<jlv[m]>
Anyone have a good real example of a NixOps configuration? I'm having trouble figuring out how to structure my NixOps setup. I'm currently trying to destructure it into a few parts: one part for the NixOps machine configurations, one part for domain configuration, and one part for the backend configuration of a website. I'm not just jamming it all together because I will have multiple websites under this domain, possibly
<jlv[m]>
multiple websites from multiple domains on the same machine, and depending on load, I may need multiple machines for one website. Ideally, I want to keep the parts decoupled, but I'm having a hard time with that, unless I use containers for the domain and website configurations, but I'd prefer to avoid the redundant NGINX instances.
<jlv[m]>
How can I run a Steam game without the Steam client? The game runs fine when I open it from Steam, but if I try to run the '.sh' file directly, it gives an error. I assume it has something to do with the way Steam is wrapped.
detran has quit [Ping timeout: 265 seconds]
<clever>
jlv[m]: some games have some DRM in place, which makes it very difficult to launch outside of steam
<clever>
that also makes it very difficult to diagnose compatibility problems
<hexa->
that's outside the steam client, but inside the steam environment iiui
<hexa->
c
<clever>
yeah, thats basically to handle the FHS layer, to make it look more like debian
orivej has quit [Ping timeout: 256 seconds]
<hyper_ch>
ahmmm.... do I read this wrong: https://www.theregister.com/2020/06/03/lenovo_certifies_all_workstations_for_linux/ - Lenovo is serious about this: the company says its workstations will “offer full end-to-end support – from security patches and updates to better secure and verify hardware drivers, firmware and bios optimizations.” Lenovo will also upstream device drivers into the Linux kernel. ???
orivej has joined #nixos
drakonis has quit [Read error: Connection reset by peer]
<energizer>
i'm trying to use a yubikey. afaik to get a key i'm supposed to run `pamu2fcfg` but that says "timeout error".
<hyper_ch>
energizer: what do you want to use the yubikey for?
<energizer>
hyper_ch: i want to authorize nfs shares with it
<hexa->
hyper_ch: firmware updates have been a reality for a while through fwupd
<hyper_ch>
so you're not using it in general for passwords and stuff (fido2)?
<hyper_ch>
hexa-: I have E-series lenovo :)
<hyper_ch>
hexa-: but it seems they really want to support linux now on the p-series
<hyper_ch>
energizer: good luck
<energizer>
`pamu2fcfg` is in nixpkgs, it just doesn't seem to work
<jlv[m]>
clever: thanks :) I was thinking `steam-run` was included in the `steam` package.
<energizer>
eadwu[m]: i do have that
<energizer>
on second thought, maybe this plan doesn't make sense
<energizer>
what's a good way to do something like nfs (share files from my server to my laptop) without getting pwned too hard
ninjin has joined #nixos
<energizer>
options i can think of: samba, nfs, sshfs
<DigitalKiwi>
syncthing?
<pjt_014>
^
<jlv[m]>
energizer: nfs isn't really secure over a public network. sshfs is easy to set up and secure. samba is there if you're using Windows.
<pjt_014>
energizer: or git-annex if you want a swiss army chainsaw
<energizer>
DigitalKiwi: the problem with syncthing is i have to keep all the files on the laptop, but that's too much data for a laptop
<hyper_ch>
energizer: I use samba instead of nfs and I just only allow connections from predefined ip addresses (which are all wireguard vpn addresses where the same server is also the wireguard server)
<hyper_ch>
that way I ensure only computers connected to the server's vpn are allowed to access the samba shares
<jlv[m]>
Syncthing is only really an option if you can store all of the server files on your laptop, and it can have its own issues with inconsistent syncing.
<hyper_ch>
syncthing has been running fine for me... I use it to distribute music/videos to my notebook, tablet and cellphone mostly
<energizer>
i haven't spent much time with git-annex-assistant, does it do transparent file-access like sshfs does?
<jlv[m]>
I haven't used Syncthing personally. I've just done research and have heard reports of it mis-syncing occasionally.
<hyper_ch>
question is: can you limit nfs to some IPs as well or not?
<spagetios>
hey guys what are the typical use cases for nixos is it aimed at ppl that jst wanna sandbox everything or can;practical? to use as an everyday?
<jlv[m]>
spagetios: I use NixOS everyday on multiple machines. I think most of the people here do.
<energizer>
there's still a fair amount of mutable stuff in that setup, namely in /persist and /home
<hyper_ch>
energizer: that's the data you want to keep usually ;)
<energizer>
why would i put something i want to keep in a minefield like mutable filesystem :P
<hyper_ch>
energizer: so can you restrict access to nfs to given ips? If so, have it all limited to a vpn
<energizer>
hyper_ch: i think i can do that. it just feels ...flimsy
<spagetios>
thank you both
<hyper_ch>
energizer: why feel flimsy?
<energizer>
hyper_ch: i'm not assigning clients' ip addresses on the nfs server machine, what if they change and some other device takes those ips
<hyper_ch>
energizer: that's what a vpn is for
<hyper_ch>
they can change their ip but you can still assign them their vpn ip ;) well, it was just a suggestion
<energizer>
hyper_ch: that means keeping the vpn config in sync with the nfs config, i'm not confident i can maintain that
<hyper_ch>
have more confidence ;)
<quinn>
energizer: i'm no expert, but i think you should be VLANing different classes of IPs and managing NFS security that way
o1lo01ol1o has joined #nixos
<spagetios>
energizer, hyper_ch-nfs used only by a server(not clients-or both)? and is it deprecated? watching a video on it now from 2016
<quinn>
(rather than statically assigning individual IPs, because if someone sees your vpn config and realizes that the "right IP" for getting NFS access is x.x.y.z they can just manually set it and get past that layer of security)
<energizer>
spagetios: it's not deprecated afaik
<quinn>
i don't think nfs is deprecated either. i'm not sure what the more modern alternative is
<energizer>
quinn: that is the kind of concern i'm wondering about
sarcasticadmin has quit [Ping timeout: 240 seconds]
<quinn>
energizer: then pony up for a managed switch? or use a different authentication method
<energizer>
quinn: i was looking into using yubikeys but couldn't get it to work. do you have another method?
