<clever>
gchristensen: from the http headers, < X-Runtime-rack: 6.179089
<clever>
infinisil: i believe domen has also done something with hie
<clever>
yeah, but cabal revisions dont affect the hash of the source
<clever>
i was hoping/worrying that the cabal files were a near hash collision :P
<clever>
infinisil: the odd part, is that the hashes in your error (which match the 2 cabal files perfectly), arent the hashes that had a single-bit error
<clever>
infinisil: its generally done to fix build errors because of mistakes in the version constraints
<clever>
nix reports in base32 i believe, even if the input was 16, which can make it difficult to find the right hash to edit
<clever>
infinisil: then grep nixpkgs for both
<clever>
infinisil: using nix-hash, you can convert between base32 and base16
<clever>
johanot: i did try doing something similar, with the flag to disable modules, but it ran into dependency problems
<clever>
johanot: oh, thats an idea, just omit modules, and require the user to do `imports = [ <nixpkgs/nixos/modules/services/web-servers/nginx/default.nix> ];`
<clever>
infinisil: yeah, it would be a drastic change in how things currently work
<clever>
it would need an off switch, because it would even vanish from the docs :P
<clever>
NOP out every option, dont even put them in the options tree
<clever>
if services.nginx.enable = false, then services.nginx is just an untyped attrset, and essentially ignored
<clever>
if the type of options could somehow depend on the config tree?
<clever>
infinisil: i just had an idea on how to further improve performance
<clever>
rfold: not sure where the source is, the wrapper is complicating things
<clever>
and overrideDerivation to mutate them after stdenv.mkDerivation has already done its own mutations
<clever>
overrideAttrs to mutate the args before stdenv.mkDerivation has manipulated them
<clever>
overrideCabal can be used on anything haskell
<clever>
the order for things in general, override can be used on anything returned by callPackage, and it will re-call the file with different args
<clever>
the main reason i use overrideAttrs on haskell stuff, is to insert arguments that generic-builder.nix wont allow me to pass to the stdenv
<clever>
once overrideAttrs is run on it, its not a valid "haskell derivation" so overrideCabal cant really be used
<clever>
overrideCabal first, then overrideAttrs second
<clever>
you must do them in the right order
<clever>
tnks: overrideAttrs applies after generic-builder has translated things from haskellPackages.mkDerivation to stdenv.mkDerivation
2018-09-01
<clever>
yeah, thats one
<clever>
buildInputs is an example of an array turning into a space-separated string
<clever>
there are also functions to join arrays with a separator
<clever>
derivations will join arrays into strings automatically
<clever>
if the newline is not within the quotes, nix basically ignores it
<clever>
das_j: [ "foo" "bar" ] ?
<clever>
infinisil: but, i know that if the -staging file is in, i must also have the bucket storage one
<clever>
infinisil: and in the example i linked, there is some rather complex haskell code, that decides what goes into `nixops modify` based on several yaml files
<clever>
but you can make a tree, and manage that list in files, and not need to re-run `nixops modify` every time you pull
<clever>
elvishjerricco: it is the nixos modules that are responsible for reading the config and obeying nixpkgs.pkgs, and then its too late to change the nixos modules
<clever>
elvishjerricco: part of the problem, is that that option only affects the pkgs tree, not the nixos tree
<clever>
yep
<clever>
currently, nixops has no way for config in 1 file to cause another file to create machines
<clever>
infinisil: and then spin up 5 backends, for a single loadbalancer, a total of 6 machines
<clever>
infinisil: one thought on what you could now do, mystuff.loadbalancer.backends = 5;
<clever>
infinisil: nice
<clever>
for example, i want to define options in one place, config in another, then based on the config, define config for machines
<clever>
infinisil: another factor ive found nixops is seriously lacking in, having options at the deployment level
<clever>
thats 110 nixos evals...
<clever>
infinisil: i once made a nixops deployment with 10 machines, each having 10 nixos containers
<clever>
neat
<clever>
yosemitesam: i would just `git clone` it when doing the initial install
<clever>
yosemitesam: why do you need the repo copied somewhere?
<clever>
try `with a.b; b`
<clever>
no
<clever>
if that doesnt exist, it tries other locations
<clever>
yeah
<clever>
`with pkgs.xdotool; xdotool` is identical to `pkgs.xdotool.xdotool`, which doesnt exist
<clever>
yeah, thats identical to a.b
<clever>
so the d becomes a variable you can refer to
<clever>
JonReed: you're defining a.b.c.d = foo and then doing a with a.b.c
<clever>
JonReed: or just `with pkgs;`
<clever>
JonReed: let xdotool = pkgs.xdotool; in ...
<clever>
JonReed: `with pkgs.xdotool; xdotool` tries to do `pkgs.xdotool.xdotool`
<clever>
hmmm, only 268mb usage
<clever>
Maximum resident set size (kbytes): 268472
<clever>
these paths will be fetched (191.28 MiB download, 939.96 MiB unpacked):
<clever>
[root@system76:~]# command time -v nix-store -r /nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11
<clever>
but some binaries are broken and dont show stats
<clever>
yeah
<clever>
then you will have separate keys for the modules, bootloader, kernel, and config, potentially
<clever>
kisik21: do you want to open your bios config and load a new public every time?
