2018-08-09

<clever> ah
<clever> tilpner: that makes things a lot harder for yourself and will break on darwin
<clever> tilpner: also, why are you using derivation directly?
<clever> tilpner: nixpkgs also already has a function to generate a squashfs from a given closure
<clever> gchristensen: compression of the image is the only way to break the link
<clever> gchristensen: yeah
<clever> buildEnv
<clever> but the jobs typically also depend on it indirectly
<clever> so it can even GC that gcc, and wind up in the same place
<clever> hydra is also not aware of the IFD dependencies, and wont create GC roots to protect them
<clever> that has caused a hydra eval to take 2 hours before, because it has to build gcc just to symlink nixpkgs
<clever> so i have to throw in IFD and symlink the $out to the dir
<clever> i also cant nix-build a builtins.fetchTarball
<clever> i agree
<clever> nix-build -E './.'
<clever> error: expression does not evaluate to a derivation (or a set or list of those)
<clever> only place it doesnt work at is as a direct target of nix-build
<clever> its 1am here though, i need to get to bed, goodnight all :)
<clever> neonfuz: the nixos config will auto-load the modules for you
<clever> i think ive fixed this exact problem 3 or 4 times now, lol
<clever> if you manually mount it and run nixos-generate-config, it will fix hardware-config.nix automatically
<clever> manually mount it, fix the config in /etc/nixos/, and then nixos-rebuild once more, and all should be perfect
<clever> and that undoes any changes you had done
<clever> and then it boots the old config from the /boot partition
<clever> every time you nixos-rebuild, it updates /boot on the / partition
<clever> /boot is not mounted
<clever> because of the ;
<clever> the redirect only applies to the 2nd command
<clever> all of that should be on stdout
<clever> Growpotkin: can you pastebin the output of `mount ; ls -l /run/current-system /run/booted-system` ?
<clever> Growpotkin: is /boot mounted ?
<clever> correct
<clever> i believe
<clever> in configuration.nix
<clever> that has to go into nixpkgs.config.virtualbox.enableExtensionPack
<clever> and yeah, that too
<clever> you will want to remove the copy in nix-env
<clever> neonfuz: nix-env ignores configuration.nix values
<clever> and it wont overwrite an existing configuration.nix
<clever> but you already have one from the disk image
<clever> nixos-generate-config is what creates configuration.nix when doing a new install
<clever> anywhere inside the main area of the file, just add system.stateVersion = "18.09";
<clever> yeah, you can add that to configuration.nix and do another rebuild
<clever> the image probably just lacks that setting then
<clever> that would explain things then
<clever> ahh
<clever> ah, did you use a .iso file from march?
<clever> nixos-generate-config would have created it, but you may have since deleted it
<clever> sigtrm: i'm guessing it should be set to "18.09"
<clever> sigtrm: thats from march and it lacks wireguard-tools, you need to `sudo nix-channel --update`, which will update the versions for everything
<clever> sigtrm: and what about `nix-instantiate '<nixpkgs>' -A lib.nixpkgsVersion --eval` ?
<clever> then its probably the initial version that you installed from
<clever> sigtrm: what is the last date show in `nix-env -p /nix/var/nix/profiles/per-user/root/channels --list-generations` ?
<clever> sigtrm: sudo nix-channel --list
<clever> sigtrm: what channel are you on?
<clever> sigtrm: did you add wireguard-tools to your configuration.nix?

