<{^_^}>
[nixpkgs] @neilmayhew opened pull request #91699 → file-rename: Fix an incorrect test that misidentifies Darwin as Windows → https://git.io/JJed5
<dkess>
hi, this question feels like it should have an obvious/intuitive answer but i can't really find it anywhere. when an option is supposed to take a filename (for a config file) as a parameter, how can i have the contents of that file be "managed" by nixos?
<matthuszagh>
hi, i recently changed my declarative nixos config to look in a src path (~/src/dotfiles/nixos) instead of /etc/nixos. When I try to rebuild my computer runs out of memory. The computer has 64GB memory, but no swap file (I have a btrfs filesystem across 2 devices) and no swap partition. Is there a way to fix this memory issue?
rajivr has joined #nixos
user_0x58 has quit [Quit: Leaving]
chreeus has quit [Quit: sleep]
nabataeus has quit [Read error: Connection reset by peer]
<matthuszagh>
i'm a bit surprised simply changing the config file location introduced this issue. Does this seem plausible? It's also certainly possible this is instead the result of something else I inadvertently changed.
<hazel[m]1>
gosh does NixOS not cache aarch64 builds?
<hazel[m]1>
I'm compiling significantly more than I do on x86
<hazel[m]1>
what do I do to avoid constantly compiling, if anything?
leah2 has quit [Ping timeout: 260 seconds]
Narice has joined #nixos
zupo has joined #nixos
orivej has quit [Ping timeout: 240 seconds]
Narice has quit [Ping timeout: 258 seconds]
orivej has joined #nixos
zupo has quit [Client Quit]
Narice has joined #nixos
<multun>
how would you build a chroot environment with only some nix packages inside?
<matthuszagh>
ok i was able to create a swapfile (64GB) on a separate storage device and use that. it ate through the entire 128G and failed. is this normal?
<samueldr>
matthuszagh: without investigation, my intuition tells me the most likely culprit is you're accidentally importing something in the nix store using a nix path
<samueldr>
maybe something like your whole home
<samueldr>
something big at least
<matthuszagh>
samueldr: cool thanks for the suggestion i'll look for that
<samueldr>
multun: check in nixpkgs how the steam chroot is done maybe?
<samueldr>
buildFHSUserEnv maybe, multun
<multun>
pretty darn cool huhu
Narice has quit [Ping timeout: 240 seconds]
<kmplsv>
ahhh, nixos. i was thrust into it head-first upon my return to re-learn linux/unix after a decade hiatus.
<kmplsv>
a good friend who is a linux/unix guru said he would only help me if i used nixos. heh.
<{^_^}>
[nix] @dependabot[bot] pushed to dependabot/github_actions/cachix/install-nix-action-v10 « Bump cachix/install-nix-action from v8 to v10 »: https://git.io/JJvvn
<{^_^}>
[nix] @dependabot[bot] opened pull request #3758 → Bump cachix/install-nix-action from v8 to v10 → https://git.io/JJvvc
<hazel[m]1>
i know `builtins.currentSystem` exists but I just want the arch
<{^_^}>
[nix] @dependabot[bot] pushed 0 commits to dependabot/github_actions/cachix/install-nix-action-v10: https://git.io/JJvvy
<hazel[m]1>
...I guess the system isn't that important to guard against, I'm only running NixOS. whatever.
simba2 has joined #nixos
kleisli_ has joined #nixos
Narice has quit [Ping timeout: 240 seconds]
kleisli has quit [Ping timeout: 240 seconds]
alexherbo2 has joined #nixos
domogled has quit [Quit: domogled]
mrosenbe has joined #nixos
waleee-cl has joined #nixos
mrosenbe has quit [Ping timeout: 256 seconds]
cr4y1 has quit [Remote host closed the connection]
dermetfan has joined #nixos
drakonis has quit [Quit: WeeChat 2.8]
veleiro has quit [Remote host closed the connection]
<matthuszagh>
samueldr: thanks for the tip you were spot on
<samueldr>
what were you importing? the whole home? something else big?
<samueldr>
:)
<matthuszagh>
my whole src dir path haha
<matthuszagh>
it's a few hundred g's
<matthuszagh>
had src-path = /home/matt/src and used it like nixPath = ["nur=${src-path}/NUR"]
<matthuszagh>
quotes around it is what i wanted
Narice has joined #nixos
matthuszagh has left #nixos ["ERC (IRC client for Emacs 28.0.50)"]
ryzokuken has joined #nixos
ryzokuken_ has joined #nixos
<samueldr>
indeed
Narice has quit [Ping timeout: 240 seconds]
MidHotaru has joined #nixos
<colemickens>
is there a way to check if I am using flakes powered nix without access to 'lib' to check getFlake?
Heirlung has quit [Read error: Connection reset by peer]
Narice has joined #nixos
<notgne2>
I'm not really familiar with Linux too much, but is there a way to use Nix to build an in-tree driver as a module? I wanted to get Anbox working on 5.7 but I don't like having to compile the entire kernel to do so (to enable some android/ashmem/binder options)
lambda-11235 has quit [Quit: Bye]
Narice has quit [Ping timeout: 264 seconds]
alexherbo26 has joined #nixos
Heirlung has joined #nixos
alexherbo2 has quit [Ping timeout: 240 seconds]
alexherbo26 is now known as alexherbo2
turlando has quit [Ping timeout: 256 seconds]
simba2 has quit [Ping timeout: 246 seconds]
<kmplsv>
ehhh, hey guys, nixos super-n00b here. isn't there a command that will output the contents of a file to a generated pastebin-like webpage?
<energizer>
some people use curl -F 'f:1=<-' ix.io but i can never remember that
<kmplsv>
ok yeah i remember sprunge.us now i've used it before, but it isn't the one my friend (person who shoved me into the nixos pool when he knew full well that i can't even swim yet ;-p) had me using...
o1lo01ol1o has joined #nixos
<kmplsv>
because i remember using sprunge and he was like "!!!!NO, DO IT HOW I SHOWED YOU!"
<kmplsv>
yeah yeah
<kmplsv>
its curl and some other command string
mrosenbe has joined #nixos
<kmplsv>
and i'm talking about DigitalKiwi lol, in case any of you know him
<energizer>
there's logs in the /topic
<kmplsv>
?
<kmplsv>
logs for what
mallox has joined #nixos
<multun>
if DigitalKiwi talked about it here, you can find it in the log :)
<multun>
if not, well, too bad
WIII has joined #nixos
Narice has joined #nixos
<kmplsv>
haha oh im sure he has at some point
o1lo01ol1o has quit [Ping timeout: 260 seconds]
<kmplsv>
oh i just went to ix.io and i'm going to see if i can figure it out from there.
