<clever>
and it wont overwrite an existing configuration.nix
<clever>
but you already have one from the disk image
<clever>
nixos-generate-config is what creates configuration.nix when doing a new install
<clever>
anywhere inside the main area of the file, just add system.stateVersion = "18.09";
<clever>
yeah, you can add that to configuration.nix and do another rebuild
<clever>
the image probably just lacks that setting then
<clever>
that would explain things then
<clever>
ahh
<clever>
ah, did you use a .iso file from march?
<clever>
nixos-generate-config would have created it, but you may have since deleted it
<clever>
sigtrm: i'm guessing it should be set to "18.09"
<clever>
sigtrm: thats from march and it lacks wireguard-tools, you need to `sudo nix-channel --update`, which will update the versions for everything
<clever>
sigtrm: and what about `nix-instantiate '<nixpkgs>' -A lib.nixpkgsVersion --eval` ?
<clever>
then its probably the initial version that you installed from
<clever>
sigtrm: what is the last date shown in `nix-env -p /nix/var/nix/profiles/per-user/root/channels --list-generations` ?
<clever>
sigtrm: sudo nix-channel --list
<clever>
sigtrm: what channel are you on?
<clever>
sigtrm: did you add wireguard-tools to your configuration.nix?
2018-08-08
<clever>
and then have 2 TPM entries for encrypted hdds
<clever>
you would need to encrypt /boot with its own TPM entries, based on the measurements of the firmware+grub.efi, and then have a separate /boot/EFI partition that secureboot monitors
<clever>
and give up on having the TPM hash that, nixos-rebuild
<clever>
Dezgeg: oh yeah, and is /boot encrypted??, i can just edit the grub cfg
<clever>
you would have to also tell grub to not report the kernel cmdline to the TPM, and trust that the grub pw lock is secure
<clever>
so the kernel cmdline must be part of the TPM measurements
<clever>
Dezgeg: but all it takes is rdinit=/bin/sh and i now have a shell inside your signed initrd, which would have had permission to decrypt the hdd via TPM
<clever>
Dezgeg: most distros have a static kernel cmdline, and they dont change the init= at every single boot
<clever>
it also relies on each executable stage (firmware, bootloader, kernel) reporting the hash of the next, before it hands over control
<clever>
mikky: it prevents an attacker from just booting his own os, if he somehow bypassed secure-boot
<clever>
mikky: and only if the same series of recordings are fed to it, will the TPM unlock and allow decrypting the hdd
<clever>
mikky: thats when the TPM records the hashes of every blob (bootloader, kernel, initrd, kernel params)
<clever>
mikky: measured boot will break every time you nixos-rebuild
<clever>
mikky: it is trivial to lie to the OS and claim secureboot is still on, once you are running your own code in ring0
<clever>
mikky: but nothing stops me from just replacing the motherboard with another one that has secureboot disabled, then putting some malware into your /boot partition to save the luks password
<clever>
mikky: the keys must exist on the hdd, and then an attacker could just steal them and sign his own kernels
<clever>
mikky: secure-boot is basically impossible with nixos, due to needing to re-sign the kernel and initrd constantly at every rebuild
<clever>
mikky: i think bios-boot can work if the /boot is before that 2tb point
<clever>
mikky: nixos allows the kernels and grub.efi to be on separate partitions
<clever>
mikky: and line 545 must point to an executable that will scan /nix/var/nix/profiles/system*, generate the rollback options for nixos, and install the bootloader
<clever>
mikky: make note of line 563-565
<clever>
mikky: it would define the options under options.boot.loader.refind = { ...
<clever>
mikky: currently, it chainloads the legacy MBR for windows, but grub also supports ntldr
<clever>
mikky: i have something like a ~5 line entry in configuration.nix to boot windows via grub
<clever>
mikky: try listing it on your machine if you're on systemd-boot
<clever>
mikky: systemd-boot still adds itself to the efi vars listed by efibootmgr
<clever>
so if you have a setup that requires imaging all new macs, you have to partially configure the mac, turn off secure boot, re-image it, then configure it all over!
<clever>
mikky: it sounds like all modern macs now have secure boot enabled, and you must register the 1st user before you even have the choice to turn it off
<clever>
Dezgeg: an option rom can probably still extend uefi the same way
<clever>
windows somehow detects that, and refuses to even install
<clever>
i have seen some systems that lack nvme drivers in the firmware, so you just cant boot from nvme, end of story
<clever>
grub technically also doesnt support nvme, it relies on the bios to provide the drivers
<clever>
i dont think any bios provides legacy wrappers for nvme
<clever>
Dezgeg: nvme wont boot with legacy at all
<clever>
and at that path within the partition, is the file it named
<clever>
-rwxr-xr-x 1 root root 119K Oct 29 2017 /boot/EFI/BOOT/BOOTX64.EFI
<clever>
mikky: line 4 says my current os is config #3 from the efi vars, line 10 shows config #3, which has a uuid and a path, and line 14 shows the uuid of partition #1
<clever>
mikky: each os will put the set of efi partition uuid, and path to .efi, into the efi vars
<clever>
mikky: the uuid of the efi partition is in the efi vars
<clever>
mikky: grub or systemd-boot?
