconds]
hyper_ch2 has quit [Quit: Connection closed]
matthiaskrgr has quit [Quit: Free ZNC ~ Powered by LunarBNC: https://LunarBNC.net - currently broken?]
<{^_^}>
[nixpkgs] @vbgl pushed commit from @sternenseemann to master « ocamlPackages.jingoo: 1.2.18 → 1.3.4 »: https://git.io/JfBtt
<sephii>
I'm struggling trying to list all versions of a Python package. I tried `nix-env -qa django` and `nix-env -qa python37Packages.django` but both don't yield any result. How do you search for such packages?
cr4y1 has quit [Remote host closed the connection]
<ebopp>
for what reason do some sources in nixpkgs have a sha256 = "sha256-V8bXam33..." hash including uppercase characters? is this just base64 vs base32?
cr4y1 has joined #nixos
<jtojnar>
ebopp correct
<jtojnar>
recent nix prints SRI hashes on mismatch so people just copy those
<ebopp>
any reason to choose one over the other? or is it arbitrary?
CMCDragonkai1 has joined #nixos
<sshow>
does anyone have a successful deluge daemon setup?
<niksnut>
ebopp: it's wrong, it should be hash = "sha256-V8bXam33..."
<MichaelRaskin>
I think it still does work as sha256 = …
<ebopp>
niksnut: inside fetchFromGitHub?
<niksnut>
it works, but it's ugly
<niksnut>
especially since you could write sha256 = "sha512-..."
<ebopp>
niksnut: oh, yes that makes sense. there are a ton of packages using sha256 on nixpkgs though.
<ebopp>
interestingly, the hash syntax seems to be hash = "sha256:<base32>" and hash = "sha256-<base64>"… not exactly intuitive
zupo has joined #nixos
<niksnut>
yeah the sha256:<base32> syntax is old
fendor has quit [Ping timeout: 256 seconds]
simba1 has quit [Quit: WeeChat 2.8]
<pjt_014>
while using nix-copy-closure I just got "error: cannot add path '/nix/store/...' because it lacks a valid signature", yet I have an ssh connection to the same device. What's that about
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage-packages.nix: automatic Haskell package set update »: https://git.io/JfBOM
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<saurabhkukade>
I am having issue while building haskell project. I am doing nix-build release.nix and getting error while building as `Setup: Encountered missing or private dependencies:
<saurabhkukade>
base ==4.11.*`
<{^_^}>
[nixpkgs] @peti pushed 7 commits to haskell-updates: https://git.io/JfBOH
<bqv>
I need it to be possible to reboot a machine without manual intervention, and to reboot into a new config without manual intervention. With those two restraints, it follows that nix is able to access the secrets independently, which means they are in the store
corpix has quit [Remote host closed the connection]
<immae>
bqv: they need to be in "a store", but they don’t need to be in the local store. I made a module that I use via nixops where only the local store will contain the secrets, the distant ones will never have them (it comes with a script that installs them in /var/secrets with proper permissions, so it’s resilient across reboots)
<bqv>
So you build a configuration, but it depends on something not in the same store?
zupo_ has joined #nixos
matthiaskrgr has quit [Quit: Free ZNC ~ Powered by LunarBNC: https://LunarBNC.net - currently broken?]
<bqv>
That's no better than having files lying around, imo
<bqv>
And I'd rather not use nixops for this
<niso>
bqv: having the keys in the store makes them accessible for everyone, having them in another directory allows you to set appropriate permissions
<bqv>
But then you have to keep that separate store in sync with your config/system
<niso>
bqv: if you use nixops you can use deployment.keys.your-secret-key.destDir which will somewhat sync your keys
<niso>
bqv: as in: it will sync your key to the server (and place it in the dir) but it won't remove it from there
steshaw has quit [Remote host closed the connection]
<immae>
bqv: the activationScript is responsible for synchronising /var/secrets
<immae>
It’s either that or having the keys in the store...
matthiaskrgr has joined #nixos
<bqv>
Hmm
<bqv>
Ok I'm intrigued, do you have an example immae?
nikivi has joined #nixos
<immae>
bqv: Hold on. Again, I’m using nixops, it’s an important part of the process
<bqv>
Oh, nevermind then
<immae>
ok
<bqv>
Screw it, keys in the store
<immae>
Otherwise Infinisil made some work to have a similar feature locally, but it is less flexible (as in: as far as I understood, you need one file per secret and this "file" cannot be built via a nix expression, which was important for me)
<niso>
bqv: uhm, maybe rsync your keys to a remote dir?