<energizer>
are you sure i didnt give the answer already?
mrosenbe has quit [Ping timeout: 260 seconds]
<kmplsv>
probably
asymptotically has joined #nixos
<energizer>
i avoid ix.io and sprunge because their highlighted pages dont allow copying text. i prefer bpa.st
<WIII>
Hello, I would like to know if there's a way to display all log when using nix-build, I found `nix build -f .` but it doesn't help much. Thanks in advance
<kmplsv>
yay! (yeah, it's the little things for me at this point in the game lol)
<clever>
WIII: `nix build -f . -L`
<WIII>
Ho nice thanks a lot
Narice has quit [Ping timeout: 264 seconds]
bbb has joined #nixos
<kmplsv>
energizer: huh, i'm checkin it out right now.
bbb is now known as Guest74496
inkbottle has quit [Quit: Konversation terminated!]
inkbottle has joined #nixos
Narice has joined #nixos
<patagonicus>
I'd like to use a local git clone of nixpkgs as the nixos channel for my system - how do I do that? Can I just nix-channel --add /path/to/nixpkgs nixos?
<kmplsv>
energizer: so what would the syntax for outputting a the contents of a file to bpa.st look like? i tried the curl command i used with ix.io but no dice.
<clever>
patagonicus: simplest is to just ignore channels, and use nix.nixPath to setup NIX_PATH to point nixpkgs=/path/to/nixpkgs
<patagonicus>
clever: Ah, thanks. Didn't think to check the options for nix. :)
cransom has quit [Ping timeout: 260 seconds]
revtintin has joined #nixos
cransom has joined #nixos
alexherbo2 has quit [Read error: Connection reset by peer]
<typetetris>
Can I somehow add a channel, that just points to a github/gitlab repository (without creating that exprs tar, but just a plain nixpkgs clone)? Or do I need to do `nixos-... -Inixpkgs=...` manually always for that?
<typetetris>
clever: Thanks, you mean, I should just create a file like `.nix-defexpr/test/foo/default.nix` ?
<clever>
typetetris: if you want nix-env to see it, yes
<typetetris>
clever: What about `nixos-rebuild`, will it also see that channel?
<clever>
typetetris: that only looks at $NIX_PATH
<clever>
typetetris: 2020-06-28 04:48:02 < clever> patagonicus: simplest is to just ignore channels, and use nix.nixPath to setup NIX_PATH to point nixpkgs=/path/to/nixpkgs
Narice has joined #nixos
NeoCron has joined #nixos
tmaekawa has quit [Client Quit]
tmaekawa has joined #nixos
<typetetris>
clever: That ties a knot in my head. So `nixos-rebuild` reads `/etc/nixos/configuration.nix` and respects that `nix.nixPath` entry?
<{^_^}>
[nixpkgs] @DavHau opened pull request #91707 → python-jsonrpc-server: remove ujson version contraint → https://git.io/JJvUI
<clever>
typetetris: no, nixos-rebuild reads $NIX_PATH, which is set by the value of nix.nixPath the PREVIOUS time you ran nixos-rebuild
<clever>
typetetris: and changes only take effect when you re-open the shell
Narice has quit [Ping timeout: 246 seconds]
<typetetris>
clever: So initially I will need to run nixos-rebuild twice?
<clever>
typetetris: or use -I nixpkgs=something, to affect the first run
Narice has joined #nixos
<typetetris>
clever: But I will have to include `nixos-config=/etc/nixos/configuration.nix` on my own in `nix.nixPath` now, that I changed it, won't I?
<clever>
typetetris: correct
<typetetris>
clever: Thanks!
<patagonicus>
typetetris: https://nixos.org/nixos/options.html#nix.nixpath lists the default. I copied that and then replace nixpkgs=/var/… with the path to my local git checkout.
<patagonicus>
I also removed the existing channel with nix-channel --remove as I don't need it anymore.
<LambdaDuck>
Nix wants to build a lot of packages from source (including Cabal and cabal2nix) since I ran nix-channel --update. I'm on darwin with nixpkgs-unstable (nixpkgs-20.09pre231837.2cd2e7267e5). How do I debug why that is the case?
werner291 has joined #nixos
<delroth>
nix-prefetch-url is a giant footgun when trying to use it for patches :(
<delroth>
turns out fetchpatch will almost always end up giving a different sha256, but you won't notice it until a GC run since nix-prefetch-url conveniently put something that matches the sha256 in the store
<clever>
delroth: pkgs.fetchpatch mangles the file a lot, to make it more predictable
<delroth>
yeah, I know that now
<clever>
,tofu
<{^_^}>
To get a sha256 hash of a new source, you can use the Trust On First Use model: use probably-wrong hash (for example: 0000000000000000000000000000000000000000000000000000) then replace it with the correct hash Nix expected. See: tofu-vim
<{^_^}>
[nixpkgs] @nilp0inter opened pull request #91714 → hdl-dump: init at v0.9.2-43-gb0d7467 → https://git.io/JJvkL
gxt_ has quit [Ping timeout: 240 seconds]
thc202 has joined #nixos
Narice has joined #nixos
noudle has quit []
KarlJoad has joined #nixos
Narice has quit [Ping timeout: 240 seconds]
arahael2 is now known as Arahael
Guest74496 has quit [Ping timeout: 246 seconds]
Guest74496 has joined #nixos
Narice has joined #nixos
MidHotaru has quit [Quit: Connection closed for inactivity]
tmaekawa has joined #nixos
piegames has left #nixos ["WeeChat 2.7"]
thomasjm has quit [Quit: WeeChat 2.8]
<quidome[m]>
does anyone here have experience with unlocking crypted storage using ssh/dropbear on a static interface? Documentation says: "The network may be configured using the ip kernel parameter, as described in the kernel documentation."
<quidome[m]>
I have no idea what format this is supposed to be in and where it should go
<quidome[m]>
hmm, boot.kernelParams maybe ...
sty86[m] has joined #nixos
<patagonicus>
quidome[m]: I'm not sure if I use static or dynamic assignment on my server, but I've used both before (although only one with NixOS). Let me check.
<patagonicus>
Ah. I use boot.kernelParams = [ "ip=dhcp" ]; (and boot.initrd.availableKernelModules = [ "e1000e" ]; boot.initrd.enable = true;).
cosimone has joined #nixos
<patagonicus>
quidome[m]: https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt is the docs for how to build the ip= line. It's a bit messy as it's so many fields. All you really need is client-ip, gw-ip, netmask and device. gw-ip is probably optional if you only need SSH to work on the local network, but I'd set it.
<patagonicus>
dns{0,1}-ip and ntp0-ip can be useful, but aren't strictly necessary.
<quidome[m]>
interesting ... Need to make sure it's on the proper interface though, I'll give it a shot
<patagonicus>
Yeah - I just disable predictable interface names and use eth0 …
<fps>
what's the recommended way to run a daily job at midnight local time?
cr4y1 has joined #nixos
<patagonicus>
quidome[m]: Btw, I recommend setting initrd.luks.devices.<name>.device = "/dev/your_luks_partition", then you can just SSH to the machine, run cryptsetup-askpass, enter the password, wait for a bit and it'll automatically continue to boot.
