<zn85>
Hi, I'm attempting to install nixos (for the first time) as the only os on a system. When I get to the "reboot" step in the manual, booting fails saying "a bootable device has not been detected".
<zn85>
-including the modifications to `configuration.nix` and including the correct UUID in the correct spot.
<moet>
ok, that's what I was going to suggest. maybe that's not the issue then
<zn85>
Also, the `hardware-configuration.nix` seemed to have the right info.
<zn85>
Is the error message I see a grub message or a bios message?
<zn85>
-or something later in the boot process?
<moet>
If you hit grub you'll get a menu from which you can select a nixos version
<moet>
If you never see such a menu, my guess is that you're seeing a bios message
<zn85>
Oh, I noticed a discrepancy between the wiki page for luks and the nixos manual: the wiki said to mount the efi partition as `/boot/efi` but the manual says to mount to `/mnt/boot`. I followed the manual.
astronavt has left #nixos [#nixos]
Rusty1 has left #nixos ["WeeChat 2.9"]
<zn85>
hrm, glancing at `grub.cfg` I can't tell if there's any misconfiguration.
<zn85>
Current suspect from the wiki page which says to add this option in `configuration.nix`: `boot.loader.efi.efiSysMountPoint = "/boot/efi";`
mkaito has quit [Quit: WeeChat 3.0]
<zn85>
-aha, that was it!
<moet>
Weird! I don't have that in my configuration and i'm efi booted into luks on lvm
<zn85>
So is the manual incorrect for uefi? Or is it only inconsistent with the disk encryption wiki page (which is a bit messy and confusing, tbh)?
proofofkeags has quit [Ping timeout: 264 seconds]
<moet>
zn85: I'm not sure; you mount boot / efi in different places .. that part of the manual is definitely confusing and I feel like I do it differently every time i set up a new system
<moet>
** you can mount boot or efi in different places
<zn85>
Awesome! It boots. For some reason both grub and a later stage ask for the disk password.
<moet>
yes, that's normal.. you have to do some work to only get a single password prompt..
fuzzypixelz has quit [Quit: Connection closed]
astronavt has joined #nixos
<moet>
i think that's because your boot partition is encrypted?
<zn85>
Ah… huh... yeah, maybe I have `/boot` inside the encrypted lvm partition, then `/boot/efi` on a normal disk partition…doh.
gustavderdrache has joined #nixos
<moet>
yeah, i can't remember the details.. i set up my systems without an encrypted boot partition and i mount at /boot not at /boot/efi .. i get only one password prompt, but my kernel is sitting out there on unencrypted fat32
rb2k has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
rb2k has joined #nixos
<apache8080>
I am booting nixos on ARM with fips enabled and I get into a situation where the kernel will hang forever after outputting `random: crng init done`. It seems like raspberry pi's have had similar issues but I can't seem to find an actual solution for this. By throwing prints in the kernel the function that it seems to keep on getting called is
<apache8080>
add_interrupt_randomness. Has anyone seen this before?
rajivr has joined #nixos
zjuyk has left #nixos ["WeeChat 3.0"]
cole-h has quit [Ping timeout: 260 seconds]
<simpson>
Well, at risk of making both of us look a bit silly, do you have a peripheral attached? Like, a mouse that you could shake a bit?
<simpson>
I don't know how your particular board is configured to get entropy.
<apache8080>
unfortunately no
<apache8080>
where in the actual kernel does entropy get configured?
nhs has joined #nixos
plumm has quit [Quit: My Mac Pro has gone to sleep. ZZZzzz…]
<rmcgibbo[m]>
If I have a particular package that contains 1 binary, can anyone point me to an example configuration of the NixOS `sudo` module that would allow that binary to run as root w/o requiring a password?
nhs has quit [Ping timeout: 240 seconds]
marcusr has quit [Remote host closed the connection]
<{^_^}>
[nixpkgs] @SuperSandro2000 merged pull request #113265 → remove many unused input, add many pythonImportsCheck, others cleanups → https://github.com/NixOS/nixpkgs/pull/113265
<V>
rmcgibbo[m]: do you want the binary itself to run as root, when run by any user, or to allow a specific user to run `sudo binary` without providing a password?