<niso>
bqv: giving all your software access to your secrets is a really bad idea :/
<bqv>
Yes, it is, but in the name of convenience I am willing to sacrifice it. That said, I like the idea of maintaining a "secret store" and having activation actually be an operation that acts on both stores
<bqv>
I'll probably steal some ideas from that module
<bqv>
It's quite cool
<{^_^}>
[nixpkgs] @thefloweringash closed pull request #86525 → binutils: backport fix for 'invalid string offset' on arm → https://git.io/Jf38r
<niso>
bqv: in the name of convenience some people also version their secrets in git :P
<{^_^}>
[nixpkgs] @FRidh opened pull request #87814 → Staging next → https://git.io/JfBZ9
hlisp has joined #nixos
<{^_^}>
[nix] @edolstra pushed to auto-uid-allocation « canonicalisePathMetaData(): Support a UID range »: https://git.io/JfBnq
<manveru>
what are y'all using for exception monitoring? afaict neither Sentry nor Errbit are packaged and all other services I could find are SaaS only
<bqv>
yeah i had that issue a while back
<bqv>
i just settled for not bothering
hlisp has quit [Read error: Connection reset by peer]
orbekk1 is now known as orbekk
mthst has quit [Ping timeout: 260 seconds]
<niso>
manveru: for log monitoring in general i'm using grafana
<manveru>
yeah, i use that already
<manveru>
but this is for sending exceptions directly from applications to a place that allows you to associate it with issues, see the backtrace, environment, etc...
agsdheidjd has quit [Ping timeout: 256 seconds]
corpix has joined #nixos
<niso>
oh, i see. i've neither a setup for that, nor a usecase
agsdheidjd has joined #nixos
dm9 has joined #nixos
mthst has joined #nixos
dguibert has joined #nixos
eoli3n_ has quit [Remote host closed the connection]
<{^_^}>
[hydra] @knl opened pull request #760 → Correct the link to hydra-api.yml file → https://git.io/JfBcy
<d4rkshad0w>
When one is writing a nixos service module that needs to generate a .yaml config, is there a way to generate a part of the code from the example configuration? Or do I have to do this by hand?
Khetzal has quit [Quit: \o/]
coco has quit [Quit: WeeChat 2.6]
<etu>
d4rkshad0w: you can probably use builtins.toJSON to generate the file, json is a subset of yaml so if the software use a yaml parser it should be able to read the json file
jtobin has joined #nixos
maddo has quit [Remote host closed the connection]
<d4rkshad0w>
I probably meant it the other way around. Can I generate the implementation (or rather the `options.services.service` part) pulling structure and description (from comments) from the yaml file?
maddo has joined #nixos
coco has joined #nixos
jtobin has quit [Remote host closed the connection]
coco has quit [Client Quit]
bebarker has joined #nixos
evanjs has quit [Ping timeout: 256 seconds]
jtobin has joined #nixos
<d4rkshad0w>
I want to create a module running mautrix telegram, which is configured by a big yaml file. It would be cool to take the example configuration run a script over it, and have a .nix file containing the `options.services.mautrix-telegram` with correct options, default values and description set.
coco has joined #nixos
evanjs has joined #nixos
<manveru>
d4rkshad0w: yeah... you'd have to write that script
<coco>
newbie question: i upgraded nixos and home-manager to 20.03. now i can't log in anymore; i get "failed to start session" in lightdm. i'm using x11 + i3. any pointers to where i look for the problem?
<d4rkshad0w>
I'll have a look into it...
<{^_^}>
[nixpkgs] @nhey opened pull request #87820 → nixosTests.kubernetes: port tests to python → https://git.io/JfBR6
<infinisil>
Though other than bash script ugliness with process handling, it's working well for me :)
<immae>
infinisil the topic earlier this morning was about secrets, am I right in that your system doesn’t permit to generate a secret via a nix expression or did I miss something?
<infinisil>
I guess it still allows it with `secrets.foo.file = pkgs.writeText "foo" "SECRET"`, but the intention is to use `secrets.foo.file = ./secret` instead
<infinisil>
And then the secret won't end up in the store
<immae>
yes I was thinking more of secrets.foo.source = "some static text ${some_dynamic_variable}"; which I use in many places
aswanson has joined #nixos
<infinisil>
Yeah that's not possible without writing it to the store
<{^_^}>
[nixos-search] @garbas pushed commit from @Mic92 to master « import name as keyword (#30) »: https://git.io/JfB2h
<sMuNiX>
cole-h: nix (Nix) 2.4pre20200501_941f952
proofofkeags has quit [Remote host closed the connection]
proofofkeags has joined #nixos
drakonis_ has quit [Ping timeout: 265 seconds]
<balsoft>
infinisil: I looked at your nixoses thing, it's pretty interesting. Do you think it would be within the spirit of the project to add a "separate service" option? I.e. have a profile that can be updated separately from the rest of the system and a systemd service that would run an executable from that profile. We could still keep the system reproducible, but move some of the activation logic to the client (to reduce
<balsoft>
unnecessary system rebuilds and uploads).
