anderslundstedt has quit [Ping timeout: 240 seconds]
hexa- has joined #nixos
<DigitalKiwi>
impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ # This variable allows the user to pass additional options to curl "NIX_CURL_FLAGS" <-- oh sure now i find this
<jackdk>
does anyone have experience using dockerTools.buildImage to make a container that doesn't run as uid 0? I've seen examples that do a `useradd` in a `runAsRoot` block, but given that I don't really need to build from a whole OS base image, I'm looking for something leaner
monotux has quit [Remote host closed the connection]
<pie_>
while evaluating anonymous function at /nix/store/4rh4diy1ig7y82ixp34vcqlb4p5mrcj9-nixpkgs-src/lib/modules.nix:321:18, called from /nix/store/4rh4diy1ig7y82ixp34vcqlb4p5mrcj9-nixpkgs-src/lib/modules.nix:321:5:
<pie_>
The option `containers' in `/nix/store/4rh4diy1ig7y82ixp34vcqlb4p5mrcj9-nixpkgs-src/nixos/modules/virtualisation/containers.nix' is already declared in `/bakery7/oven7/ephemeral/contianers/nixos-containers.nix' and `<unknown-file>'. [...]
<pie_>
are modules sensitive to load order or something?
<pie_>
so like.. containers.nix and nixos-containers.nix are two separate modules that seem to both be evaled in unpatched nixpkgs, so i dont know why disabling one and using a patched version somehow ends up with this declaration conflict...
<kim366>
Hi, there! I've just successfully built my first Nix derivation and it works perfectly. Now I am wondering how I can put it in the global store, since nix-build creates the output in the current path
bahamas has joined #nixos
bahamas has quit [Changing host]
bahamas has joined #nixos
orivej has quit [Ping timeout: 240 seconds]
lopsided98 has quit [Ping timeout: 258 seconds]
<eon`>
kim366: nix-build just put a symbolic link in the current path
<eon`>
the result is actually in the store
lopsided98 has joined #nixos
<kim366>
Oh, you're right. But the bin folder in there hasn't been added to PATH
VideoGameEnjoyer has quit [Remote host closed the connection]
<feathers>
heya. we're seeing sshd dumping core after being SIGSYS'd by a seccomp filter. can't find anything in the bug tracker about it though; is this known/expected?
VideoGameEnjoyer has joined #nixos
<feathers>
seems to be an authentication process trying to socket(), but getting a denial
<feathers>
can't reproduce it either, only shows up every few hours due to the internet being filled with assholes
<feathers>
at least it appears to be a benign bug, not some ACE in the auth path :)
exfalso has joined #nixos
fendor has joined #nixos
__monty__ has joined #nixos
<exfalso>
hi, i just bumped our pinned nixpkgs to a fairly new one that includes systemd 246.6, and I see systemd-portabled is not in the systemd package anymore? Is there a package it was wrapped into perhaps?
<{^_^}>
[nix] @regnat pushed to fix-remote-registerDrvOutput « Fix registerDrvOutput with the daemon »: https://git.io/JOmFh
<eyJhb>
exfalso: I am not sure which script I should check. The drv?
<eyJhb>
Because I get no "output" script, since it fails.
<eyJhb>
.. Found the issue I think
<exfalso>
eyJhb: i meant `nix-build -K bla.nix` -> will print a build folder path something like /run/something-build, and then check the .attr-0 script in there
<eyJhb>
exfalso: The issue was that my public key file had a `\n` in it ie. I had to use `publicKey = (lib.removeSuffix "\n" (builtins.readFile wgpub));`
<exfalso>
ouch, had similar issues before, quite annoying
<eyJhb>
Oh, thanks. I overlooked that. Didn't see the -1 after the .drv. So I thought it was just drvs. That is quite useful!
<eyJhb>
Yeah, annoying... But that is how it is. Not sure if such thing should be "upstreamed" as a bug?
<exfalso>
worth submitting an issue imo, at the very least to give visibility so other people stumbling on this can find the cause
<exfalso>
hmmpf the withPortabled flag was added to the systemd package right after stable 20.09 so it's only in unstable... and the systemd in unstable doesn't build
<sterni>
feathers: yeah editline doesn't really cope with unicode too well, but unicode and TUI is an unsolved problem (arguably unsolvable even)
<sterni>
although probably switching to GNU readline could already improve things
<feathers>
readline apps seem to work fine with emoji, yes
attila_lendvai has joined #nixos
<sterni>
well
zebrag has joined #nixos
<sterni>
wait until you try 👨👨👧👦 with a terminal emulator which support ZWJ emoji sequences
<sterni>
it either breaks with a font having the glyph or a font without the glyph
<sterni>
basically all readline can do is apply heuristics how many cells a character will consume, but you can only be sure about that after you do font rendering
<sterni>
but GNU readline doesn't know anything about the terminal's font rendering
<sterni>
supersandro2000: as what is the emoji rendered
<dutchie>
anybody tried getting zswap working with zstd? I have `boot.kernelParams = [ "zswap.enabled=1" "zswap.compressor=zstd" ];` but in dmesg i get "zswap: compressor zstd not available, using default lzo". i've tried adding zstd to all different permutations of boot.initrd.kernelModules and availableKernelModules but it still doesn't seem to be available
<dutchie>
i can use zstd after boot, presumably because the module's loaded by then
<qyliss>
is this perhaps a conversation that should move to #nixos-chat?