<rmcgibbo[m]>
Either way is fine
<V>
rmcgibbo[m]: add it to security.wrappers, then
<V>
please ensure you're doing this while understanding the implications, however
nhs has joined #nixos
<V>
and that the binary in question is minimal and secure, and written with being setuid root in mind
<rmcgibbo[m]>
Thanks, I'll look that up.
<rmcgibbo[m]>
Yeah -- it's my little BPF program :)
<V>
if you don't know how to judge whether the answer to these questions is "yes", I would choose to whitelist specifically the users that need it in sudo
<V>
which you can find out how in sudoers(5) IIRC
Jackneill has joined #nixos
<V>
+ set via security.sudo.*
<rmcgibbo[m]>
The other way I suppose is to run it as a systemd service, since I know how to do those.
<V>
that's probably a much better idea, assuming it's long-running
<V>
suid binaries are a massive footgun
<hexa->
rmcgibbo[m]: CAP_BPF?
<hexa->
since 5.8
<V>
oh, yeah
<V>
if it's just a specific capability you need then that is also an option
slack1256 has joined #nixos
<hexa->
the least invasive one :)
<rmcgibbo[m]>
okay, well i need to learn what that is now
<V>
I was even thinking of capabilities while writing that! Just not the kind that Linux has
<rmcgibbo[m]>
I can give a non-root user CAP_PERFMON and then they could run this binary w/o being root?
<hexa->
rmcgibbo[m]: if your program is running in a systemd unit set AmbientCapabilities = [ "CAP_BPF" ]; and just run your BPF programs
<hexa->
you can, yes
<zn85>
On my attempt to install nixos w/ disk encryption, I get past grub and I get a prompt for the passphrase and it mentions the correct `/dev/disk/by-uuid/…` path. But when I type there is no feedback at all. When I hit enter, no change. I waited a long time and there's no update. Could it be that `nixos stage 1` doesn't listen to a USB keyboard?
<zn85>
What else would prevent keyboard input or any kind of feedback? I guess it could be locked up, also, somehow.
<zn85>
Oh, I could hunt down a ps2 keyboard and see if that works…
<hexa->
zn85: yeah, sounds like you are missing a kmod
<zn85>
Ah, is that something specified in `hardware-configuration.nix`?
<zn85>
No, it's a microsoft something something, pretty old ergonomic wireless keyboard with a usb dongle.
<hexa->
ok
<zn85>
The thing is the keyboard works with the bios and the nixos installer, so shouldn't `nixos-generate-config` see any module that was necessary?
<hexa->
there is hid_microsoft
gustavderdrache has quit [Quit: Leaving.]
<rmcgibbo[m]>
Are the capabilities inherited -- like if I have my main program run from systemd as a non-root user with AmbientCapability = CAP_PERFMON, and then it execs some other program which subprocesses some other program -- that capability would be inherited, right?
<hexa->
yeah, that's the plan, we're lacking an implementation
<hexa->
set boot.initrd.kernelModules = [ "hid_microsoft" ];
<hexa->
rmcgibbo[m]: ambient provides them, capabilityboundingset allows your program to request them
<zn85>
hexa- Thanks! I just tried a wired usb keyboard and that worked. After booting, the wireless keyboard works, so the only time it doesn't work is during the luks pw prompt. I'll follow up on that issue.
<fiveseven[m]>
nouveau acts even worse if you wanna go that route
<hexa->
that is also nvidias fault :)
<samueldr>
there's not much NixOS can do here, the kernel is EOL, it is removed
<fiveseven[m]>
and I've had major issues with all major GPU vendors, doesn't really matter who you wanna bash
<samueldr>
but what a user can do is use one of the different methods of picking back up that kernel
mjsir911 has quit [Ping timeout: 256 seconds]
mjsir911 has joined #nixos
<rmcgibbo[m]>
Yeah -- I'm not trying to use anything EOL, just trying to start from 20.09 and build a machine image for amazon with a 5.8-or-later kernel.