2018-08-08

<clever> and then have 2 TPM entries for encrypted hdds
<clever> you would need to encrypt /boot with its own TPM entries, based on the measurements of the firmware+grub.efi, and then have a separate /boot/EFI partition that secureboot monitors
<clever> and give up on having the TPM hash that, nixos-rebuild
<clever> Dezgeg: oh yeah, and is /boot encrypted??, i can just edit the grub cfg
<clever> you would have to also tell grub to not report the kernel cmdline to the TPM, and trust that the grub pw lock is secure
<clever> so the kernel cmdline must be part of the TPM measurements
<clever> Dezgeg: but all it takes is rdinit=/bin/sh and i now have a shell inside your signed initrd, which would have had permission to decrypt the hdd via TPM
<clever> Dezgeg: most distros have a static kernel cmdline, and they dont change the init= at every single boot
<clever> it also relies on each executable stage (firmware, bootloader, kernel) reporting the hash of the next, before it hands over control
<clever> mikky: it prevents an attacker from just booting his own os, if he somehow bypassed secure-boot
<clever> mikky: and only if the same series of recordings are fed to it, will the TPM unlock and allow decrypting the hdd
<clever> mikky: thats when the TPM records the hashes of every blob (bootloader, kernel, initrd, kernel params)
<clever> mikky: measured boot will break every time you nixos-rebuild
<clever> mikky: it is trivial to lie to the OS and claim secureboot is still on, once you are running your own code in ring0
<clever> mikky: but nothing stops me from just replacing the motherboard with another one that has secureboot disabled, then putting some malware into your /boot partition to save the luks password
<clever> mikky: the keys must exist on the hdd, and then an attacker could just steal them and sign his own kernels
<clever> mikky: secure-boot is basically impossible with nixos, due to needing to re-sign the kernel and initrd constantly at every rebuild
<clever> mikky: i think bios-boot can work if the /boot is before that 2tb point
<clever> mikky: nixos allows the kernels and grub.efi to be on separate partitions
<clever> mikky: and line 545 must point to an executable that will scan /nix/var/nix/profiles/system*, generate the rollback options for nixos, and install the bootloader
<clever> mikky: make note of line 563-565
<clever> mikky: it would define the options under options.boot.loader.refind = { ...
<clever> mikky: to start with, create an refind.nix in a similar path, based on https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/boot/loader/grub/grub.nix
<clever> nothing stops grub from gaining those features
<clever> then you just need to do boot.loader.grub.extraEntries = "insmod os-prober";
<clever> mikky: you are free to create a custom grub module that can probe things at boot-time and mutate the menu: https://wiki.osdev.org/Writing_GRUB_Modules
<clever> yeah
<clever> mikky: the very end also shows an efi chainload method
<clever> add the block they show to boot.loader.grub.extraEntries = '' ... '';
<clever> mikky: https://wiki.gentoo.org/wiki/GRUB2/Chainloading#Windows_.28MSDOS_based_boot_loaders.29
<clever> mikky: currently, it chainloads the legacy MBR for windows, but grub also supports ntldr
<clever> mikky: i have something like a ~5 line entry in configuration.nix to boot windows via grub
<clever> mikky: try listing it on your machine if you're on systemd-boot
<clever> mikky: systemd-boot still adds itself to the efi vars listed by efibootmgr
<clever> so if you have a setup that requires imaging all new macs, you have to partially configure the mac, turn off secure boot, re-image it, then configure it all over!
<clever> mikky: it sounds like all modern macs now have secure boot enabled, and you must register the 1st user before you even have the choice to turn it off
<clever> Dezgeg: an option rom can probably still extend uefi the same way
<clever> windows somehow detects that, and refuses to even install
<clever> i have seen some systems that lack nvme drivers in the firmware, so you just cant boot from nvme, end of story
<clever> grub technically also doesnt support nvme, it relies on the bios to provide the drivers
<clever> i dont think any bios provides legacy wrappers for nvme
<clever> Dezgeg: nvme wont boot with legacy at all
<clever> and at that path within the partition, is the file it named
<clever> -rwxr-xr-x 1 root root 119K Oct 29 2017 /boot/EFI/BOOT/BOOTX64.EFI
<clever> mikky: line 4 says my current os is config #3 from the efi vars, line 10 shows config #3, which has a uuid and a path, and line 14 shows the uuid of partition #1
<clever> mikky: each os will put the set of efi partition uuid, and path to .efi, into the efi vars
<clever> mikky: the uuid of the efi partition is in the efi vars
<clever> mikky: grub or systemd-boot?
<clever> mikky: one min
<clever> mikky: then you just pick one from the firmware
<clever> mikky: when using efi, each OS should add its own entry to the efi vars
<clever> the name there comes from `nix-channel --list`
<clever> jabranham: then you want `nix-env -iA nixos.myPackages`
<clever> and pastebin that result
<clever> mikky: can you run `hexdump -C` over both, then diff the 2 hexdumps?
