2018-09-03

<clever> and in the case of the amazon AMI's, it will use the user-data to create /etc/nixos/configuration.nix
<clever> and the default NIX_PATH points nixos-config to /etc/nixos/configuration.nix
<clever> nixos/default.nix has a configuration argument, which defaults to either $NIXOS_CONFIG or <nixos-config>
<clever> and its too late to change them by the time the config has been loaded
<clever> its the nixos modules that are responsible for reading configuration.nix and loading everything
<clever> more of a limitation of how it works
<clever> colemickens: or to do both at once, either with `NIX_PATH=.... nixos-rebuild ...` or `nixos-rebuild -I`
<clever> colemickens: the only way to affect the nixos modules is to set NIX_PATH before you run nixos-rebuild
<clever> colemickens: note that nixpkgs.pkgs only affects the pkgs tree, and the nixos modules will not be affected
<clever> this applies at every attribute in -A foo.bar.baz
<clever> lostman: and if wrapper returned such a function (and not a set), it would also work
<clever> lostman: this will accept --arg someArg true
<clever> { myDerivation = { someArg ? false }: wrapper imported.myDerivation }
<clever> lostman: what i mean, is
<clever> lostman: --arg foo value, only works for functions in the form of { foo }: ...
<clever> lostman: does `wrapper imported.myDerivation` return a function or a set?

2018-09-02

<clever> Orbstheorem: probably because makewhatis hasnt been run
<clever> infinisil: aha!
<clever> p_l: thats usually required with services
<clever> philippD: ah, then maybe download with the browser, and then run nix-prefetch-url file:///path/to/thing.tar.gz
<clever> philippD: try nix-prefetch-url with just http instead of https
<clever> why?! lol
<clever> same as grep being in gnugrep
<clever> i think gnupatch is the main one
<clever> gnupatch.out 180,240 x /nix/store/id4hp2barkyn10z4wrmwg8smj901qsgf-patch-2.7.5/bin/patch
<clever> infinisil: http://ghtorrent.org/
<clever> gchristensen: from the http headers, < X-Runtime-rack: 6.179089
<clever> infinisil: i believe domen has also done something with hie
<clever> yeah, but cabal revisions dont affect the hash of the source
<clever> i was hoping/worrying that the cabal files were a near hash collision :P
<clever> infinisil: the odd part, is that the hashes in your error (which match the 2 cabal files perfectly), arent the hashes that had a single-bit error
<clever> infinisil: its generally done to fix build errors because of mistakes in the version constraints
<clever> 0.8.1.0
<clever> *looks*
<clever> infinisil: which package was that revision on?
<clever> infinisil++
<clever> infinisil: can you open an issue on the stack2nix github so the @rev:0 stuff is tracked?
<clever> cabal revisions have been a constant pain in stack2nix
<clever> ah
<clever> oh, interesting, the byte order is reversed, its a single bit out!
<clever> 7f486682a6a4979a4c9d69480fb549b5648066f2d0a1b31e25f9fef965931225
<clever> [root@router:~]# nix-hash --type sha256 --to-base16 098jjdjzkzpr4lgb78fhy9k80r5m96shyj39km69m5x4ls16cj3z
<clever> infinisil: yep, thats the hash from line 2
<clever> 8f486682a6a4979a4c9d69480fb549b5648066f2d0a1b31e25f9fef965931225
<clever> [root@router:~]# nix-hash --type sha256 --to-base16 098jjdjzkzpr4lgb78fhy9k80r5m96shyj39km69m5x4ls16cj4g
<clever> nix reports in base32 i believe, even if the input was 16, which can make it difficult to find the right hash to edit
<clever> infinisil: then grep nixpkgs for both
<clever> infinisil: using nix-hash, you can convert between base32 and base16
<clever> johanot: i did try doing something similar, with the flag to disable modules, but it ran into dependency problems
<clever> johanot: oh, thats an idea, just omit modules, and require the user to do `imports = [ <nixpkgs/nixos/modules/services/web-servers/nginx/default.nix> ];`
<clever> infinisil: yeah, it would be a drastic change in how things currently work
<clever> it would need an off switch, because it would even vanish from the docs :P
<clever> NOP out every option, dont even put them in the options tree
<clever> if services.nginx.enable = false, then services.nginx is just an untyped attrset, and essentially ignored
<clever> if the type of options could somehow depend on the config tree?