<samueldr>
(yeah, that was generally said)
<samueldr>
rmcgibbo[m]: can you try building with that on top of 20.09 and open a backport PR if it works?
<rmcgibbo[m]>
;) can you help me figure out the incantation to set `boot.kernelPackages = pkgs.linuxPackages_latest` but then specifically override `ena`? should i do `boot.kernelPackages.ena = (import from unstable...)`?
<samueldr>
rmcgibbo[m]: the easiest route here would be cloning nixpkgs, checking out nixos-20.09 (assuming you're building against the tip) and apply the changes to the checkout
<rauno>
Hum, when enabling networking.firewall my docker services break when they use exposed ports to communicate? Is this expected ? Saw few open/closed issues to similar issue also..but nothing quite right
<Rovanion>
Does anyone recognise this error? I've not found one cause yet online, most of it seems to be from bugs in nix source. But on my machine it also happens when I run with `-A slurm`, a test I'm currently writing.
<Rovanion>
This issue could be with my installation. Running `nix-build nixos/tests/slurm.nix` has the same result. This is on a Guix System with Nix installed through Guix (functional package managers all the way down).
<hyper_ch>
actually, adding the line into packageOverrides { stdenv = pkgs.gcc8.stdenv ....} works..... well, not sure if gcc8 is being used right now, but it does not complain right now
<hyper_ch>
I can't get it to compile anymore... I thought it's because of newer gcc but still... not sure
<makefu>
hyper_ch: you can add a preBuild Phase and run gcc --version or something similar
<hyper_ch>
makefu: I get this now: /build/rtorrent-0.9.6/src/display/window_file_list.cc:72: undefined reference to `bool std::isprint<char>(char, std::locale const&)' --> I thought it was because of some change in gcc......
<attila_lendvai>
i'm having great trouble compiling with clang using -m32 on a 64bit host. i'm using multiStdenv.mkDerivation, but the linker complains that "cannot find libgcc_s.so.1", and i cannot come up with a shell.nix to resolve that. any hints/pointers?
ris has joined #nixos
n-osborne has quit [Remote host closed the connection]
* attila_lendvai
has found clangMultiStdenv and clang_multi, but it only has shifted the error to "crtbegin.o' is incompatible with i386 output"
<aranea>
I know how nixos merges sets that are defined by multiple modules. But how can I make a module *remove* a key from a set that has been defined by a different module?
n-osborne has quit [Remote host closed the connection]
nhs has joined #nixos
Qwerky has joined #nixos
n-osborne has joined #nixos
hiro98 has quit [Quit: hiro98]
hiro99 has joined #nixos
n-osborne has quit [Remote host closed the connection]
<bqv>
aranea: I hate that problem. The module system's great until that happens
n-osborne has joined #nixos
hiro99 is now known as hiro98
<aranea>
the set which I'm trying to override here is security.wrappers; I guess I could try to get a patch upstreamed that adds an 'enable' key to wrapper definitions.
meh` has joined #nixos
<aranea>
I could also just set permissions to a bogus value to make it create useless wrappers, but meh.
<infinisil>
Currently the way to get around this is on the module definition itself, where one could introduce a special value like `null` which has the same meaning as there being no key at all
<infinisil>
(problematic when `null` already has a meaning though, e.g. for config files formats that support null)
<aranea>
right, or an enable key
domogled1 has joined #nixos
nhs has joined #nixos
domogled has quit [Ping timeout: 272 seconds]
domogled1 is now known as domogled
thc202 has quit [Ping timeout: 240 seconds]
<aranea>
hrm, I'm confused
<aranea>
there are multiple other places in my config file where I'm overriding values with lib.mkOverride and it works perfectly fine
<ronthecookie>
i'm trying to get meshroom running (python27 app, from source) and it is complaining it can't find enum even when i add enum to my shell.nix: https://termbin.com/r8rk
sigmundv has quit [Read error: Connection reset by peer]
marcusr has quit [Remote host closed the connection]
sigmundv has joined #nixos
marcusr has joined #nixos
<attila_lendvai>
how can i reference the final directory of my package in a postInstall script? i assume substituteAll and @out@ won't work, because $out is a temp directory?