<supersandro2000>
press to 😀 to continue
<DavHau[m]>
<matthewcroughan "DavHau: Heyo, I'm using mach-nix"> I didn't have this issue before. Feel free to open an issue on github.
<pie_>
wait we arent in- oh.
<supersandro2000>
how well does nixos support emojis?
<pie_>
sigh, brings new meaning to font rendering exploits
Dr8128 has quit [Ping timeout: 268 seconds]
avaq has joined #nixos
<DavHau[m]>
<matthewcroughan "DavHau: An equivalent alpine doc"> I need to see the nix expression to be able to judge that. You might be mixing different nixpkgs versions, and therefore bloating the image? Feel free to open an issue as well and we can discuss on github.
<EmoSpice>
Good morning. I have a Ubuntu box where my user is managed by LDAP. I'd like to manage my user's configuration with nix/home-manager, but I'm facing an issue whereby git and ssh seem unaware of the IPA/sssd configuration on the host itself. I recognize why this is happening (the store these tools use is unaware of the host configuration entirely), but I'm not sure how I might go about fixing this
<EmoSpice>
other than by replicating the entire sssd configuration in my user's nix config. Does anyone have any tips on how I might do this simply?
<nly>
is there any option for different group for every user, instead of lumping all in generic 'users' group?
rprije has quit [Ping timeout: 240 seconds]
<Ke>
with nix generating those groups is trivial
<EmoSpice>
actually - it looks like my problems are deeper, as there's seemingly very little support for users with no entry in /etc/passwd in at least home-manager. Trying to rebuild my configuration results in some errors about /run/user/<uid>/... not existing
<EmoSpice>
nly: If you're using `users.users`, just set `users.users.<name>.group` to `<name>`
attila_lendvai has quit [Ping timeout: 252 seconds]
beertoagunfight has joined #nixos
gustavderdrache has joined #nixos
<evanjs>
On that note... is there any real difference between users and extraUsers atm? Same question for groups, etc
<EmoSpice>
Well, `users.extraUsers` is an alias of `users.users`. `users.extraGroups` are auxiliary groups traditionally. Users have one primary group and any number (I think?) of auxiliary groups.
<EmoSpice>
It looks like I misread the docs. I'm not sure the point of `users.groups`
<ij>
I have a precompiled libz.so.1 not being found for an executable that I'm trying after installing it with mkDerivation. I ran fixupPhase in the buildPhase, but it didn't help
<EmoSpice>
(and also users.extraGroups. I'm still working on my coffee...Please excuse my verbosity and stupidity)
<nly>
thanks
<sterni>
EmoSpice: you can use users.groups to add additional groups
<sterni>
EmoSpice: and you can use users.users.<user>.group to set the primary group of a user
<ij>
I think I found sandervanderbug's blogposts elaborating on what to do here
<EmoSpice>
sterni: Right. I had confused those two and explained the second as the first. The question was about the distinction between `users.groups` and `users.extraGroups`
<sterni>
EmoSpice: users.extraGroups has been renamed to users.groups
<sterni>
EmoSpice: users.users.<user>.extraGroups adds non primary groups to a user
ddellaco_ has quit [Remote host closed the connection]
rj has quit [Ping timeout: 240 seconds]
LilleCarl has joined #nixos
le0taku has quit [Ping timeout: 246 seconds]
leotaku has joined #nixos
MichaelRaskin has quit [Ping timeout: 240 seconds]
hiro99 has joined #nixos
ddellaco_ has joined #nixos
rj has joined #nixos
hiro98 has quit [Ping timeout: 268 seconds]
whatisRT has quit [Ping timeout: 246 seconds]
ruptwelve has quit [Ping timeout: 258 seconds]
hiro99 has quit [Ping timeout: 246 seconds]
rawtaz has quit [Remote host closed the connection]
rj has quit [Remote host closed the connection]
rj has joined #nixos
<pinpox>
Hi, has anyone here got hardware acceleration working with (integrated) Intel GPUs and could share his config? I tried to follow https://nixos.wiki/wiki/Accelerated_Video_Playback but firefox and wezterm both seem not to be using hardware acceleration
<noonien>
oh, that's super great! thanks for taking the time!
<LinuxHackerman>
(the first is more about migrating from a metal windows installation to the libvirt setup, the second is about GPU passthrough and performance tweaks)
<noonien>
do you stream from it? or do you have a monitor connected to the machine?
<LinuxHackerman>
monitor on the machine
<LinuxHackerman>
a colleague of mine streams from it though
<noonien>
i see, super. eventually, i'll look for some streaming apps, so i can game from my tablet/laptop
attila_lendvai has quit [Remote host closed the connection]
attila_lendvai has joined #nixos
<noonien>
to connect remotely to libvirt, do you connect via ssh, and, if so, do you connect as the root user, or your own? if your own user, does that mean you have the user in the libvirt group? is that not as bad for security as being in the docker group?
