<matthewcroughan>
My desire is to make an embedded system. I would build an iso for this system like `nix build github:matthewcroughan/nixcfgs#embedded-system`, the output should be an iso image that I flash to a disk.
<matthewcroughan>
mic's nixos-aarch64-images provides a way of doing that, more or less.
<matthewcroughan>
colemickens: In your flake, you define a function called mkSystem, it takes 3 args. pkgs, system and hostname. But I don't see you do anything with pkgs, what is that about?
<matthewcroughan>
gcc gets its version number somehow at compile time, there's probably no way to purely nixify it
<matthewcroughan>
common problem really
Qwerky has quit [Ping timeout: 260 seconds]
<matthewcroughan>
like, imagine that the cmake file for gcc uses a curl script to set the version number, nix couldn't deal with that, it probably does something weird
<colemickens>
matthewcroughan: I do have a quip about `nix build ".#self.config.system.build.singularity"`. imagining my life as a reproducible set of states/events. :) but as far as I know I'm no escapee from Westworld!
<pennae>
matthewcroughan: have you seen the term "target triples" in compilers? (not that we know that that's the origin, but they look suspiciously like that)
<dxb[m]>
wrkzk: what're you trying to achieve by putting lua there?
syhn has quit [Ping timeout: 250 seconds]
<wrkzk[m]>
I am trying to install a custom package from luarocks
<wrkzk[m]>
I used luarocks-nix to create the derivation
<wrkzk[m]>
I'm not sure if Im doing it correctly though
<dxb[m]>
put it in systempackages as something like `(import ./path/to/lua.nix)`
syhn has joined #nixos
<pennae>
wrkzk[m]: the lua you're looking for is probably an attribute of pkgs
haijuno has quit [Remote host closed the connection]
haijuno has joined #nixos
<pennae>
or what dxb said if you have an entire file, yeah
<tomberek>
Would love a look at 119517. Worried it and the service module can become stale. I'd like to have those packages enter into a more regular cadence of simple version bumps rather than refactors
<slyphon>
hey all, i just ran into this issue https://github.com/NixOS/nix/pull/4634 trying to install neovim. I see that it was merged, but i'm a total newb at nix, how do i get this fix in my local install of nix?
xkapastel has quit [Quit: Connection closed for inactivity]
stree has joined #nixos
<tomberek>
slyphon: update your nix with a version past that point (unless you are on nixos with a nix-daemon running?).
<slyphon>
nah i'm on centos 7
<slyphon>
how do i update my nix with a version past that point? I'm sorry i know that's a really basic question, but i just installed using the curl-into-sh thing in the instructions
<slyphon>
i'm just getting my bearings and reading the "ubuntu cheatsheet" wiki page to figure out the commands
<tomberek>
okay, one sec..... you're trying to install a specific nix version, right?
<slyphon>
i think so? i want to update to the point where this change has been merged
<slyphon>
rather where i'm running nix that has this fix in it
<slyphon>
i made a gist ^^ above of the output of nix-info if that helps
<tomberek>
not sure what channel you are on, but easiest would be something like directly installing the version you want: nix-env -if https://github.com/NixOS/nix/tarball/master
<atralheaven>
packages are isolated and atomic, which is great, what about configurations? are they stored separately for each package/version?
<atralheaven>
how configurations are managed, generally?
thomasjm_ has quit [Read error: Connection reset by peer]
<colemickens>
atralheaven: depends on what configurations.
<evils>
i think you're asking about the nixos modules
thomasjm__ has quit [Read error: Connection reset by peer]
<colemickens>
atralheaven: things configured via nixos modules are part of the system generation
<atralheaven>
I mean package configurations, not os related ones
<colemickens>
atralheaven: if you just install vlc and use it, no, it's just gonna write out random dotfiles wherever
<colemickens>
atralheaven: some applications can be configured via `programs.<foo>.....` in which case a config file is built as part of the generation and symlinked in place
<colemickens>
atralheaven: home-manager adds similar declarative (and thus profile/generation) support to MANY more "user-y" applications
meh` has quit [Ping timeout: 240 seconds]
fendor has quit [Remote host closed the connection]
<colemickens>
atralheaven: for example, basically every single thing I use on a linux system is handled declaratively through nixos+home-manager
<colemickens>
random things fall through the cracks though (for example, I might not have `htop` configured, but I have it installed, it writes out some config by itself that is thus not managed by the profile/generation)
<etu>
colemickens: htop configuration through home-manager is great though :)
meh` has joined #nixos
<colemickens>
I mean, I do have it ;)
fendor has joined #nixos
<colemickens>
home-manager is just delightful
<atralheaven>
how does it work, basically?
<Kinnison>
colemickens: periodically sweep ~/.config etc. for non-symlinks and home-managerify them?