<clever> infinisil: i just had an idea on how to further improve performance
<clever> rfold: not sure where the source is, the wrapper is complicating things
<clever> > gnatboot.src.urls
<clever> rfold: i dont see gnatmake in nixpkgs
<clever> > gnatmake.src.urls
<clever> yeah
<clever> bahamas: that one should do it
<clever> : nix-store -r /nix/store/wnw7dish1kawsqlzvvriqi9z4dgdcs1c-nix-2.0.4 && /nix/store/wnw7dish1kawsqlzvvriqi9z4dgdcs1c-nix-2.0.4/bin/nix-env -iA nixpkgs.nix
<clever> > "${(import <nixpkgs> { system = "x86_64-darwin"; }).nix}"
<clever> i put linux, not darwin, lol
<clever> wait doh
<clever> bahamas: do nix-store -r /nix/store/zk9plca43q4643ma41d85bqadfm48p6i-nix-2.0.4 && /nix/store/zk9plca43q4643ma41d85bqadfm48p6i-nix-2.0.4/bin/nix-env -iA nixpkgs.nix
<clever> > "${(import <nixpkgs> { system = "x86_64-linux"; }).nix}"
<clever> ah, you need nix2 to parse nixpkgs, one min
<clever> then just `nix-channel --update ; nix-env -iA nixpkgs.nix` without root
<clever> ah, single-user install
<clever> bahamas: without root, what does `ls -lh ~/.nix-profile` output?
<clever> bahamas: do you know if its a single or multiuser install?
<clever> bahamas: `sudo -i` then `nix-channel --update ; nix-env -iA nixpkgs.nix`
<clever> MarkRBM_: you can also just use nixos-unstable until then
<clever> 18.09
<clever> so only nixos-unstable has it
<clever> MarkRBM_: it was added to nixpkgs in may, 18.03 is from march
<clever> > pkgs._1password.meta.position
<clever> MarkRBM_: which channel are you on?
<clever> the problem is that you had just passed nixpkgs as a module, and it was calling nixpkgs and passing it every module arg
<clever> p_l: thats 2 paths, not 1!
<clever> > [ <nixpkgs>/pkgs ]
<clever> p_l: oh!, <unstable>/nixos/modules/virtualisation/lxd.nix is the problem!
<clever> can you paste the --show-trace output?
<clever> (import <unstable> {}).lxd
<clever> you forgot to import nixpkgs, you tried to just access an attribute on a path
<clever> <unstable>.nixpkgs.lxd is probably where its failing
<clever> but thats unrelated to the problem
<clever> p_l: <unstable>/nixos/modules/virtualisation/lxd.nix can be changed to <unstable/nixos/modules/virtualisation/lxd.nix>
<clever> infinisil: yeah, you sort of need to modify the eval-modules function to return its internal state, rather than the result of merging
<clever> p_l: can you gist the files you changed?
<clever> then i can eval them separately in the repl
<clever> infinisil: what i tend to do is expose the thing via an attribute
<clever> infinisil: it looks like you can even mix loaOf and options
<clever> infinisil: and the options they defined will be merged
<clever> infinisil: you can also have 2 different modules doing foo = mkOption { options = ...; } i believe
<clever> yep
<clever> yep
<clever> but ALL of the override methods are unaware of it, and will remove it
<clever> this adds an attribute to the result, so you can do .a to access the 5
<clever> also, (stdenv.mkDerivation { ... }) // { a = 5; }
<clever> yeah
<clever> and overrideDerivation to mutate them after stdenv.mkDerivation has already done its own mutations
<clever> overrideAttrs to mutate the args before stdenv.mkDerivation has manipulated them
<clever> overrideCabal can be used on anything haskell
<clever> the order for things in general, override can be used on anything returned by callPackage, and it will re-call the file with different args
<clever> the main reason i use overrideAttrs on haskell stuff, is to insert arguments that generic-builder.nix wont allow me to pass to the stdenv
<clever> once overrideAttrs is run on it, its not a valid "haskell derivation" so overrideCabal cant really be used
<clever> overrideCabal first, then overrideAttrs second
<clever> you must do them in the right order
<clever> tnks: overrideAttrs applies after generic-builder has translated things from haskellPackages.mkDerivation to stdenv.mkDerivation

2018-09-01

<clever> yeah, thats one
<clever> buildInputs is an example of an array turning into a space-separated string
<clever> there are also functions to join arrays with a separator
<clever> derivations will join arrays into strings automatically
<clever> if the newline is not within the quotes, nix basically ignores it
<clever> das_j: [ "foo" "bar" ] ?