<fps>
what comes to mind are either systemd units or mabye cron. "cron" has a single hit in the nixos manual. so i guess maybe not the recommended thing :)
<fps>
oh the wiki mentions cron though.. maybe i'll try that first then..
<quidome[m]>
patagonicus: It's actually native zfs encryption that I'm unlocking
zupo has joined #nixos
<patagonicus>
quidome[m]: Ah, ok. I don't use zfs, but the SSH part should be the same.
orivej has joined #nixos
<quidome[m]>
I think so , yes
<patagonicus>
fps: systemd units for that are pretty easy to configure using systemd.timers.<name> in your NixOS config.
<{^_^}>
[nixpkgs] @cdepillabout pushed 3 commits to haskell-updates: https://git.io/JJvLw
knupfer1 is now known as knupfer
<quidome[m]>
where you have to use the colons but can leave the value empty. And just stopping after <device> worked for me
<patagonicus>
quidome[m]: Ah, yes, that's what I meant by linking the docs. Good to hear that it's working, just counting the number of colons always confuses me.
<fps>
patagonicus: ok, thanks for that configuration hint :)
<das_j>
hm just came to think of it. how does the unfree stuff work with flakes? because there is no way to input NIXPKGS_ALLOW_UNFREE=1
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
Narice has quit [Ping timeout: 264 seconds]
orivej has quit [Quit: No Ping reply in 180 seconds.]
orivej has joined #nixos
<sty86[m]>
hey nixos newbie here
<sty86[m]>
any ideas?
<sty86[m]>
I'm trying to get some steam gaming to work and most games run so far, but some (csgo, warframe, ...) I just cant get to work
orivej has quit [Quit: No Ping reply in 180 seconds.]
kenran has joined #nixos
orivej has joined #nixos
Narice has quit [Ping timeout: 260 seconds]
<kenran>
This might be a stupid question, but why am I not seeing any nix channel with `nix-channel --list` on NixOS unstable, but am still able to use `nix-env -f '<nixpkgs>' -A ...`?
<symphorien>
The second only uses NIX_PATH I think
<{^_^}>
[nixpkgs] @kevingriffin opened pull request #91717 → pythonPackages.pyscard: Fix build on Darwin → https://git.io/JJvt8
alexherbo24 has joined #nixos
<kenran>
symphorien: So there is a channel "underneath" the system alright, as it should be. But how can I update it? When I do `nix-channel --update` I only see output regarding my home-manager channel. Is it still happening under the hood?
<symphorien>
Might be root's channel
alexherbo2 has quit [Ping timeout: 265 seconds]
alexherbo24 is now known as alexherbo2
<kenran>
Ahhhhh that explains it, thanks!
sputny has joined #nixos
<kenran>
Is adding the nixos-unstable for my user a good idea then? It would basically just be to be able to do `nix-env -iA nixpkgs.some-pkg`, which is somewhat more comfortable
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
orivej has quit [Quit: No Ping reply in 180 seconds.]
Narice has joined #nixos
tokudan has quit [Remote host closed the connection]
orivej has joined #nixos
<quidome[m]>
<patagonicus "quidome: Ah, yes, that's what I "> I copied the entire line from the nfsroot.txt doc and replaced what I needed to replace :)
<patagonicus>
quidome[m]: Wow. Why didn't I ever think of that? :D
o1lo01ol1o has quit [Remote host closed the connection]
mrosenbe has joined #nixos
<quidome[m]>
:D
orivej has quit [Ping timeout: 264 seconds]
<kmplsv>
"might" be a stupid question? c'mon. don't sell yourself short.
orivej_ has joined #nixos
<kmplsv>
bet dollars to donuts i'm more of a noob than you and probably anyone else here heh.
mrosenbe has quit [Ping timeout: 265 seconds]
kenran has quit [Quit: leaving]
<dutchie>
sty86[m]: i found that i had to put xorg.xrandr as an extra package to get dota 2 to work, so could be you are missing some other package like that
<hsngrmpf[m]>
Hey guys. Is there any nix tool which can show the resulting dependency graph of a build without actually building?
<betaboon>
hsngrmpf[m]: you can run `nix-store -q --tree --include-outputs $DRV_PATH` on the .drv-file
<betaboon>
hsngrmpf[m]: so you could do `nix-instantiate '<nixpkgs>' -A hello` to get the drv-path, and then use that drv-path with the aforementioned command
ehmry has joined #nixos
knupfer has quit [Quit: knupfer]
knupfer has joined #nixos
knupfer has quit [Client Quit]
knupfer has joined #nixos
zanc has quit [Read error: Connection reset by peer]
knupfer has quit [Client Quit]
_ris is now known as ris
knupfer has joined #nixos
<ris>
of course that would just give you the build-time deps
zanc has joined #nixos
<ris>
the runtime closure could be smaller
<hsngrmpf[m]>
Cool, thanks that helps a lot! And i guess the runtime deps cannot be computed without actually building? I don't really need them, but I'm asking out of curiosity
Chiliparrot has joined #nixos
lollo has quit [Ping timeout: 246 seconds]
turion has joined #nixos
zanc has left #nixos ["WeeChat 2.3"]
o1lo01ol1o has joined #nixos
<patagonicus>
betaboon++ thanks, I was looking for the same thing recently. :)
<{^_^}>
betaboon's karma got increased to 6
maxter has quit [Ping timeout: 264 seconds]
sputny has quit [Ping timeout: 272 seconds]
<symphorien>
hsngrmpf[m]: yes, runtime deps are defined as those which remain mentioned in the build outputs, so you need to build
orivej_ has quit [Ping timeout: 260 seconds]
orivej has joined #nixos
nabataeus has joined #nixos
<hsngrmpf[m]>
Thanks a lot. Now i found out that the derivation i was wondering about is at the top level of my tree. But i have no idea why. Is there a way to see which part of the nix expression is responsible for this derivation?
<hsngrmpf[m]>
I'd like to get rid of that failing package but i don't know how ;)
<hsngrmpf[m]>
I guess I have to use `nix why-depends`. But it fails, because the build fails.
omfgwhofarted has quit [Remote host closed the connection]
civodul has joined #nixos
cybrian has joined #nixos
waleee-cl has joined #nixos
<m1cr0m4n>
Hey folks. Any ideas why a package I've added to all-packages.nix isn't showing up? I am using nix-env to install my package, and I have tried setting NIX_PATH and using the -I flag
Rusty1 has quit [Remote host closed the connection]
Rusty1 has joined #nixos
<nh2[m]>
m1cr0m4n: hey, how do you invoke `nix-env`? If it's with just `-i`, it'll try to find it by the `name`/`pname` attribute, if you give `-iA`, you can give the name you've defined with `yourpackage = callPackage ...` in `all-packages.nix`.
<nh2[m]>
m1cr0m4n: and what's the error message you get?