<quinn>
energizer: i use syncthing for some NFS-ish tasks, which is key-based. sshfs will probably do the trick for you right?
<energizer>
quinn: syncthing requires the laptop to hold all the data, which is too much
<quinn>
energizer: then sshfs it is right?
<quinn>
just set that up, expose the port, set up authorized_keys and you should be good
<energizer>
quinn: i think sshfs would work. maybe smb.
<quinn>
samba is more of a windows thing to my knowledge, i also don't know how the client support is for linux. i remember reading CIFS support is not very good
<quinn>
sshfs is really easy to set up and test so why not try that and then benchmark it. samba is probably going to take you longer to configure
<energizer>
i'm seeing `services.samba.shares` in man configuration.nix
<quinn>
i mean if you really want to, go for it. but sshfs is literally just setting up ssh + providing a mountpoint
kvda has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
justanotheruser has quit [Ping timeout: 260 seconds]
<quinn>
and setting up ssh is just adding a line to authorized_keys on the host
<energizer>
if i have networking.firewall.enable = true, why do i also have iptables with `nixos-fw-accept all -- anywhere anywhere `
<quinn>
i mean obvious answer but if you have iptables off then you don't need any iptables commands. i can't tell which module is forming that specific command though
orivej has quit [Quit: No Ping reply in 180 seconds.]
<energizer>
oh verbose shows that was only for lo interface
<quinn>
oh haha that makes sense
proofofkeags has quit [Ping timeout: 272 seconds]
orivej has joined #nixos
<dkjii>
quinn: thanks, thats what i was looking for
<quinn>
dkjii: o7 enjoy
stolyaroleh has joined #nixos
skrzyp has quit [Ping timeout: 260 seconds]
skrzyp has joined #nixos
<clever>
energizer: i find it much easier to read the output of `iptables-save`
<clever>
energizer: nixos-fw-accept is a special chain used to accept packets, and things only go there if another rule in INPUT related chains decides to allow it
<clever>
energizer: INPUT says packets have to first go thru nixos-fw, and nixos-fw then defines the primary rules, ultimately ending in `-j nixos-fw-log-refuse`
alexherbo2 has joined #nixos
orivej has quit [Ping timeout: 246 seconds]
orivej has joined #nixos
<energizer>
i get it, i really just meant "i have the firewall enabled, shouldnt it be blocking everything by default" and my iptables looked like it wasn't, so i sshed and that got through and i was like uhoh but then verbose showed the `lo` and remembered ssh was special cased
<hyper_ch>
as said, making nfs only available through the vpn will ensure that no outsider can access it. That's what the routing of the vpn does... no other machine can just pretend to have a vpn ip... because each client and the vpn server will forward such things through the vpn
<hyper_ch>
quinn: cifs works good on linux... never had issues
cole-h has quit [Quit: Goodbye]
<hyper_ch>
dkjii: you want to completely install nixos on a remote server?
xO1 has joined #nixos
<quinn>
hyper_ch: are you talking about an interface on the local machine, or just the ip? i thought you were talking about ip restricting to a vpn reserved ip, which i don't think would work without additional security measures
<quinn>
if you're talking about a openvpn setup on the local machine, i'm sure you could make that work securely with iptables
<hyper_ch>
quinn: not sure what you talk about...
orivej_ has joined #nixos
orivej has quit [Ping timeout: 258 seconds]
m0rphism has joined #nixos
<quinn>
re: making nfs only available through the vpn
kvda has joined #nixos
<{^_^}>
[nixpkgs] @kampka closed pull request #75263 → coturn: Support secrets file for configuring the static-auth-secret → https://git.io/JeSOt
<hyper_ch>
quinn: yes, so?
<quinn>
you said making nfs "only available through the vpn will ensure that no outsider can access it" i assume in contradiction to what i said earlier about either wanting VLANs or other kind of auth. i'm saying that if you just make an iptables rule that lets through traffic from the vpn subnet, i don't think that is enough to prevent unauthorized access
eoli3n_ has joined #nixos
<hyper_ch>
vpn
<hyper_ch>
you have a vpn server, that authenticates clients (in wg based on public/private keys)
<hyper_ch>
and it adds also routing so that data from/to a vpn ip only goes through according interface
<hyper_ch>
energizer: that's the output of ip route
<energizer>
i see
<quinn>
hyper_ch: i was confused because i wasn't considering a setup that depended on vpn and nfs on the same box. i'm sure that will work fine, but ip only authentication cannot because non-vpn clients can still send arp packets and such with their ip set to the designated vpn subnet
<hyper_ch>
quinn: ah... I setup all machines in a vpn and communicate between them only through vpn
<quinn>
you set up a vpn daemon on every server?
<hyper_ch>
and wireguard is simple to setup and has almost no overhead
<hyper_ch>
contrary to openvpn
<hyper_ch>
quinn: I only run a few servers, and vms :)
<hyper_ch>
currently it's 7 servers
<quinn>
is there any reason why you prefer this setup to vlans?
<hyper_ch>
less headache
<hyper_ch>
also works easy on android
<quinn>
the PKI on this sounds like a headache to me, but if it works for you that's good i guess
<hyper_ch>
quinn: wg is very simple
kvda has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<energizer>
i want a couple more layers of defense
<quinn>
ohhh, right. i've only used openvpn. is the PKI a lot better for wg?
<energizer>
can you also have nfs only listen on that interface?
<hyper_ch>
wg has one drawback: every client needs to be added to the server
<hyper_ch>
quinn: you understand german?
