2020-05-16

<clever> pie_: if you put kernel config in there, it should change what its netbooting
<clever> pie_: the netboot module includes a nixos config in the module = { .. };
<clever> pie_: in what way should it be similar?
<clever> cant remember if i had verified that with wireshark or not
<clever> not clear if the bios was to blame or the setup
<clever> pie_: i never got efi to even load ipxe
<clever> pie_: note that justdoit wont ask before wiping any disks
<clever> pie_: then it probably worked the whole way, you can either justdoit or nixos-install as normal
<clever> pie_: depends on what the prompt says
<clever> pie_: i never really got efi netboot to work right
<clever> yeah, nixpkgs
<clever> ssk: its a function that will build a docker image when you feed it some more args
<clever> that often happens when doing cross
<clever> ssk: try tab-completing it in `nix repl '<nixpkgs>'`
<clever> ssk: pkgs.pkgsCross.something.dockerTools.buildImage maybe?
<clever> xxsds: yeah
<clever> xxsds: try adding `--option sandbox false` ?
<clever> xxsds: ssh into it?
<clever> morgrimm: yes
<clever> xxsds: can you pastebin the full output? and the output of `mount` ?
<clever> cole-h: that is the proper way to fix things in bash, and anything else you try will just lead to problems
<clever> xxsds: you shouldnt use switch under enter, only nixos-rebuild boot
<clever> cole-h: if you dont quote it, spaces and other stuff can break things
<clever> cole-h: cat "$VAR"
<clever> cole-h: which env var, going to which cmd?
<clever> cole-h: why does it need to be escaped? you could quote it better maybe?
<clever> cole-h: something in your build is asking to turn the sandbox off, but your nix.conf wont allow it
<clever> ,runtimeDeps lunik1
<clever> lunik1: it will only be in PATH at build-time, not runtime
<clever> lunik1: anything you put into nativeBuildInputs gets added to PATH for you
<clever> > { a=1; b=2; } // { b=3; c=4; }
<clever> Ashy: //
<clever> palo: you can also put the writeText result into a let block, to make the code more readable
<clever> palo: thats how all dependencies work in nix
<clever> palo: nix will automatically copy it for you
<clever> palo: you should be able to just run `tor -f ${pkgs.writeText ...}`
<clever> palo: and you cant tell tor to look at another file?
<clever> palo: you're running tor in the initrd?
<clever> palo: what do you need a custom file for?
<clever> selfsymmetric-mu: this bot will report the updates, and the URL with the history shows the current state for each channel
<clever> selfsymmetric-mu: 2020-05-15 18:50:12 -{^_^}:#nixos- Channel nixos-20.03-small advanced to https://github.com/NixOS/nixpkgs/commit/91cdcf31357 (from 3 hours ago, history: https://channels.nix.gsc.io/nixos-20.03-small)
<clever> palo: you're supposed to be doing just bare /path/to/secret
<clever> palo: pkgs.writeText will write it to /nix/store, and then its not a secret anymore
<clever> cole-h: can also just keep nix-env as-is
<clever> cole-h: isnt a fan of removing -i, or isnt a fan of keeping a neutered nix-env?
<clever> morgrimm: yep
<clever> morgrimm: so the system profile will only change if its ran as root
<clever> morgrimm: it can only delete generations from profiles it has permission to
<clever> cole-h: you could just remove the `-i/-u/-e` flags from nix-env, but keep the rest