* Kinnison
is in the early days of home-manager and finds himself having to do that every now and again
<colemickens>
yeah, and/or just checking h-m before randomly installing stuff, always amazed at what the community has already added
<colemickens>
atralheaven: that's a big question, can you narrow it down a bit
<etu>
Kinnison: I just run tmpfs for / and /home so I realize what's not included/symlinked after each reboot :p
<Kinnison>
I'd get sad if random files I'd dropped down in ~ vanished on a reboot
<atralheaven>
currently my problems are more related to configs than packages themselves, if I can have some sort of snapshots of application-related files like configs, it would make my life easier
* Kinnison
is still exceedingly early in his nixos life though
<colemickens>
atralheaven: sure, just take a peek at the home-manager documentation
<etu>
Kinnison: It pushes you to have discipline of where you store things :p
<colemickens>
atralheaven: you use the nixos module system to configure your applications, then home-manager "renders" that into config files that are then symlinked into your home dir
<Kinnison>
etu: so do you end up with a ~/crap folder which isn't reset?
<Kinnison>
etu: Also do you preserve things like ~/.local ?
<etu>
Kinnison: Yes, it's called ~/Downloads
<etu>
Kinnison: Some specific paths yes
<Kinnison>
etu: and as for / being tmpfs -- I assume /etc is persistent?
<Kinnison>
etu: or is it just /etc/nixos ?
<colemickens>
etu: I uh, I want to be the kind of person that can do that but I already curse myself enough from throwing stuff in /tmp and then rebooting, god forbid all of $HOME
<Ke>
you don't need either
<etu>
Kinnison: /etc/nixos is bindmounted to a persistent volume, /etc isn't needed :p
<colemickens>
I've had "erase my darlings" on the back burner todo for forever. or at least the version that maybe snapshots and then applies the blank snapshot so I can cry less
<colemickens>
but the nixos manual might be an even better place to start if you have no idea what's going on under the covers :)
<Ke>
I have only /nix, /mnt/persist and /tmp
<euank>
and at the end, running home-manager will take that nix expression, create configuration files, and symlink them into place. This also includes managing $PATH, other session variables, bashrc, systemd --user services, etc
<atralheaven>
man that's awesome
<euank>
The goal is that you can then check in the .nix file, and when you run it again, you'll get the exact same result
<Ke>
oh, I do have /home, but only because I'm lazy
<euank>
home-manager includes a lot of existing programs / modules for specialized "translate this nix config into this program specific config", but you can also shim in files, with things like `home.file.".docker/config.json".text = # file contents`
<euank>
which all taken together ends up making it reasonable to represent pretty complicated configs pretty well with all the usual benefits of the nix language (declarative / pure / reproducible, unless you go out of your way to do impure things)
<euank>
Hopefully that description of it helped a little. I'd mostly just recommend playing around with it to get a feel for it, or poking through the docs + some people's home.nix on github
v0lde[m] has quit [Quit: Idle for 30+ days]
contrun has quit [Quit: Idle for 30+ days]
aiden[m] has quit [Quit: Idle for 30+ days]
<evils>
colemickens++ Kinnison++ euank++
<{^_^}>
colemickens's karma got increased to 62
<{^_^}>
Kinnison's karma got increased to 1
<{^_^}>
euank's karma now has 2 digits!
<atralheaven>
is nixos relatively lightweight/minimal by default in a fresh install?
hiro98 has quit [Ping timeout: 252 seconds]
berberman_ has joined #nixos
<etu>
atralheaven: It can be, and not just in fresh installs, it depends on your configuration and what you have installed.
<euank>
What a default / fresh-install is is a little less well-defined. iirc the 'configuration.nix' that 'nixos-install' generates doesn't even enable X, so I'd say it's pretty minimal...
berberman has quit [Ping timeout: 260 seconds]
<etu>
atralheaven: And in NixOS it's actually easy to go back, wipe out, and go back to a near "fresh-install" state (compared to other distros)
<euank>
but you're also expected to edit configuration.nix during the install before it's considered done, so again, not really a clearly-defined default.
<Kinnison>
etu: Hmm this ephemeral / thing seems quite plausible to me, and since I'm early in my journey it might make sense to do it before I get too deep
<Kinnison>
etu: why did you need special consideration for legacy boot, was it just wrt. partition formats ?
<etu>
Kinnison: To me it's actually easier in many ways, sure, when I start using a new application I have to discover how/where it stores things, but when I've put the care into mounting/linking it it's easier to backup and keep track of what files I actually care about :)
<atralheaven>
hmmm so let's say I have nixos and I want to install it on another machine, if I use the exact same configs, I'll get the same os "state"? I mean, the os "state" is only dependent on config files?
<etu>
Kinnison: Because I've got enough questions on how to do that even though it's just partition formats and types, I should merge those two posts because it's pretty much the same.
<etu>
atralheaven: Correct
<Kinnison>
etu: Okay, cool. My auto-setup stuff copes with both, so I could just wire that bit in, no problem
* Kinnison
was worried there'd be other gotchas
kshaa has quit [Client Quit]
ddellacosta has joined #nixos
exondation has quit [Ping timeout: 260 seconds]
<eyJhb>
Kinnison: Come join us ;) ;) It is quite a nice thing to do. I just need to switch a couple of VPS over to it as well + my router.
<thblt>
atralheaven: there may be a few edge cases, the most fundamental one being partitioning, though. It's common for NixOS configs to be split between config and hardware-config, the former importing the latter. Hardware-config, obviously, is per-machine.
exondation has joined #nixos
<atralheaven>
thblt: the separation makes complete sense
<euank>
.. also the predictable names of ethernet devices in `networking.interfaces.enpxxx` :(
<Kinnison>
eyJhb: I think ephemeral / is much more plausible for me than ephemeral /home for now
<atralheaven>
so the whole os would be like a program written with only pure functions, I didn't think that could even be possible, considering how different things usually are on operating systems
<eyJhb>
Kinnison: I just run with / and /home, + NOEXEC/NOSUID except for /nix/store and /nix-builds, because some builds require it... My server at home is running with /, and I have nothing in my home folder anyways, since it is a server. If that made sense.