<infinisil>
balsoft: Yes I'm very interested in something like that!
<infinisil>
Having multiple Nix profiles for separate things. The best example is having one hardware profile and one config profile. This would allow you to roll back the config even if you upgraded hardware
opticnerve has joined #nixos
<balsoft>
Yep
<balsoft>
infinisil: We're working on our own deploy script that does that, but if we could integrate our work into your nixoses that would be pretty awesome
<balsoft>
Because that would mean more features for you and less maintenance for us :)
nschoe has quit [Remote host closed the connection]
<balsoft>
Both :) We have a bash version that we're using for most things and we also have a Haskell version we're trying out
<balsoft>
They aren't as full-featured as your project, though.
<infinisil>
Oh nice
<infinisil>
Even with the little amount of bash there is in nixoses, it's already been the cause of some headaches
morgrimm_ has quit [Ping timeout: 246 seconds]
<infinisil>
So I really don't think that's the way forward
nschoe has joined #nixos
<balsoft>
It's basically "build locally, ssh to a remote user, do stuff", where "stuff" is either sudo switch-to-configuration switch or nix-env --set ... && systemctl restart ...
KendyChat has joined #nixos
<infinisil>
I see
cr4y1 has quit [Quit: Leaving]
<flokli>
balsoft: you might want to join #nixos-systemd for the "systemd units" discussion. This has been popping up recently.
<balsoft>
flokli: thanks
cr4y1 has joined #nixos
<infinisil>
flokli: What's the discussion about?
<flokli>
infinisil: I'll add an introduction there. the logbot should also have logs
staxatl has quit [Remote host closed the connection]
KendyChat has quit []
KendyChat has joined #nixos
sarcasticadmin has quit [Ping timeout: 258 seconds]
<Guest493>
I've been facing a few issues when upgrading from 19.09 to 20.03. The largest ones so far is that the Terminus font is no longer recognized on my system (I'm using the terminus_font package) and the xfce power manager plugin has disappeared. How should I fix this?
dm9 has quit [Quit: WeeChat 2.8]
hlisp has quit [Ping timeout: 265 seconds]
<Guest493>
The other extra fonts specified in my nix config are still being recognized
Soo_Slow has joined #nixos
<ar>
that sounds like removal of bitmap font support
<{^_^}>
[nixpkgs] @flokli merged pull request #87684 → nixos/manual: document use of systemd to mount filesystems → https://git.io/Jf8K5
<{^_^}>
[nixpkgs] @flokli pushed commit from @glasserc to master « nixos/manual: document use of systemd to mount filesystems (#87684) »: https://git.io/JfBVc
<siers>
I added gnupg.agent.enable = true; but I still can't decrypt
<siers>
I get errors about pinentry
vidbina has quit [Ping timeout: 256 seconds]
<niso>
siers: you want to add gnupg.agent.pinentryFlavor = "curses"; (as an example)
<siers>
ah, alright :) it said "it'll pick the right flavor" in the description of the option :D it lied!
<Guest493>
ar: Setting allowBitmaps and useEmbeddedBitmaps didn't change anything. What's weird is that it doesn't complain if I specify a bitmap font but set allowBitmaps to false
<Guest493>
Do I need to reboot?
never_released_ has quit [Read error: Connection reset by peer]
<aanderse>
i can't seem to recall... can i make `mkRemovedOptionModule` work with submodule options? what is the recommendation there?
astraliam[m] has joined #nixos
<siers>
niso, hm, gtk2 didn't work
<siers>
even after restarting display-manager
<siers>
and a gpg-agent reload
xcmw has joined #nixos
<Guest493>
Does anyone know if the xfce4-power-manager panel plugin needs to be explicitly enabled in 20.03? After the upgrade the panel plugin disappeared
justanotheruser has joined #nixos
hlisp has joined #nixos
morgrimm has joined #nixos
<niso>
siers: did you install pinentry_gtk2 ?