rb2k has quit [Ping timeout: 265 seconds]
<ronthecookie>
hell yeah i don't have to suffer! there's a docker image!
n-osborne has quit [Remote host closed the connection]
rb2k has joined #nixos
<supersandro2000>
bqv: taking a look at that later
poscat has joined #nixos
<supersandro2000>
ronthecookie: I don't think you created the python environment the right way
<veleiro>
if i have a postgres module enabled, when I enable another module that also says "service.postgres.enable = true;" and maybe more postgres settings, are they merged or is one ignored?
<{^_^}>
[nixpkgs] @NeQuissimus pushed 7 commits to release-20.09: https://git.io/JtMov
xelxebar has quit [Remote host closed the connection]
<ambroisie>
lordcirth: not quite, I'm using `10.0.0.0/24` subnet
<{^_^}>
[nixpkgs] @ajs124 pushed to master « projectm: remove myself as maintainer »: https://git.io/JtMPA
mallox has quit [Quit: WeeChat 3.0.1]
<lordcirth>
ambroisie, and the clients get an address correctly? Their route gets set? They can ping the VPN's internal IP, but not the internet?
<ambroisie>
Yeah I can ping the server's internal IP, I also checked with the netcat command from the Arch Wiki so I am sure the tunnel is working correctly
<ambroisie>
Similarly the server can ping the phone's internal IP
zupo has joined #nixos
<{^_^}>
[nixpkgs] @flokli pushed to master « casync: update license from lgpl21 to lgpl21Plus »: https://git.io/JtMXJ
<ambroisie>
But I cannot do `ping 8.8.8.8` from the phone
mallox has joined #nixos
<ambroisie>
How can I check if the routes get set properly ?
<lordcirth>
ambroisie, on a Linux client, "ip route" or "route".
<{^_^}>
[rfc39-record] @grahamc pushed commit from rfc39 to main « Automated team sync results. »: https://git.io/JtMXO
<lordcirth>
an android terminal would probably work if you can plug in a full keyboard
<ambroisie>
lordcirth: but when I am using wireguard on another server (which *does* allow me to connect to the internet) I do not see any difference on the phone
lord| has quit [Ping timeout: 272 seconds]
nly has left #nixos ["ERC (IRC client for Emacs 27.1)"]
<lordcirth>
ambroisie, well, perhaps there is android weirdness going on
<ambroisie>
Mmmmh...
<ambroisie>
I'll try with the laptop real quick, see if anything changes
lord| has joined #nixos
plumm has joined #nixos
<{^_^}>
[nix] @edolstra pushed to master « Make 'nix --version -vv' work »: https://git.io/JtMXV
<lordcirth>
ambroisie, what about with the working server?
<ambroisie>
And the routes are once again the exact same whether I am using the NixOS server or the previous server
ManiacOfMadness` has quit [Ping timeout: 272 seconds]
<sterni>
veleiro: module configurations get merged usually
o1lo01ol1o has joined #nixos
<lordcirth>
ambroisie, weird. I'm not familiar with wireguard specifically, but normally a VPN needs to replace the default route to send traffic down the tunnel.
<lordcirth>
Must be some shenanigans happening inside the kernel.
