2019-06-19

<clever> ambro718: nix itself checks by seeing if it has write to /nix/var/nix/db/ and also checking $NIX_REMOTE
<clever> stepcut: and just put s3://bucket into the cache list
<clever> stepcut: though you can also use `nix copy --to s3://bucket /nix/store/foo` and skip the hydra half
<clever> stepcut: s3 buckets support auth much better
<clever> stepcut: i think your best option is to just run a hydra with an s3 bucket
<clever> yeah
<clever> and then since its read-only, its safer to lack a passphrase
<clever> stepcut: ahh, i was thinking of a 2nd key, that can only read the store, via nix.sshServe
<clever> stepcut: this would let you restrict what they can access, when they do have the ssh key
<clever> and youll want nix copy --to local?root=/second/store/ /nix/store/foo to populate it with a subset
<clever> stepcut: then it can only share what is in /second/store/nix/store
<clever> stepcut: if you modify it, to use nix-store --serve --store local?root=/second/store/
<clever> stepcut: this is forcing ssh to run nix-store --serve or nix-daemon --stdio depending on version
<clever> stepcut: you may also be able to adjust ssh-serve some....
<clever> stepcut: ah, yeah, you would need to use firewall or vpn stuff to restrict access
<clever> stepcut: you may also want to mix nix sign-paths in also
<clever> stepcut: this is another option, it will just create a directory suitable for http:// cache operations, throw an http-server of your choice at it, and you're up-and-running
<clever> nix copy --to file://./cache-test/ /nix/store/5bi5qvvn7j3jw3j177xa1q907wfj37sy-file-5.36
<clever> stepcut: i dont think ssh-serve allows listing the store, so they would have to know what to ask for
<clever> stepcut: the attacker would still need to steal both your id_rsa, and know the storepath of the secret
<clever> stepcut: would that be enough to make you comfortable without a passphrase?
<clever> stepcut: this will authorize a given pubkey to read the store, but not modify it, and not be able to run anything
<clever> stepcut: one min
<clever> but passphrase is still an issue
<clever> stepcut: aha, you can do ssh-ng://host?ssh-key=/path/to/key
<clever> stepcut: but that likely wont be needed in this case, root is an exception in ssh-agent
<clever> stepcut: i also have a hack with nc to fix the uid problem you just mentioned
<clever> stepcut: ssh-auth-sock in NIX_PATH only works for pkgs.fetchGitPrivate, and wont help with ssh-ng://
<clever> stepcut: similarly, you could just systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/whatever";
<clever> stepcut: systemd.services.nix-daemon.environment.NIX_SSHOPTS = "-v";
<clever> stepcut: aha, modify the systemd service to set `NIX_SSHOPTS = "-v"`
<clever> stepcut: checking some source...
<clever> stepcut: nix-daemon is running under systemd, so it likely wont find your agent, you could use /root/.ssh/ssh_config to force which key to use, or just have /root/.ssh/id_rsa lack a passphrase
<clever> ambro718: your default.nix would need to specify which nixpkgs to use
<clever> it will also make things build much faster for them
<clever> ambro718: and their tmp dir wont be loaded as heavily
<clever> ambro718: if you get them to use a binary cache service (either your own, or cachix), then they can just download a pre-built copy
<clever> ambro718: i went over to the console, to discover there was 20gig of garbage in /tmp, and the boot waits until its all cleaned up before continuing, lol
<clever> ambro718: related, one of my old machines had a persistent /tmp, but it cleared it on bootup, and one day after an unplanned reboot, it didnt come up right away
<clever> ambro718: libstore/build.cc looks like the best place, change the "" to point to the option, and if the option is "", the old behaviour returns
<clever> ambro718: you may need a PR to nix, to add an option
<clever> ambro718: and note, you want `unset`, not `export XDG_RUNTIME_DIR=`
<clever> ambro718: clearing that too should force it back to /tmp/
<clever> ambro718: it will then overwrite TMPDIR, TEMPDIR, TMP and TEMP, with the choice it made
<clever> ambro718: if TMPDIR is not set, it will use XDG_RUNTIME_DIR, if that is also not set, it will use /tmp
<clever> ambro718: one sec
<clever> ambro718: echo $TMPDIR ?
<clever> ambro718: `ps aux | grep nix-daemon` ?