FRidh has joined #nixos
<energizer>
i'm worried that one day i'll mindlessly turn off the firewall and expose everything
<{^_^}>
[nixpkgs] @kampka opened pull request #89386 → kops: 1.16.2 -> 1.16.3, init at 1.17.0 → https://git.io/JfP4h
<energizer>
so i want more than just the firewall protecting my goodies
<quinn>
hyper_ch: sorry, nope. technically took almost a year of german but it's all gone now. and definitely not swiss german
<quinn>
energizer: you have a firewall on/in front of your modem too right??
proofofkeags has joined #nixos
<energizer>
quinn: behind it, sure. but with enough computers on the network, some of them will usually be pwned and aggressive
<quinn>
also you might be able to set the bind address to the wg address rather than 0.0.0.0. if you run wireguard and `ip a` that should tell you. no promises though
<quinn>
energizer: i haven't managed a network of that size but i believe you. hopefully you have VLANs in place if you're managing one of those
<energizer>
ah services.nfs.server.hostName might be that
<quinn>
looks like it to me (but no promises i'm not a networking security guy)
<hyper_ch>
quinn: of course not adjusted to nixos, as you can define that all in the configuration.nix
proofofkeags has quit [Ping timeout: 240 seconds]
<hyper_ch>
I've been using openvpn for 10+ years and wrote several bash scripts for easy deploy of configs and stuff
<hyper_ch>
but wg just makes it so much simpler
<quinn>
hyper_ch: thanks! i don't remember openvpn well enough to compare, but i'm glad it works out well for you
orivej has quit [Quit: No Ping reply in 180 seconds.]
<quinn>
i just put it on my pfsense box so that dealt with the (mediocre) pki and then it was set and forget you know
orivej has joined #nixos
<hyper_ch>
quinn: on openvpn I didn't reach above 200mbit, while with wg I reach around 900mbit (iperf3)
mallox has joined #nixos
<dkjii>
hyper_ch: I'm planning on bootstrapping my vms using an existing box
cybrian has quit [Quit: cya]
<dkjii>
hyper_ch: i know theres nixops too which ill take a look but am evaluating nixos rn
<quinn>
hyper_ch: that's pretty promising, promising enough to make me look at my vpn setup soon. ty
<quinn>
dkjii: https://nixos.wiki/wiki/Configuration_Collection there is a configuration collection and a search tool, you can look through a few example configs to see how people are using certain features. a lot is undocumented and even unused everywhere but the source code so i would recommend asking here about specific topics if you're evaluating for sysadmin or dev/ops stuff
<hyper_ch>
dkjii: well, I used clever's kexec to boot a small nixos with zfs drivers included, then I setup the disks/partitions, configuration.nix and did install nixos
cybrian has joined #nixos
ph88^ has joined #nixos
lsix has joined #nixos
cfricke has joined #nixos
maxdevjs has quit [Ping timeout: 272 seconds]
<dkjii>
hyper_ch: you used kexec to boot the stage3?
<kenran>
When trying to build https://pastebin.com/x1KFsfh2, I'm getting "java.lang.Exception: Couldn't create directories: /homeless-shelter/.lein". Is there something I'm doing wrong in my nix expression?
<{^_^}>
[nixpkgs] @Mic92 pushed commit from @mpickering to master « tracy: init at 0.6.3 (#89292) »: https://git.io/JfPEx
hiberno has joined #nixos
proofofkeags has quit [Ping timeout: 246 seconds]
hiberno has left #nixos [#nixos]
hbrn has joined #nixos
<hbrn>
Hey! I am currently in the process of installing NixOS on a laptop currently running Arch. I want to keep the partitioning and want to keep an encrypted boot. The laptop uses UEFI. My Arch installation uses an unencrypted EFI partition on which GRUB is installed. Grub then asks for a passphrase to decrypt the device containing /boot and the
<hbrn>
initramfs contains a keyfile to decrypt it again to mount /root. Works like a charm.
johnnyfive has quit [Quit: I quit now.]
<hbrn>
When reading through the installation guide I read that when using UEFI I "must use systemd-boot", which would not support such a setup.
johnnyfive has joined #nixos
<hbrn>
The guide does not say however, why I would have to use systemd-boot and can't use GRUB...
<hbrn>
I couldn't find an explanation elsewhere so I came here to ask :)
<{^_^}>
[nixpkgs] @peterhoeg opened pull request #89395 → <!-- To help with the large amounts of pull requests, we would appreciate your reviews of other pull requests, especiall… → https://git.io/JfPan
<teto>
any objection to removing the aws package ? last meaningful commit seems to be ~ 2016 and it kinda impersonates the `awscli`. Their definitions are not close in all-packages.nix either which doesn't help
<{^_^}>
[nixpkgs] @groodt opened pull request #89399 → buildkite-cli: init at 1.1.0 → https://git.io/JfPwi
<{^_^}>
[nixpkgs] @OPNA2608 opened pull request #89400 → Parallel building fixes → https://git.io/JfPwM
<bahamas>
manveru: thanks. looking into it
alp has quit [Ping timeout: 246 seconds]
<manveru>
bahamas: also LnL knows most about this stuff i think :)
<LnL>
you'll need a linux build host
<LnL>
but if you really want something local a vm also works
<bahamas>
LnL: I tried building in a virtualbox vm. the process fails with this line "qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot allocate memory"
<LnL>
bahamas: btw you can build any custom iso like that, define a configuration.nix which imports that installation cd module and define everything else you want to customize there
<{^_^}>
[nixpkgs] @romildo opened pull request #89401 → mint-x-icons: init at 1.5.5 → https://git.io/JfPrP
<bahamas>
LnL: I'm actually interested in building a minimal image of NixOS. but I assume the channel is copied into the store, right? so there's a minimum amount of space taken by the channel
zupo has joined #nixos
zupo has quit [Client Quit]
<LnL>
not sure what's in there exactly
<LnL>
but you might be able to eliminate some extra stuff with eg. documentation.man.enable = false;
Ridout has quit [Read error: No route to host]
Ridout has joined #nixos
<{^_^}>
[patchelf] @rpurdie opened pull request #202 → Fix shared library corruption when rerunning patchelf → https://git.io/JfPr7
<FRidh>
manveru: alright thanks!
j-k has joined #nixos
<j-k>
Why is my machine building libreoffice from source :/ I don't have an overlay for it or anything... Just nothing on cache.nixos.org?