<m1cr0m4n>
nh2[m]: error: attribute 'minica' in selection path 'nixos.minica' not found
whatisRT has joined #nixos
<nh2[m]>
m1cr0m4n: I suspect the `nixos` attribute is not what you expect. On NixOS, the default channel is called `nixos` and points to a nixpkgs, but if you use `-I` that may not be the case. Try removing `nixos.` so that it's just `-A minica`
gokkun has quit [Quit: Leaving]
<m1cr0m4n>
nh2[m]: Oh right! That's interesting to know actually. Well, I tried removing it and no dice. I'm going to try without the -A flag and see if it can find it itself
<AmandaC>
ooc, how much of the universe would I be responsible for compiling if I wanted to swap mesa out with an older version on my laptop? I think something's fucky with my iGPU and newer mesas, where if there's an OpenGL application running while I'm on battery, occasionally the GPU will just hang. This is especially bad when under wayland.
<AmandaC>
is there any tooling I can look at to get an idea of how much of an undertaking that'd be?
<MichaelRaskin>
You could ask nix-store -q --referrers-closure
<MichaelRaskin>
Rough answer is «everything GUI»
<AmandaC>
oh, only 5041 things, according to a dumb wc -l
<AmandaC>
That's nothing! /s
<m1cr0m4n>
Lol, I hope your laptop has a nice CPU!
<AmandaC>
Guess I should do some more research in the mesa bug trackers to see if this has been isolated by someone with more knowledge than me
lollo has joined #nixos
<nh2[m]>
m1cr0m4n: another possible explanation is that you accidentally added it as a child of some other attribute in `all-packages.nix` (e.g. check if the indentation is 2)
<nh2[m]>
AmandaC: if you do not recompile the whole GUI (e.g. exclude browsers) and only build an environment in which you can reproduce it (e.g. simple X / Wayland with glxgears or a similar simple OpenGL application), then compilation should be affordably small effort.
<m1cr0m4n>
nh2[m]: Ah, man I just figured it out XD I needed to use the -f flag, like so: nix-env -f ./nixpkgs -A minica So a combination of your first suggestion plus -f :)
<m1cr0m4n>
(+ -i flag)
<nh2[m]>
m1cr0m4n: ah sorry, you are right. I did not pay enough attention to the fact that this is `nix-env`, not `nix-build`. Yes, your solution is the right one
<m1cr0m4n>
nh2[m]: Thanks for sticking with me on that :) I always appreciate responsive helpers on here!
<nh2[m]>
yeah, so do I :D
<CRTified[m]>
Hi, I'm currently writing a test for a module, but have some problems with `boot.initrd.secrets`. I have a known (fixed) path as destination and either a string or a path as source, but in both cases there is no file in the known path (checking with `ls` in `boot.initrd.network.postCommands`)
<AmandaC>
nh2[m]: I'm convinced it's got something to do with being on/off battery, but I've not been able to find any link other than that. I used to get similar issues in PopOS! when I was using a newer mesa than was packaged for it, but the issues went away when I switched back to the s76 packaged ones. It's def. not reliable, sometimes I'd be able to be on battery for hours without an issue, other times it chokes and dies within 5 min of
<AmandaC>
being on battery. Sometimes it lasts fine on battery, then dies 5m after I plug back in. It's maddening
MidHotaru has quit [Quit: Connection closed for inactivity]
mrosenbe has joined #nixos
wiml has joined #nixos
<patagonicus>
CRTified[m]: the nixos.org options search doesn't know about boot.initrd.secrets. Can you paste (part of) your config, maybe? Without the actual secrets, of course.
<nh2[m]>
AmandaC: I'd do what you're planning then, running with an old version and seeing how that goes. You might do a very slow, real-life git bisect, where at each step you run with the system for a couple of days. First bisect on easily available mesa releases, then when you have it narrowed down between which releases the issue is, post it on the mesa issue tracker and follow up with a git-level bisect
<AmandaC>
nh2[m]: We'll see, I've got an Intel NUC in the mail to be used as a server, plan to throw hydra on it, if it doesn't take too long to build everything with an older mesa on it, I'll do that.
<CRTified[m]>
patagonicus: I currently want to write a test for PR #63165 (and want to get it in a working and mergable state again). Right now, it is basically `boot.initrd.secrets."/etc/initrd.ovpn" = ./config.ovpn`, and my implementation uses the one from initrd-ssh as guideline: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/boot/initrd-ssh.nix#L206
<nh2[m]>
AmandaC: IMO Hydra is overkill for that, just use the `--builders yourserver --max-jobs 0` argument to build of a server of your choice instead of on your laptop. You could get a 20 EUR/month Hetzner dedicated for that, or ask Rickard from https://nixbuild.net/ for a test account
<AmandaC>
nh2[m]: I've already got a hydra instance set up testing my configs regardless. It's just currently on a VM on my gaming rig, which means it's got 1/2 cores and limited ram
<AmandaC>
so I guess it's less "throw hydra on it" as "move hydra to it"
iyzsong has quit [Ping timeout: 240 seconds]
<bqv>
I wanted to set up hydra, for custom flakes I own
<nh2[m]>
AmandaC: I'm just saying I'm not sure if Hydra really helps with the task at hand. It watches git repos, builds things from them, and then reports build statistics and collects outputs. But you need none of that for just sharding off nix-builds; building locally with `--builders` appended, against any NixOS machine, or even just any Linux system with nix installed, would be enough.
zaeph has quit [Ping timeout: 240 seconds]
<AmandaC>
nh2[m]: true, but I've already got it setup to try and anticipate breakages when I'm more spoonful, and fix them, and also make sure that I'm not pegging my laptop's CPU to compile stuff that I'm not going to be tweaking myself. I have all my machine's nix configs in a repo which hydra is testing for me. :P
iyzsong has joined #nixos
<gchristensen>
fwiw AmandaC I have a bunch of stuff that pegs my laptop's CPU, but conditioned to only run when it is plugged in to AC. maybe a model you'd like
<AmandaC>
plus, it's just fun to CI/CD all the things sometimes. :P
knupfer has joined #nixos
<AmandaC>
Strictly, do I need it? Nah, but it was fun to configure and tweak to my liking
simba2 has joined #nixos
zaeph has joined #nixos
<nh2[m]>
AmandaC: I see. Note though that with `--max-jobs 0` you are guaranteed to use only the remote builders, so it will not peg your laptop.
<AmandaC>
And as a bonus if I run out of spoons while doing an update, I'm not stopped from relaxing to a chill game or similar because the CPU is running a million miles a minute
<Quick_Wango>
Hi everyone! I'm pretty much inexperienced with NixOS, but from my understanding of it, it might be a good fit as the OS for RKE (Rancher Kubernetes Engine) nodes. Has anyone any experience with this?
<eyJhb>
Is it actually recommended to have a root PW?
<VulNix>
I can't speak for security experts in general but it does create one more credential that can be used to get root
<VulNix>
You can mitigate that by disabling root SSH login, but I've found disabling the root account and using sudo -i when I need it works well enough
<bqv>
If the root account is disabled, what happens in single user runlevel?