<noonien>
i want to submit a PR fixing this, however, i'm not sure what are the usual ways that other packages provide a default config file content
qyliss has quit [Quit: bye]
<noonien>
from what i remember, other packages either provide default, configurable options that end up in config files, or, sometimes, they provide a way to fully override the configuration file content.
ddellacosta has quit [Remote host closed the connection]
<BlackBeans>
Or should I install every package system-wide, like on other distros?
kini has joined #nixos
<LinuxHackerman>
BlackBeans: you can install packages as a user using nix-env, but there are some caveats to using nix-env directly
<LinuxHackerman>
,imperative
<{^_^}>
nix-env has multiple drawbacks as an imperative package manager. nix-env -u will sometimes upgrade to the wrong thing; the outputs to install are very finicky to override; and packages that have been removed or are otherwise unavailable will remain in your profile without any warnings. Consider using a ,declarative setup instead.
<BlackBeans>
yes
<BlackBeans>
this is what I wanted to do too
<LinuxHackerman>
But user-specific can definitely make sense, especially on multi-user machines
<BlackBeans>
I'm on a personal machine
<BlackBeans>
there's only my account, mine
<BlackBeans>
but I'm not sure if there would be reasons to install as user
<LinuxHackerman>
I'm also the only user of my laptop, but I do use nix-env with a declarative setup because that allows me to use the same expressions on other machines where I might not want to apply it system-wide
<BlackBeans>
I have read that nix-env is to separate environments that hold specific packages
<BlackBeans>
ok, but for example if I want to use firefox, should I install it as a user or system-wide?
ManiacOfMadness has quit [Ping timeout: 268 seconds]
<LinuxHackerman>
so if I have a machine that I don't usually work on but it has nix, I can do `nix-env -f https://sphalerite.org/dotfiles.tar.gz -iA basic` and have the tools I like with their config
<BlackBeans>
ah! that's nice
<LinuxHackerman>
It depends entirely on how you want to manage it
<LinuxHackerman>
if you want to be able to upgrade it without upgrading the whole system, install it in a user profile
<BlackBeans>
ok
<LinuxHackerman>
if you want to make sure it's kept up-to-date with the rest of the system, install it system-wide
<BlackBeans>
ok, and how can I install declaratively as a user?
<BlackBeans>
I have tried with .config/nixpkgs/config.nix, but it doesn't seem to be working
ram19890 has quit [Quit: Konversation terminated!]
<LinuxHackerman>
,declarative
<{^_^}>
There are multiple ways of managing a user declaratively. 1) nix-env -ir, compatible with "temporary" imperative use of nix-env; 2) buildEnv, providing more control over the paths that are linked into the profile; 3) home-manager, providing nixos-like config for your ~. https://git.io/fp0aU contains a comparison of the three methods and a sample expression for option 2.
<noonien>
Is there a way to fast-track very simple PRs getting merged, and perhaps backported?
EmoSpice has quit [Quit: WeeChat 3.1]
<BlackBeans>
If I want to use packages that are not in the nix repo, which one is the simplest?
justan0theruser has joined #nixos
justanotheruser has quit [Ping timeout: 250 seconds]
<SumnerEvans[m]>
It's easy to create your own packages in both home-manager and when using a global nixos config.
<BlackBeans>
ok
<gchristensen>
I should give home manager a shot for this new laptop
<BlackBeans>
on the comparison between the three methods (buildEnv, home-manager and nix-env) it says that build-env doesn't have declarative config like NixOS
<LinuxHackerman>
The other options only allow you to install packages. I apply some configuration to these packages in my expressions as well (just by installing wrapper scripts instead of the packages directly), and it is declarative, but it isn't as comfortable. I probably will switch to home-manager eventually as well
<BlackBeans>
so you recommend me to use home-manager, if I understand well?
veegee has joined #nixos
<numkem>
anyone having issues with since firefox 87 with the popup menus? like the main menu and the menu for extensions?
<gchristensen>
wayland?
<SumnerEvans[m]>
<numkem "anyone having issues with since "> On Sway?
<numkem>
for my main window they only show about 5% of them
<gchristensen>
haha SumnerEvans[m] knows what's up
<numkem>
SumnerEvans[m]: no, X with awesomewm
ddellacosta has joined #nixos
raccoonasdf has quit [Ping timeout: 240 seconds]
<numkem>
Wonder if it's related, like a bad fix or something
<LinuxHackerman>
BlackBeans: it depends on what you want, but yeah it would probably work well for you.
<BlackBeans>
my programs usually have the same dependencies, I don't think I would use the env feature a lot
<SumnerEvans[m]>
BlackBeans: I like home-manager, but like I said, it's easy to also do that declarative approach for package installation with the system-wide configuration. Personally, I like home-manager because it also handles creating my user dotfiles.
<BlackBeans>
you mean you can handle stuff like .emacs.d directly from nix configuration?
<LinuxHackerman>
yes
ddellacosta has quit [Ping timeout: 265 seconds]
<noonien>
what happens after all the PR checks are done?
<BlackBeans>
wow, that's amazing...
<BlackBeans>
no more git-half-of-home to keep one's configuration
<BlackBeans>
no more git-half-of-home to keep one's configuration over multiple machines
sangoma has quit [Ping timeout: 268 seconds]
<SumnerEvans[m]>
BlackBeans: I migrated from chezmoi over to pure Nix home-manager and I like it a lot.