<Uma>
I'm trying to use udev to mount a luks drive when I connect it through usb. The rule gets triggered successfully, but using cryptsetup open on the device gives an error saying the device doesn't exist or access is denied. I call whoami from the script, that says I'm root. I tried adding a sleep 10 delay, but nothing. What's happening here?
<monokrome>
Does anyone know how to release/renew my IP in NixOS? It keeps using an old lease >.<
apple_at_cha has joined #nixos
<dminuoso>
monokrome: That's not up to nixos..
zebrag has joined #nixos
inkbottle has quit [Ping timeout: 246 seconds]
<dminuoso>
You can change your mac address if you like, that should do the trick
<dminuoso>
DHCP servers have a tendency to give stable address assignments whenever possible
<dminuoso>
Based on your mac address.
<monokrome>
ah
<monokrome>
it's a router thing
<monokrome>
I thought releasing asked DHCP to clear the lease
<dminuoso>
Well, DHCP server - but if your router also runs the DHCP server then yes.
<monokrome>
sorry >.<
<dminuoso>
That might or might not work.
<monokrome>
yes obviously >.<
<dminuoso>
Depending on the DHCP server implementation, it might use a stable algorithm that gives you the same IP address back.
<monokrome>
yeah it's openwrt
oida has quit [Ping timeout: 240 seconds]
oida has joined #nixos
<TZander>
monokrome: notice that after telling the dhcp server you want x.42 (for instance), it might still take a reconnect or even the original dhcp timeout to get reassigned. Works instant on my netgear, though.
b42 has quit [Quit: WeeChat 2.7.1]
bahamas has joined #nixos
<TZander>
I'm just looking at nix and the first thing I'm pondering is if anyone figured out how to set up aliases for the obvious things. 'nix-env -e' -> 'nix-env rm'
b42 has joined #nixos
proofofkeags has joined #nixos
__monty__ has quit [Ping timeout: 265 seconds]
orivej has quit [Ping timeout: 246 seconds]
orivej has joined #nixos
__monty__ has joined #nixos
bahamas has quit [Ping timeout: 258 seconds]
proofofkeags has quit [Ping timeout: 246 seconds]
Rusty1 has joined #nixos
bvdw has quit [Remote host closed the connection]
KindTwo has joined #nixos
bvdw has joined #nixos
LevelChart8 has joined #nixos
<monokrome>
dminuoso, TZander: I'm pretty sure that I just need to renew, but restarting dhcpcd doesn't renew my devices
<monokrome>
how do I renew?
KindOne has quit [Ping timeout: 272 seconds]
<TZander>
disconnect and reconnect to your basestation.
<monokrome>
you mean remove the network cable?
<monokrome>
The machine isn't nearby :/ There's no command for it?
<TZander>
no, typically a network manager action. if you run KDE I can tell you, otherwise I have no idea.
<monokrome>
it's a server
<monokrome>
restarting dhcpcd used to work :/
<TZander>
then just restart the network manager systemd
<monokrome>
seems something changed
<monokrome>
using networkmanager on a server is like taking dynamite to go fishing
<TZander>
hehe, agreed
<monokrome>
lol
<wavirc22_>
I'm on macos. I've unzipped flutter and when I try and run it, dart fails with "taskgated: no signature for pid=41521 (cannot make code: UNIX[No such process])". I think I have to sign the executable. Is there an approach to this?
KindTwo is now known as KindOne
* monokrome
wonders what a flutter is
<TZander>
I expect you will regret wondering (mumbles google)
<TZander>
btw, I'm just here to learn nix a little. nix-env is beautiful so far. Simple.
<kenran>
I'm having trouble getting a nix derivation to work inside a container and I don't know why. The derivation uses leiningen to build a minimal clojure project and works just fine on my local machine: https://pastebin.com/x5AjKP6Z
<kenran>
I found out that I have to export HOME in some way, or else leiningen won't build even on my machine. But after that it works fine locally.
<TZander>
wavirc22_: actually, I looked it up just last week by accident. As a non-web-dev I will never have need for that info :)
<kenran>
I think it might be a permission problem, but I don't really know where to look for help. The project was created via `lein new bla`, and then I wrote the default.nix. Running it inside a docker container is where it fails (docker run -v $(pwd):/app -it nixos/nix:2.3.4 sh -c "cd app && sh", followed by nix-build).
<TZander>
any wikipedian here? The https://en.wikipedia.org/wiki/NixOS states that nixOs is MIT license (in the box on the right). Which is why I ignored it at first. But the nix tools are LGPL, so I'd say that wikipedia needs to be changed.
<{^_^}>
[nix] @edolstra pushed 0 commits to refs/tags/2.3.6: https://git.io/JfPiM
<ikwildrpepper>
TZander: nixpkgs and nixos are MIT
<{^_^}>
[nixos-homepage] @edolstra pushed to master « Nix 2.3.6 released »: https://git.io/JfPi9
<TZander>
oh, there is a separate page for the package manager. Yeah, that one is right.
<TZander>
its kinda hard to google for 'nix' ;)
<makefu>
true :)
<infinisil>
niksnut: too late, but the nixpkgs commit message has 2.3.6 twice :)
<{^_^}>
[nixos-homepage] @github-actions[bot] pushed commit from @edolstra to master « Update flake.lock and blogs.xml [ci skip] »: https://git.io/JfPPJ
magnetophon has joined #nixos
bahamas has joined #nixos
<TZander>
infinisil: I guess he does his nick honor.
<niksnut>
doh
bahamas has quit [Ping timeout: 272 seconds]
<wavirc22_>
wavirc22: Worked out, on macos, to use a binary, like flutter from the nix store, I have to run "sudo codesign -s "Mac Developer" -f /nix/store/.../bin/dart"
orivej has quit [Quit: No Ping reply in 180 seconds.]