<clever> infinisil: but, i know that if the -staging file is in, i must also have the bucket storage one
<clever> infinisil: and in the example i linked, there is some rather complex haskell code, that decides what goes into `nixops modify` based on several yaml files
<clever> but you can make a tree, and manage that list in files, and not need to re-run `nixops modify` every time you pull
<clever> infinisil: yeah
<clever> infinisil: mostly the same as imports, but without the fixpoint
<clever> infinisil: the requires flag in nixops is also not well known, and ive seen things get pretty messy without it
<clever> > builtins.typeOf "foo"
<clever> but you may need to use symbolic names, and have the python fill the gaps in after creating the resource
<clever> and in theory, you can have more complex dependencies, and the python can detect the deps and create them in the right order
<clever> and when a security group depends on an elastic ip, it is using a symbolic name that the nix generated at eval time
<clever> elvishjerricco: all resource implementations in nixops have a .create_after function, that controls the order things are created in
<clever> elvishjerricco: one min
<clever> elvishjerricco: it is the nixos modules that are responsible for reading the config and obeying nixpkgs.pkgs, and then its too late to change the nixos modules
<clever> elvishjerricco: part of the problem, is that that option only affects the pkgs tree, not the nixos tree
<clever> yep
<clever> currently, nixops has no way for config in 1 file to cause another file to create machines
<clever> infinisil: and then spin up 5 backends, for a single loadbalancer, a total of 6 machines
<clever> infinisil: one thought on what you could now do, mystuff.loadbalancer.backends = 5;
<clever> infinisil: nice
<clever> for example, i want to define options in one place, config in another, then based on the config, define config for machines
<clever> infinisil: another factor ive found nixops is seriously lacking in, having options at the deployment level
<clever> thats 110 nixos evals...
<clever> infinisil: i once made a nixops deployment with 10 machines, each having 10 nixos containers
<clever> neat
<clever> yosemitesam: i would just `git clone` it when doing the initial install
<clever> yosemitesam: why do you need the repo copied somewhere?
<clever> try `with a.b; b`
<clever> no
<clever> if that doesnt exist, it tries other locations
<clever> yeah
<clever> `with pkgs.xdotool; xdotool` is identical to `pkgs.xdotool.xdotool`, which doesnt exist
<clever> yeah, thats identical to a.b
<clever> so the d becomes a variable you can refer to
<clever> JonReed: you're defining a.b.c.d = foo and then doing a with a.b.c
<clever> JonReed: or just `with pkgs;`
<clever> JonReed: let xdotool = pkgs.xdotool; in ...
<clever> JonReed: `with pkgs.xdotool; xdotool` tries to do `pkgs.xdotool.xdotool`
<clever> hmmm, only 268mb usage
<clever> Maximum resident set size (kbytes): 268472
<clever> these paths will be fetched (191.28 MiB download, 939.96 MiB unpacked):
<clever> [root@system76:~]# command time -v nix-store -r /nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11
<clever> [root@system76:~]# nix-store --delete /nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11
<clever> symphorien: if its already in your /nix/store it wont use any ram downloading
<clever> symphorien: run it as root, and it wont use the daemon
<clever> teej: you may simply need more ram, until the constant-memory stuff in nix is fully finished
<clever> teej: older versions of nix try to keep the entire NAR as a std::string in ram, and may have 2 or 3 copies, and the NAR for go is 939mb...
<clever> teej: try the above 3 commands
<clever> teej: nix-channel --update ; nix-env -iA nixpkgs.nix ; nix-env -iA nixpkgs.go
<clever> teej: what does it print before that, and how much ram do you have?