<siers>
niso, I assumed that'd install the package implicitly
<niso>
siers: looks like all it took for me was reloading gpg-agent via "gpgconf --reload gpg-agent" (either that or i did a reboot - according to my history file)
<eadwu[m]>
ldlework: I haven't used Proton, but it should work just launching it from what I read on different subreddits, maybe the envs aren't passed?
dingenskirchen has quit [Remote host closed the connection]
dingenskirchen has joined #nixos
turlando has joined #nixos
knupfer has quit [Remote host closed the connection]
<Twey>
Hey… if I want to override the buildInputs to a Ruby gem on an application produced with bundlerApp to add a new native dependency (specifically — asciidoctor in nixpkgs depends on the `mathematical` gem, but its support for the gem is broken because `mathematical` includes a .so that needs `liblasem` in its RPATH)
<Twey>
Can I just do bundlerApp.override { gemConfig = defaultGemConfig // …; } ?
phreedom has quit [Remote host closed the connection]
<virus_dave>
Hello! I am repeatedly running into the problem at the top of https://logs.nix.samueldr.com/nix-darwin/2020-02-03 ("cannot link ....: File exists"). Before i go about nuking this by following @clever's suggestion, is there anything i can do to help debug this problem? FWIW my /nix/store/.links has 348089 entries
sigmundv has quit [Read error: Connection reset by peer]
_kwstas has joined #nixos
phreedom has joined #nixos
turion has joined #nixos
OmnipotentEntity has joined #nixos
turion has quit [Client Quit]
sigmundv has joined #nixos
rogue_koder has quit [Remote host closed the connection]
<cyris212>
I've tried osprober with GRUB. As a result my system stop booting...
<bqv>
oh btw, immae, niso, infinisil, i decided on a better solution for secrets - I'll indeed have them in the store, but encrypted by a keyfile, which is also stored in the flake, but in .hg so it's filtered out whenever nix dumps the flake to the store, and copied somewhere as part of operations. so the master keyfile is encrypted in the repo, and never in the store, and also on each machine. keys are
<bqv>
encrypted in the repo and in the store, and can be decrypted to tmpfs as part of activation/init. means apart from that initial bootstrap of having the master key on each machine, all requirements are met and it's reasonably safe.
<{^_^}>
[nixpkgs] @Izorkin opened pull request #87833 → Sandbox mysql → https://git.io/JfBih
<danderson>
bqv: is this setup in a public repo somewhere? Very curious how you're doing both flakes and the secrets management part
<bqv>
no, cause i literally just thought it up
<danderson>
heh
<bqv>
i'm going to implement it shortly
<bqv>
and it will be in my repo
<danderson>
sweet, got a link I can throw in my to-read list?
<danderson>
(once you've implemented, that is)
<bqv>
github:bqv/nixos
hlisp has quit [Ping timeout: 260 seconds]
<bqv>
and yeah can't promise it'll be done immediately
<danderson>
thanks!
<bqv>
np
<danderson>
no worries, I'm not in a hurry :)
<danderson>
still planning how to get nixos into prod over here, and I think both nixops improvements and flakes are kinda necessary at this point
<danderson>
so I need to play with flakes, and having examples is very useful.
<bqv>
there are many, now :) i think at this point the best way to find some is to just search github...
<superbaloo>
danderson: I got a yubikey to sign both kernel and its modules
<danderson>
ah, so it works!
<danderson>
excellent
<superbaloo>
but I can't get it integrated in a nix-build
<danderson>
aah, I see.
<danderson>
yeah, that's also where I wasn't sure what to do. One rough idea I had was to make that happen in the activation script rather than the build
nixbitcoindev_ has quit [Quit: nixbitcoin out]
<cyris212>
Woot, I just replaced systemd-boot with GRUB and it still boots through systemd-boot.
<danderson>
but that has the obvious downside of requiring the signature to happen on the machine trying to install the kernel
<danderson>
one derivation produces the unsigned kernel. Then outside nix entirely, you take that kernel, sign it, and store it somewhere as a binary blob.
alp has joined #nixos
<danderson>
Then your signed kernel derivation just downloads that file and places it in the derivation.
<superbaloo>
danderson: yeah, I got to that point too
hlisp has joined #nixos
<danderson>
upside is it's entirely reproducible by anyone. Downside is the process of upgrading kernels is harder now, you have to first ratchet the version in the source derivation, then do a manual operation, then ratchet the version on the signed build :/
<danderson>
hm, does the derivation hash include hashes of its outputs?
<danderson>
I can't remember if yes, or if it's only a hash of the inputs
<superbaloo>
not that I know
KindTwo is now known as KindOne
<superbaloo>
you can get the hash of a derivation before building it
<superbaloo>
I'd guess not
<danderson>
if it's a hash of the inputs, and you're willing to sacrifice perfect binary reproducibility, then you can skip the manual step
<superbaloo>
well, to be fair, signature should be reproducible
<danderson>
have your signed kernel derivation grab the unsigned kernel and make a signature. Random people building from source can't reproduce the exact signature (because of IVs and other random elements)
<danderson>
but they can still pull the cached derivation, assuming you have a cache somewhere
<superbaloo>
one other alternative would be to use a network-hsm-like behavior
<superbaloo>
expose the yubikey on the network, and build with network exposed
<danderson>
then the only thing you need is some way to keep the yubikey session open during the entire nix-build, so it doesn't pause and prompt you
<danderson>
(or maybe a prompt is fine, I dunno)
<danderson>
yeah, so, exposing the key over the network creates a signing oracle
<danderson>
so now you have a much larger problem where you have to prove that the requestor is trustworthy :)
<superbaloo>
:)
<danderson>
you _can_ do it with TPM and secure boot attestations, but it's quite hard.