<TZander>
niksnut: just playing around with nix-env for the first time. Its beautiful :) Just wanted to say. Dank!
orivej has joined #nixos
<gchristensen>
TZander: I just recently started playing with nix-env too. some cool stuff there
<TZander>
hmm, I kinda understand this, but why is nix making an issue about a library used that (I guess) isn't put in my profile. https://paste.debian.net/1149932/
LevelChart8 has quit [Ping timeout: 264 seconds]
<TZander>
^- I'm installing an old boost, which fails due to nix using boost
orivej has quit [Quit: No Ping reply in 180 seconds.]
waleee-cl has joined #nixos
<infinisil>
,libraries TZander
<{^_^}>
TZander: Don't install libraries through nix-env or systemPackages, use nix-shell instead. See https://nixos.wiki/wiki/FAQ/Libraries for details.
Diagon has joined #nixos
orivej has joined #nixos
<TZander>
awesome :)
<{^_^}>
[nixpkgs] @primeos opened pull request #89407 → nixos: Allow empty hostnames again → https://git.io/JfPPx
<Philipp[m]1>
So the status.nixos.org page is lying right now?
<evanjs>
I opened this issue https://github.com/glennmatthews/cot/issues/80, but does anybody know enough about the image creation in nix to tell me how I might accomplish this in nix?
<{^_^}>
glennmatthews/cot#80 (by evanjs, 5 days ago, open): Support editing (or removing) auxiliary devices from ovf
<evanjs>
I can't just generate an OVA for virtualbox from the virtualbox-image, as vssd:VirtualSystemType and the soundcard prevent it from being imported in e.g. ESXi
<evanjs>
Is `VBoxManage export` the only OVA utility we have in nixpkgs right now?
<{^_^}>
[nixpkgs] @offlinehacker pushed 2 commits to master: https://git.io/JfPD0
<{^_^}>
[nixpkgs] @offlinehacker closed pull request #28924 → docker module: add overlay to kernelModule if overlay is storage driver → https://git.io/v50DY
cr4y1 has joined #nixos
bahamas has joined #nixos
fendor_ has joined #nixos
<evanjs>
I wonder if there should be a generic, more extensible "create OV(F/A)" function in nixpkgs?
<evanjs>
lassulus: an extensible option for nixos-generators sounds sort of complicated right now, but I think it would be super helpful to be able to create generic OV(A/F) images with nixos
<evanjs>
Unless there's already a way to do so that I'm not seeing now
<{^_^}>
[nixos-search] @adisbladis pushed to nixos-options-analyzer « Add custom analyzer for nixos option names »: https://git.io/JfPDd
bahamas has quit [Ping timeout: 256 seconds]
<{^_^}>
[nixos-search] @adisbladis opened pull request #55 → Add custom analyzer for nixos option names → https://git.io/JfPDp
<lassulus>
evanjs: what needs to be done to have more generic images? what is not generic enough with the current ones?
<{^_^}>
[nixpkgs] @Kloenk opened pull request #89416 → nixos/autoUpgrade: add flake support → https://git.io/JfPDh
<evanjs>
lassulus: so when I say "more generic", I mean something like "ova-image.nix" rather than "virtualbox-image.nix"
<evanjs>
In the end, I'd like to modify the virtual machine before it comes out as an OVA, to ensure it works on whatever platform I'm packaging it for
<evanjs>
In this case, the stubborn ESXi platform that gets angry when it e.g. doesn't say it's of type "vmx-14" or such, or has a sound card, etc
incognito9999_ has quit [Ping timeout: 256 seconds]
drakonis has joined #nixos
<{^_^}>
[nixpkgs] @romildo opened pull request #89420 → lxappearance: default to Gtk3 → https://git.io/JfP9t
drakonis_ has quit [Ping timeout: 260 seconds]
ph88 has quit [Ping timeout: 246 seconds]
endformationage has joined #nixos
<monokrome>
Does anyone know thoughts on what kind of filesystem I should use for a NAS that needs to be able to grow/shrink in NixOS? I set up a RAIDZ2 ZFS but then realized it can't grow, but I need to migrate 22TB off one device and onto this NixOS one
<monokrome>
(meaning I don't have enough discs to do it all at once)
<pistache>
monokrome: ZFS can grow, it just cannot shrink
user_0x58 has joined #nixos
lpsmith has joined #nixos
<monokrome>
RAIDZ2 can't though
incognito9999 has joined #nixos
{^_^} has quit [Ping timeout: 260 seconds]
<monokrome>
pistache: ^
<gchristensen>
it can as long as you're adding another full vdev, like another raidz2 (I'm sure you know this already -- just for the channel.) I know some people like to use just a bunch of mirrored drives to reduce the cost of each incremental growth
<monokrome>
I wanted to grow 1 pool
<monokrome>
maybe I don't understand zsh enough
<monokrome>
but from what I can tell, if I add more hard disks then I can't grow a RAIDZ2 pool
<pistache>
monokrome: ah yes, in RAIDz2 you'd need to add other raidz2 vdev as gchristensen said
<monokrome>
vdev is a pool?
<pistache>
you cannot add the disks to the existing vdev, but you can create another vdev in the same pool
AWizzArd has quit [Read error: Connection reset by peer]
<gchristensen>
a pool has any number of vdevs
<monokrome>
oh
<gchristensen>
raidz2 is a type of vdev
<monokrome>
so I can still keep it in the same mountpoint ?
<gchristensen>
yeah
<monokrome>
then I just create another vdev from 3 drives?
AWizzArd has joined #nixos
<gchristensen>
yeah
<gchristensen>
but monokrome
<gchristensen>
try it with file-based pools to practice, you can't undo it if you make a mistake
<monokrome>
file-based?
<gchristensen>
you can make a new zpool using files as disks
<cole-h>
fmzakari: What does your derivation look like? Does it have something like `{ stdenv, somedep1, dep2 }:` at the top, or is it `with import <nixpkgs> {};`?
plutes has joined #nixos
<fmzakari>
I have with import <nixpkgs> {}; but i don't even know if i need it
<fmzakari>
im just using bash
asymptotically has quit [Quit: Leaving]
<{^_^}>
[nixos-homepage] @garbas pushed to landing-page « fix search boxes on mobile »: https://git.io/JfPb1
<cole-h>
energizer: `-I nixos-config=/tmp/configuration.nix` works as well
<energizer>
cole-h: do you know if there's a difference?