<thblt>
atralheaven: not much, if you know basic Linux administration. Nix, obviously.
<atralheaven>
great! I'll try it in few days, thanks for your help!
<Kinnison>
etu: so apart from the persistent SSH keys, and machine-id faff that looks fairly straightforward for me to adjust my installer with. I may give that a go in a test VM on a branch of my config
<eyJhb>
Just looking at Minecraft qyliss, and they give the hashes as sha1... :p
<eyJhb>
Which is, annoying...
<qyliss>
,tofu eyJhb
<{^_^}>
eyJhb: To get a sha256 hash of a new source, you can use the Trust On First Use model: use probably-wrong hash (for example: 0000000000000000000000000000000000000000000000000000), then replace it with the correct hash Nix expected. The library functions lib.fakeSha256, lib.fakeSha512, lib.fakeHash are available for this.
<qyliss>
ime we don't usually pay much attention to hashes from upstream
<eyJhb>
Shouldn't tofu be updated with the syntax sha1- , sha256-, etc?
<qyliss>
no, we're not making any effort to prefer those yet
<qyliss>
because stable Nix doesn't generate SRI
<eyJhb>
Ahh. okay :) Thanks!
<eyJhb>
qyliss++
<{^_^}>
qyliss's karma got increased to 0b10000110
<qyliss>
(but using them is fine too -- just use whatever's most convenient to you when changing the hash)
mniip has joined #nixos
jesystani has joined #nixos
<orion>
Thank you! (Whoever reset the build)
<pie_>
qyliss: i kinda feel like fakehashes should be builtins
<pie_>
qyliss: having to import lib is a bit of a pain sometimes iirc
<qyliss>
pie_: if you're doing it a lot, you can use an editor macro
ddellacosta has joined #nixos
<qyliss>
In emacs I do C-u 52 a
<qyliss>
(which generates 52 'a' characters, which is a valid base32 hash)
<qyliss>
I assume most editors have a way to repeat a character N times; vi and kakoune certainly do
<Schicko>
Are the cached pre-built binary packages in https://cache.nixos.org/ always built with glibc, or are there cached packages that are built with other libcs too, for instance musl? If so, how might I use nix to install packages built with musl? Would I just run `nix-env -i <package> pkgsCross.musl`? Or would I need to somehow need to use the `pkgsMusl` attribute?
ddellacosta has quit [Ping timeout: 260 seconds]
supersandro2000 has joined #nixos
<Schicko>
Or I guess `nix-env -iA nixpkgs.<package> pkgsCross.musl`. Is that right?
<__monty__>
Schicko: I think you use `nixpkgs.pkgsMusl.whateverPackage`.
<qyliss>
I don't think they get cached though
zupo has joined #nixos
<__monty__>
Not sure whether they're cached.
zupo has quit [Client Quit]
<Schicko>
Ah thanks, so I guess that would build it from source since it isn't cached, right?
<pie_>
i don't think nix exposes any way to fiddle with the sandbox on its side (id love to be proved wrong), but maybe one could modify the build environment as a tenant in it, in which case, good question if we have any tools for that
<lukegb>
Frosku: aaiu you're not trying to invoke perlbrew inside a Nix expression, right?
<lukegb>
Just on your system
<Frosku>
lukegb: Just in bash, not in a nix expression
<handerpeder>
I'm trying to deploy services using nix to a non nixos server. lets use postgresql as an example. getting the binaries on the server is a breeze but it's pretty annoying having manually set up systemd service files. nixpkgs contains expressions for generating these on nixos. shouldn't these be usable outside of nixos as well? how can I generate these to a file outside of nixos?
<qyliss>
I think there might have been a NixCon talk about that
<handerpeder>
qyliss: you replying to me?
<__monty__>
What are the conditions for the error that an output is not allowed to refer to certain paths?
<eyJhb>
Frosku: This is very very specific for NixOS, and it shouldn't be handled like that. You should patch the sourcecode, and add direct paths into the nix store
<eyJhb>
Let me try to get you an example.
ddellac__ has quit [Ping timeout: 252 seconds]
<Frosku>
eyJhb: They already do that for other distributions. /usr/bin/pwd is only there to support Arch.
<Frosku>
I know how it *should* be done, which is to use the output from `which pwd`, but that breaks taint mode and perl hates breaking bc
<eyJhb>
No, it would not be `which pwd`.
<gchristensen>
Frosku: again, the ideal way to fix this is by patching it
<Frosku>
gchristensen: OK, how can I patch it when using perlbrew on command line to install multiple versions? Or alternatively, does someone want to maintain every version since 5.08 in nixpkgs? :P
<eyJhb>
gchristensen: Don't we discourage the use of substituteInPlace, and use `.patch` instead?