<clever> if it differs from the efi system partition
<clever> i suspect grub-install will bake in the partition uuid of where to find the config, and maybe the fs drivers for that partition
<clever> the warning also mentioned how long i had been in the channel
<clever> gchristensen: i did notice it had warned me at 17:43, but i didnt notice the warning until 20mins later
<clever> tobiasBora: dont you have another machine you could run this on, one you have root on?
<clever> nek0: you would need to find the right libstdc++, and then override the nix expression to fix things
<clever> tobiasBora: if user namespaces are disabled, you dont really have very many options, your only real choice is to change the /nix path, and that involves rebuilding EVERYTHING
<clever> it sounds like the arduino package is broken
<clever> nix-shell only provides the x86 one
<clever> nek0: ahh, then it wants the avr libstdc++, not the x86 one
<clever> nek0: how are you trying to compile it?
<clever> tobiasBora: you would need somebody to mount the usb to /nix for you
<clever> nek0: ^^
<clever> neonfuz: nix-shell should have libstdc++ in its search path by default
<clever> elvishjerricco: oh yeah, i forget about auto
<clever> tobiasBora: it may need local instead of daemon then
<clever> not sure what will happen then
<clever> either enable it with sysctl, or just sudo the nix-build
<clever> debian doesnt allow that by default
<clever> tobiasBora: it will need the kernel to allow you to make namespaces dynamically
<clever> daemon, local, s3, ssh, ssh-ng, and a few other protocols are supported
<clever> elvishjerricco: with nix 2, you can use URI's for both --store and substituters
<clever> rm -rf is too dumb to +w things itself
<clever> and you dont need sudo to delete fakeroot, `chmod -R +w fakeroot ; rm -rf fakeroot`
<clever> and it will auto-create its own namespaces as needed
<clever> and write everything to fakeroot
<clever> it will treat the local nix-daemon as a binary cache, and then fall back to the normal when the daemon lacks things
<clever> tobiasBora: i think this will do what you want
<clever> [clever@amd-nixos:~]$ nix-build '<nixpkgs>' -A hello --store local?root=/home/clever/fakeroot --option substituters 'daemon https://cache.nixos.org'
<clever> tobiasBora: let me find an example...
<clever> tobiasBora: you need to configure it to use /nix as a cache
<clever> it needs root to delete system profiles
<clever> in that case, your only option is to delete old system generations with `sudo nix-collect-garbage --delete-older-than 30d` and then nixos-rebuild again
<clever> systemd-boot doesnt have this option
<clever> you need to set configurationLimit to limit how many it puts there
<clever> yes, it will do that
<clever> neonfuz: can you pastebin the output from the above ls command?
<clever> what does dmesg say near the end?
<clever> when ran without root
<clever> neonfuz: what does `ls -ltrh /boot/EFI/nixos` say?
<clever> elvishjerricco: setup.sh is the core of stdenv, and it was made back in ~2003
<clever> nixpkgs has already gone thru one such rewrite :P
<clever> before stdenv.mkDerivation, there was builderDefs
<clever> elvishjerricco: one min...