<cole-h>
energizer: There is none.
<pittma>
Is there way to set the `FONTCONFIG_FILE` in a sane way in a `shell.nix` file? Like, is the path to that file available via some kind of query?
<energizer>
cole-h: thanks
orivej has quit [Ping timeout: 246 seconds]
orivej has joined #nixos
<cole-h>
fmzakari: Since you use `with import...`, you'll want to do something like `let rbenv = import ./rbenv.nix; in ...` and then you can add rbenv to your packages list.
<energizer>
cole-h: i think there's some difference
<cole-h>
pittma: `FONTCONFIG_FILE = "${pkgs.fontconfig}/etc/fonts/fonts.conf";` should work
<cole-h>
Adjust as necessary
<energizer>
because it fails with NIXOS_CONFIG and succeeds with -I
<cole-h>
energizer: What if you `NIX_PATH= NIXOS_CONFIG=...`
zupo has joined #nixos
<fmzakari>
is there a part of the Nix doc that explains that well ? Unclear why `with import` affects how to call it.
<pittma>
sweet, that's exactly what I was hoping for.
<cole-h>
nixos-config in NIX_PATH might have higher precedence than NIXOS_CONFIG
<cole-h>
fmzakari: Because `with import <nixpkgs> {};` brings all of nixpkgs into scope.
viric has quit [Remote host closed the connection]
<jasom>
pinkieval: git-crypt looks like a good solution. FWIW, I use sops because it's what I use for other things so I was already setup for it. The main advantage it would have over git-crypt would be key-management, but it sounds like that's not a problem for you.
<cole-h>
fmzakari: Whereas all the packages in nixpkgs will have a line at the top like `{ stdenv, dep1, dep2 }:`, declaring all the dependencies it needs and nothing more.
<fmzakari>
ah should i change it to that ?
aanderse_ has joined #nixos
aanderse_ has quit [Client Quit]
<fmzakari>
i can change it to { stdenv, fetchFromGitHubUrl, bash }
<cole-h>
If you like.
<fmzakari>
does that change how i refer to it then in the main file?
<cole-h>
If it's just going to be used on your system and not contributed to nixpkgs, then it doesn't really matter.
<cole-h>
Yes.
<fmzakari>
what would it be in that case ? O.o
<cole-h>
You will need to `let rbenv = pkgs.callPackage ./path/to/rbenv.nix { }; in ....`
<fmzakari>
i see -- so if i have a lot of custom packages; i'll be continuously nesting the `let`
<jasom>
tudorr: glad to hear that worked! NSCD is, in general, a better solution than having libc dynamically load DLLs for authentication and nameservice lookup anyways
<tudorr>
i didn't know about its existence at all
<exarkun>
energizer: That looks cool, hadn't seen that. But, yea, I have CI already, I want CD.
LevelChart8 has quit [Ping timeout: 240 seconds]
<energizer>
might be worth chatting up #nixops about it
<simpson>
exarkun: system.autoUpgrade can be given channels, and otherwise configured to give something sort of like CD. But you probably want something that is more flexible?
avidd- has joined #nixos
parkway-gong has joined #nixos
<exarkun>
The workflow I imagine would be pleasant is one where a CI job on a specified branch completes successfully and then a CD system is poked and the CD system switches some hosts to the new, just-tested.
<exarkun>
Plus support for separate staging/production environments plus rollback plus good operational visibility.
<exarkun>
If I were going to build something myself I'd probably make some half-baked service that can receive a GitHub webhook and then turn around and get the source, do the build, and run some `morph` command.
<fmzakari>
problem with nscd is it's not portable ? I'm trying to write a home script for darwin + linux
mounty has joined #nixos
chloekek has joined #nixos
radvendii has joined #nixos
pamplemousse has quit [Ping timeout: 258 seconds]
<radvendii>
Hey all, I'm trying to cross-compile an SDL project of mine for windows. I've followed a bunch of stuff I found online, and nothing seems to be working. I wanted to check here to make sure I was doing things correctly. To start out with: does cross-compilation for windows even work in theory at the moment? It seemed like it's had varying levels of success over the years and I couldn't tell what the
<radvendii>
current state was
rail has quit [Quit: gone...]
proofofkeags has quit [Remote host closed the connection]
rail has joined #nixos
proofofkeags has joined #nixos
<radvendii>
TL;DR: How well supported is using nix to cross-compile for windows?
<balsoft>
radvendii: it does work
<balsoft>
I have successfully cross-compiled a couple of haskell apps for windows, with nixpkgs haskell infra.
<balsoft>
SDL might be tricky though, because it doesn't work OOTB and you'll have to fix it.
<balsoft>
I'm not sure how hard it would be.
<radvendii>
like SDL itself doesn't work OOTB for windows, or the nix package for SDL?
<radvendii>
(by the way, if it makes any difference, I'm using SDL2)
alexherbo24 has joined #nixos
proofofkeags has quit [Ping timeout: 256 seconds]
<balsoft>
Nix package for SDL
alexherbo2 has quit [Ping timeout: 260 seconds]
alexherbo24 is now known as alexherbo2
<radvendii>
Okay, at least it's not my imagination.
<radvendii>
Okay, I guess I'll take a stab at fixing the SDL package so it compiles for windows
<radvendii>
I know very little about cross-compilation or windows programming. Here goes nothing =D
<tudorr>
whenever i run a program installed by nix that uses fontconfig, i get the following error: `Fontconfig error: "/etc/fonts/fonts.conf", line 6: invalid attribute 'translate'`
<tudorr>
what can i do?
<TheSirC[m]>
Why, even having `cargo-edit` in my `configuration.nix`, does `cargo add` send back `error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory` ?
<cole-h>
Set FONTCONFIG_FILE to point to nixpkgs' fonts.conf.
<cole-h>
It's because we're still on 2.12, while you're probably on 2.13
<exarkun>
maybe I should invent my own package name, "acmepkgs" or something, require NIX_PATH to be set, and import <acmepkgs> everywhere?