<superbaloo>
not saying this is perfect!
hlisp has quit [Ping timeout: 240 seconds]
<danderson>
Alternatively, make your signing oracle have a list of exact hashes that it's willing to sign
<superbaloo>
I was thinking of giving the build a "client-key" to authenticate to the signing server
<danderson>
then if someone asks you to sign a specific hash for a kernel you know you've built, you can do it safely
<superbaloo>
(tls like)
<danderson>
right, but now you're trusting the entire userspace of the client machines to be uncompromised
<{^_^}>
[nixpkgs] @emilazy opened pull request #87837 → treewide: remove uses of p7zip → https://git.io/JfBPQ
<danderson>
if I can get root on your box, I can use the client key to sign my malware'd kernel and subvert your secure boot
<superbaloo>
yup
<superbaloo>
not saying this is anywhere perfect
<danderson>
(to be clear, once you have root it's game over already, it's just a question of how deeply you can become persistent on the box)
<superbaloo>
I'm just exposing my thoughs here
<superbaloo>
thoughts
<danderson>
yup yup
<danderson>
this all depends on your threat model, what are you trying to defend against :)
<superbaloo>
very much :)
<danderson>
I assumed if you're trying to distribute signed kernels, you're defending against not trusting the machines to do the right thing
<danderson>
otherwise you'd do what I did on my arch laptop, and just have the signing key on the machine
<danderson>
(on an encrypted drive, so if the laptop is off you can't persuade it to secure-boot into a hostile kernel, but if you have root on my machine you can sign whatever you want)
<srhb>
mica[m]: That does sound odd, considering most of the UI(?) is probably in wx, and looks like it's properly depending on it at runtime
<srhb>
I don't have a calibratythingy to test anything but that with though..
sMuNiX has quit [Ping timeout: 265 seconds]
<skrzyp>
I'm making a headless storage/music/media server with nixOS, and there's a question now - can I declaratively "pair" with my Bluetooth speakers in Nix?
ssdd has joined #nixos
<skrzyp>
or just put their HCI addresses and let Nix automatically pair with them each time?
<srhb>
skrzyp: I would guess "no" to the former and "you could run `bluetoothctl pair $someaddress` when some conditions are met" to the latter
dongcarl has quit [Ping timeout: 272 seconds]
<srhb>
skrzyp: I'm not sure why you really want this though. afaik you _need_ to do the one-time interaction with the other end at least once, and from then on I would think bluetoothd does the connection automatically and without intervention.
xcmw has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<marcinkuzminski>
we've updated our nix from 18.03 to 20.03, in our python build stack we've got some custom code that inherited other package and copied some information over, before the build $PWD was something like: `/tmp/nix-build-python2.7` now it's `/build/XXX` this causes some filesystem access problems, i cannot find it in the changelog, was that changed, and is that configurable?
<simpson>
Cadey: Looks like it starts, at least, if ldd can examine it. strace maybe?
<Cadey>
execve("./deno", ["./deno"], 0x7ffd09cd9d10 /* 100 vars */) = -1 ENOENT (No such file or directory)
<LnL>
marcinkuzminski: that has been the case for quite some time now
<LnL>
oh 18.03
<marcinkuzminski>
Gaelan: thanks, let us check it
<{^_^}>
[nixos-hardware] @00-matt opened pull request #163 → dell/xps/13-9360: Stop using i18n.consoleFont → https://git.io/JfB1q
<LnL>
I'm not sure the sandbox influences that, and I'd highly recommend to keep that enabled especially for python stuff
<mica[m]>
srhb: yes, unfortunate. I'm trying to update displaycal, but the DRV fails trying to copy something from the source.
eoli3n_ has quit [Remote host closed the connection]
<srhb>
mica[m]: Oh?
eoli3n_ has joined #nixos
<Gaelan>
marcinkuzminski, slightly longer answer: nix sandboxes builds to prevent them from accessing anything other than their inputs, as declared in nix. The idea is to make sure you know exactly what goes into your builds, which makes it more likely that you'll be able to reproduce them. Long-term, it'd probably be a good idea to figure out how to get files into the build within the confines of nix instead of going around it, but useSandbox = false should
<Gaelan>
work OK as a workaround
<mica[m]>
srhb: yes, the copyright file. I can't tell what part of the build script thinks that file is there though
<marcinkuzminski>
LnL: 18.03 is quite old, i think it didn't have a sandbox... and we're doing very custom stuff on a "big" python app
<simpson>
Cadey: Huh. That suggests bogus linkage or bad interpreter, but everything looks fine. You could ask the `file` command; it will spit out the interpreter path, and maybe that's hardcoded and will need a patchelf.