<clever> ambro718: i think only darwin does multi-user, but gchristensen should be able to confirm
<clever> when using multi-user nix, nix-daemon is run by systemd, and then it doesnt point into /run/user/1000/
<clever> yeah, it can only use $TMPDIR
<clever> which is defined up about 15 lines
<clever> it calls tempName, with the root set to an empty string
<clever> ambro718: this is where it actually makes /tmp/nix-build-x
<clever> ambro718: looking...
<clever> pbb: the stage-1-init.sh will treat that as having gotten the wrong pw, and try again, then i think it will notice its already open and keep going?
<clever> pbb: i think you can just `killall cryptsetup`
<clever> pbb: one minute
<clever> ambro718: nix will obey TMP or TMPDIR i believe
<clever> abbec: ive not used overlays outside of nixos
<clever> abbec: i think so, or the overlays directory
<clever> putting it all into an overlay forces you to keep a hard record of what the trick is, and you can just nix-env -iA nixos.tiny-vim any time you want to upgrade it
<clever> `nix-env -iA nixos.vim_configurable.customize --argstr features tiny` may work, but then you have another downside, youll forget the magic incantation, and 6 months down the road, you wont remember how to get the new tiny vim when upgrading
<clever> and unused args are silently ignored
<clever> vim_configurable is not a function, so it wont try to call it with any arguments
<clever> and then, for every attr in the -A foo.bar.baz, it will repeat that again
<clever> which allows, nix-env -iA nixos.whatever --arg config '{ allowUnfree = true; }'
<clever> abbec: when nix loads a given file, it will check if the top-level value was a function (the root nixpkgs function in this case), and call it with any args it can accept
<clever> abbec: one minute
<clever> abbec: then you can nix-env -iA nixos.tiny-vim
<clever> abbec: self: super: { tiny-vim = super.vim_configurable.customize { features = "tiny"; }; }
<clever> abbec: its best to use something like an overlay to do things like this
<clever> abbec: --arg doesnt work like that
<clever> jbgi: you can also remove ~/.cache/nix/binary-cache-v6.sqlite to make it forget about things once, without having to change the ttl
<clever> :D
<clever> hyper_ch2: your guess was dead on!
<clever> tilpner: i have 5 machines in the house currently
<clever> exarkun: might be why the example i linked is changing the aws version
<clever> exarkun: the example i linked gets local and template from nixpkgs, and then fetches a custom aws provider version
<clever> exarkun: you must use terraform.withPlugins to patch it into supporting them, https://github.com/input-output-hk/iohk-ops/blob/master/terraform/terraform.nix#L22-L26
<clever> i tend to have many caches, so i use `--option substituters ...` to exclude the faulty one and keep using others
<clever> gchristensen: so theres not much you can do, other than exploiting xz directly, lol
<clever> gchristensen: the narinfo also has a hash of the .nar.xz, and that hash is signed by the hydra keys
<clever> ,cache balsoft[m]
<clever> karetsu: cant think of what else to check
<clever> karetsu: did you tell home-manager to rebuild?
<clever> karetsu: did you also replace this one?
<clever> karetsu: you had systemctl in 2 nix files on your repo
<clever> karetsu: you want to replace systemctl with /run/current-system/sw/bin/systemctl
<clever> Unode: if you set the startAt on a service, nixos will auto-generate a timer of the same name, and link the timer&service for you
<clever> Unode: you also dont have to touch systemd.timers
<clever> so when you boot, and enter multi-user mode, systemd will bring up snmpd
<clever> Unode: that will result in multi-user.target, wanting snmpd.service
<clever> Unode: you need to set wanted-by
<clever> karetsu: then you probably want start, not restart
<clever> Unode: nope, timers are only needed for scheduling based on time
<clever> karetsu: i would delete the line i linked to
<clever> karetsu: but note, that may just lead to infinite recursion, starting polybar restarts polybar, which restarts polybar....
<clever> try using /run/current-system/sw/bin/systemctl instead of normal systemctl
<clever> karetsu: that line is why its trying to run systemctl from the service
<clever> karetsu: systemd runs services with a different PATH
<clever> karetsu: can you pastebin your home-manager config?
<clever> karetsu: and you're running that directly in a shell?, what does `type systemctl` say?
<clever> elgoosy: nixos-rebuild always uses the channels on root, and you typically only need the user channels if you lack root or want to avoid sudo more
<clever> karetsu: what command are you running, to cause the error message?
<clever> elgoosy: compare `nix-channel --list` and `sudo nix-channel --list`
<clever> elgoosy: did you run --add with or without sudo?