<m1cr0m4n>
eyJhb: From an administration perspective, it depends on your environment. If you have KVM access in the event of total network failure on a host, you will want to have a root password somewhere. From a security POV, so long as it is sufficiently complex no one's really going to get in through that vector.
<eyJhb>
This is a laptop, not a server so I would normally disable it.
<eyJhb>
But I keep getting warnings from Nix
<m1cr0m4n>
eyJhb: Oh right, I've never seen those warnings. It would seem odd to recommend a password, I would be more inclined to check: does that mean some form of passwordless auth is enabled for root?
<{^_^}>
[nixpkgs] @kraem closed pull request #85064 → exa: include patch to group dir symlinks with regular dirs → https://git.io/JvjtQ
<patagonicus>
eyJhb: Did you set the hashedPassword for root? Or are you including something that might in your config? It's complaining that the value has an invalid format, not that root doesn't have a password.
o1lo01ol1o has joined #nixos
<eyJhb>
patagonicus: not that I can see, only for my own user
<{^_^}>
#91238 (by rnhmjoj, 1 week ago, open): nixos/users-groups: do not check validity of special hashes
<dminuoso>
typetetris: no
rsoeldner has joined #nixos
<typetetris>
dminuoso: hmm, have several domains and all the acme-*.service units had been started concurrently, they failed. `systemctl start ...service` one by one succeeded then. That's why I thought of a race condition or something.
gustavderdrache has joined #nixos
<dminuoso>
typetetris: Mmm let me look at the systemd unit
<eyJhb>
pbogdan: could be!
<eyJhb>
It is a pretty "new" error
<dminuoso>
typetetris: It's definitely not due to overlapping acmeRoots.
<typetetris>
dminuoso: ok, that is good to know.
<{^_^}>
[nixpkgs] @flokli merged pull request #91046 → test-driver.py: delete VM state directory after test run → https://git.io/JfFZa
<idontgetoutmuch[>
`*** abort because of serious configure-time warning from Cabal`
drakonis has joined #nixos
ashesham` has joined #nixos
Humanoid has joined #nixos
<idontgetoutmuch[>
So stack just worked but nix-build complains about lots of things
<idontgetoutmuch[>
Ah but it lied
<Humanoid>
Installing the package fbpanel failed because of a missing header. How do I add gdk-pixbuf as a build dependency to fbpanel?
<aleph->
Hmm, when adding packages to the path in a systemd service. Can I just do `path = with pkgs; [ bash ];` Or do I need to do `path = [ "${pkgs.bash}" ];`
<bqv>
the former is fine
<aleph->
Got it, would the latter work?
<bqv>
at a guess, yes? unless there's some mechanism i'm not aware of
<aleph->
Nod, got it.
<aleph->
Thanks bqv
<aleph->
Well that's a fun error. `error: fork/exec /run/current-system/sw/bin/bash: operation not permitted error: ssh: could not start shell`
jim97 has quit [Ping timeout: 260 seconds]
<idontgetoutmuch[>
Why is there a random in hackage-packages.nix and also a random-1.2.0? Why doesn't random point at the latest version of random?
<bqv>
:-D
<aleph->
Hmm, my package has access to bash and openssh...
<aleph->
Wonder what else the issue could be...
<bqv>
once you add .path, i think you have to refer to bash directly
<bqv>
rather than via /run/current-system
<bqv>
or at least just via 'bash'
<idontgetoutmuch[>
Maybe I should raise an issue about it
<aleph->
I don't believe I am. I'll need to check the source for teleport I guess...
<bqv>
idontgetoutmuch[: grep for random-1.2.0, sometimes multiple versions are around cause it helps unbreak other stuff
<idontgetoutmuch[>
I can see there is a random-1.2.0 in hackage-packages.nix - I want to use it but if I do then nix decides to build ghc
<idontgetoutmuch[>
bqv: ^
<idontgetoutmuch[>
1.2 is x1000 faster than 1.1
<patagonicus>
I'm not sure, but if you use "${pkgs.bash}" doesn't that give you the path in the nix store and you need to add /bin for the dir that binary is in?
<patagonicus>
aleph-: I'd check the generated systemd file and see what dirs it actually lists for path.
<bqv>
idontgetoutmuch[: you can probably use it, it's unlikely to be removed
<aleph->
patagonicus: I'm fairly certain it's a perm issue now that I'm thinking about it.
<bqv>
maybe grep hackage-packages.nix to see what uses it
<aleph->
Think I'll need a capability and that should do it.
andreas303 has quit [Ping timeout: 240 seconds]
<aleph->
Now which one is the question...
<aleph->
Maybe CAP_SYSADMIN.
andreas303 has joined #nixos
magnetophon has quit [Read error: Connection reset by peer]
m4ts has quit [Quit: bye]
m4ts has joined #nixos
quinn has quit [Ping timeout: 258 seconds]
magnetophon has joined #nixos
orivej has quit [Ping timeout: 256 seconds]
magnetophon has quit [Read error: Connection reset by peer]
orivej has joined #nixos
bennofs has joined #nixos
magnetophon has joined #nixos
bennofs_ has quit [Ping timeout: 264 seconds]
kmplsv has quit [Quit: weeeeeeeeeeeeeeeeeeee.]
philr_ has quit [Ping timeout: 264 seconds]
quinn has joined #nixos
MarcWeber has joined #nixos
<CRTified[m]>
patagonicus: regarding that `boot.initrd.secrets`-problem: Even the `initrd-network-ssh` test fails for me, because `/etc/ssh/sh_host_ed25519_key` is not copied into the initrd. I'm running `nix-build nixos/tests/initrd-network-ssh/default.nix` on a local checkout of nixpkgs, last commit db5bbef31fa05b9634fa6ea9a5afbea463da88ea
<mpiechotka>
How to add a package to a gc root but not the user environment?
sangoma has joined #nixos
simba2 has quit [Ping timeout: 246 seconds]
Chiliparrot has quit [Quit: My iMac has gone to sleep. ZZZzzz…]
MarcWeber has quit [Ping timeout: 258 seconds]
MarcWeber has joined #nixos
simba2 has joined #nixos
pinecamp has joined #nixos
<Humanoid>
How do I add a single package locally, that is kept separate from the main channel?
orivej has quit [Ping timeout: 260 seconds]
orivej has joined #nixos
wiml has quit [Ping timeout: 265 seconds]
<infinisil>
mpiechotka: Can you give more context?
<mpiechotka>
infinisil: stack installs ghc which is subsequently uninstalled by nix-garbage-collect
<mpiechotka>
I want to 'pin' ghcs so they don't get uninstalled
<infinisil>
Oh, stack's Nix support
<infinisil>
mpiechotka: Does it output a ./result symlink?