<eyJhb>
Frosku: That's not the Nix way :p If you use perlbrew, then you are outside of the nixpkgs eco-system, and pretty much on your own :)
<eyJhb>
But I think someone else is much qualified to answer about perl specifically. But that PR should not be merged in any case
zebrag has joined #nixos
<eyJhb>
gchristensen: Is there any place to read on when it is OK and when it is not?
<Frosku>
eyJhb: Which is why I sent a PR to perl, not to nix...
<eyJhb>
Frosku: Yes, it should not be merged by perl either.
<qyliss>
eyJhb: IMO you have to make a judgement call about which is likely to be more maintainable
<Frosku>
So you're offering me no way to manage older perl versions, which perl devs need tested when I release cpan packages, but also saying perl shouldn't offer it either?
<qyliss>
eyJhb: substituteInPlace/sed are more flexible, but are more likely to go wrong, and will also at most emit a warning if they change nothing at all
<eyJhb>
Frosku: Did you read the part where I stated, that I am not qualified to answer NixOS + Perl questions, but qualified enough to know that is NOT the way? It is a basic thing, that should not be done like that, in any way. What you are trying to get merged is just a hack.
<Frosku>
eyJhb: It's not helpful to say "that's not the way" without saying what is.
<Frosku>
And "don't use perlbrew" isn't an answer.
<qyliss>
Frosku: a fix that doesn't use NixOS-specific paths would be to have it search PATH
<qyliss>
I think that would probably be acceptable to everyone
<qyliss>
here, at least
<Frosku>
That would break taint mode
<Frosku>
Would never get merged without a major version bump.
<qyliss>
because it would be looking at a string from the environment?
<Frosku>
The thing is, the way I'm doing it is how it has been historically handled by p5p maintainers. I know it's a hack, but the non-hack options break taint mode, which wont be deprecated until 7 and probably wont be deleted until 8.
<qyliss>
that said, Perl wouldn't be the first to have its build system use NixOS-specific paths. I think Rust's already does.
zgrep has joined #nixos
<Frosku>
Yeah, it's just to get past taint-mode. I know it's not the right way to do it in a scenario where we don't have to account for taint mode.
<eyJhb>
But I guess then it should be mentioned in the PR that it is in fact, a hack and should be removed at some point
<eyJhb>
Also, feel free to include a link to the logs here in IRC. Always helpful
<qyliss>
Those paths were (AIUI) chosen specifically so that they wouldn't be hardcoded anywhere, but now we're getting popular enough that people are hardcoding them specifically for NixOS compatibility!
<qyliss>
Frosku: a Nixpkgs overlay that packages old Perl versions would be another good thing, but I don't think it exists at the moment (and I'm not telling you you have to make one!)
<eyJhb>
Generally I would kill for something, that would allow one to chose any version, of any package, at any point...
<Frosku>
qyliss: I may well do something like that at some point, when I'm more comfortable in nix.
slac19827 has joined #nixos
<Frosku>
I'm definitely far more familiar with perl than with nix :D
<pennae>
is there a good way to clear the serial backlog in a vm test (to wait only for stuff that hasn't been printed yet) other than logging a uuid and waiting for that?
<eyJhb>
Frosku: Remember to take notes of all the nice hacks you learn in Nix!
<__monty__>
eyJhb: Yes. I've started just keeping versions and hashes in my personal expressions. If I add an argument I could use that to select the version I want.
<Frosku>
qyliss: I'd want to know that there's some kind of userbase for it though, beyond me. Perl isn't the trendiest of languages these days but it's still a very capable one.
slac19827 has quit [Remote host closed the connection]
<eyJhb>
__monty__: A tool that could "autofind" whatever version one needed would be sooo cool.
<qyliss>
I know a few NixOS users who are Perl fans
orivej has quit [Ping timeout: 240 seconds]
slack1256 has quit [Ping timeout: 252 seconds]
<qyliss>
although I'm not sure how many of them actually write Perl day to day any more
<eyJhb>
I.e. give it a specification of all the specific versions you want, and it could find the SHAs of Nixpkgs, which has the most files in common to reduce the size
Alex84 has joined #nixos
<__monty__>
That sounds like a gargantuan task from what I've gleaned of cabal development.
<simpson>
MysteriousSilver: Is it doing nothing, or thrashing? Does your RAM and swap usage climb out of control?
<qyliss>
MysteriousSilver: Nix evaluation can use a lot of CPU and memory
hyper_ch2 has quit [Ping timeout: 260 seconds]
ddellacosta has quit [Remote host closed the connection]
<MysteriousSilver>
simpson: the shell command runs well, i am just not able to use other applications in the meantime due to heavy resource usage. qyliss: ah okay, i just wanted to know if it's normal
<{^_^}>
curl/curl#593 (by kamermans, 5 years ago, closed): Curl is trying to use IPv6 when it is not usable
ram19890 has quit [Quit: Konversation terminated!]
<bgamari>
l33[m], that doesn't look like the same issue to me
<bgamari>
that appears to be a name resolution issue
<bgamari>
name resolution is working fine in my case
<l33[m]>
it is from the department of quick googling..
<bgamari>
fair
<l33[m]>
in that case it is unrelated.
<l33[m]>
i think wireshark will be your friend.