<clever> yep
<clever> it will map a function over all inputs, that grabs the .dev output
<clever> lib.chooseDevOutputs ^^
<clever> ctrl+f for strictDeps here
<clever> i believe it forces only native inputs to get into PATH
<clever> to force you to do things in a cross-compile friendly way
<clever> there is also a new strict flag, that stops anything from buildInput getting into PATH
<clever> elvishjerricco: cross-compile complicates that
<clever> the nix level has to know which output it needs, before the build has even ran
<clever> it cant know which one contains /bin/ when at the nix level
<clever> i thought it was first in most
<clever> hmmm
<clever> > curl.outputs
<clever> so technically gtk is broken here
<clever> jtojnar: aha, dev is not the first output on gtk, thats the problem
<clever> > gnome2.gtk.outputs
<clever> > gtk.outputs
<clever> jtojnar: try removing gtk.dev and see if it still builds
<clever> and that will have propagated inputs to pull in others it needs
<clever> elvishjerricco: it will pick the first output in the list, which is generally .dev
<clever> some people just throw things at the wall until it builds, and then dont try to remove the un-needed things
<clever> the stdenv should pick the right thing for you with just somelibrary
<clever> jtojnar: see if it builds without .dev and then file a PR
<clever> jtojnar: i think its either that somelibrary wasnt written right, or somebody didnt fully know how split-outputs works
<clever> you have to nixos-rebuild to update /boot based on what GC has deleted
<clever> neonfuz: garbage collection wont clean up /boot/
<clever> yeah
<clever> neonfuz: this controls how many generations nixos will keep in there, and it will auto-delete any extras
<clever> and it only takes effect after nixos-rebuild has finished
<clever> selfsymmetric-pa: nix.nixPath will control the defaults for NIX_PATH
<clever> sudo will mess with env vars
<clever> selfsymmetric-pa: try `sudo -i` then set NIX_PATH and run nixos-rebuild
<clever> :D
<clever> --fast skips it, and goes directly to the real nixos build
<clever> so that winds up ignoring --option
<clever> but it doesnt correctly pass all the flags to that nix-build
<clever> nixos-rebuild will first build nix itself
<clever> vandenoever: try adding --fast
<clever> oh
<clever> i copy/pasted it because i dont trust myself with that word :P
<clever> vandenoever: those only control what nix-collect-garbage can delete
<clever> vandenoever: you can also `nixos-rebuild build --option substituters https://cache.nixos.org` to bypass the current config immediately
<clever> vandenoever: not setting them is correct, but the change only takes effect after nixos-rebuild has finished
<clever> during the deploy, it will also tell you if its fetching from a cache or copying to the slave, for each storepath
<clever> oh, and if you set it to false, nix-copy-closure will also gzip things
<clever> so setting it to false would make the slaves use the 300mbit fiber modem, and deploy faster
<clever> but also, my nixops machine is the laptop, with its cruddy 54mbit wifi
<clever> correct
<clever> for example, when managing machines within my house, true would be best, since my gigabit trumps the modem
<clever> relative to the remote machines and the caches
<clever> it refers to a fast connection between the nixops box and the remote machines
<clever> yep
<clever> then the remote machine will obey nix.conf and try to find a cache with things
<clever> dhess: https://nixos.org/nixops/manual/#opt-deployment.hasFastConnection
<clever> dhess: deployment.hasFastConnection
<clever> dhess: there is a flag to allow the remote machines to use their own binary cache config to speed things up
<clever> dhess: yeah, nixops wants a complete copy of the closure locally, before it even tries to update the machines
<clever> vandenoever: yeah, you have no cache support and must build everything, gentoo style!
<clever> vandenoever: then it should just grab gcc and bash from the cache
<clever> vandenoever: if you're following channels properly, then gcc shouldnt rebuild
<clever> vandenoever: nixos-rebuild build, after updating the channel
<clever> dhess: basically, you configure all of the nix-serve's in one central place, that runs cachecache, and that then provides a single cache url, and will mux it out and cache the replies
<clever> dhess: this is something that i was planning to cover with https://github.com/cleverca22/cachecache
<clever> dhess: add the desktop as a cache for the laptop?
<clever> colemickens: but there is a bug in nix that causes it to never give up when a given url is offline
<clever> colemickens: you could just setup nix-serve on every machine in your LAN, and configure them all to read eachothers nix-serve url
<clever> kiloreux: hmmm, buildPythonPackage supports these 4 types, but its not clear which one is requirements.txt
<clever> 55 buildPythonPackage = makeOverridablePythonPackage ( makeOverridable (callPackage ../development/interpreters/python/build-python-package.nix {
<clever> kiloreux: one min
<clever> at least for system units
<clever> no need to do daemon-reload, nixos does that for you
<clever> tobiasBora: just copy the code from line 14-32 and you can boot nixos in qemu
<clever> the first one is meant for testing the justdoit.nix script, but it boots a full nixos, so you could just repurpose it
<clever> that will generate a pair of bash scripts in result/bin/
<clever> nix-build simple-test.nix -A legacy_sata
<clever> tobiasBora: oh, the kexec test stuff could also be used, and that has a full nixos, for only ~300mb
<clever> no wiki on the project, but you're free to create pages in there
<clever> and if you expand the + on the last folder in log.html, you can see the runit output
<clever> which generates a screenshot of it booting
<clever> hydra is running the boot.nix file every time a push happens to nixpkgs master
<clever> just add another -drive param for a writable image, and modify the stage-1 script to mount it
<clever> yeah
<clever> kernel&initrd are directly passed to qemu, root disk is passed as a virtual cdrom, because thats the only thing in qemu that supports read-only files
<clever> tobiasBora: this line runs not-os in qemu, no disk image required
<clever> that makes things simpler
<clever> tobiasBora: oh, will this be hosting qemu, or running within qemu?