AmandaC has joined #nixos
<TheSirC[m]>
<cole-h "It's because we're still on 2.12"> cole-h: You mean the version of openssl ?
<cole-h>
No?
<cole-h>
I was talking about fontconfig... openssl is still in 1.0, not even 2.0 yet...
<TheSirC[m]>
That's what I thought too...
jorin has joined #nixos
<jorin>
Hello.
<tudorr>
cole-h: i don't even have /etc/fonts in nix and i don't know what i need to install for it
<tudorr>
i run nix only for home
<dgpratt>
if I configure a shell via e.g. a default.nix file and then decide I want to include more packages, I suppose it's necessary to exit and re-enter the shell? I mean there is no "reload shell" command?
<cole-h>
tudorr: Scroll up. I already instructed someone on how to set the FONTCONFIG_FILE env variable earlier.
<cole-h>
dgpratt: Not that I know of.
<radvendii>
balsoft: I'm also getting type redefinition errors trying to build SDL2 for windows. Are you on the unstable channel?
<jorin>
What does it mean if GRUB can't be embedded on a partition?
<balsoft>
radvendii: Hmm, what? It shouldn't really build X11 packages...
<balsoft>
I'm running nix repl "<nixpkgs>" and :b ..... inside that, where ..... is the command
<balsoft>
It evaluates and starts to build things
<balsoft>
The fact that it fails is something I leave to you to fix, because sadly I'm not interested in that at all, and the effort seems to be more than something I would do just for fun.
<fmzakari>
For those using home manager, typically it uses a `home.nix` file. What's the best way to then choose appropriate nix files depending on the platform or even machine configuration
<jorin>
Every time, it seems, I wind up with a partition that starts at 1049kB instead of one megabyte.
<balsoft>
fmzakari: you can conditionally import things from home.nix
<fmzakari>
ah cool -- is there a good reference example to learn from ?
<tudorr>
cole-h: is there any way to make nixGL the default?
<tudorr>
so i don't have to explicitly invoke it
<cole-h>
tudorr: You could look at the code and set the env vars that it sets.
<radvendii>
balsoft: oh, that's fair. I thought you were saying it built completely for you. thanks for the help :)
<lovesegfault>
can I nix-copy-closure from cachix? (cc. domenkozar[m] )
<fmzakari>
balsoft: what's the solution for making dynamic nix files ? I would like the gitconfig portion to be shared across a few developers
<fmzakari>
should i generate some variables.nix on first setup ?
agsdheidjd has quit [Ping timeout: 264 seconds]
<colemickens>
lovesegfault: are you just trying to get a store path to be downloaded? I think you can do nix-store -r /nix/.... for that sort of use-case.
<chloekek>
lovesegfault: configure cachix as a cache in nix.conf on the target machine, then pass --use-substitutes to nix-copy-closure
<balsoft>
fmzakari: You can just separate the common part into a file and then import it
<balsoft>
And then you can simply builtins.fromJSON (builtins.readFile ...)
<balsoft>
Generating JSON is easier than generating nix, because there are utilities such as jq that do it.
<{^_^}>
[nixpkgs] @priegger opened pull request #89440 → factorio-utils: fix recursive mod dependency resolution → https://git.io/JfPpc
<{^_^}>
[nixos-homepage] @garbas pushed to landing-page-fixes « fix some landing page issues »: https://git.io/JfPp8
<{^_^}>
[nixos-homepage] @garbas opened pull request #434 → fix some landing page issues → https://git.io/JfPpB
<lovesegfault>
chloekek: the thing is I have the drv path, like /nix/store/avk7w4gz4bk5y332cvkaacdm2spa62m9-deploy.drv, and I want to fetch the drv and all of its dependencies
<clever>
lovesegfault: run `nix-store -r` on it
<lovesegfault>
don't know how to build these paths:
<{^_^}>
[nixos-homepage] @garbas pushed 3 commits to master: https://git.io/JfPhs
<{^_^}>
[nixos-homepage] @garbas pushed 0 commits to landing-page-fixes: https://git.io/JfPhG
<{^_^}>
[nixos-homepage] @garbas pushed to report-hourly-failures « report hourly failures to webmaster email »: https://git.io/JfPhc
<fragamus_>
im running nixos in a docker container; I want to run the container interactively; what is the command at the end of the docker run line that kicks off an interactive shell
<fragamus_>
in nixos
shibboleth has joined #nixos
<fragamus_>
for example in ubuntu I use /bin/bash
<{^_^}>
[nixos-homepage] @garbas opened pull request #435 → report hourly failures to webmaster email → https://git.io/JfPhW
radvendii has quit [Quit: WeeChat 2.8]
acowley has quit [Ping timeout: 260 seconds]
<adisbladis>
fragamus_: Are you running actual NixOS or Nix?
<fragamus_>
but I want to use nixos coolness so i need the nixos equivalent of /bin/bash
<energizer>
is there a do-nothing value that'll merge with anything?
<fragamus_>
nixos in the container
<energizer>
so i can have x = 5 and x = nothing which merges to x = 5
<cole-h>
energizer: `x = lib.mkDefault 5;` maybe? Not understanding the "merge" part, though.
<energizer>
cole-h: in a nixos module, two lists get merged by concatenation. so if i have x = [1] and x = [2], i'll end up with x = [1 2]; but that doesn't happen with ints and other types
<fragamus_>
adisbladis: I'm running actual nixos in the container
<{^_^}>
[nixos-homepage] @garbas pushed 2 commits to master: https://git.io/JfPh2
<{^_^}>
[nixos-homepage] @garbas pushed 0 commits to report-hourly-failures: https://git.io/JfPha
<ldlework>
cole-h: some options get merged if defined multiple times
<cole-h>
Yeah, I understand that. I don't understand how not setting `x` would "merge" to 5...
