<clever> ottidmes: if your dns server is listening on a public interface, it can be abused in a few ways
<clever> nh2: and if you try to review task manager for anything fishy, you just find a normal system exe running
<clever> nh2: no, more like, after a virus is already inside the computer, it launches a random system exe that's always running, scoops the brains out, and injects the virus into that exe, then terminates the original binary
<clever> vaibhavsagar: nix.package in configuration.nix
<clever> if you can run such a thing, you can also just use the syscalls for debugging directly
<clever> i think it's more about falsifying the records of what executable it even is
<clever> the debugger that's doing the brain-scooping still has to be trusted first, and it could just as easily make a normal exe and request it to be whitelisted
<clever> all process management utils claim it's one thing, but it's something entirely different
<clever> then immediately use the debugger to hollow out its skull, and implant different code
<clever> launch a legit binary that people trust, but with a debugger attached
<clever> nh2: i've also heard about virus level stuff happening on windows
<clever> with dlopen or custom per-platform code?
<clever> nh2: when you try to run TH code, ghc will compile to the target arch, serialize it, and ship it off to iserv, which then loads it (somehow), and then runs it
<clever> nh2: which interpreter is in the ELF headers of the iserv binary
<clever> which enables cross-compiling
<clever> iserv also allows the TH to run on a different arch from the ghc
<clever> then fix the bugs from the libs behaving differently
<clever> and that feature of QT was in beta at the time, so i had to cross-compile my own QT that can map the apple SSL libs to the QT ssl api
<clever> you must use the apple ssl libs
<clever> ottidmes: apple does not allow openssl to be statically (or dynamically) linked into your apps
<clever> ottidmes: but i did have to compile a custom QT, because of more apple reasons
<clever> ottidmes: i don't remember what the details of the licensing were
<clever> multiple windows (but the window manager is missing), scroll bars that work opposite of mobile
<clever> so the mobile versions looked and behaved like desktop apps
<clever> the main problem is that QT has a desktop ui by default
<clever> ottidmes: i rewrote the entire client in QT, since it can compile to android, ios, linux, osx, windows, and a dozen others :P
<clever> angerman: and then when mac support started to come along, "surprise, i want mobile support too!"
<clever> angerman: in my case, the boss hired a windows dev to make the client, and when things neared completion, sprang "oh, i want mac support" on us :P
<clever> (or you modify the xml after packaging)
<clever> but, this can only happen if you use non-apple build tools (qmake) which don't validate the xml when packaging
<clever> if the info.plist file in your .app has xml errors, the app will silently hang on startup, and just do absolutely nothing
<clever> i've also found funny bugs in darwin, which i've reported, and never heard back from them on
<clever> :D
<clever> nh2: despite it being a field in the mach-o and you can change it freely, the kernel rejects any binary where it has been changed!
<clever> nh2: the path to dyld (the apple version of ld.so) has an if statement in the kernel
<clever> nh2: apple would like to have a word with you :P
<clever> :D
<clever> angerman: apple would like to say otherwise, lol
<clever> jophish: it reduced my closure from 38mb to 2mb, and removed all dependencies
<clever> jophish: nix why-depends automates that step for you
<clever> ottidmes: and nothing says the dhcp has to be run on the router, just make sure to configure the nixos one to use the right gateway, dns, and ip range
<clever> ottidmes: in general, it's simpler to just disable all other competing dhcp servers
<clever> anothertest: you may be better off using a more custom kernel+initrd pair like the netboot.nix code, and just not having a disk image at all
<clever> and if you drop .env, you can use nix-build on it
<clever> as long as the deps are compatible with what's in haskellPackages, you can use that against any cabal file you want
<clever> simpson: nix-shell -E 'with import <nixpkgs> {}; (haskellPackages.callCabal2nix "servant-py" ./. {}).env' then `runhaskell Setup.hs configure` and `runhaskell Setup.hs repl`
<clever> yeah
<clever> nullglob is enabled, so a pattern matching nothing just vanishes
<clever> bbarker_home: the directory might already exist
<clever> and then it builds it locally, and fails once more
<clever> if the build does fail on hydra, then it simply won't be in the cache
<clever> infinisil: regex bug detected!
<clever> yeah
<clever> you just need to experiment
<clever> it might be set up to try network when hdd fails
<clever> that will depend on the defaults in the firmware as well
<clever> depends on the hardware/firmware
<clever> but boot order may matter when you're done, to make the new install boot
<clever> it just directly runs a kernel
<clever> kexec doesn't care about boot order at all
<clever> no special setup at all
<clever> no need for a /boot, or even a harddrive at all, for proper netboot
<clever> on the kexec'd ones, or the netboot ones?
<clever> kexec then, simpler
<clever> depends on if you want to keep booting from the network, or just kexec an installer and then install normally
<clever> kexec was just a shortcut to skip having to do that
<clever> ottidmes: as long as you can write to the current /boot partition, you can do it without a reboot
<clever> no real os needs to exist
<clever> ottidmes: you just need to install grub to /boot with an ipxe.lkrn
<clever> in this example, the script will require signed binaries, dhcp, fetch another script, verify the signature, and execute it
<clever> then it just never does the normal dhcp auto-boot
<clever> ottidmes: if you override ipxe, and set the EMBED var, you can bake an ipxe script into the binary
<clever> i have to do the same with chromedriver and electron
<clever> yep
<clever> if you already have a chrome binary in PATH
<clever> try just deleting that file, and see what happens
<clever> and now you have the standard patchelf problems
<clever> it packaged a pre-compiled copy of chrome
2018-11-30 19:40:50 <clever> selfsymmetric-mu: is it native or raw js?