<Cadey>
./deno: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=b914ea3fdbf0a4300975e7f314d7e7d8d7f44c2a, with debug_info, not stripped
<marcinkuzminski>
Gaelan: we're doing exactly what sandbox is preventing, but it's for a reason that our two apps work in such way that one overwrites the other, and it needs some of its files for building JS, it's complicated :D
<simpson>
Cadey: Huh, funky. I don't see the problem offhand; upstream will have to help. You can try various tricks listed under "I've downloaded a binary, but can't run it" at https://nixos.wiki/wiki/FAQ
zaeph1 has joined #nixos
<marcinkuzminski>
LnL: thanks for that commit, it's exactly what we're having and it generates a problem for us
<pikajude>
long shot but does anyone have any idea what this is about
<Gaelan>
btw is the workflow for staging documented anywhere? my current understanding: big rebuilds get merged into staging, which then gets merged into master…when someone feels like it? also something something staging-next?
<marcinkuzminski>
Gaelan: is there a way to disable sandbox via CLI /env flag ?
o1lo01ol1o has quit [Ping timeout: 256 seconds]
<{^_^}>
[nixpkgs] @dywedir merged pull request #87838 → newsboat: fix on darwin → https://git.io/JfBXZ
<spinlock[m]>
Is it possible to make a haskell package with a font dependency?
<spinlock[m]>
I see a lot of packages doing something like `FONTCONFIG_FILE = makeFontsConf { fontDirectories = [ freefont_ttf ]; };`, but this raises `called with unexpected argument 'FONTCONFIG_FILE'` when used with `haskellPackages.callPackage`
evils has quit [Quit: Lost terminal]
hmpffff has joined #nixos
<{^_^}>
[nixos-homepage] @github-actions[bot] pushed commit from @edolstra to master « Update flake.lock and blogs.xml [ci skip] »: https://git.io/JfBMI
knupfer has joined #nixos
hmpffff_ has quit [Ping timeout: 265 seconds]
<Asmadeus>
So.. I like the idea of the test VMs and been trying to use it for tests in my own stuff, it works well, but sometimes I need to debug stuff: how do you go around to that? I've thought of setting up openssh in the vm together with `forward_port` in python driver but I never see the port being opened (which I find odd, even checked entering qemu's netns just in case, but I have no clue about vde really..)
<Asmadeus>
how do you folks do it?
<bqv>
that variable needs to be set at runtime, not build time, spinlock[m]
<bqv>
make a wrapper
<marcinkuzminski>
srhb, Gaelan, LnL thanks disabling sandbox made it to build, we're going to review that if we can have that with sandbox as recommended.
ebopp has quit [Remote host closed the connection]
<spinlock[m]>
bqv: Ahh. Thanks! Is that what `haskellPackages.shellFor` is used for? (sorry, still learning)
<bqv>
nah, that'll be for ad-hoc development. you want the tools provided by the 'make-wrapper' package. you'll see a lot of derivations do something with 'wrapprogram', that's what you'll want to use
<spinlock[m]>
thanks bunches 🍻
<{^_^}>
[nixpkgs] @andir merged pull request #87772 → [19.09] firefox: Add patch to fix AES GCM IV bit size → https://git.io/Jf49s
<{^_^}>
[nixpkgs] @andir pushed 3 commits to release-19.09: https://git.io/JfBMR
plp_ has quit [Read error: Connection reset by peer]
plp_ has joined #nixos
<emily>
Gaelan: unstable-YYYY-MM-DD
<emily>
is the nixpkgs convention
<emily>
(with the commit date)
<Gaelan>
emily++
<{^_^}>
emily's karma got increased to 26
redcedar[m] has joined #nixos
<LnL>
yeah, commit date in that case + -unstable so nix-env --upgrade doesn't prioritize it over stable versions
eoli3n_ has quit [Ping timeout: 272 seconds]
morgrimm has joined #nixos
eoli3n_ has joined #nixos
morgrimm has quit [Ping timeout: 260 seconds]
devalot has joined #nixos
<devalot>
This is a bit weird. I just upgraded to 20.03 and the `date` command and journalctl are reporting AM/PM on all my servers instead of the traditional 24-hour time. How do I restore the original behavior?