<clever> there is support to boot it over ipxe+tftp
<clever> tobiasBora: nope, its just a bare kernel, initrd, and root.squashfs
<clever> not-os also lacks the ability to apply changes at runtime and nixos-rebuild
<clever> and if you dont set a type at all, it will prefer true when they conflict
<clever> teto: the types.bool in the module system will throw an error if the bools dont agree on a value
<clever> yep
<clever> so you dont have to do anything special at all, just set it to a list containing a new item
<clever> wantedBy is a list, and nixos will just automatically concat all lists
<clever> dhess: systemd.services.foo.serviceConfig = lib.mkForce ...;
<clever> dhess: you want mkForce, not overrideAttrs
<clever> nix.useSandbox = true;
<clever> Orbstheorem: i always enable it system-wide, and the default in nixos recently changed
<clever> dhess: nope
<clever> or generate a new one
<clever> you only have to run ssh-add once, and you need to copy your ssh private key in anyways
<clever> that will also work with gpg-agent
<clever> but you still need ssh-add to add keys to it
<clever> you're using gpg-agent
<clever> gpg-agent will also permanently save all added keys to the gpg keyring
<clever> you must run ssh-add to add the key
<clever> thats normal, gpg-agent doesnt read ~/.ssh/id_rsa on its own
<clever> and if you run `ssh-add -l` ?
<clever> maerwald: what is it set to?
<clever> maerwald: also, if i restart xorg and login again, it stops working, never got around to looking into why...
<clever> and then it asks for the passphrase in ssh, not X
<clever> every time i login over ssh, it re-binds the agent to that ssh window
<clever> maerwald: the stuff in configuration.nix causes more problems in my setup
<clever> maerwald: i have enable-ssh-support in ~/.gnupg/gpg-agent.conf and i did not enable it in configuration.nix
<clever> teto: what about with: nix-shell -E 'with import <nixpkgs> {}; clangStdenv.mkDerivation { hardeningDisable=["all"]; name = "name"; }'
<clever> teto: so you can just hardeningDisable=all nix-shell -p clang
<clever> teto: also of note, every attribute you put on a derivation becomes an env var
<clever> teto: -p just dynamically generates a stdenv.mkDerivation with the listed packages in buildInputs
<clever> teto: you want to use clangStdenv.mkDerivation
<clever> kalbasit[m]: thats to deal with the inability to patch PYTHONPATH, the recent changes in nixpkgs to support plugins properly may improve that
<clever> kalbasit[m]: stringio.patch is from an upstream PR, it was doing string appends poorly, and the slack with 16,452 users on it had several mb worth of json at connect time, and it consumed enough cpu to cause weechat to crash
<clever> kalbasit[m]: wee_slack.patch allows you to use weeslack without getting approval from your slack admins, which may sometimes be required
<clever> kalbasit[m]: it also recently got support for plugins in nixpkgs
<clever> kalbasit[m]: probably, i just never got around to it
<clever> kalbasit[m]: ive been installing it with a weechat from a pinned nixpkgs rev: https://github.com/cleverca22/nixos-configs/blob/master/weechat.nix
<clever> fresheyeball: can you gist the entire file?

2018-08-07

<clever> i would put just the above in postInstall, and remove the rest
<clever> wrapProgram $out/bin/rclone-browser --prefix PATH : "${rclone}/bin"
<clever> you want to do something like this