<clever> ls -lh node_modules/.bin/
<clever> npm would also drop it in that dir
<clever> selfsymmetric-mu: what happens if you just run `npm install .` in that dir?
<clever> ottidmes: yeah, you usually aren't cross-compiling with raw nix-shell -p
<clever> ottidmes: but your above cmd just gives it a raw path to a finished product
<clever> ottidmes: the crosscompile stuff expects the buildInputs to be attrsets, so it can get the native or cross version
<clever> selfsymmetric-mu: that sounds like a simple case of nodejs 4 having been removed
<clever> ottidmes: that will probably mostly work, but confuse cross-compiling
<clever> runCommand is now an alias to runCommandNoCC (it lacks a gcc), but people expect nix-shell to have one, and runCommandCC may not exist (new nix, old nixpkgs)
<clever> (pkgs.runCommandCC or pkgs.runCommand)
<clever> also, it's no longer pkgs.runCommand
<clever> and the parens keep the list sane
<clever> it allows things like, nix-shell -p 'foo.override { key = "value"; }' bar
<clever> ottidmes: the parens
<clever> then every input matching the name "baz" will just not be built/downloaded
<clever> if you nix-shell foo.nix -A bar --exclude baz
<clever> ottidmes: -p isn't a buildEnv, but a stdenv.mkDerivation
<clever> eyjhb: if you import load-secrets.nix, and secrets.nix is missing, it returns an empty set of dummy secrets, which allows others to use the config (with the secrets missing) (and hydra too)
<clever> it can't even remember which word it is, lol
<clever> i saw it without even noticing, and typed it the normal way :P
<clever> infinisil: it might be another word, just a local dialect thing
<clever> maybe it was something else, can't remember exactly
<clever> infinisil: just wait till i start typing acrosst :P
<clever> dmj`: if you ever get merge conflicts on that state file, you're in for some "fun"
<clever> so you could just `ssh remote nixops export -d | nixops import`
<clever> dmj`: export prints to stdout, import reads from stdin
<clever> dmj`: did you try `nixops import < deployment.json` ?
<clever> you're telling it to open the json with sqlite :P
<clever> dmj`: the -s flag tells it where to find the sqlite db
<clever> dmj`: what error did it give?
<clever> dmj`: it should import just fine
<clever> ottidmes: i try to keep the numbers low, nixos-rebuild test :P
<clever> and i wanted to go over it line by line to make sure no secrets wound up in the public repo, but also it had no real changes
<clever> ottidmes: in the above case, i was moving a machine from one git repo to another, and re-arranging the nix files as i went, and turning it into nixops
<clever> it segfaulted somewhere in pulseaudio, and gdb was confused by the mix of arches
<clever> gchristensen: i flipped it around one day, to run x86-64 on a raspberry pi!
<clever> oops, qemu-user.aarch64 = true;
<clever> WhittlesJr: qemu.aarch64 = true; imports = [ ./qemu.nix ]; in configuration.nix, and it can just magically run aarch64 binaries (at reduced speed)
<clever> sgillespie: you'll want to either delete the corrupt paths (nix-store --delete /nix/store/foo) or repair them (nix-store --repair-path /nix/store/foo), don't use force with delete
<clever> delroth: related, stack based builds on windows can fail in parallel, because the package-info.d locking is stupid
<clever> mconstant: then it automagically knows every wifi i have visited before
<clever> mconstant: i just copy the wpa_supplicant.conf between laptops when doing a new install
<clever> but then your password is world-readable in /nix/store/
<clever> mconstant: check networking.wireless.networks in the nixos docs (man configuration.nix, or https://nixos.org/nixos/options.html or some 3rd option)
<clever> the default.nix in the root has examples of its usage
<clever> and i tried to keep the nix-installer.nix part modular and generic, so you can just grab it, and call it with different args
<clever> Lisanna: this manages a ~/.daedalus/nix/store/, along with nix-user-chroot, and similar nix copies, to apply updates to it when installers are run
<clever> Lisanna: i've done all of the above, in exactly that situation
<clever> Lisanna: `nix copy --to local?root=/tmp/totar /nix/store/foo`, tar up /tmp/totar, move it, untar, `nix copy --from local?root=/tmp/totar /nix/store/foo` to get it back out
<clever> Lisanna: nix copy would allow you to have GC when doing this kind of thing
<clever> Lisanna: if you want to merge it into an existing store, you need to use nix copy
<clever> { allowUnfree = true; }
<clever> ~/.config/nixpkgs/config.nix
<clever> configuration.nix doesn't affect nix-env, see the comment at the very bottom
<clever> is it in config.nix?
<clever> it used to, but a recent change broke the error handling
<clever> you have to restart container@name.service
<clever> also, nixos-rebuild switch has a nasty habit of not updating nixos containers
<clever> correct
<clever> and even then, it only takes effect when first creating the user
<clever> if mutable users is true, then you want initialHashedPassword
<clever> bbarker: hashedPassword i think is only when mutable users is false
<clever> bbarker: there is a nixos-container root-login command
<clever> yep
<clever> Configures the time to sleep before restarting a service (as configured with Restart=). Takes a unit-less value in seconds, or a time span value such as "5min 20s". Defaults to 100ms.
<clever> yl[m]: does the journal show signs of it restarting? and you're not waiting RestartSec?
<clever> yl[m]: oh, you can also mess with the restart rules, to make systemd keep trying
<clever> yl[m]: and is the case right in the ssh.service?
<clever> yl[m]: fpletz should know more on this area
<clever> yl[m]: systemd is also weird with its wants vs after vs needs stuff
<clever> yl[m]: network-addresses-vboxnet0.service for ex
<clever> yl[m]: i think you want to make sshd depend on the right -address service
<clever> yl[m]: and later used it to netboot a laptop with basically zero changes to it