<clever> teej: what about nix-env -iA nixos.go
<clever> teto: your shell.nix must return another derivation, that has that ghc in the buildInputs
<clever> teto: that drops you into a shell suitable for building ghcWithPackages, not using ghcWithPackages
<clever> teto: how are you using it?
<clever> teto: yes
<clever> worldofpeace: first step i usually do, is just nixos-rebuild build, and read the result to confirm its doing the right thing
<clever> at every stage, it uses --arg and --argstr to auto-fill arguments
<clever> if the b in -A a.b.c is a function, it runs it...
<clever> if the a in -A a.b.c is a function, it runs it
<clever> if the file it loaded is a function, it runs it
<clever> samueldr: -A will auto-call at every step
<clever> lol
<clever> gchristensen: the first half of this diff will improve the readability of the stats: https://gist.github.com/cleverca22/a8d61484e6ce42ebc0818b593c94065a
<clever> gchristensen: aha, ~/nix, not ~/apps/nix
<clever> gchristensen: all i know for sure, is that i was on the memoise branch...
<clever> gchristensen: dang!!, i sanitized my gists too much, i cant tell which machine this is from: https://gist.github.com/cleverca22/c99163e94b26d896f511d3540ce7303d
<clever> samueldr: are you importing nixpkgs multiple times?
<clever> samueldr: is nixops involved any?
<clever> let me find the other patch i have, it can probably be added to your pr
<clever> i had patched it locally (and lost the diff), and it was editing more places, 2 or 3 i think
<clever> gchristensen: heh, that was a far simpler fix than i thought
<clever> kisik21: oops, ^^^
<clever> lord|: in /nix/var/log/nix/
<clever> nix saves all logs
<clever> kisik21: run `nix-store -l /nix/store/foo`
<clever> kisik21: why does it need to rebuild?
<clever> kisik21: change one of its inputs?
<clever> gchristensen: for that case, i dont see much point in having stats
<clever> thats where i had my trouble, `nixops --dry-run` uses `nix-build --dry-run`
<clever> gchristensen: make sure --dry-run also works
<clever> gchristensen: looks good
<clever> gchristensen: that would also help
<clever> but then it prints before the real build starts
<clever> so if there is a clear gap between instantiate and build, it could go there?
<clever> of note, the stats cease to change when the build is done
<clever> gchristensen: id say yes
<clever> samueldr: the cloud is just somebody elses server
<clever> gchristensen: `nix build` may also be broken
<clever> gchristensen: it just needs a call to printStats at every exit point
<clever> gchristensen: what will the lawyers say to linking nvidia + zfs into the kernel binary?
<clever> also, say goodbye to zfs and nvidia :P
<clever> :D
<clever> Dezgeg: you could also just compile all modules in, and remove module support
<clever> samueldr: nix-build doesnt support NIX_SHOW_STATS
<clever> samueldr: instantiate works
<clever> but some binaries are broken and dont show stats
<clever> yeah
<clever> then you will have separate keys for the modules, bootloader, kernel, and config, potentially
<clever> kisik21: do you want to open your bios config and load a new public every time?