<clever> elgoosy: looks like everything is working as it should
<clever> elgoosy: sudo nix-channel --list
<clever> tilpner: i think it just always obeys $TMPDIR, and users have a different value than services

2019-06-18

<clever> or `with import ./common.nix; let stuff= things; in stuff`
<clever> mac10688: in a let block, i would do `let stuff = import ./common.nix; things = stuff.things; in things` for ex
<clever> andi-: if you can do it in c, you can also use IFD to cheat like i did
<clever> andi-: i think its in there, if i did it at all
<clever> andi-: yes
<clever> mac10688: i just tab-complete under nix repl '<nixpkgs>'
<clever> that also works
<clever> philipp[m]: youll also need a packageOverrides as well, to change the package the module is using
<clever> philipp[m]: yeah
<clever> philipp[m]: ^^
<clever> 2019-06-18 05:04:00 < clever> NYXT: https://nixos.org/nixos/manual/index.html#sec-replace-modules
<clever> 2019-06-18 05:03:41 < clever> NYXT: you want to use disabledModules to remove the current plex module, and then use imports to add in the new one
<clever> sudo cant fix a lack of +x
<clever> but its not been +x'd so you lack permission to run it
<clever> inquisitiv3: so you're attempting to run base.lst
<clever> inquisitiv3: you dont have a cat at the start
<clever> inquisitiv3: what is it having permission errors on?
<clever> capisce: ah, different from the problems i had
<clever> karetsu: you can also do `chmod u+w` to only add write to user, and leave all other bits as-is
<clever> capisce: anything 32bit or nfs at play?
<clever> karetsu: that will find every directory, print them with \0 separators, then grab chunks of them and pass it to chmod
<clever> karetsu: find .config -type d -print0 | xargs -0 chmod 755
<clever> karetsu: directories will be fine, making files 755 will make everything into a program!
<clever> so up to you
<clever> both seem to work fine
<clever> its 700 on my desktop, 755 on my laptop
<clever> karetsu: chmod 755 .config, to fix it
<clever> drwxr-xr-x 44 clever users 72 May 13 11:24 .config
<clever> karetsu: .config is read-only
<clever> karetsu: and what are the permission bits on .config ?
<clever> karetsu: ls -lhd .config .config/i3
<clever> karetsu: who owns .config and .config/i3 ?
<clever> DigitalKiwi: it was renamed back in 2015, and an alias was left behind for anybody that didnt get the memo
<clever> inotifyTools -> inotify-tools
<clever> Date: Tue Sep 1 10:52:47 2015 +0200
<clever> Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
<clever> commit 9013dc5826dfd9d2d376fd0f45f4031a8cfa0c55
<clever> DigitalKiwi: /home/clever/.nix-defexpr/channels_root/nixos/pkgs/top-level/aliases.nix: inotifyTools = inotify-tools;
<clever> karetsu: nix-channel --list, nix-channel --add, nix-channel --remove, and every user has his own set of channels, you typically inherit from root's
<clever> Synthetica: builtins.toFile "name?" (builtins.toJSON foo) or pkgs.writeText
<clever> drakonis: nixpkgs-unstable did update, because it doesnt test grub, and then the nixpkgs on nixos guys broke grub
<clever> samueldr: that would do it
<clever> nixos-unstable refused to update, and protected most users
<clever> a bug got in that corrupted grub.cfg
<clever> about a year ago, there was a wave of people who ran nixpkgs-unstable on nixos (not master, but still lacked nixos tests)
<clever> thats how you brick machines :P
<clever> it takes a while for that to hit your channel
<clever> it updated systemd from 241.something to 242
<clever> drakonis: check the git history for the last file i pasted
<clever> pkgs/os-specific/linux/systemd/default.nix: passthru.interfaceVersion = 3;
<clever> nixos/modules/system/activation/top-level.nix: echo -n "systemd ${toString config.systemd.package.interfaceVersion}" > $out/init-interface-version
<clever> drakonis: compare that file, under /run/booted-system, /run/current-system, and /nix/var/nix/profiles/system/
<clever> 55 my $newVersion = read_file("$out/init-interface-version");
<clever> 54 my $oldVersion = read_file("/run/current-system/init-interface-version", err_mode => 'quiet') // "";
<clever> nixos/modules/system/activation/switch-to-configuration.pl:incompatible with the current configuration. The new configuration
<clever> drakonis: major changes to systemd?