2020-05-15

<clever> ah, that will do it
<clever> i think so
<clever> palo: you need to fix the Cargo.lock file
<clever> the wanted one
<clever> palo: it should be printing 2 hashes, is the 2nd one the one from your expr?
<clever> emily: its the only way to manage generations
<clever> emily: nix-env is still used behind the scenes for nixos-rebuild and nix-channel
<clever> :'(
<clever> and then insert an overlay at a later time
<clever> so you can make a set of inter-connected packages, that can callpackage eachother
<clever> but, it also adds a .overrideScope' function, that can take an overlay, and insert it between the return-value and the `self` given to packages
<clever> fps: line 52 creates a new set of packages, containing every attr that `packages: self: { ... }` returned
<clever> fps: if you want to get more fancy, then you can use makeScope
<clever> nix-build '<nixpkgs>' --arg overlays '[ (self: super: { pkg1 = self.callPackage ./pkg1 {}; pkg2 = self.callPackage ./pkg2 {}; }) ]' -A pkg2
<clever> and then you can start to get fancy
<clever> fps: with import <nixpkgs> { overlays = [ (self: super: { pkg1 = self.callPackage ./pkg1 {}; pkg2 = self.callPackage ./pkg2 {}; }) ]; }
<clever> fps: thats where an overlay can be simpler
<clever> Ashy: yep
<clever> bqv: the filesystem stuff isnt worth keeping in git, because if i lose the root disk, the rest are likely also gone, and i have to redo the filesystems anyways
<clever> bqv: i keep my configuration.nix thin, just filesystem stuff, and imports = [ /path/to/real/config.nix ];
<clever> Ashy: nix-shell -p 'foo.override { option = true; }'
<clever> setup-etc.pl has to iterate over /etc to see if there are old symlinks to delete and such
<clever> ,pills tom39291
<clever> rnhmjoj: and its a bug that `nix-build -p` is applying shell-only logic
<clever> rnhmjoj: behind the scenes, nix-build and nix-shell are the same program, and it uses argv[0] to decide how it should behave
<clever> energizer: and id say its a bug that nix-build -p is applying the same logic, its a nix-shell only flag
<clever> rnhmjoj: behind the scenes, `nix-shell -p foo bar` will basically just run `nix-shell -E 'with import <nixpkgs> {}; stdenv.mkDerivation { name = "name"; buildInputs = [ (foo) (bar) ]; }'`
<clever> DamienCassou: you could try comparing the output of powertop as a start
<clever> c00w: you can also run `nix-store --query --roots /nix/store/a` to see what depends on a
<clever> probably
<clever> c00w: if its used at build-time, its rooted by b being built
<clever> c00w: it should preserve anything currently in use

2020-05-14

<clever> Robertof: youll need to find out which module added zfs, and convince it to stop adding it
<clever> aiverson: `nixops scp machine --to foo.txt .`
<clever> that shows how to load a custom set of modules in a default.nix
<clever> unclechu: then youll want my module example
<clever> and then that loads more via imports
<clever> `nix repl '<nixpkgs/nixos>'` will load <nixos-config> which is usually your configuration.nix
<clever> except via -I nixos-config=
<clever> the module shouldnt be passed to nix repl
<clever> that looks a bit weird
<clever> unclechu: you have to load the module with the module tooling, something like `nix repl '<nixpkgs/nixos>'`
<clever> unclechu: (builtins.unsafeGetAttrPos "a" { a=1; }).file
<clever> unclechu: maybe using builtins.unsafeGetAttrPos
<clever> unclechu: so it depends a lot on what you want to do after you get that path
<clever> unclechu: it only gets copied to the store when you treat it as a string
<clever> unclechu: ./. is always the dir the file is within
<clever> qyliss: and lines 9-13 would be the nixos config for the disk image it boots, so you can bake in anything needed for testing
<clever> qyliss: if you just swap out line 22 to do rescue-kernel = /path/to/zImage; then it will use your custom kernel (but not any of the modules)
<clever> qyliss: this will add another entry to the grub menu, for booting a kernel+initrd pair, that runs entirely from a ramdisk
<clever> qyliss: does it have to run on hw, or would a vm be fine?
<clever> qyliss: one sec
<clever> qyliss: there is a section in the nixpkgs manual on building the kernel with nix-shell
<clever> so you must `-I nixpkgs=something`
<clever> nix-shell -p always loads <nixpkgs>
<clever> aiverson: `sudo -u foo bash`
<clever> aiverson: if you `sudo -u <foo> -i` to that user, and then try to `ls -l` the key, what happens?
<clever> jasom: yep
<clever> jasom: you can just add custom modules to the imports list
<clever> jasom: only a module can do that, overlays cant
<clever> energizer: does that network card exist?
<clever> energizer: probably running, the others look like they depend on it
<clever> no idea why
<clever> energizer: ah, ive seen that before too, systemd is asking for a pw somewhere, for some reason
<clever> energizer: what does `ps -eH x` say its doing for most of the slow time of switch?
<clever> energizer: then its not the nix eval
<clever> energizer: what about `nixos-rebuild dry-run` ?
<clever> you can still statically link some libs, while dynamically linking others
<clever> kvda: osx doesnt allow static, ever