<mpiechotka>
infinisil: Path to nix store? Yes
<infinisil>
mpiechotka: Then I think setting `keep-outputs = true` in /etc/nix/nix.conf will work
<infinisil>
Humanoid: What do you mean by "locally" and "main channel"?
<Humanoid>
One of the packages in the channel is not working. I have made a modification to the default.nix to see if it fixes the problem, and I want to try installing it.
<infinisil>
Humanoid: Ah so you have a nixpkgs checkout
<infinisil>
Humanoid: You can build packages from the nixpkgs root with `nix-build -A <package attribute>`
stteevveen has joined #nixos
endformationage has joined #nixos
ashesham` has quit [Ping timeout: 272 seconds]
<CRTified[m]>
patagonicus: That's simple: It bypasses the store and builds an additional initramfs. But it needs to be supported from the bootloader
lunaa has quit [Ping timeout: 256 seconds]
<patagonicus>
Ah, ok
<Humanoid>
infinisil: I'm getting this error: "error: cannot auto-call a function that has an argument without a default value ('stdenv')"
nikola_i has quit [Quit: Connection closed for inactivity]
quinn_ has joined #nixos
quinn has quit [Ping timeout: 260 seconds]
<mpiechotka>
infinisil: Thanks
mpiechotka has quit [Quit: mpiechotka]
<Humanoid>
infinisil: I'm trying to build the package without any modifications first, and I'm already getting an error.
cole-h has joined #nixos
<infinisil>
Humanoid: Go into the root directory
<stteevveen>
Any nix user programming in perl? I'm learning perl, and as my scripts start to get longer than 100 lines, I am learning the package/module functionality in perl. Unfortunately it outputs the error: Can't locate MyConfig.pm in @INC (you may need to install the MyConfig module) (@INC contains:... And indeed the @INC does not contain the path
<stteevveen>
of the current directory where I'm executing my script, and where my mini config module MyConfig.pm is. How do I, in Perl with Nix, indicate to perl to also look for my module in the current directory?
<Humanoid>
infinisil: Ok, it looks like it's working now. Thanks!
<infinisil>
:)
wiml has joined #nixos
<{^_^}>
[nixpkgs] @danieldk opened pull request #91735 → osmium-tools: run tests, install man pages and zsh completions → https://git.io/JJv4K
<{^_^}>
[nixpkgs] @vcunat pushed commit from @NeQuissimus to release-20.03 « linux_latest-libre: 17402 -> 17537 »: https://git.io/JJv4i
karetsu has quit [Quit: WeeChat 2.8]
MarcWeber has quit [Ping timeout: 240 seconds]
<marble_visions>
hi all, doing development with multiple sets of tools, i would like not to pollute my system-wide environment with gcc/python/rustc/etc tools. am i right to think that i can manage to create per-"project" nix environments by having a project.nix for every project, which includes the packages i would like available, and every time i want to work on the project i would invoke nix-shell with project.nix?
<marble_visions>
this will of course only play around with the generations / profiles / symlinks underneath
extends has joined #nixos
extends has quit [Client Quit]
<marble_visions>
but it's still fine as i know that the system-wide env is lean
<srhb>
marble_visions: That's the gist of it, yes.
<marble_visions>
srhb: nice, thanks
<philipp[m]>
Depending on your IDE needs you might want to check out lorri. Just cd into a dir and have a different env ready. Also works with emacs.
<AmandaC>
so it seems I'm going to have to wait for my NUC to do more mesa experiments. Changing just the system mesa, or just a single package's mesa doesn't work.
<AmandaC>
If they mis-match it'll die
<AmandaC>
at least, sway will
<Humanoid>
How do I add a library dependency to a nix expression? I tried adding it to the buildInputs list, but it doesn't seem to do anything.
<pingiun>
it doesn't seem to work when stage1 init was not run
<pingiun>
I'm testing out firecracker with a nixos image
<Humanoid>
There's a missing header: "gdk-pixbuf-xlib.h", so I tried adding gdk-pixbuf and gdk-pixbuf-xlib to the buildInputs of the nix expression, but it doesn't seem to do anything.
<CRTified[m]>
patagonicus: And I found the matching hydra job, the test for initrd-network-ssh fails since 2020-06-05
lunatera has quit [Ping timeout: 240 seconds]
<CRTified[m]>
(Well, at least it looks like that, but I'm not used to hydra so I might be wrong - at least the error is the same as my local error)
<infinisil>
marble_visions: Usually shell.nix files are used for this, calling `nix-shell` uses that file by default. And btw, nix-shell doesn't mess around with profiles and generations at all
<marble_visions>
Philipp[m] thanks, will check it out
<marble_visions>
infinisil interesting, i thought a nix-shell would create a generation... does it do its magic on the fly with just environment variables in the opened shell?
<Humanoid>
How to specify in a nix expression that it needs to include the include directory of a library when compiling?
stteevveen has quit [Remote host closed the connection]
<infinisil>
marble_visions: Yup
justanotheruser has quit [Ping timeout: 260 seconds]
<infinisil>
Humanoid: Should be just with buildInputs, no idea why it doesn't work for you though
lollo has quit [Remote host closed the connection]
orivej has quit [Ping timeout: 264 seconds]
<marble_visions>
infinisil: what would happen if shell.nix contains a package that is not present yet in the current nix store and has to be downloaded?
<infinisil>
It would download/build it
<marble_visions>
that would definitely append to the store, but not the generations and profiles?
<infinisil>
Yup
<marble_visions>
aha, right.
<pinecamp>
are there established best practices to integrate home-manager files with configuration.nix? I have a few home-manager modules written that I use on darwin, and I recently finished a basic NixOS installation on a separate machine. what's the recommended way to use parts of my home-manager setup in configuration.nix, without manually copying it into
<pinecamp>
a `home-manager.users.pinecamp` block?
<pinecamp>
I've tried `home-manager.users.pinecamp = import ../home.nix { config, pkgs };`, but that seems not to have any effect
orivej has joined #nixos
<{^_^}>
[nixpkgs] @skykanin opened pull request #91738 → gtkcord: Init at 0.0.4 → https://git.io/JJvBQ
<energizer>
pinecamp: i have that without the {config, pkgs} and it works
waleee-cl has quit [Quit: Connection closed for inactivity]
<pinecamp>
energizer: do you still run `home-manager switch`, or is your home-manager configuration applied when you run `nixos-rebuild switch`?