<LinuxHackerman>
BlackBeans: not necessarily, only if you want to install it by using an overlay or packageOverrides (packageOverrides is the older mechanism for doing the same thing as overlays)
MatrixBot25 has quit [Quit: Bridge terminating on SIGTERM]
<BlackBeans>
so what are the other options?
<LinuxHackerman>
BlackBeans: I personally just have it lying in ~/dotfiles and install using `nix-env -f ~/dotfiles -irA desktop-full` (where desktop-full is a collection of stuff that's defined in dotfiles/default.nix)
<LinuxHackerman>
Or if it's not my laptop, I grab the latest version using the command that makes nix just fetch the tarball and build it from there
<LinuxHackerman>
that I shared above
zupo has joined #nixos
<BlackBeans>
that's the nix-env, imperative version, right?
<LinuxHackerman>
not quite, since I still declare everything I want in my nix expressions, and after applying it using nix-env -ir nothing else is installed
svrana has joined #nixos
<LinuxHackerman>
but yes in the sense that I can still install stuff after the fact using other nix-env commands
<LinuxHackerman>
with -r, nix-env will remove everything that's not specified in the install command, which makes it sort-of-declarative without completely preventing imperative use
<BlackBeans>
ok
<BlackBeans>
it essentially does the same job as home-manager, right?
<eyJhb>
Anyone has a config for wireguard in a network namespace? (bonus points if it includes systemd service that uses that namespace)
<LinuxHackerman>
BlackBeans: not quite, since it doesn't provide the nice easy wrapping
<LinuxHackerman>
it's a lot less neat than if I were using home-manager, I think :)
<LinuxHackerman>
I'd say if you want to just have a decision and not have to worry about what you choose anymore, go for home-manager ;)
<BlackBeans>
well, I'll worry about the choices I'm making in the future
<SumnerEvans[m]>
Also, there's a home-manager channel on IRC #home-manager
sumner has joined #nixos
<lukegb>
wow, sourcehut's syntax highlighting for nix configs is bad
<BlackBeans>
when I'll have understood nix a bit better
<SumnerEvans[m]>
<lukegb "wow, sourcehut's syntax highligh"> I think it's just because it's a bunch of strings...
<lukegb>
even gitlab does a better job
<LinuxHackerman>
lukegb: uuuuh yep.
<lukegb>
SumnerEvans[m]: err, it isn't, though
<lukegb>
it _thinks_ it is, but it isn't :P
<BlackBeans>
LinuxHackerman does home-manager allow you to write the actual emacs config file?
<gchristensen>
github's linguist library is open source, sourcehut could borrow it
nixusr has joined #nixos
<BlackBeans>
does github's linguist library do a better job?
ScottHDev has quit [Ping timeout: 265 seconds]
<nixusr>
Hi, I'm trying to follow the NixOS manual, but there seems to be an error pretty early on
ram19890 has joined #nixos
<gchristensen>
up to you
<LinuxHackerman>
sourcehut is open source, someone could implement using linguist :p
diamondbond has quit [Ping timeout: 260 seconds]
<nixusr>
in the UEFI configuration it says: "You must set the option boot.loader.systemd-boot.enable to true" but there is no such line in /mnt/etc/nixos/configuration.nix
<ajshell1>
I have a question. I'm looking into installing NixOS on a ZFS root. Some ZFS guides I've seen suggest creating a separate boot pool for GRUB, and Ubuntu does this when using their guided installer. Do you recommend doing this for NixOS too?
<gchristensen>
I skip it and use vfat for /boot
<lordcirth>
ajshell1, I didn't. I just have a tiny vfat EFI partition. But I'm not using ZFS encryption, you might need a separate /boot for that
<gchristensen>
you don't need a separate /boot for zfs encryption
<ajshell1>
I know that systemd-boot requires that the kernels be on the EFI partition to boot. I'm assuming that's also where GRUB will place kernel images if it isn't installed onto a separate boot pool. However, I'm under the assumption that this doesn't matter due to the way NixOS works, right?
<LinuxHackerman>
personal opinion: avoid accessing zfs from grub though :)
<gchristensen>
+1
<ajshell1>
That said, if half of what I've read about NixOS is true, snapshots of the system itself aren't really necessary (although it's nice to have for personal data)
Qwerky has quit [Remote host closed the connection]
zakame has joined #nixos
rajivr has quit [Quit: Connection closed for inactivity]
<nixusr>
also I booted virtualbox without boot.initrd.checkJournalingFS = false; and security.rngd.enable = false; which the documentation says I must add, and everything works ok
<milahu>
how can i do a regex string replace in nix? in bash i would do `res=$(echo 1.1.26.501.gbe11e53b-15 | sed -E 's/-[0-9]+$//')` to get the substring 1.1.26.501.gbe11e53b
kini has quit [Remote host closed the connection]
lukegb has joined #nixos
Qwerky has quit [Ping timeout: 240 seconds]
kini has joined #nixos
<lordcirth>
milahu, there is builtins.match and builtins.replaceStrings, but neither seem to do what you want. You might be able to combine them?
<lordcirth>
Or there might be something in the nixpkgs lib
<nixusr>
ok, i'm installing gnome 3 from the 500MB ISO
<milahu>
... so builtins.match returns a list of capture groups: `builtins.match "(.+)-.+" "1.1.26.501.gbe11e53b-15"` -> `[ "1.1.26.501.gbe11e53b" ]` ... how can i get the first item in the list?