2020-05-13

<clever> kvda: yes
<clever> kvda: and get all deps from pkgsStatic instead of pkgs
<clever> kvda: the shell file must use pkgsStatic.stdenv instead of the normal stdenv
<clever> kvda: youll want to build your stuff from pkgsStatic.stdenv
<clever> Gaelan: yeah
<clever> kvda: yes
<clever> kvda: this will build all packages statically with musl
<clever> > pkgsStatic.sqlite
<clever> morgrimm: home-manager can only manage $HOME
<clever> morgrimm: home-manager cant touch /run
<clever> morgrimm: and you only get drivers in /run if you set hardware.opengl.enable = true;
<clever> morgrimm: how did you install mesa?
<clever> Edes: then you want pkgs.substituteAll and @foo@ in the file
<clever> Edes: if you make that file a nix expr, you can just run `import` on it directly
<clever> heh, didnt even notice it
<clever> and we know what to check next time it goes wrong
<clever> DigitalKiwi: check the etc in /run/booted-system/
<clever> it should have been like that on boot
<clever> not sure then, maybe a bug?
<clever> DigitalKiwi: you can also just chmod 666
<clever> DigitalKiwi: has this file changed on your machine?
<clever> ]$ grep MODE /etc/udev/rules.d/90-zfs.rules
<clever> KERNEL=="zfs", MODE="0666", OPTIONS+="static_node=zfs"
<clever> DigitalKiwi: if you chmod it, can you list again?
<clever> DigitalKiwi: that would be the problem then
<clever> DigitalKiwi: do the permissions on /dev/zfs look diff to you?
<clever> DigitalKiwi: which is just open for anybody
<clever> crw-rw-rw- 1 root root 10, 249 Apr 14 11:44 /dev/zfs
<clever> DigitalKiwi: strace says its touching this
<clever> openat(AT_FDCWD, "/dev/zfs", O_RDWR) = 5
<clever> DigitalKiwi: `zfs list` works without root here, and i havent updated for a few months
<clever> you need that if you cant get bridging to work
<clever> pikajude: probably
<clever> then set the router's dns server, in the dhcp server config
<clever> > pkgs.bind.meta.description
<clever> > pkgs.bind
<clever> i tend to use bind for that
<clever> ah, so no dns for the guest
<clever> what did that part do again?
<clever> pikajude: it should, since the guest has to download things to build
<clever> pikajude: it would probably be simpler to just use the nat code nixos/iohk use, you already have an example of how to configure everything
<clever> pikajude: there is a special bit in the first byte, that marks an addr as a broadcast one, which you shouldnt use
<clever> pikajude: thats probably fine, as long as its unique
<clever> pikajude: what mac did you last try?
<clever> acowley: -I foo=/foo -I bar=/bar
<clever> acowley: -I cant take a : separated list, you need multiple -I's
<clever> not sure
<clever> pikajude: no, the mac's need to all be unique
<clever> pikajude: the guest inside the vm should have a unique mac, and the eth card must support mac spoofing i believe
<clever> pikajude: ah, i can see how you could misread the msg
<clever> pikajude: yep, thats what i said to do earlier
<clever> selfsymmetric-mu: i think you can do /archive/pull/42/head.tar.gz, but ive not tried that
<clever> selfsymmetric-mu: just push to github, done!
<clever> selfsymmetric-mu: github creates a tarball automatically, for every commit in the repo
<clever> selfsymmetric-mu: import (builtins.fetchTarball "https://github.com/owner/nixpkgs/archive/gitrevision.tar.gz") {}
<clever> pikajude: tap0 doesnt need an ip assigned
<clever> dont know
<clever> it should be happening automatically
<clever> pikajude: and only send it to the right places, like a normal switch
<clever> pikajude: it will keep track of what mac addr is on each slave if
<clever> pikajude: so the eth interface should just be ignored entirely
<clever> pikajude: any packets you try to send out the bridge, get sent out all slave IF's (the tap and eth)
<clever> pikajude: looks normal, and then on enp8s0 what does it show? if you leave both br0 and enp8s0 tcpdump'ing at the same time
<clever> pikajude: can you pastebin the output of `ip link`, `ip addr` and the tcpdump logs for br0?
<clever> pikajude: it should say that in `ip link`
<clever> pikajude: is eth0 part of br0?
<clever> pikajude: you can run tcpdump on several interfaces at once, because it may have just stopped
<clever> pikajude: does the packet make it thru all 4 interfaces?
<clever> pikajude: its less about if its failing, and more about how far the packet is getting
<clever> pikajude: "port 58 or port 68"
<clever> pikajude: add a port filter to the tcpdump
<clever> pikajude: then move the tcpdump to br0, are the packets getting there? then eth0?
<clever> pikajude: on the host, do `tcpdump -i tap0 -p -n` and see if you can detect the guest dhcp packets as it tries to get an ip
<clever> pikajude: use tcpdump and ping to see how far along the packets are getting
<clever> pikajude: the bridge will forward the guest traffic out eth0, and the local dhcp server will answer
<clever> pikajude: the guest inside the vm has the other side of the tap device, and gets an ip with dhcp as normal
<clever> pikajude: linux will then treat all of them like a single interface
<clever> pikajude: only br0 should get an ip, the slaves of br0 never get configured