<energizer>
pinecamp: the latter
<pinecamp>
strange
<energizer>
i have imports = [<home-manager/nixos>];
pax-12 has joined #nixos
bastion-tester has quit [Ping timeout: 264 seconds]
<energizer>
#home-manager might know better
<pinecamp>
I'm using something similar... strange that it's not working
<pinecamp>
thanks, I'll ask there too :)
pinion[m] has joined #nixos
<pax-12>
when I try to enable nonfree software with { nixpkgs.config.allowUnfree = true; } in configuration.nix I get this error: error: anonymous function at /etc/nixos/configuration.nix:5:1 called with unexpected argument 'lib', at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:228:8
orivej_ has joined #nixos
orivej has quit [Ping timeout: 260 seconds]
<energizer>
pax-12: at the top of the file put {...}:
<pax-12>
I get the same error if I do so
<pax-12>
sorry, not the same... error: attempt to call something which is not a function but a set, at /etc/nixos/configuration.nix:6:1 (use '--show-trace' to show detailed location information)
<infinisil>
pax-12: That doesn't sound related. Try removing the `nixpkgs.config.allowUnfree = true` and see if it still errors
<pax-12>
infinisil, I now get this error instead: warning: the following units failed: wpa_supplicant.service
<pax-12>
Main PID: 5479 (code=exited, status=255/EXCEPTION)
<pax-12>
IP: 0B in, 0B out
<pax-12>
CPU: 4ms
<pax-12>
Jun 28 20:24:22 nixos-box systemd[1]: Started WPA Supplicant.
<pax-12>
Jun 28 20:24:22 nixos-box wpa_supplicant[5479]: Successfully initialized wpa_supplicant
<pax-12>
Jun 28 20:24:22 nixos-box wpa_supplicant[5479]: Failed to open config file '/etc/wpa_supplicant.conf', error: No such file or directory
<pax-12>
Jun 28 20:24:22 nixos-box wpa_supplicant[5479]: Failed to read or parse configuration '/etc/wpa_supplicant.conf'.
<pax-12>
Jun 28 20:24:22 nixos-box systemd[1]: wpa_supplicant.service: Main process exited, code=exited, status=255/EXCEPTION
<aleph->
Hmm, okay. So CAP_CHOWN and CAP_SETGID aren't enough to let a non-root user fork/exec shells for other users... so what else am I missing...
<pax-12>
Jun 28 20:24:22 nixos-box systemd[1]: wpa_supplicant.service: Failed with result 'exit-code'.
<pax-12>
warning: error(s) occurred while switching to the new configuration
<aleph->
pax-12: Use a pastebin please. :)
<pax-12>
aleph-, ok
<chiiba>
I want to populate data directories for a few stateful systemd services using a "data-restoration-service" at NixOps deploy-time. Obviously when restoration happens the stateful services have to be "down" and afterwards the services should restore their state. Would running `systemctl stop <stateful-services>` in my restoration service lead to NixOps deploy-time race conditions? (Is the sequence of service
<energizer>
"As an update to this thread, OpenSSH in version 7.5 deprecated the UsePrivilegeSeparation option, making it impossible to disable privilege separation. It appears that running SSHD as a user is now impossible."
<infinisil>
pax-12: Can you post your full configuration.nix and the output of `nix-info`?
<aleph->
energizer: Yeah I saw that. I'm not technically running an sshd daemon, running the teleport daemon.
<aleph->
Ah think I know what to do.
<energizer>
aleph-: do post an update if you figure it out
<aleph->
energizer: Think generating the user to run as, as `isSystemUser = true;` should do the trick.
<pingiun>
I'm trying to force a remote build with -j0, but I believe nix is refusing because my remote build is a linux machine and my local machine is macos
<pingiun>
how can I do a build on my linux machine with a nix expression from my local machine?
<aleph->
Hmm, okay system user didn't help it. Ugh
orivej has quit [Ping timeout: 258 seconds]
orivej has joined #nixos
<infinisil>
pax-12: Oh, well you can't just literally add { nixpkgs.config.allowUnfree = true; } anywhere in the file, that's not how Nix syntax works
<pax-12>
infinisil, where should I add it then?
<infinisil>
pax-12: If you see something like that, it means that nixpkgs.config.allowUnfree is an option, like any other option you set in the file
<infinisil>
So add just that option assignment like you have all others
thawes has joined #nixos
<aleph->
Hmm I wonder if something is mounted noexec...
thawes has left #nixos ["ERC (IRC client for Emacs 27.0.91)"]
pinecamp has quit [Ping timeout: 245 seconds]
pax-12 has joined #nixos
<pax-12>
when I try to install nonfree software with nixos-rebuild switch I get no error and I still cannot install nonfree software (I have run sudo nixos-rebuild switch)
slack1256 has quit [Remote host closed the connection]
waleee-cl has joined #nixos
kenran has joined #nixos
<turion>
pax-12 but if that command succeeded, then apparently it worked..?
<infinisil>
pax-12: Your question is way too vague..
<pax-12>
turion, if I install nonfree software such as discord I get this error: Package ‘discord-0.0.10’ in /home/pax/.nix-defexpr/channels_root/nixos/pkgs/applications/networking/instant-messengers/discord/base.nix:72 has an unfree license (‘unfree’), refusing to evaluate.
<infinisil>
pax-12: What's the *full* error
<infinisil>
Well no need to tell me
<infinisil>
But read the full error, it tells you exactly what to do
<turion>
Well, that clearly is an error, right? :)
<{^_^}>
[nixpkgs] @jonringer pushed commit from @dmrauh to master « python3Packages.simpy: add missing dependency »: https://git.io/JJvE0
pi4 has quit [Quit: WeeChat 1.6]
<infinisil>
pax-12: It's completely separate. NixOS configuration.nix doesn't look at your user's ~/.config, and nix-env doesn't look at NixOS configuration.nix
<infinisil>
You might want to install programs with configuration.nix instead
<infinisil>
That's generally preferred on NixOS
<pax-12>
infinisil, how do I do that?
<infinisil>
Should be in the manual
<pax-12>
I have to go now
pax-12 has quit [Quit: Leaving]
<turion>
Yeah, that amount of time is not enough to learn nix :D
asymptotically has quit [Quit: Leaving]
o1lo01ol1o has quit [Ping timeout: 260 seconds]
o1lo01ol1o has joined #nixos
rsoeldner has quit [Remote host closed the connection]
asymptotically has joined #nixos
mtn has joined #nixos
<fps>
hmm, for some reason after changing the systemCronJobs the first time a job should be executed i only get this in the log:
<fps>
Jun 28 22:44:01 cherry /nix/store/g6x0mhdirz8qvsiz3z0zfpgzbqiqdy5j-cron-4.1/bin/cron[18728]: (*system*) RELOAD (/etc/crontab)
<fps>
the second time the job should run it actually is run
o1lo01ol1o has quit [Ping timeout: 264 seconds]
<fps>
i would have expected the cron service to RELOAD the config directly after nixos-rebuild switch and the job to be executed the first time it should be executed
<fps>
oh, i see. the cron daemon only checks every minute if the crontab changed. then reloads it and then does not check if there was a job to be run with the same time spec as when the check happened..