<ambroisie>
Probably... I'll go see if the #wireguard people can help
<ambroisie>
Thanks for your time lordcirth
<dutchie>
with wireguard, the AllowedIPs for a remote host are punned to be the routes used for outgoing traffic
<dutchie>
so you should set that to 0.0.0.0/0 and ::/0 if you want all traffic to go down the tunnel
zn81 has joined #nixos
<zn81>
Why does the nixos install manual say that the first step on the initial post-install reboot is to run `passwd` as root? I'm confused because `nixos-install` prompted for a root password as the final step.
fendor has quit [Remote host closed the connection]
mallox has quit [Quit: WeeChat 3.0.1]
g-w1 has joined #nixos
<g-w1>
are there some hacks to get AppImages to work on nixos? I get no file or directory which I assumed was a dynamic linking error but ldd says it's statically linked?
greety has joined #nixos
jimmiehansson has quit [Remote host closed the connection]
ahmedelgabri has quit [Ping timeout: 265 seconds]
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<sterni>
g-w1: there is appImageTools in nixpkgs, to wrap AppImages in order to make them work
nomeata has quit [Quit: Client exiting]
<g-w1>
ah thx
<g-w1>
what is it called? nix search doesn't yield it
<ToxicFrog>
You can insert arbitrary iptables commands into the nixos firewall configuration, so if you know iptables you can presumably do it that way
<mcint>
I'm building a nixos container, and having issues booting it. "kernel does not support pidfs" and "__safe_mount_beneath_at - function not implemented" for the basic devices (null, tty, console, ...)
<simpson>
mcint: Keep in mind that we don't actually support those techniques, so you're somewhat on your own. Do you *really* need NixOS inside the container, or is it enough to have anything from nixpkgs?
ahmedelgabri has joined #nixos
slack1256 has quit [Ping timeout: 265 seconds]
n-osborne has quit [Remote host closed the connection]
<zn81>
Can I configure the nixos boot sequence so that it does _not_ block on DHCP while still continuing to establish an IP address asynchronously?
shibboleth has joined #nixos
nhs has quit [Ping timeout: 260 seconds]
malook has joined #nixos
malook has quit [Quit: malook]
<hyper_ch>
zn81: what are you trying to achieve?
<mcint>
simpson: thanks, i get that. I use nixpkgs directly on my own machines, and I'm so happy with it, that I want to package things myself to install them on darwin. but in this case, yes, for a shared machine, and showing off the ease of use...once i have it working
<bqv>
Ericson2314: hello, any news on nix-ipfs? you said to ping (again) :)
nhs has joined #nixos
<bqv>
oh look, even the NHS uses nixos
<tpw_rules>
so i can override an input to a flake that's an input to my flake with .follows. but how can i set my flake to use that other flake's input?
<zn81>
On `nixos-rebuild build` I get a `trace` warning that the password hash of a user may be invalid. I cannot log in as that user. I generated the password with `mkpasswd -m sha512crypt -R <big number> > /path/to/password/file`, then in `configuration.nix` in that user entry I have `hashedPassword = builtins.readFile /path/to/password/file`.
ahmedelgabri has joined #nixos
<zn81>
Do I need to select different options for `mkpasswd` or can I somehow enable support for sha512 passwords with big round counts?
<zn81>
I get the same error if I do not use any special args for `mkpasswd`.
<zn81>
-oh, I should look up `hashedPassword`. I just assumed it'd be a string that was the output of `mkpasswd` based on the nixos install manual…
<zn81>
Oh, looks like I must use exactly `-m sha-512` with no `-R` as the arguments. Might be nice to inline an example in the manual's user config section. Where is the source to the nixos manual?
nhs has quit [Ping timeout: 246 seconds]
<zn81>
Hm, this time there was no warning message but I still can't log in…
ahmedelgabri has quit [Ping timeout: 265 seconds]
Darkmatter66 has joined #nixos
zupo has joined #nixos
iqubic` has joined #nixos
IRCsum has quit [Remote host closed the connection]
rajivr has quit [Quit: Connection closed for inactivity]
<domenkozar[m]>
tpw_rules: DNS issues with storage provider
zupo has joined #nixos
<bqv>
ah, so that wasn't just me
<tpw_rules>
is that a thing i can do anything about? passing --fallback just causes nix develop to crash shortly thereafter: "terminate called after throwing an instance of 'nix::SubstituterDisabled'"
<Ankhers>
I am trying to use virtualbox for something. However, whenever I try to start a VM, I get an error saying that the kernel driver is not accessible. I used https://nixos.wiki/wiki/Virtualbox to install it. I also installed the extensions just because, but it is still not working.