<cole-h>
> builtins.elemAt [ "asdf" ] 0
<{^_^}>
"asdf"
<sterni>
builtins.head …
<milahu>
aah, thx : )
<cole-h>
> builtins.head [ "asdf" ] # guess that also works lol
<rg3376>
Is it possible to zip a nix closure and send it to someone? I have closure which takes hours and hours to compile and would like to send it to someone. We aren't on the same network so nix-copy-closure doesn't work.
<EmoSpice>
Is anyone using Nix on an non-NixOS system that also happens to be managed by LDAP/AD? I'm seeing myriad problems with the fact that tools installed via Nix (and home-manager, but that's not terribly relevant, I don't think) are not aware that the user cannot be looked up in, say, /etc/passwd. I'm unsure if there's a solution to this problem or what it would be if it existed.
ManiacOfMadness has quit []
dev_mohe has joined #nixos
dev_mohe has quit [Client Quit]
ddellaco_ has quit [Remote host closed the connection]
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
Lord_of_Life_ is now known as Lord_of_Life
hlz has quit [Ping timeout: 260 seconds]
<srhb>
EmoSpice: Could you come up with an example of a problematic program? I would have thought getent would be used and it'd just work on the system.
hlz has joined #nixos
ddellacosta has joined #nixos
nicoo has quit [Ping timeout: 240 seconds]
<EmoSpice>
bash, zsh, openssh
nicoo has joined #nixos
hyper_ch2 has quit [Read error: Connection reset by peer]
<LinuxHackerman>
rg3376: you can use `nix copy --to file:///tmp/my-binary-cache` to create a flat-file binary cache in /tmp/my-binary-cache, then zip that and transfer it (or use something like syncthing to transfer it more smartly) and use `nix-build --extra-substituters file:///tmp/rg3376s-binary-cache …` at the other end
ajshell1 has quit [Quit: Connection closed]
<LinuxHackerman>
rg3376: or make a public binary cache of some description and upload it there — you can just put files on a simple static HTTP server, or use an S3 bucket, or cachix
<LinuxHackerman>
rg3376: you may also want to sign the paths so that the other end can verify that you're the one who built them
orivej has quit [Ping timeout: 240 seconds]
<sshow>
What should i set my system.stateVersion to for nixos-unstable now? 21.05 or 21.05pre, or the full name 21.05pre279456.04a2b269d89 ?
<cole-h>
You should read the comment
<sshow>
cole-h: thanks. it _does_ say "did you read the comment", which I did.. but then I read it again. I guess I'll put 21.05 then :)
<cole-h>
uh
<cole-h>
the comment says "you shouldn't change this unless you know why you need to change this"
<EmoSpice>
sshow: You don't actually need to modify that variable at all.
<cole-h>
basically
ahmed_elgabri has joined #nixos
<EmoSpice>
@srhb: I suspect that the problem is that the execution environment is sufficiently isolated that it is problematic? running `getent passwd <username>` works, but the problematic programs are still...well, problematic.
sid_cypher has joined #nixos
<sshow>
I thought I might end up with incompatibilities if I didn't change that for too long
<cole-h>
no
<cole-h>
that's the whole reason it exists
<cole-h>
to limit incompatibilities
<cole-h>
e.g. if you used containers on 20.09, and changed your state version, we use a different state directory, which could potentially break your containers
<cole-h>
(I don't remember if we migrate the state dir, but I presume we don't)
<cole-h>
It's perfectly fine and recommended to leave
<cole-h>
19 # this value at the release version of the first install of this system.
<sphalerite>
system.stateVersion is "what version of NixOS was first installed on this system"
<sid_cypher>
hi everyone o/
<srhb>
Or does nsswitch affect it...
vidbina has joined #nixos
<srhb>
EmoSpice: I think essentially glibc needs to be told to get that information from sssd when nscd isn't responsible.
sangoma has quit [Ping timeout: 265 seconds]
<srhb>
EmoSpice: Whether this can be done at runtime I'm not sure
<sphalerite>
yeah nsswitch.conf should be respected AFAIU
<EmoSpice>
I wonder if our nsswitch.conf is somehow subtly wrong...
<sphalerite>
checking (on nixos so YMMV), `getent passwd linus` uses nscd if it's running, and reads /etc/nsswitch.conf itself if it's not
<sid_cypher>
anybody knows how to invalidate "cached failure of attribute" message on nixFlakes? Trying to migrate my configuration.nix, get complaint about bluetooth.nix but no --show-trace
<srhb>
EmoSpice: does it have eg `passwd: files sss` ?
<EmoSpice>
"passwd: compat systemd sss"
<srhb>
hrmmm.
Reiko2 has quit [Read error: Connection reset by peer]
<sphalerite>
aaah. Our glibc doesn't support sss.
seku has joined #nixos
<EmoSpice>
Oh. That's good to know! That's something I might be able to resolve eventually!
<srhb>
So it's nscd or bust.
<sphalerite>
and I'm guessing it will be using the nss modules from the nixpkgs glibc, and there simply is no sss module there, so it fails
<sshow>
is there a way to print out the system dependency graph/hierarchy? I'm trying to figure out why a specific package is being added to my system
<sphalerite>
either that or it tries to load the one from the host system but also fails because lol ABIs
hiro98 has quit [Remote host closed the connection]
<EmoSpice>
srhb, sphalerite: Thank you for the handholding. I was digging around for answers, but they're hard to come by if you're in unfamiliar territory.