<clever> kisik21: your /boot changes every single time you `nixos-rebuild switch`
<clever> hence "have fun" :P
<clever> kisik21: and now the secret is readable by every single user on the machine
<clever> kisik21: with the nix sandbox, you have to put the secret into /nix/store/
<clever> oh, and have fun trying to sign the kernel modules in /nix/store/
<clever> and maybe something else to enforce only loading signed kernel modules
<clever> kisik21: you will need some packageOverrides to disable it
<clever> kisik21: yes
<clever> emily: to properly be secure, never sign a kernel that has kexec enabled
<clever> emily: yeah
<clever> so secure-boot with the M$ key is effectively useless
<clever> and nobody can revoke that key, because it would render every single install dvd useless
<clever> so anybody can just use that M$ signed binary as an escape-hatch to run unsigned code
<clever> there is a bug in their installer-dvd bootloader, that runs unsigned code
<clever> you will also want to remove the M$ key
<clever> monokrome: create your own pair, and load the public into the bios using the bios options
<clever> monokrome: your own keypair
<clever> the scripts that update /boot for systemd-boot or grub, will need to sign the bootloader&kernel any time you update /boot/
<clever> for any decent firmware, there is no money problems
<clever> so i could just swap out your motherboard, and boot your hdd under that
<clever> secureboot doesnt stop your OS from being run in a hypervisor
<clever> and even if you have luks, if the attacker does manage to defeat secureboot, he could boot your OS in a hypervisor, and then wait for you to enter the luks password
<clever> some firmware allow you to load your own key
<clever> and if you're not using luks, an attacker can just read the secrets and then its pointless
<clever> the problem is that you must sign the kernel and initrd that are in /boot/

2018-08-31

<clever> also, profile your junk :P
<clever> ,profiling
<clever> the units are bytes, and i need to set it to 30gig or so sometimes
<clever> samueldr: increase GC_INITIAL_HEAP_SIZE
<clever> nix will re-download the url hourly, and rename the output to match whatever the hash comes out to
<clever> the only other option (which isnt "pure") is to just omit the sha256
<clever> and only the name and sha256 are used
<clever> fetchTarball uses a name of "source"
<clever> replace a few digits with 0's, and then re-build
<clever> you claimed it was identical, so nix didnt bother trying to fetch mkPandoc
<clever> so nix just grabbed the nixpkgs from /nix/store/
<clever> its identical to nixpkgs
<clever> philippD: and is the sha256 correct?
<clever> philippD: can you add nixpkgs.pinned.nix to the gist?
<clever> pie__: not much
<clever> v0latil3: ive just run windows in virtualbox
<clever> so anything alsa based will wind up connecting to pulse
<clever> pulseaudio also includes its own alsa drivers
<clever> pie__: pulseaudio may make things simpler
<clever> pie__: its part of the base linux packages, so just `modprobe snd-aloop` or add it to the right nixos param for auto-loading
<clever> oops, pasted too much
<clever> ,locate linux.out 8,068 r /nix/store/yw01y3c85zhzw4dwiic6vpdd92bfgvcs-linux-4.9.23/lib/modules/4.9.23/kernel/sound/drivers/snd-aloop.ko.xz
<clever> samueldr: sure
<clever> ixxie: havent thought of splitting it out
<clever> pip3000: that is why its failing
<clever> havent gotten around to a 2nd pr or a proper issue
<clever> i had filed a PR, then it got merged, then i noticed a typo that means i only fixed 32bit ntpd, lol
<clever> pip3000: no ; at the end of the file
<clever> gchristensen: there is a bug that causes it to half die, but not quit, after a few hours of uptime
<clever> gchristensen: we will want to make sure ntpd still works on the next nixos release
<clever> that looks good at a glance
<clever> > '' ''$''${QT_HOST_DATA} ''
<clever> ixxie: run `id`
<clever> pip3000: nope
<clever> pip3000: a: no, b: i dont see anything referring to unstable in that pastebin, so that will have zero impact on the system
<clever> pip3000: you must only have 1 set after the in
<clever> pip3000: you have 2 sets after the in
<clever> ixxie: its mostly just a few independent systemd services
<clever> pip3000: between the { pkgs, ... }: and the first {
<clever> ah
<clever> ixxie: i just use pure nixos, no k8 or docker
<clever> ixxie: or for running a group of services in a contained way
<clever> ixxie: the only time i see nixos containers being of use, is when a service is being dumb and expects something like a constant port or unix socket, and you cant run 2 of it
<clever> but { let foo = bar; in ... } is not valid
<clever> for example, { key= let key2=value2; in value3; }
<clever> pip3000: `let key=value; in value` is only valid in areas where a value could also have been used
<clever> pip3000: you need to use packageOverrides to change the teamspeak attribute
<clever> Mark___: this channel handles nix, nixpkgs, nixos, and nixops
<clever> Zajcev: can you pastebin /nix/store/kkj9rs80wgkcpki4znpak4fgp7c6nv9h-nginx.conf ?
<clever> Zajcev: very, i have 5 or 6 domains on mine and no issues, you appear to have 2?