<bgamari>
yeah
sangoma has joined #nixos
<l33[m]>
a very long time ago, i hung like this, but it was about supported cipher sets, the server has a restricted set of ciphers, and the client didn't have or didn't want to support what the server was offering.. this code has changed a lot due to lot of cipher downgrade attacks...
<l33[m]>
that's the first thing i'd check...
vidbina has joined #nixos
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<KarlJoad>
I want some additional features out of my Emacs which require build-time configuration. How should I go about overriding these build options?
<eacameron>
Is a private nix cache really necessary in general? Aren't Nix cache URLs unguessable?
<simpson>
In the formal sense, yes, they're unguessable, with a hardness of ~256 from SHA-256.
<simpson>
I don't actually grok why folks want private caches, but I don't grok a lot of business decisions.
zakame has joined #nixos
dev_mohe has joined #nixos
dev_mohe has quit [Client Quit]
<ehmry>
eacameron: is it a problem if people probe for what you have cached?
<ToxicFrog>
Regulatory requirements; wanting a cache inside your business network so it can be quickly replicated to satellite offices; wanting a cache that you can store proprietary stuff in.
<eacameron>
ehmry: Yes that would be a big problem if you didn't want people to actually have access to your stuff.... but AFAIK all you have to do is disable listing.
<simpson>
ehmry: *Is* there a cap-aware way of discussing that particular problem? We can use #erights if it's not on-topic for Nix stores.
<eacameron>
ToxicFrog: I mean a public cache is the easiest thing to replicate.
<simpson>
eacameron: I think ehmry is talking about the scenario where an attacker knows a vulnerable version of a package, builds it locally and so learns the unguessable hash, and then probes caches to see if a cache has that particular hash with a timing-based attack.
<eacameron>
ToxicFrog: Proprietary stuff... yes that's exactly the issue here. But at some point "guessing a hash" and "hacking into your VPN" are indistinguishable from a security perspective I'd imagine.
<simpson>
This problem's endemic to content-addressed storage, so I wouldn't be surprised if it's fundamentally unfixable.
<ehmry>
^ yes, that will be a problem with ipfs
<ehmry>
someone else brought this up at the first nixcon
<simpson>
Yes, hacking into a VPN has an unguessability requirement and threshold; cryptographic encoding is generally unguessable.
<ToxicFrog>
eacameron: yeah, but it's easier to have a blanket policy of "our internal tools aren't allowed to be stored off-corp" than to add a bunch of exceptions based on the security properties of where you're storing them
Alex84 has quit [Quit: Connection closed]
<ToxicFrog>
and if you control the cache that also means you don't need to worry about the administrators of the cache itself being malicious
<simpson>
However, a VPN's keying mechanism can usually rekey or bump nonces (and sometimes *has* to do it) on a regular schedule, while content-addressed storage can't exactly change the content without ruining the entire point of content-addressability.
<ehmry>
simpson: if you really want private caps you could salt the path hashes
<eacameron>
ToxicFrog: True true. At this point we use GitHub Actions.... so our cache is probably the least of our worries :P
<eacameron>
simpson: ehmry: What exactly is the attack here? Knowing that a vulnerable package exists doesn't buy you much...
<ToxicFrog>
eacameron: yeah, I'm used to companies where everything is built and cached internally and often there are government regulations requiring us to do that -- the entire commit-to-execution path has to be internally auditable.
<eacameron>
ToxicFrog: How do you secure your Nix cache?
<ToxicFrog>
Both to ensure it's not tampered with and ensure no-one *else* gets to look at it without proper authorization, which you can't guarantee if you're sticking it in a public content-addressed store.
<ToxicFrog>
Oh, we don't, nowhere I've worked has used nix
<ehmry>
eacameron: if the cache is private it might imply that the vulnerable package is running somewhere
<eacameron>
ehmry: Oh you mean someone can discover that there's a likelihood that you're actually using the vuln package.
urkk has joined #nixos
<simpson>
eacameron: Exactly. For example, I might know that there's an OpenSSH server vuln, and I could check to see if you happen to be using a vulnerable version. I could "store spray" somewhat by building many different flavors of the vulnerable package, generating many different candidates.
mkaito has joined #nixos
<ehmry>
or a cache could be probed as part of business espionage
<ehmry>
(I'm not sure what kind of conversation I walked into here)
<eacameron>
ehmry: The perfect one. "How are public nix caches insecure?" basically.
<ehmry>
well public caches are secure if you trust what gets put into them, and if you don't then you could make a private cache and hydra
ahmedelgabri has joined #nixos
zebrag has quit [Quit: Konversation terminated!]
<eacameron>
I mean, "secure" in the sense that you don't leak company secrets.
zebrag has joined #nixos
sebbadk[m] has quit [Quit: Idle for 30+ days]
<simpson>
Right, "secure" doesn't mean much. What we really care about is the threat model, the exfiltration channels, the possible operations, and the things we don't want to have happen.