<sphalerite>
sshow: you can use nix-store -q --graph /run/current-system to see a full graph, or `nix why-depends /run/current-system /nix/store/saidufhaisdufhasdf-gtk-3.x` to see exactly why you have a dependency
<srhb>
EmoSpice: For sure :)
<EmoSpice>
I have to run, but I appreciate the pointers. I'll see if there's anything I can dig up about how to get some more information :)
<srhb>
sshow: nix-store -q --tree might be easier to parse at a glance than --graph
EmoSpice has quit [Quit: "Headed home"]
<srhb>
(--graph is actual dot output)
<sphalerite>
I find the dot output more helpful often, because you can use plain-text search to track down dependency links
<sphalerite>
whereas for big dependency trees, the ascii-art --tree involves a lot of non-trivial eye work
<srhb>
It's fun how workflows differ :D
<sphalerite>
but I think we can agree that nix why-depends is the nicest solution, when applicable :D
<srhb>
frankly nix-tree is excellent, use that :P
<sphalerite>
or that. Especially if it's a size concern.
<srhb>
It does get a little memory heavy in why-depends mode if you analyze something everything depends on however :P
<srhb>
I think that might actually be a mem leak
<sid_cypher>
found the answer to flake evaluation cache blocking errors, "rm ~/.cache/nix/eval-cache-v2/*" helped. Sorry for the bother :)
<sid_cypher>
gotta try nix-tree by the way
<sphalerite>
much hermetic, many reproducible, wow
<cole-h>
sid_cypher: you can also run with --impure
<sid_cypher>
cole-h: somehow that seemed like a heresy to me, haha
<cole-h>
basically the same as removing the eval-cache
lsix has quit [Ping timeout: 250 seconds]
<jmercouris>
can anyone imagine why: services.xserver.videoDrivers = [ "intel" "nvidia" ]; would break GPG???
<cole-h>
you'll have to be more specific
<jmercouris>
the appearance of KDE changes slightly for me as well... I don't see why that's possible
<cole-h>
what about gpg is broken?
<jmercouris>
it says that I have no secret keys
<jmercouris>
and yet gpg list secret keys shows them
<cole-h>
"it says that" <- what is "it"?
srk has quit [Ping timeout: 260 seconds]
<jmercouris>
I'll be back in one second when I reboot the broken build
<jmercouris>
and I'll tell you exactly what it says
<ivan>
1) which of the two actually breaks it? 2) strace might help see some difference
<cole-h>
I'm more interested in what "it" is, than what "it" says
<jmercouris>
Meads
<jmercouris>
Emacs*
<jmercouris>
And Kmail
<sid_cypher>
i've had gpg-agent asking me the passphrase in a ctrl-alt-f2 vterm several times, silently waiting for input in a place i don't see :)
<jmercouris>
I just checked the other TTYs they don't show anything
<sid_cypher>
End Of File might mean the file you're decrypting is shorter than expected, maybe empty
<jmercouris>
well, I know that's not true
<cole-h>
maybe your pinentry isn't popping up?
<genevino>
Error in file "/nix/store/qf4wwhxjqvhmrc53s9bxvbj77bzi27g4-system-path/share/applications/krita_jpeg.desktop": "jpeg/jfif" is an invalid MIME type ("jpeg" is an unregistered media type)
<genevino>
o.O
<jmercouris>
pinentry is in fact NOT popping up
<cole-h>
that's where I'd start investigating. which pinentry are you using?
<jmercouris>
so my entire Qt system changes appearance when I change the graphics card drivers as well
<{^_^}>
[nixpkgs] @mweinelt pushed to revert-118719-home-assistant-tests « Revert "nixos/home-assistant: use overridePythonAttrs" »: https://git.io/JOOX7
<jmercouris>
everything becomes more transparent
<jmercouris>
when I call "pinentry-qt" from the command line it does not bring up a graphical GUI
<cole-h>
jmercouris: what if you try the following -- 1) try to run `gpg-connect-agent updatestartuptty /bye` in emacs; 2) change your pinentry to gnome2 and try that
<cole-h>
pinentry does nothing when called from the command line anyways -- it should just say "OK Please to meet you"
Reiko2 has joined #nixos
<jmercouris>
that is what it says
<cole-h>
jmercouris: sorry, `gtk2` is the flavor
<jmercouris>
OK i'll try changing it to gtk2
<jmercouris>
hm, no luck
<jmercouris>
maybe I need to reboot
<jmercouris>
let me try that
<cole-h>
(probably not)
<jmercouris>
Rebooting worked
<jmercouris>
And now the prompt looks different, but at least it appears
<jmercouris>
Thanks cole-h
<cole-h>
hm
<jmercouris>
I wonder why changing my drivers would affect gpg
<jmercouris>
Seems very random
<cole-h>
it shouldn't
<cole-h>
but
<cole-h>
technology
<cole-h>
¯\_(ツ)_/¯
<jmercouris>
:-)
<sshow>
sphalerite++ srhb++ thanks. `nix-store -q --tree /run/current-system` gave me exactly what I needed. (FWIW: python2 datadog is brought in by nixops :P)
<{^_^}>
sphalerite's karma got increased to 123
<{^_^}>
srhb's karma got increased to 147
<jmercouris>
cole-h++
<{^_^}>
cole-h's karma got increased to 0b10001110
<nixperson>
i have a question regarding root zfs encryption on a server
<nixperson>
basically, i would like to use zfs native encryption because it works better with multiple devices than running luks on everything, and im using zfs over btrfs because it has more features like per dataset compression. my best idea is to have a luks partition (because luks has much better support and options for headless encryption keys over zfs)
<nixperson>
before zfs that contains the raw encryption key used to decrypt the zfs. i would like this to be headless so no prompt or something
amosbird has joined #nixos
<nixperson>
my problem lies: how do i get zfs to retrieve the key from the unlocked luks partition (/dev/mapper/zfskey) before mounting the zpool at /
<nixperson>
thanks!