<sterni>
matthewcroughan: you could use that to pass an overlay to nixpkgs: nix-build -A lzma --arg overlays "[ (self: super: { lzma = super.lzma.override { enableStatic = true; }; }) ]"
__monty__ has quit [Quit: leaving]
Qwerky has joined #nixos
<sterni>
the plus of an overlay is that lzma is then overridden for every package you build even for packages which depend on lzma
<tpw_rules>
what is the meaning of multiple licenses in the meta attribute? is it a list of choices?
n-osborne has quit [Remote host closed the connection]
<qyliss>
depends on the package
<qyliss>
sometimes it's a choice, sometimes it means the package contains code licensed under each of the licenses, so you have to follow the combination
<lordcirth_>
packages can be released under multiple licenses, or different parts under different licenses
<sterni>
tpw_rules: in most cases it is multiple licenses apply at the same time / for different parts of the package under different licenses
<sterni>
we should probably support SPDX license expressions :p
<matthewcroughan>
sterni: it all ends up being dynamically linked, seems not to do what we think it does.
<qyliss>
sterni: the difficult thing there is that then you have to parse them
<sterni>
qyliss: I know right
<qyliss>
but it would be nice if we could maybe have some DSL for SPDX syntax trees
ATuin has quit [Ping timeout: 240 seconds]
<sterni>
qyliss: I actually really want to write an spdx id parser in nix, probably because I hate myself
<qyliss>
I don't think I can think of anything worse for eval time/memory lol
<sterni>
qyliss: yeah it's nothing that should be in nixpkgs definitely
<sterni>
but it'd probably be nice if we can represent this stuff in a better way
<qyliss>
yeah
<sterni>
although I'm not sure if we want to completely translate the spdx expr semantics into a attrset based thingy
<sterni>
because some of the SPDX expressions feel just overengineered
<sterni>
qyliss: the WITH operator felt odd to me, but maybe it really does simplify stuff
<qyliss>
WITH is definitely important
<sterni>
qyliss: what bugs me about it is that you have to keep a list around of compatible exceptions I'd think?!
<sterni>
but maybe the lesser of two evils of having an exploding list of licenses
<tpw_rules>
sterni: this would be to fix CHOLMOD. currently the derivation tries to compile it but it doesn't include some prerequisites so it doesn't happen. do you think i have to change the license or add a note?
<qyliss>
I wrote some code yesterday that was AGPL-3.0-or-later WITH GPL-3.0-linking-exception and was very happy I was able to represent that
<{^_^}>
[nixpkgs] @SuperSandro2000 opened pull request #113522 → collection: remove unused inputs, stale substituteInPlace, mark some python packages broken for darwin → https://github.com/NixOS/nixpkgs/pull/113522
<sterni>
simpson: I just wish licenses were about boolean logic 😔
<zn10>
I'm a new nixos user, new install. I'm in the configuration section of the manual and I'm trying out `users.mutableUsers = false` and hitting multiple snags.
fabian_a has quit [Ping timeout: 260 seconds]
litschi has quit [Quit: WeeChat 2.9]
<zn10>
So far, I've never seen the user I specified appear in `/etc/passwd` after `nixos-rebuild build`, even when that command completes without any obvious error message.
<zn10>
In the latest attempt, while whittling down pieces, I get an error that the root password is not set and no user is in the `wheel` group. How can I set the root password? More importantly, how can I discover this from the manual? It's not mentioned in the user config section AFAIK, and the config options appendix is very difficult to navigate in my
<zn10>
browser (chrome on a chromebook) maybe due to its size.