<clever> Ankhers: just use normal attrs then, erlang = erlangR21;
<clever> Ankhers: the difference, is that <nixpkgs>/.../foo.nix (or a variant of it), will search for <nixpkgs> in $NIX_PATH (even if its empty), while <nixpkgs/../foo.nix> will search for a version of nixpkgs that definitely has a foo.nix
<clever> gchristensen: i was cleaning up a bucket with ~200gig of data in it last week, it took 3 days just to delete every item in the bucket
<clever> yorick: on nix, ldconfig should just be ignored and never run
<clever> lol
<clever> joepie91[m]: i think i heard it was at 80tb?
<clever> ,cache joepie91[m]
<clever> hardware.enableAllFirmware and hardware.enableRedistributableFirmware will also install firmwareLinuxNonfree for you
<clever> rndd[m]: any firmware you do install, must be put into the hardware.firmware option
<clever> NYXT: you want to use disabledModules to remove the current plex module, and then use imports to add in the new one
<clever> noqqe: it will take effect after a reboot

2019-06-17

<clever> jtojnar: ah, not sure then
<clever> jtojnar: it may be that you are cpu bound undoing the xz, and the remote server is kicking you for taking too long
<clever> jtojnar: because curl failed mid way thru fetching
<clever> jtojnar: error 9 means that xz hit EOF before the archive was done
<clever> mmercier: the map shouldnt be needed, since derivations turn to strings automatically
<clever> mmercier: i also try to avoid using pkgs when callPackage is at work, it makes .override harder
<clever> mmercier: stdenv.lib is another way to get lib
<clever> mmercier: and how are you passing it images?
<clever> mmercier: at least how this file is being called, and given ui-image and api-image
<clever> mmercier: can you pastebin more of the nix files, so i can see everything that is going on?
<clever> mmercier: what happens if you just use `lib.concatStringsSep " " [ ui-image api-image ]` ?
<clever> > let x = { __toString = self: "a${self.b}"; b = "42"; }; in "${x}"
<clever> Miyu-saki: sets can also be functions!
<clever> > let f = { __functor = self: arg: self.a + arg; a = 40; }; in f 2
<clever> > "${ { outPath = "foobar"; } }"
<clever> Miyu-saki: oops, ^^
<clever> mmercier: the parser is fairly smart
<clever> mmercier: what about: lib.concatStringsSep " " [ ui-image api-image ] ?
<clever> which can potentially become a performance problem, if you run that nix code often
<clever> jD91mZM2: but if you do ./foo, it has to read and fully hash foo, before it knows the path
<clever> jD91mZM2: if you give it a fixed-output drv with a sha256, it immediately knows the hash, and can compute the storepath
<clever> jD91mZM2: and also somewhat about performance
<clever> jD91mZM2: and just letting you know about it
<clever> jD91mZM2: that warning is more about it being about to maybe eat a ton of ram
<clever> mmercier: oh, line 17 of the original pastebin, you want buildInputs = [ pigz ]; and then just run pigz normally
<clever> mmercier: derivations turn into strings automatically
<clever> mmercier: this will take a list of things, map a function over them, then join all of the results with a separator
<clever> > lib.concatMapStringsSep "SEP" (x: "item${x}") [ "a" "b" "c" ]
<clever> mmercier: you want to turn that list into a string
<clever> mmercier: and as for your error, line 15, map returns a list, ${ only accepts a string
<clever> mmercier: you then dont have to deal with sourcing stdenv/setup
<clever> mmercier: lines 8-20, its much much simpler if you use `runCommand "images" {} ''bash goes here'';`
<clever> mmercier: can you pastebin your nix exprs?
<clever> tommyangelo: src is a set, when it should be a string, you want to run fetchurl there
<clever> JosW: usually, i just run it, and see what it complains about when failing
<clever> tommyangelo: ah, you want pkgs.callPackage and { pkgs, ... }: as your first line
<clever> tommyangelo: callPackage takes 2 arguments
<clever> inquisitiv3: ah
<clever> inquisitiv3: are there any symlinks along the path?
<clever> tobiasBora: oh, one other thought, nix-store -q --deriver /nix/store/36xbdg33gdlyzpjh3dmr07y0znxy0kkk-hplip-3.19.1
<clever> tobiasBora: looks totally normal
<clever> tobiasBora: echo $NIX_PATH ?