<fps>
so when testing out jobs one needs to schedule them at least two minutes ahead, not one ;)
mtn82 has joined #nixos
mtn82 has quit [Remote host closed the connection]
<mog>
it was frustrating at first but once i had it all set correctly just worked
zupo has joined #nixos
orivej_ has joined #nixos
orivej has quit [Ping timeout: 265 seconds]
<mog>
i got stuck on multi domains for a bit , but setting one for my wild card and one for my root fixed the problem
<mtn>
gotcha -- one stupid thing I did yesterday was running lego on the command line I hit the duplicate cert limit, so now I'm setting it up on a different domain
<mtn>
do you know if it's possible to point at lets encrypt staging?
zupo has quit [Ping timeout: 240 seconds]
<mog>
i think it is, i hit that same wall before and just waited it out. i use dns because i was running way too many sub domains and kept hitting the limit
gxt_ has joined #nixos
<mtn>
gotcha
<mog>
i wish people just allowed for trusting self signed certs.... i see so little value in the fact that letsencrypt validated i own the domain
<mtn>
oh one more random question
<mtn>
once everything's set up, do you have a problem hitting the renew limits from running nixos-rebuild switch?
<mog>
never
<mog>
i didnt have that problem before either though
<mog>
nixos handles systemd timers correctly
civodul has quit [Quit: ERC (IRC client for Emacs 26.3)]
<mtn>
ah ok, is that because you don't run it alot or it doesn't count against one of let's encrypts rate limits?
<multun>
mog: the value is that people can't just impersonate your domain and decrypt traffic
domogled has quit [Ping timeout: 258 seconds]
<mog>
multun, if i self signed my traffic people couldn't decrypt it. it only stops people from impersonating my domain
<mog>
an attack vector i care a lot less about.
<multun>
people can mitm
<mog>
the flip side is letsencrypt can mitm all of our traffic
<mog>
as we all use letsencrypt
<mog>
so randos mitm my traffic vs govt or lets encrypt going evil and mitm
<mog>
i prefer the randos
<multun>
randos includes the govts
<Yaniel>
randos includes govt and letsencrypt
<mog>
they'd have to be the dns provider for my random users
<multun>
no
<mog>
something i think is more difficult to fix across all the random spots i connect to the internet
<mog>
to mitm they need to convince me I'm connecting
<mog>
i trust ssh and fingerprints much more than i trust ssl
<mog>
and would have preferred web to go that same way
<multun>
good for you, I think I'll keep protecting my users from randos MITM the shit out of them
<mog>
it's cool you can be wrong too ^__^
<multun>
I just don't get it
<multun>
having a signed cert just gives your user more protection
<multun>
what's the drawback?
<mog>
3 can keep a secret if 2 are dead
<mog>
less parties in my private conversations are better
<karetsu>
what's the correct nix way of package AppImages? Is falling back on `appimage-run` okay?
<karetsu>
what's the correct nix way of package AppImages? Is falling back on `appimage-run` okay?showKeybindings :: [((KeyMask, KeySym), NamedAction)] -> NamedAction
<karetsu>
showKeybindings x = addName "Show Keybindings" $ io $ do
<karetsu>
h <- spawnPipe "zenity --text-info --font=terminus"
<karetsu>
hPutStr h (unlines $ showKm x)
<karetsu>
hClose h
<karetsu>
return ()
<karetsu>
what's the correct nix way of package AppImages? Is falling back on `appimage-run` okay?showKeybindings :: [((KeyMask, KeySym), NamedAction)] -> NamedAction
<karetsu>
showKeybindings x = addName "Show Keybindings" $ io $ do
<karetsu>
h <- spawnPipe "zenity --text-info --font=terminus"
<karetsu>
hPutStr h (unlines $ showKm x)
<karetsu>
hClose h
EDGAR_ALLEN_FLOW has quit [Quit: leaving]
<karetsu>
return ()
<karetsu>
oh shit
<karetsu>
sorry
<Yaniel>
self-signed certs are not even secrets
Rusty1 has joined #nixos
<multun>
letsencrypt also doesn't have your private keys
<multun>
it only signs your public keys
justanotheruser has quit [Ping timeout: 258 seconds]
<multun>
it could emit a new certification signed for your domain, just like anybody could if you're using self signed certs
<mog>
it doesn't matter if they can sign new certs on my behalf
<Yaniel>
literally anybody can self-sign a cert on your behalf
<multun>
well with self signed certs anyone can
<mog>
I'm saying if browsers supported better use of self signed certs/pinning i think the web would have been a better place
<mog>
instead we all agreed that letsencrypt is validating the web
<multun>
indeed, but it's not there
<mog>
it's like what 70% of all certs are now theirs
<mog>
it's insane
<Yaniel>
and before letsencrypt it was a handful of expensive CAs
<mog>
and I'm part of the problem i know because it's easy
<mog>
but it's not a good situation
<mog>
i just don't get why firefox doesn't care
<Yaniel>
who as the browser CA blacklists show weren't exactly "good" either
<multun>
how do you pin certificates when the web pages are served by the same server that provides the cert? if the cert is an impersonation, the pinning data can also be
pingiun has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<Yaniel>
you obviously remember the first cert you've seen
<Yaniel>
nobody would ever mitm that
<mog>
i think things would be better done like how ssh is, you are right the first time you connect it's risky because no one will check everything
<mog>
but after it's very secure
<Yaniel>
so is a cert generated by a 3rd party
<Yaniel>
if you pin it
<multun>
then when you have to change cert, all your users will get a message
<multun>
just like with ssh
<mog>
right, but with lets encrypt that's all the time
<mog>
so it's not a real option
<Yaniel>
not any more "all the time" than with self-signed certs
<Yaniel>
well with self-signed you can specify a longer validity
<mog>
the problems i have are not technical they are ideological
<multun>
we can see that
<Yaniel>
but letsencrypt and TOFU are orthogonal problems
karetsu has quit [Quit: WeeChat 2.8]
<multun>
it seems like you'd rather accept weaker security rather than trusting letsencrypt, even if it only ratchets up sec
asymptotically has quit [Quit: Leaving]
<Yaniel>
you could also generate your own root cert, tell your users to install that as a CA and use it to generate proper signed certs
__monty__ has quit [Quit: leaving]
<Yaniel>
then you can renew your certs without annoying anyone
<mog>
i disagree that it's weaker. if i have a self signed cert that's pinned, vs a letsencrypt that's pinned all the time, I'd argue the letsencrypt is weaker given the attack vectors, and letsencrypt has made the former harder to do because of how browsers see self signed certs
<Yaniel>
well unless your root cert gets leaked
<multun>
but you can't pin your cert
<multun>
(with web browsers at least)
zupo has joined #nixos
<mog>
right I'm arguing for something that doesn't exist
<mog>
browsers to be able to easily trust and pin a self signed cert
<multun>
do you realise that if browsers accept that, users are going to get used to clicking on "it's ok if the identity changed", as they'd have no way to know whether the change is legit?
<Yaniel>
they already were
<mog>
in the same way they click through other security warnings sure
<Yaniel>
back when "permanently store exception" buttons still existed on the invalid certificate warning page
<mog>
unless the browser didn't let you
zupo has quit [Ping timeout: 258 seconds]
<multun>
if browsers don't let you, then you can't change certs