<ldlework>
because one place defines null, one place defines 5
<ldlework>
with the result config being 5
<ldlework>
iiuc
thc202 has quit [Ping timeout: 256 seconds]
<energizer>
cole-h: i want `{x = 5; x = ignoreMe;}` to merge to `{x=5;}`
agsdheidjd has joined #nixos
<cole-h>
Pretty sure you can't have duplicate keys
alp has quit [Ping timeout: 246 seconds]
<energizer>
not in the same file, sure. but that's just syntax
<fmzakari>
balsoft: once i have my JSON or `variables.nix` what's the best way to import it in my `home.nix` and reference them.
<fmzakari>
is it with the let and then nesting ?
radvendii has joined #nixos
<balsoft>
fmzakari: there's no generic "best" way to do this, it depends on what exactly you need to change and even your personal taste and preference.
<balsoft>
I'd do it with a let, yes.
<adisbladis>
fragamus_: Alright, then there isn't really a well-defined place where bash is located. All well-known paths (like /run/current-system & friends) are set up by the init scripts.
<fragamus_>
adisbladis: but surely people run nixos in containers and occasionally get into the shell interactively
<adisbladis>
fragamus_: Yes, sure. You'd enter a running container with `docker exec`
<{^_^}>
[nixos-homepage] @garbas pushed to report-hourly-failures « testing »: https://git.io/JfPhS
<adisbladis>
By then the init scripts have done their thing.
<Yaniel>
you can always ask /usr/bin/env I think?
<Yaniel>
and even should
<adisbladis>
Yaniel: That only works if something is in $PATH.
<adisbladis>
In the case of `docker run` _nothing_ is in $PATH.
<adisbladis>
(unless defined by the container)
<fragamus_>
adisbladis: i never used that but I shall look at it
<adisbladis>
fragamus_: How are you building your nixos docker containers?
<fragamus_>
with a Dockerfile
<fragamus_>
and docker build
<adisbladis>
Hm, I've never tried that.
<adisbladis>
I've only used Nix to build NixOS docker containers before.
<{^_^}>
[nixos-homepage] @garbas pushed to report-hourly-failures « some more testing »: https://git.io/JfPhd
orivej has quit [Quit: No Ping reply in 180 seconds.]
orivej has joined #nixos
lord| has joined #nixos
<adisbladis>
There are a lot of details to get right for NixOS docker containers
<radvendii>
balsoft: Okay, I got SDL2 to compile for windows. If I want to use that modified version everywhere SDL2 shows up in a derivation, should I use packageOverrides?
<{^_^}>
radvendii: Overlays look like `self: super: { foo = ...; }`. Use the self argument to get dependencies, super for overriding things and library functions (including callPackage). More info: https://nixos.org/nixpkgs/manual/#sec-overlays-install
<radvendii>
oh. can I do that for just a local default.nix?
<balsoft>
radvendii: Overriding cross-compiled stuff is quite clunky
<radvendii>
Well it's a bit janky. I did the .override with ___Support = false; like you suggested, and then I also added --disable-video-opengles to the flags
<radvendii>
I'm not sure if that's a good long-term solution
civodul has quit [Quit: ERC (IRC client for Emacs 26.3)]
<balsoft>
Something like pkgsCross = super.pkgsCross // { mingwW64 = super.pkgsCross.mingwW64.extend (self': super': { SDL2 = super'.SDL2.overrideAttrs (...); }); } in that overlay...
<energizer>
is there a way to get something like `pkgs.withOverlays [overlay1 overlay2]`?
<balsoft>
infinisil: ah, cool. It makes sense that it uses super and not self, I'm just being a bit dumb lately...
<balsoft>
jorin: OK, thanks for clarifying. What is the _specific_ issue you're trying to solve? I.e. the command you're running and context for why you are doing it
<{^_^}>
[patchelf] @domenkozar merged pull request #104 → tests: Do not exit on an expected failure code. → https://git.io/JfPjK
<{^_^}>
[patchelf] @domenkozar pushed to ci-musl « run CI with musl as well »: https://git.io/JfPji
shibboleth has quit [Quit: shibboleth]
Rusty1 has joined #nixos
mtreca has joined #nixos
mtreca has quit [Remote host closed the connection]
<jorin>
When I try running the install command, it hangs up on Grub with the error: filesystem fat doesn't support embedding.
mtreca has joined #nixos
<jorin>
The exact command is sudo PATH="$PATH" NIX_PATH="$NIX_PATH" `which nixos-install` --root /mnt
<{^_^}>
[patchelf] @domenkozar pushed to ci-musl « run CI with musl as well »: https://git.io/JfPj5
mtreca- has joined #nixos
mtreca- has quit [Remote host closed the connection]
<energizer>
flakes does `inputs.nixpkgs.url = github:NixOS/nixpkgs/nixos-20.03;`. that's like pinning, right?
<cole-h>
Sorta. The pinning comes from the generated flake.lock file, which actually points to revision and hash of that input.
<energizer>
do they provide a way to let the user decide what nixpkgs version they want, or is that not allowed?
<balsoft>
energizer: you can pin the version by doing /gitcommitsha1 instead of /nixos-20.03 afaiu
<balsoft>
jorin: never heard of this before....
mtreca has quit [Remote host closed the connection]
<energizer>
balsoft: that's the opposite of what i'm asking :)
orivej_ has joined #nixos
<energizer>
the person who writes a library provides a flake. if they pick a nixpkgs version, but i want to use a different nixpkgs, can i?
<symphorien>
jorin: did you specify a partition as installation device ?
<energizer>
(i'm using the library)
<symphorien>
(as opposed to a full disk)
<jorin>
Yes, /dev/sda3
orivej has quit [Quit: No Ping reply in 180 seconds.]
lsix has quit [Quit: WeeChat 2.8]
<symphorien>
you must install to a full disk
<symphorien>
that is, /dev/sda
<jorin>
oh...
<energizer>
or maybe that's not how flakes are used..
<symphorien>
the error message alludes to the fact that grub can embed itself into an ext2 partition if you really can't provide space on the rest of the disk
<symphorien>
but it's discouraged and hidden under --force
<jorin>
Thank you.
<energizer>
who's got a nixos config with flakes that i can look at?
fendor has quit [Remote host closed the connection]
<jorin>
Ok... now it says I need a BIOS partition. Marvelous.