<clever> tobiasBora: once the rebuild is done, use `nix why-depends` to see how your final nixos build depends on the above hplip
<clever> tobiasBora: yeah, the next step would be to see what depends on this modified hplip
<clever> tobiasBora: and ssh opens 22 tcp on its own, so you dont need either
<clever> tobiasBora: only thing i can complain about, is that you're opening port 22 udp, but ssh is tcp only
<clever> tobiasBora: i would expect that to all work just fine
<clever> tobiasBora: can you pastebin your configuration.nix file?
<clever> tobiasBora: then its not a matter of 32bit being uncached
<clever> tobiasBora: https://hydra.nixos.org/eval/1525433#tabs-inputs this is the eval you're currently running, the rev matches up
<clever> tobiasBora: the bash/python in the #! also works
<clever> tobiasBora: can you pastebin your configuration.nix file?
<clever> tobiasBora: is it 32 or 64bit?
<clever> tobiasBora: look in /nix/store/36xbdg33gdlyzpjh3dmr07y0znxy0kkk-hplip-3.19.1/bin or /lib for a file, and then run `file` on it
<clever> tobiasBora: but i think i found a hint...
<clever> tobiasBora: but if i checkout nixpkgs rev a1dd419c1ff and nix-build hplip, i get a different path, which is in the cache
<clever> and yes, that isnt in the binary cache
<clever> 404
<clever> /nix/store/36xbdg33gdlyzpjh3dmr07y0znxy0kkk-hplip-3.19.1 then
<clever> tobiasBora: do you have the output path for something its trying to build?
<clever> tobiasBora: `nix eval nixpkgs.lib.version` ?
<clever> tobiasBora: nixos-unstable?
<clever> tobiasBora: which channel are you on?
<clever> immae: looks like it cant handle sysrq, only dmesg
<clever> immae: there is also netconsole...
<clever> which will do that for you
<clever> some serial port programs have a hotkey to send a break code over the serial port
<clever> immae: and a break signal on a serial port, is i think 10 bits of low, when the normal pattern is 1 low for the start bit, 8 data bits, and 1 high for the stop bit
<clever> immae: so <break>o will just cut power to the whole system
<clever> immae: related, if you send a break signal over the serial port, you can follow it with one of those magic letters
<clever> immae: ack!
<clever> perhaps: ( echo l ; echo t ; echo w) > /proc/sysrq-trigger
<clever> so you would need to issue multiple write() syscalls, one byte each
<clever> it allocates a `char c`, and then reads that from userland
<clever> immae: but also, line 1103, i think its only reading a single byte from the string being written
<clever> immae: you must check dmesg to see the result of everything
<clever> immae: this creates the sysrq-trigger file, and routes all writes to the function at the start
<clever> immae: or just `sudo -i` and use plain echo without tee
<clever> immae: what about tee -a?
<clever> immae: to the source!
<clever> immae: mlockall would also be of use here, so you can avoid io entirely
<clever> immae: could try with some of the read-only things, like ltw and see if it prints multiple debug things at once
<clever> b is basically identical to the reset button on the motherboard
<clever> pbb: and b will just hard-reset the machine, without even syncing the disks, so you can get it back online quickly
<clever> pbb: this lets you trigger sysrq without physical access, l t and w could be of use
<clever> [5303136.183099] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i) thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l) show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p) show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u) force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
<clever> [root@system76:~]# echo ? > /proc/sysrq-trigger
<clever> pbb: one sec
<clever> thats fairly different from my issues
<clever> ah
<clever> pbb: ah, the machine is responding enough to run dmesg?
<clever> so i can just turn the monitor on to see what blew up
<clever> pbb: and because of that, any errors the kernel prints to the console, are visible, even after the kernel locks up solid
<clever> pbb: this causes mingetty to print an ansi escape code on startup, which disables power-saving in the gpu, so the monitor output is never disabled
<clever> pbb: one minute
<clever> pbb: the firmware in my SSD locks up randomly!
<clever> pbb: i had a similar problem that plagued my desktop since before i even switched to zfs, and eventually found the answer in http://media.kingston.com/support/downloads/60AABBF0_V3_RN_052816.pdf
<clever> pbb: does the machine have any swap?
<clever> li_matrix: and then people can take your stuff and setOfCrates.overrideScope' (self: super: { overlays })
<clever> li_matrix: the next trick, is that you can mix makeScope and newScope together with your `self: { stuff }` to make a set that contains an .overrideScope'
<clever> li_matrix: it lets you create a recursive thing, that accepts its own return value