<ehmry>
in this case it would be nice to have a caching nix proxy cache, and fill it from tor
erasmas has joined #nixos
proofofkeags has joined #nixos
zebrag has quit [Quit: Konversation terminated!]
justanotheruser has joined #nixos
growpotkin has joined #nixos
<eacameron>
ehmry: Can you explain?
zebrag has joined #nixos
ahmedelgabri has quit [Ping timeout: 260 seconds]
gentauro has quit [Read error: Connection reset by peer]
<ehmry>
eacameron: a cache in your network that fetches cache misses from the public cache, but over tor
<eacameron>
ehmry: Oh hah. How would that help?
gentauro has joined #nixos
<ehmry>
you would still get the cached packages but the public cache wouldn't know where the requests are coming from, if you don't trust the the public cache not to store metadata
abathur has joined #nixos
<ehmry>
I've thought about writing a caching nix proxy but the current cache is just so fast
<eacameron>
ehmry: Oh. If you don't trust the public cache then why would you use it at all?
<simpson>
Two kinds of trust: Trust to deliver the correct bytes, and trust to not keep metadata on requests.
<simpson>
One of those is auditable by the caller, but the other is inherently a trust-me-Trent situation.
<ehmry>
FWIW I trust the public cache in both regards
<ehmry>
well, just like everyone else
<eacameron>
simpson: I guess I'm thinking that a server might be tracking me, how do I know it's not also signing bad builds with the signature I trust?
<eacameron>
simpson: I suppose if *I* uploaded those signed builds...
<simpson>
eacameron: We can borrow some zero-knowledge proof theory. Suppose that the cache server issues every cache request; we're not concerned with whether proxies lie. Then, the cache server only has to be caught *once* with misbehavior in order for its entire userbase to run away.
<simpson>
This means that a user doesn't have to challenge very many packages; they can pick logarithmically few test packages, rebuild them locally, and confirm that the hashes match.
<simpson>
eacameron: https://web.mit.edu/~ezyang/Public/graph/svg.html demonstrates a classic zero-knowledge toy. This proof has the same principle: you only need to make relatively few queries to be relatively sure, and if the prover *ever* lies, then it's game-over for them.
<eacameron>
simpson: Awesome! I've had to work with zkSNARKS a bit but never thought of using it for this.
whatisRT- has quit [Ping timeout: 252 seconds]
<simpson>
ehmry++
<{^_^}>
ehmry's karma got increased to 1.0
<ehmry>
there goes my chaotic-neutral alignment
whatisRT has joined #nixos
<simpson>
eacameron: It's more about the zero-knowledge principle than the particular SNARK encoding. Here, the prover claims to have a large Nix store, impossible for a user to scan due to sheer size. Sometimes these are called Merlin-and-Arthur problems because of the differential in abilities.
wallacer has quit [Ping timeout: 250 seconds]
<KarlJoad>
Why would `emacs.overrideAttrs (oldAttrs: rec { withXwidgets = true; nativeComp = true; })` fail to have the related configure flags set?
mkaito has quit [Read error: Connection reset by peer]
stree has joined #nixos
beertoagunfight has joined #nixos
cole-h has joined #nixos
wallacer has joined #nixos
ahmedelgabri has quit [Ping timeout: 276 seconds]
<pgiarrusso>
hi all, noob Q: I downloaded a prebuilt binary on NixOS, it failed with ENOENT, and I ended up doing `sudo ln -s /nix/store/1jn6apz0fa9h9x7rl3v6vwiymwnjznwv-glibc-2.32-40/lib64/ld-linux-x86-64.so.2 /lib64/`.
<pgiarrusso>
what's the proper way to run a prebuilt binary on NixOS *without* creating a derivation?
<KarlJoad>
I'm trying to build emacs with Xwidgets for my NixOS system. Would an overlay be better, or just an override?
vidbina has quit [Ping timeout: 260 seconds]
<thblt>
KarlJoad: it's an option of the emacs package.
MysteriousSilver has quit [Ping timeout: 276 seconds]
orivej has joined #nixos
<KarlJoad>
Meaning I should just pass `withXWidgets = true` to a function call somewhere?
ahmedelgabri has joined #nixos
<thblt>
KarlJoad: In an override, I think. Something like (emacs.override { withXWidgets = true; })
nix has joined #nixos
nix is now known as lom
<KarlJoad>
That's what I have figured out. I'm asking if overlaying that on emacs makes any sense. That way when I refer to "emacs", I mean an emacs where withXwidgets = true.
<lom>
If I add snapper configs, are snapshots automatically made of them?
<nixajon>
hello nixos channel, newbie here and getting started. Is there a nix expression language equivalent of `which`? I'm using nix package manager, not on nixos, and I want to obtain the full path of the `fish` executable that's been installed by `home-manager`
<radvendii>
if you enclose a variable in ${} inside a string (this includes a '' '' delimited script) it will put the value of that (string) variable. certain other variables also work, if they know how to convert themselves into strings. Derivations, for instance, will give the output path
<radvendii>
can i ask what the context is? there might be a better solution for your particular problem
ahmedelgabri has joined #nixos
<nixajon>
Yeah, fair question. I am using fish as my primary shell. My pattern is open terminal to bash, set the $SHELL to fish-path, launch tmux and attach or start a new session. tmux uses $SHELL to determine what shell to launch. This lets me have a POSIX compliant terminal but I can start at fish when I open a new terminal
<nixajon>
error: undefined variable 'fish' at /home/nixajon/projects/dotfiles/nixpkgs/home.nix:14:17
<radvendii>
can you give a pastebin of your home.nix?
AmandaC has joined #nixos
<radvendii>
what do you mean "POSIX compliant terminal but I can start at fish when I open a new terminal" aren't those mutually exclusive?