LysergicDreams has quit [Ping timeout: 256 seconds]
knupfer has quit [Ping timeout: 265 seconds]
<{^_^}>
[nixpkgs] @wishfort36 opened pull request #87842 → tamzen: init at 1.11.4 → https://git.io/JfBDQ
<clever>
qyliss: this will add another entry to the grub menu, for booting a kernel+initrd pair, that runs entirely from a ramdisk
<qyliss>
oh wow that's awesome
<clever>
qyliss: if you just swap out line 22 to do rescue-kernel = /path/to/zImage; then it will use your custom kernel (but not any of the modules)
Darkmatter66 has joined #nixos
<qyliss>
that should be fine
<qyliss>
I can compile in any modules I care about changing
<qyliss>
thanks!
codygman has quit [Read error: Connection reset by peer]
codygman has joined #nixos
lsix has quit [Quit: WeeChat 2.8]
<clever>
qyliss: and lines 9-13 would be the nixos config for the disk image it boots, so you can bake in anything needed for testing
<balsoft>
Hi everyone again! Does anybody know if there's a list of IP addresses to which nixos.org can resolve? I for sure know that some of them are (mistakenly) blocked in Russia by RKN, and would love to get them unblocked. The fact that sometimes it appears to be down is very confusing and concerning for new users.
mallox has quit [Quit: WeeChat 2.8]
<unclechu>
hi, can i somehow get path to current `*.nix` module?
<clever>
unclechu: ./. is always the dir the file is within
<balsoft>
And yes, I know that it's unlikely we'll achieve anything, but it's worth a try. Also, I know there are technical circumventions to the issue (e.g. VPN), but it's not always viable (and it's currently illegal to use VPN to access "blocked" resources, so there's that...)
<unclechu>
clever: but wouldn't it be resolved to a store path when converted to a string? hm... probably not
<MichaelRaskin>
Wait what? They actually passed responsibility _for user_, not for VPN operator?
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
wnklmnn has joined #nixos
<clever>
unclechu: it only gets copied to the store when you treat it as a string
<balsoft>
MichaelRaskin: I'm pretty sure that the "anonymiser" act actually adds some responsibility to the user, yes
codygman has quit [Read error: Connection reset by peer]
<{^_^}>
[nixpkgs] @talyz opened pull request #87843 → nomachine-client: Add archive.org to source urls → https://git.io/JfByj
<clever>
unclechu: so it depends a lot on what you want to do after you get that path
<unclechu>
clever: anyway, `./.` is a dir? is there any way to get path to current *.nix file?
codygman has joined #nixos
<clever>
unclechu: maybe using builtins.unsafeGetAttrPos
<balsoft>
energizer: thanks
<unclechu>
i have a bunch of scripts for which i use name which match either the name of current directory or *.nix file, i want to reduce duplication and the area for typos
<balsoft>
So basically ping Eelco then (which I don't really want to do)
<clever>
unclechu: (builtins.unsafeGetAttrPos "a" { a=1; }).file
cr4y1 has quit [Remote host closed the connection]
<MichaelRaskin>
balsoft: given that SPbSU failed to get the hosting of their e-learning platform excluded from a blanket-banned block…
cr4y1 has joined #nixos
<unclechu>
clever: it seems it's working, thanks, time for hacks
<unclechu>
i wish there would be normal way to do so
linarcx has quit [Ping timeout: 256 seconds]
<balsoft>
MichaelRaskin: I can't find any link to the fact that it's illegal for the user of the VPN. Still, I host my own VPN (mostly to access mistakenly blocked sites, like nixos.org), so technically speaking I'm breaking the law anyways
<balsoft>
unclechu: there isn't a "normal way" because nix is not always evaluated from a file
<MichaelRaskin>
balsoft: I am not sure you count as operator if you don't ever _offer_ it
<balsoft>
MichaelRaskin: I think it's still worth a shot, maybe they'll react better (yes, I know, I'm naive and infantile to think that a government agency will do anything after just a letter, but I still hope that they will)
zupo has joined #nixos
<MichaelRaskin>
balsoft: well, it takes days for them to unblock google.com IPs…
<{^_^}>
[nixpkgs] @SFrijters opened pull request #87846 → openbox: Use python3 instead of python2 → https://git.io/JfBSd
Bunogi has joined #nixos
cr4y1_ has joined #nixos
cr4y1 has quit [Read error: Connection reset by peer]
<unclechu>
clever: that was a bad idea since i cannot normally do `nix repl my-module.nix`
<clever>
unclechu: you have to load the module with the module tooling, something like `nix repl '<nixpkgs/nixos>'`