<clever> pikajude: thats if you point a single nix-build to several drvs
<clever> Gaelan: depending on the order they finish in, your result may be pointing to the "wrong" thing
<clever> Gaelan: nope, but when each one finishes, it will overwrite the result symlink
<clever> yeah
<clever> configure br0 like you used to configure eth0
<clever> pikajude: you must then move all of your network config to br0, not eth0
<clever> pikajude: then packets can just flow between the 2 like a regular switch
<clever> pikajude: create a bridge that both eth0 and tap0 are members of
<clever> pikajude: one min
<clever> pikajude: but if you use bridging instead, the tap interface will link to the lan, and use the lan's dhcp
<clever> pikajude: if you use nat, then the tap interface is isolated from the world, and needs its own dhcp server
<clever> pikajude: depends on if you use nat or bridge
<clever> pikajude: the iohk stuff is based on the nixos one, but can run several macs on a single host
<clever> pikajude: the nixos config runs a single mac vm from a zvol
<clever> pikajude: getting links...
<clever> pikajude: already done
<clever> > "file://" + "/home/clever/foo"
<clever> Gaelan: file:///home
<clever> omnipotententity: preConfigure = "set -x"
<clever> between lines 20 and 21
<clever> you want to add nixpkgs.config.allowUnfree to the container then
<clever> ah
<clever> T0pH4t: i also dont see any unfree software in there to cause an error
<clever> T0pH4t: are you sure its actually using that config file? that typo should have given a totally different error
<clever> T0pH4t: you have the nixpkgs. missing on line 3
<clever> T0pH4t: its nixpkgs.config.allowUnfree
<clever> T0pH4t: can you pastebin the configuration.nix?
<clever> T0pH4t: are you doing `import <nixpkgs> {}` at any point?
<clever> camsbury: read the grub.conf file it generates before you reboot?
<clever> camsbury: does it actually fail the switch?
<clever> camsbury: its likely a warning, its just blindly searching anything that could be a block device, to find any other os
<clever> assuming the user parsing happens in another uid
<clever> sounds like it may be using IPC within itself, to pass the pw from the user proc to its auth proc?
<clever> it does have several dovecot related users, but its not clear which one the auth gets ran as
<clever> you would need to enable dovecot and pam, and see what its doing internally
<clever> not clear from that config
<clever> and the defaults populate it
<clever> vika_nezrimaya: but setting anything at all in .dovecot2, causes the config to get made
<clever> vika_nezrimaya: i'm not sure how it works, but dovecot isnt setting any pam options
<clever> vika_nezrimaya: and i see pam stuff in dovecot, another email prog
<clever> /home/clever/apps/nixpkgs/nixos/modules/services/mail/dovecot.nix: security.pam.services.dovecot2 = mkIf cfg.enablePAM {};
<clever> vika_nezrimaya: thats how you authorize more things in nixos
<clever> vika_nezrimaya: and that setuid helper will use /etc/pam.d/ to enforce what its parent proc can actually ask of it
<clever> vika_nezrimaya: i think the pam library can run a setuid helper, to handle pw validation
<clever> cole-h: lorri is mostly just a cache for direnv, and deals with async building
<clever> mitchellh: i only ever compile things in nix-shell, but some people use direnv to automate entering the shell
<clever> mitchellh: most compilers wont work if installed with nix-env, only nix-shell and nix-build can make a compiler work
<clever> colemickens: there is also `nix copy --to s3://bucket` for backends nix itself supports
<clever> colemickens: you can use `nix copy --to file:///path` to make a dir of .narinfo and .nar.xz files, then just upload it to any static http server
<clever> keithy[m]: have you seen nix-serve ?
<clever> unclechu: nothing in /nix/store can be a secret from other users
<clever> unclechu: nix doesnt allow uid or gid in /nix/store/, everything must be root:root
<clever> unclechu: i dont think there is anything for that, why do you need ACL's?
<clever> unclechu: if you want setuid, then you have to do it in configuration.nix like this: https://github.com/cleverca22/nixos-configs/blob/master/wireshark-no-root.nix
<clever> unclechu: the only permission bit you can set is +x/-x, you have no choice over any other bit
<clever> unclechu: you cant put setuid or acl stuff in /nix/store/
<clever> unclechu: which permissions are you trying to add?
<clever> > vmTools.buildRPM
<clever> mitchellh: you can tab-complete lib. in `nix repl '<nixpkgs>'`
<clever> > :p lib.makeBinPath [ hello busybox ]
<clever> mitchellh: line 98, lib.makeBinPath
<clever> mitchellh: if you're using single-user nix, then anything nix builds can freely delete things in /nix/store and corrupt paths
<clever> mitchellh: run `nix-store --verify --check-contents`
<clever> dmj`: Catalina says otherwise
<clever> dmj`: but if you're using a single-user nix, poorly written derivations can still break /nix/store/
<clever> mitchellh: run `nix-store --verify --check-contents`
<clever> dmj`: haskell isnt as terrible as js :P