<clever>
kisik21: your /boot changes every single time you `nixos-rebuild switch`
<clever>
hence "have fun" :P
<clever>
kisik21: and now the secret is readable by every single user on the machine
<clever>
kisik21: with the nix sandbox, you have to put the secret into /nix/store/
<clever>
oh, and have fun trying to sign the kernel modules in /nix/store/
<clever>
and maybe something else to enforce only loading signed kernel modules
<clever>
kisik21: you will need some packageOverrides to disable it
<clever>
kisik21: yes
<clever>
emily: to properly be secure, never sign a kernel that has kexec enabled
<clever>
emily: yeah
<clever>
so secure-boot with the M$ key is effectively useless
<clever>
and nobody can revoke that key, because it would render every single install dvd useless
<clever>
so anybody can just use that M$ signed binary as an escape-hatch to run unsigned code
<clever>
there is a bug in their installer-dvd bootloader, that runs unsigned code
<clever>
you will also want to remove the M$ key
<clever>
monokrome: create your own pair, and load the public into the bios using the bios options
<clever>
monokrome: your own keypair
<clever>
the scripts that update /boot for systemd-boot or grub, will need to sign the bootloader&kernel any time you update /boot/
<clever>
for any decent firmware, there is no money problems
<clever>
so i could just swap out your motherboard, and boot your hdd under that
<clever>
secureboot doesnt stop your OS from being run in a hypervisor
<clever>
and even if you have luks, if the attacker does manage to defeat secureboot, he could boot your OS in a hypervisor, and then wait for you to enter the luks password
<clever>
some firmware allow you to load your own key
<clever>
and if you're not using luks, an attacker can just read the secrets and then its pointless
<clever>
the problem is that you must sign the kernel and initrd that are in /boot/
2018-08-31
<clever>
also, profile your junk :P
<clever>
,profiling
<clever>
the units are bytes, and i need to set it to 30gig or so sometimes
<clever>
samueldr: increase GC_INITIAL_HEAP_SIZE
<clever>
nix will re-download the url hourly, and rename the output to match whatever the hash comes out to
<clever>
the only other option (which isnt "pure") is to just omit the sha256
<clever>
and only the name and sha256 are used
<clever>
fetchTarball uses a name of "source"
<clever>
replace a few digits with 0's, and then re-build
<clever>
you claimed it was identical, so nix didnt bother trying to fetch mkPandoc
<clever>
so nix just grabbed the nixpkgs from /nix/store/
<clever>
its identical to nixpkgs
<clever>
philippD: and is the sha256 correct?
<clever>
philippD: can you add nixpkgs.pinned.nix to the gist?
<clever>
pie__: not much
<clever>
v0latil3: ive just run windows in virtualbox
<clever>
so anything alsa based will wind up connecting to pulse
<clever>
pulseaudio also includes its own alsa drivers
<clever>
pie__: pulseaudio may make things simpler
<clever>
pie__: its part of the base linux packages, so just `modprobe snd-aloop` or add it to the right nixos param for auto-loading
<clever>
oops, pasted too much
<clever>
,locate linux.out 8,068 r /nix/store/yw01y3c85zhzw4dwiic6vpdd92bfgvcs-linux-4.9.23/lib/modules/4.9.23/kernel/sound/drivers/snd-aloop.ko.xz
<clever>
samueldr: sure
<clever>
ixxie: havent thought of splitting it out
<clever>
gchristensen: there is a bug that causes it to half die, but not quit, after a few hours of uptime
<clever>
gchristensen: we will want to make sure ntpd still works on the next nixos release
<clever>
that looks good at a glance
<clever>
> '' ''$''${QT_HOST_DATA} ''
<clever>
ixxie: run `id`
<clever>
pip3000: nope
<clever>
pip3000: a: no, b: i dont see anything referring to unstable in that pastebin, so that will have zero impact on the system
<clever>
pip3000: you must only have 1 set after the in
<clever>
pip3000: you have 2 sets after the in
<clever>
ixxie: its mostly just a few independent systemd services
<clever>
pip3000: between the { pkgs, ... }: and the first {
<clever>
ah
<clever>
ixxie: i just use pure nixos, no k8 or docker
<clever>
ixxie: or for running a group of services in a contained way
<clever>
ixxie: the only time i see nixos containers being of use, is when a service is being dumb and expects something like a constant port or unix socket, and you cant run 2 of it
<clever>
but { let foo = bar; in ... } is not valid
<clever>
for example, { key= let key2=value2; in value3; }
<clever>
pip3000: `let key=value; in value` is only valid in areas where a value could have also been used
<clever>
pip3000: you need to use packageOverrides to change the teamspeak attribute
<clever>
Mark___: this channel handles nix, nixpkgs, nixos, and nixops
<clever>
Zajcev: can you pastebin /nix/store/kkj9rs80wgkcpki4znpak4fgp7c6nv9h-nginx.conf ?
<clever>
Zajcev: very, i have 5 or 6 domains on mine and no issues, you appear to have 2?