<nh2[m]>
Jan Tojnar: I see you investigated SublimeText issues with /usr/bin/pkexec in the past.
<nh2[m]>
If I try to save a root-owned `configuration.nix` in my normal user's Sublime, I get a popup `Unable to save /.../configuration.nix: ... /usr/bin/pkexec failed`. I am quite sure it worked in the past. Does that currently work for you?
<nh2[m]>
Also funny is that the popup does not appear when I `strace -fyp $(pidof sublime_text)` (but it still doesn't succeed to save).
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage2nix: update list of broken packages »: https://git.io/J3G3D
<superbaloo>
when a *vendor* executable comes in with a specific ld-linux loader
<superbaloo>
is there an easy way to wrap it to make it load another loader (and ideally feed in the missing dependencies, without relying on an LD_PRELOAD)?
ahmedelgabri has joined #nixos
<pennae>
superbaloo: patchelf can change all those
jonringer has quit [Remote host closed the connection]
jonringer has joined #nixos
<matthewcroughan>
colemickens: I ended up getting 'error: access to path '/nix/store/lib/make-ext4-fs.nix' is forbidden in restricted mode' when I try to build your rpizero1 image.
<infandum>
I just installed nixos on a computer. It had a /home that I mounted. I am trying to get xmonad to work, but it just results in a blank screen (no cursor, no commands work, no signal from monitor). gnome does work though. I removed all configurations for xmonad, just the basic one from arch linux that compiles with xmonad --recompile. What could be causing this issue?
<infandum>
I am trying to use the same kind of config from my nixos laptop which does work.
<infandum>
I also have home-manager, but I removed all xmonad from that to troubleshoot
orivej has quit [Ping timeout: 240 seconds]
<oo_miguel>
as soon as I create more than one virtualHost via services.nginx.virtualHosts it does not come up anymore and I get: you should increase server_names_hash_bucket_size: 32
<infandum>
logging back into gnome, xmonad.errors is empty
<infandum>
journalctl -t xmonad shows "XIO: fatal IO error 0 (success) on X server ":0""
beertoagunfight has quit [Remote host closed the connection]
<thblt>
infandum: what about X log?
beertoagunfight has joined #nixos
<thblt>
(also gnome is wayland by default, so this may be a X bug?)
<mjlbach>
Trying to finish up my matrix dendrite PR, for systemd services it seems like ExecStartPre is executed *before* the creation of runtime directories. I wanted to use an environment file to do substitutions to avoid polluting the nix store with secrets, is "the move" to just write two separate systemd services?
<infandum>
thblt: which log?
beertoagunfight has quit [Ping timeout: 250 seconds]
ddellaco_ has quit [Remote host closed the connection]
<lom>
I'm trying to downgrade my channel to 20.09, from unstable. When rebuilding i'm now hit with a error: "error: undefined variable 'anything'", is this a known issue? How can I resolve it?
ddellacosta has joined #nixos
rubm has joined #nixos
ahmed_elgabri has joined #nixos
hke has quit [Quit: bye]
<infandum>
thblt: if I login to xmonad+nothing, (screen off), blindly type in "Mod4+S+Return -> reboot -> Return" then it reboots, so it must be a screen issue
hke has joined #nixos
<infandum>
err, none+xmonad
f4r598 has quit [Read error: Connection reset by peer]
<infandum>
in gnome, if I change the refresh rate from 75 to 120 (my monitor supports this) then it is a blank screen as well
<thblt>
infandum: to be clear: xmonad never worked with that setup? There's no way you've brought a state file from another install? (~/.xmonad.state IIRC)
<infandum>
I can check, as this install /home is on top of the previous arch linux install with home-manager
<infandum>
which messed up some stuff
<infandum>
which I needed to fix
philr has quit [Ping timeout: 240 seconds]
<thblt>
Another possibility is some multi-head confusion. The main monitor may be on a non-existing output.
justanotheruser has quit [Ping timeout: 260 seconds]
<matthewcroughan>
colemickens: I get "permission denied" when trying to build firmware for the sd-card-image/installer, trying again as root. But do you know anything about that?
<infandum>
thblt: Setting the videoDrivers worked
<infandum>
thank you so much!!
<thblt>
infandum: cheers :)
<colemickens>
eh, I don't recommend trying to run nix-build as root, doubtful that it will fix anything, and probably a bad sign if it does
<colemickens>
let me look real quick though
<matthewcroughan>
colemickens: I'm using the flake tooling
<pie_>
pennae: how does babby override systemd unit
<pie_>
im also annoyed at having to try to look this up
justanotheruser has joined #nixos
<pie_>
isn't there some kind of systemctl drop-me-into-this-units-environment or something
<pie_>
or something like a reverse reptyr
infandum has quit [Remote host closed the connection]
<pennae>
pie_: drop a fragment of a service file with the things you want overridden in ${unit_name}.d/ with .conf extension and reload
<nh2[m]>
How do I link to a NixOS option containing a `*` in the manual? Like in `networking.wireguard.interfaces.<name>.peers.*.publicKey`
<pie_>
pennae: yeah but thats immutable isnt it
<pennae>
systemctl cat shows overrides too btw
<pie_>
(there is a mutable path somewhere)
<pennae>
there's more than one path systemd loads from, one of them is in /run
<pie_>
pennae: any idea if i can make `systemctl edit` work in some reasonable manner
<pennae>
yeah, just s,etc,run, and go
<pennae>
never tried edit actually, we're oldschool :D
proofofkeags has quit [Ping timeout: 252 seconds]
<colemickens>
nh2: that means you'd have things like `networking.wireguard.interfaces.wg1.peers."my-peer".publicKey`.