2020-05-12

<clever> pjt_014: you also didnt pass the system param to anything, so it does nothing
<clever> pjt_014: you want something = pkgs.recutils.override { ... };
<clever> pjt_014: that is creating an attribute called recutils.override, not calling recutils.override
<clever> so the `ps aux` looks cleaner
<clever> jumper149: i think it will run httpd with the absolute path, but set argv[0] to plain "httpd"
<clever> jumper149: its a systemd flag
<clever> ,locate bin cbindgen
<clever> Jonathan54: you may need libredirect
<clever> infinisil: i worked around it with raw nsenter
<clever> infinisil: and the build i was trying to resume, was using absolute paths to $NIX_BUILD_TOP
<clever> infinisil: i wasnt able to get the chroot part of cntr to work right
<clever> Woutifier: and you can run nix-shell on the drv file, to get the deps into your env
<clever> evelyn: nix eval nixpkgs.lib.version
<clever> floscr: thats part of it
<clever> floscr: config.something.colors.black;
<clever> immae: how is a different librt causing problems?
<clever> different arches have renamed it some
<clever> yeah
<clever> and ldd says it found an ld.so
<clever> and can even mislead you more, when the ld.so hasnt been patchelf'd
<clever> which technically uses the wrong ld.so for the debug, giving different results
<clever> ldd is then a shell script, to run `LD_TRACE_LOADED_OBJECTS=1 /path/to/ld.so ${yourbinary}`
<clever> but if LD_TRACE_LOADED_OBJECTS=1 has been set, ld.so will print debug, and never run your main()
<clever> immae: that ld.so will then recursively load the libs
<clever> immae: when a program is ran normally, the ELF header says which ld.so to start with, and what the needed libs are and the RPATH
<clever> immae: try just running the program directly, with this env var set
<clever> $ LD_TRACE_LOADED_OBJECTS=1 ls linux-vdso.so.1 (0x00007ffedf7b3000) librt.so.1 => /nix/store/qb6k4hp7gk331x9fydw0w7qj4dv09bwz-glibc-2.27/lib/librt.so.1 (0x00007ffb1a450000)