lsix has joined #nixos
<cole-h>
this isn't really nixos related
<nixperson>
it is
orion has joined #nixos
<cole-h>
seems zfs related?
<tejing>
it's not my area of expertise, but I'd guess you need to add a few custom lines to the init shell script in the initrd
<nixperson>
basically what im asking is how do i add something to nixos initrd
<sphalerite>
It's nixos's boot process :)
<cole-h>
regardless, you'd want to set the keylocation property to `file:///dev/mapper/zfskey`
<cole-h>
probably
<nixperson>
ah
<nixperson>
i have no idea how to add something to the nixos boot process; this is my first time using nix
<orion>
Hi. I am experiencing a failed build in the repl: building '/nix/store/vn5jd2pqpnf62rgsr1grmk5jlcbmaj85-docker-layer-fullnode.drv'... No contents to add to layer. /private/tmp/nix-build-docker-layer-fullnode.drv-0/.attr-0: eval: line 19: syntax error: unexpected end of file
<srhb>
nixperson: If you can't do it directly there's a bunch of places you can hook into the initrd under boot.initrd pre/post
<srhb>
nixperson: But you'll likely not need that if there's a good option for specifying the key location
<orion>
The tmp directory is deleted before I can inspect it. Does anyone know how I can go about troubleshooting this?
<cole-h>
add -K
<cole-h>
it will keep the temporary directory
<orion>
nix -K repl ?
<tejing>
nixperson: there are configuration options that allow you to put arbitrary shell commands into the boot process at various points, though based on what cole-h said, I guess that isn't necessary for this
<tejing>
nouveau is much more in keeping with how this stuff is supposed to work in linux, but the performance is very noticeably worse
<cole-h>
for stuff like gaming sure
<sphalerite>
,tell EmoSpice so the way NixOS "solves" this is by running nscd with an LD_LIBRARY_PATH including the lib directory from the sssd package (which contains the relevant nss module) — and nss modules from outside glibc aren't supported in any other way. It's correctly commented as "hacky" in the implementation :D If you can get nscd set up on your host system, it should hopefully make nss resolution
<{^_^}>
sphalerite: I'll pass that on to EmoSpice
<sphalerite>
in nix packages work correctly.
<sphalerite>
srhb: ^
<srhb>
sphalerite: Thanks!
<tejing>
cole-h even just for stuff like web browsing or picom-composited desktop effects, the difference is enough to matter
<jmercouris>
how to clear all the generations but the current one?
<jmercouris>
e.g. get them out of grub etc
<jmercouris>
I have: nix.gc.automatic = true; nix.gc.options = "--delete-older-than 10d"; in my configuration file
<jmercouris>
but I want to perform the operation now to remove all but the current generation
<tejing>
nix-collect-garbage
<tejing>
with an option
<tejing>
I don't remember it off the top of my head
<cole-h>
tejing: on Wayland, it's not (for me, at least)
numkem has joined #nixos
<jmercouris>
could it be "--delete-old"?
beertoagunfight has joined #nixos
<tejing>
yeah, or just -d for short
<jmercouris>
thanks
<tejing>
cole-h: well I haven't tried wayland. my experience with nouveau is mostly just from when I hadn't reworked my config to use nvidia after switching some stuff
beertoagunfight has quit [Client Quit]
<cole-h>
yeah, it was pretty bad on X11, which is why I switched to Wayland
vidbina has quit [Ping timeout: 246 seconds]
<srhb>
jmercouris: fwiw grub cleanup happens at activation (it deletes all but the existing generations)
<jmercouris>
At activation?
<srhb>
Not activation, sorry, but eg. sudo nixos-rebuild boot
<jmercouris>
Ok
<jmercouris>
Thank you
<cole-h>
jmercouris: btw you could also try the gnome3 flavor of pinentry. I just use gtk2 because it works well in both tty (e.g. over ssh) and in graphical environments
<jmercouris>
I went back to qt and just disabled nvidia it was causing problems with my programming
<cole-h>
ah, ok
<jmercouris>
I still can’t get grub to clean up
<jmercouris>
Is there no explicit way to do that?
<jmercouris>
I did the garbage collect, and then a rebuild boot and rebuild switch
<jmercouris>
no luck in either case
<srhb>
jmercouris: Are the generations really gone?
eacameron has joined #nixos
attila_lendvai has quit [Ping timeout: 260 seconds]
<srhb>
ls -d /nix/var/nix/profiles/system*
Reiko2 has quit [Read error: Connection reset by peer]
<nixperson>
does nix have any sandboxing abilities for packages?