<pie_>
colemickens: question was about linking the manual tho
<colemickens>
oh :( oops
gustavderdrache has joined #nixos
lom has quit [Quit: WeeChat 3.1]
<nh2[m]>
I need the equivalent of `<link linkend="opt-networking.interfaces._name_.ipv4.addresses">networking.interfaces.eth0.ipv4.addresses</link>`
<nh2[m]>
here `_name_` is for `<name>` but I need to know what to write for `*`
<colemickens>
I'm not sure I can get any sort of "link" to work to the new search actually
<pie_>
" Note that this command cannot be used to remotely edit units and that you cannot temporarily edit units which are in /etc/, since they take precedence over /run/."
<pie_>
whelp?
<pie_>
pennae: that kind of sounds like this wont work anyway? or do overrides have a different file extension or something
<pennae>
i think that means outright replacing them? not sure though
<pie_>
maybe
maralorn has joined #nixos
<pennae>
overrides are all .conf, in a ${unit}.d folder. could still work
<pie_>
wonder if i could use one of those LD_PRELOAD libs to get the command to work on /run
<pie_>
i hate how inflexible systemd tooling can be
seku has joined #nixos
kcalvinalvin has quit [Ping timeout: 245 seconds]
<pie_>
guess ill just do it the easy way for once
radu2427 has joined #nixos
<pennae>
pie_: overrides are loaded from /run just fine it seems
<pie_>
yeah
<pie_>
pennae: hm. are dropins the same as overrides?
radu242 has quit [Ping timeout: 276 seconds]
radu2427 is now known as radu242
<pie_>
apparently nix generates (at least with my config) both a nix-daemon.service and an overrides.conf
<pennae>
yup
<pie_>
so what happens when there is a second overrides.conf?
<numkem>
I just started using zfs on NixOS and I’m trying to build my full config using unstable but it fails with a no space on device error even tho there is plenty of space left
<tpw_rules>
how is your /boot?
<numkem>
Pretty much empty
<numkem>
it’s during package build, complaining about /build being full
<numkem>
My USB stick was on 20.03 trying to build unstable so maybe it’s part of the problem
sciamp has quit [Ping timeout: 246 seconds]
<qyliss>
could it be a tmpfs filling up?
qyliss has quit [Quit: bye]
riksteri has quit [Quit: riksteri]
<numkem>
/Tom
<numkem>
/tmp isn’t a tmpfs, it’s in the zpool
<numkem>
Well in /
qyliss has joined #nixos
<pie_>
,locate cpupower
<{^_^}>
Found in packages: linux.dev, linux-rt.dev, linux-libre.dev, linux_mptcp.dev, linux-rt_5_6.dev, linux_testing.dev, linux_mptcp_94.dev, linuxPackages_4_4.cpupower, linuxPackages_4_9.cpupower, linuxPackages_5_8.cpupower, linuxPackages_zen.cpupower, linuxPackages_4_14.cpupower, linuxPackages_4_19.cpupower, linuxPackages-libre.cpupower, linuxPackages_4_4.kernel.dev, linuxPackages_4_9.kernel.dev, linuxPackages_5_8.kernel.dev, and 17 more
<hrnz>
does the ,locate-function exist somewhere outside of the bot?
<pennae>
,locate nix-locate
mbrgm_ has joined #nixos
<{^_^}>
Found in packages: nix-index
supersandro2000 has quit [Killed (verne.freenode.net (Nickname regained by services))]
<hrnz>
thanks
supersandro2000 has joined #nixos
mbrgm has quit [Ping timeout: 252 seconds]
mbrgm_ is now known as mbrgm
stree has quit [Ping timeout: 252 seconds]
<samueldr>
,locate
<{^_^}>
Use ,locate <filename> to find packages containing such a file. Powered by nix-index (local installation recommended) https://github.com/bennofs/nix-index
<pennae>
building the index seems to be broken today(?), lots of errors in the json files it pulls?
<pennae>
tried it multiple times and it always dumped 5 gigs of erroneous json into /tmp
Mateon1 has quit [Remote host closed the connection]
Mateon1 has joined #nixos
<clever>
pie_: depends on what is doing the fetch
<clever>
numkem: df -i ?
judson_ has joined #nixos
civodul has quit [Ping timeout: 260 seconds]
S0rin has quit [Ping timeout: 240 seconds]
VideoGameEnjoyer has joined #nixos
<numkem>
clever: 1% everywhere
<clever>
numkem: can you pastebin the full build log and error?
stree has joined #nixos
<numkem>
clever: the machine doesn’t have a UI atm… it’s the first boot after initial install
orivej has joined #nixos
<numkem>
Is there a tool I could pipe it into?
mallox has quit [Quit: WeeChat 3.1]
<samueldr>
are you trying to nixos-rebuild into the live system?