fendor_ has joined #nixos
morgrimm has quit [Ping timeout: 264 seconds]
fendor_ has quit [Client Quit]
<unclechu>
clever: this works, yes, `nix repl -I /etc/nixos '<somedir/my-module.nix>'`
<unclechu>
thanks again
<clever>
that looks a bit weird
<unclechu>
clever: why so? full path didn't work for me for some reason
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<unclechu>
it failed with `/etc/nixos/... was not found in the Nix search path (add it using $NIX_PATH or -I)`
<clever>
the module shouldnt be passed to nix repl
<clever>
except via -I nixos-config=
<clever>
`nix repl '<nixpkgs/nixos>'` will load <nixos-config> which is usually your configuration.nix
<clever>
and then that loads more via imports
<unclechu>
clever: well, in my case i prefer to skip all the modules i don't need in my REPL, my modules are more or less independent and thus more composable (so later i can separate some non-invasive *rc-configs as `default.nix` files for those repos)
<clever>
unclechu: then youll want my module example
<clever>
that shows how to load a custom set of modules in a default.nix
<unclechu>
clever: thanks, i'll take a look later
<aiverson>
Is there a way to use nixops ssh to perform scp tasks? Or to ask about what I actually want, I have a service I'm trying to migrate from one place to another that stores some state in a file, and I want to move the state alongside the service so that the up to date copy on my local box goes to the server once, then the server gradually updates it, then the updated copy can come back to my local box rather than being
fendor has quit [Read error: Connection reset by peer]
civodul has quit [Quit: ERC (IRC client for Emacs 26.3)]
<energizer>
aiverson: #nixops
<keithy[m]>
emily: Hi, are there any docs on recommended use pattern for openresty (saw you on the maintainers list)
wnklmnn has quit [Ping timeout: 264 seconds]
<emily>
keithy: I believe you can use the nginx module with it by overriding the package setting. I don't use openresty myself though (currently on plain nginx, decided to move to either h2o or caddy instead, haven't decided which one yet)
<{^_^}>
[nixpkgs] @doronbehar opened pull request #87848 → ccls: Use latest llvmPackages → https://git.io/JfB9H
<{^_^}>
[nix] @edolstra pushed to auto-uid-allocation « Run builds in their own cgroup »: https://git.io/JfBHf
spacefrogg has quit [Quit: Gone.]
aw has quit [Quit: Quitting.]
MmeQuignon has quit [Ping timeout: 260 seconds]
aw has joined #nixos
spacefrogg has joined #nixos
orivej has quit [Ping timeout: 240 seconds]
LysergicDreams has quit [Ping timeout: 260 seconds]
LysergicDreams has joined #nixos
noudle has joined #nixos
opticnerve has quit [Ping timeout: 256 seconds]
__monty__ has quit [Quit: leaving]
<{^_^}>
[nixpkgs] @edolstra pushed to master « postgresql: Use runuser instead of sudo »: https://git.io/JfBHu
o1lo01ol1o has quit [Remote host closed the connection]
<ornxka>
i have a package that produces a .so file, just with cc `pkg-config blah blah` and then cp blah.so $out/lib/
<ornxka>
but when i do ldd result/lib/blah.so i get libusb-1.0.so.0 => not found
<ornxka>
i think i need to use patchelf to set rpath?
xcmw has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<ornxka>
i see rpath in NIX_LDFLAGS, am i supposed to refer to that in my fixupPhase or is there some way to get the nix stdenv machinery to do this for me?
<{^_^}>
[nix] @edolstra pushed to auto-uid-allocation « Reduce # of UIDs per build to 65536 »: https://git.io/JfBH5
o1lo01ol1o has joined #nixos
user_0x58 has quit [Ping timeout: 260 seconds]
<ornxka>
libc/libm/etc are correctly specified in there, just the buildinputs are not found...
<ornxka>
i needed nativeBuildInputs = [ autoPatchelfHook ];
<ornxka>
i cant believe i spent like 45 minutes tearing my hair out and writing wrapper scripts to set LD_LIBRARY_PATH manually when i could have put that one single line in and been done with it
LysergicDreams has quit [Ping timeout: 256 seconds]
LysergicDreams has joined #nixos
erasmas has quit [Quit: leaving]
<Robertof>
hey! stupid question -- is there a way to do something like this in a nixos config? `boot.supportedFilesystems = lib.remove "zfs" config.boot.supportedFilesystems;` This obviously fails due to infinite recursion, but I can't think of other ways to basically get the last evaluated value and remove "zfs" from it
<{^_^}>
[nixpkgs] @Mic92 merged pull request #87849 → gotify: adapt update script to use vendor sha → https://git.io/JfBQO