<nixperson>
like permissions
<gchristensen>
nix doesn't have a runtime like that
<MichaelRaskin>
This sounds more like firejail / nsjail / bubblewrap (which are packaged)
<milahu>
https://github.com/NixOS/nixpkgs/pull/119367/files -> FIXME attribute 'version' missing -> (why) is `pkgs.spotify` not eval-ed at this point? ... or how can i get the version of a stdenv.mkDerivation buildInput?
turlando has quit [Ping timeout: 240 seconds]
Qwerky has joined #nixos
<simpson>
There are also kernel-level restricted-computation tools. I know that we have the Linux-specific BPF utilities packaged somewhere, and if we ever come to support FreeBSD then we get access to their Capsicum implementation.
kini has quit [Remote host closed the connection]
<milahu>
(assuming i dont want to pin the spotify version)
<cole-h>
milahu: try using pkgs.spotify.name and strip off the `spotify-` prefix
<nixperson>
because it seems like nix solves mostly everything flatpak solves except for: sandboxing
<srhb>
nixperson: Not really, and I feel like that's (rightly) out of scope of nix itself. Though it's easy enough to _generate_ various sandboxable environments.
<nixperson>
how so
<genevino>
nixperson: depends on what you're trying to do. if what you want is to walk from a to b, a wall might not be the best thing to put in between.
<cole-h>
because nix's scope is essentially hermetic builds, not hermetic runtimes
<srhb>
nixperson: As in generating containers or flatpaks etc.
fresheyeball has joined #nixos
<nixperson>
ah
<srhb>
nixperson: Leaving the runtime up to, well, whatever runtime.
<milahu>
MichaelRaskin, cole-h: using pkgs.spotify looks cleaner
<srhb>
nixperson: I really like that that's not a nix concern.
<cole-h>
milahu: then you'll want to use `parseDrvName` instead of using a regex capture group
<MichaelRaskin>
Me, sandboxing a ton of stuff on a Nix-managed system: I really like that sandboxing is per-launch, not per-build
<genevino>
i mean that's not the problem nix solves, that's correct, if you want to sandbox your stuff, use a sandbox, nix will still be happy to set that up for you if you tell it to.
<simpson>
nixperson: It might help to view sandboxing as fundamentally incomplete WRT the typical threat model. After all, sandboxed execution *can* escape, which is sort of a definitional problem.
<nixperson>
MichaelRaskin: how did you implement it
<srhb>
nixperson: In some ways NixOS implements sandboxing on top of Nix (by being an executor of various systemd stuff which may include various sandboxing) -- which again feels like a good separation of concerns.
<MichaelRaskin>
nixperson: A bit of Common Lisp code generating POSIX Shell code launching nsjail with correct parameters and also socat to pass through the specified subset of connectivity…
<nixperson>
simpson: i heard that linux namespaces have a relatively large attack surface compared to something like freebsd jails. is that true?
<simpson>
Rather, we want to imagine restricted execution as stemming from the program being written in ways which make it *impossible* to exercise certain capabilities. Unfortunately, typical CPUs can't help us with this, so we can only do this by writing code in sufficiently safe languages, or using kernel-level restricted runtimes.
malook has joined #nixos
<simpson>
nixperson: Yes. Linux namespaces are not an all-in-one restricted-execution environment. They can be used to build sandboxes, though. TBH I don't know whether jails truly restrict execution either; think about the difference between paravirtualization and emulation.
<MichaelRaskin>
nixperson: not sure what is the proper way to compare attack surface (in both cases most syscalls are technically available), but Linux namespaces were designed in relatively late, so it took a lot of time to stop catching logic bugs all the time
<MichaelRaskin>
With FreeBSD jails this time has started ticking way earlier, of course.
<genevino>
bsd jails are pretty awesome, no question.
ram19890 has quit [Ping timeout: 240 seconds]
<MichaelRaskin>
With absolute threat models, of course, you should always wonder what is more depressing: that speculative-execution-fuzzing of Intel CPU instruction decoder _works_, or that it _finds_ something interesting…
<nixperson>
MichaelRaskin: how much time or effort does it take to setup something similar to your implementation of sandboxing on nix and is there a guide for it?
malook has quit [Client Quit]
<MichaelRaskin>
Well, I am not sure what subset of it is even compatible with running systemd…
<MichaelRaskin>
Like, how many hours are you willing to invest into trying to separate what you want into something usable on NixOS? If the answer is at least double-digit, we could work together on cutting things up…
<nixperson>
honestly it would be nice to have something set up in 5 minutes which is why i use flatpak right now
exfalso has quit [Ping timeout: 240 seconds]
<nixperson>
sandboxing can also be a mental health thing though; having stuff that restricts applications and binaries lets me know that there is at least something there that might aid in stopping a possible attack
<MichaelRaskin>
nixperson: that's all complicated and conditional (although the weirder the sandboxing, the more chances that script-kiddie attacks just steal all the glorious contents of an empty $HOME)
<MichaelRaskin>
But the mental health angle comes from another direction, I'd say: this damned program does not get to have hidden persistent state anymore