<clever>
mikky: one min
<clever>
mikky: then you just pick one from the firmware
<clever>
mikky: when using efi, each OS should add its own entry to the efi vars
<clever>
the name there comes from `nix-channel --list`
<clever>
jabranham: then you want `nix-env -iA nixos.myPackages`
<clever>
and pastebin that result
<clever>
mikky: can you run `hexdump -C` over both, then diff the 2 hexdumps?
<clever>
if it differs from the efi system partition
<clever>
i suspect grub-install will bake in the partition uuid of where to find the config, and maybe the fs drivers for that partition
<clever>
the warning also mentioned how long i had been in the channel
<clever>
gchristensen: i did notice it had warned me at 17:43, but i didnt notice the warning until 20mins later
<clever>
tobiasBora: dont you have another machine you could run this on, one you have root on?
<clever>
nek0: you would need to find the right libstdc++, and then override the nix expression to fix things
<clever>
tobiasBora: if user namespaces are disabled, you dont really have very many options, your only real choice is to change the /nix path, and that involves rebuilding EVERYTHING
<clever>
it sounds like the arduino package is broken
<clever>
nix-shell only provides the x86 one
<clever>
nek0: ahh, then it wants the avr libstdc++, not the x86 one
<clever>
nek0: how are you trying to compile it?
<clever>
tobiasBora: you would need somebody to mount the usb to /nix for you
<clever>
nek0: ^^
<clever>
neonfuz: nix-shell should have libstdc++ in its search path by default
<clever>
elvishjerricco: oh yeah, i forget about auto
<clever>
tobiasBora: it may need local instead of daemon then
<clever>
not sure what will happen then
<clever>
either enable it with sysctl, or just sudo the nix-build
<clever>
debian doesnt allow that by default
<clever>
tobiasBora: it will need the kernel to allow you to make namespaces dynamically
<clever>
daemon, local, s3, ssh, ssh-ng, and a few other protocols are supported
<clever>
elvishjerricco: with nix 2, you can use URI's for both --store and substituters
<clever>
rm -rf is too dumb to +w things itself
<clever>
and you dont need sudo to delete fakeroot, `chmod -R +w fakeroot ; rm -rf fakeroot`
<clever>
and it will auto-create its own namespaces as needed
<clever>
and write everything to fakeroot
<clever>
it will treat the local nix-daemon as a binary cache, and then fall back to the normal when the daemon lacks things
<clever>
tobiasBora: i think this will do what you want
<clever>
tobiasBora: you need to configure it to use /nix as a cache
<clever>
it needs root to delete system profiles
<clever>
in that case, your only option is to delete old system generations with `sudo nix-collect-garbage --delete-older-than 30d` and then nixos-rebuild again
<clever>
systemd-boot doesnt have this option
<clever>
you need to set configurationLimit to limit how many it puts there
<clever>
yes, it will do that
<clever>
neonfuz: can you pastebin the output from the above ls command?
<clever>
what does dmesg say near the end?
<clever>
when ran without root
<clever>
neonfuz: what does `ls -ltrh /boot/EFI/nixos` say?
<clever>
elvishjerricco: setup.sh is the core of stdenv, and it was made back in ~2003
<clever>
nixpkgs has already gone thru one such rewrite :P
<clever>
before stdenv.mkDerivation, there was builderDefs
<clever>
dhess: there is a flag to allow the remote machines to use their own binary cache config to speed things up
<clever>
dhess: yeah, nixops wants a complete copy of the closure locally, before it even tries to update the machines
<clever>
vandenoever: yeah, you have no cache support and must build everything, gentoo style!
<clever>
vandenoever: then it should just grab gcc and bash from the cache
<clever>
vandenoever: if you're following channels properly, then gcc shouldnt rebuild
<clever>
vandenoever: nixos-rebuild build, after updating the channel
<clever>
dhess: basically, you configure all of the nix-serve's in one central place, that runs cachecache, and that then provides a single cache url, and will mux it out and cache the replies
<clever>
just add another -drive param for a writable image, and modify the stage-1 script to mount it
<clever>
yeah
<clever>
kernel&initrd are directly passed to qemu, root disk is passed as a virtual cdrom, because thats the only thing in qemu that supports read-only files
<clever>
tobiasBora: this line runs not-os in qemu, no disk image required
<clever>
and then it asks for the passphrase in ssh, not X
<clever>
every time i login over ssh, it re-binds the agent to that ssh window
<clever>
maerwald: the stuff in configuration.nix causes more problems in my setup
<clever>
maerwald: i have enable-ssh-support in ~/.gnupg/gpg-agent.conf and i did not enable it in configuration.nix
<clever>
teto: what about with: nix-shell -E 'with import <nixpkgs> {}; clangStdenv.mkDerivation { hardeningDisable=["all"]; name = "name"; }'
<clever>
teto: so you can just hardeningDisable=all nix-shell -p clang
<clever>
teto: also of note, every attribute you put on a derivation becomes an env var
<clever>
teto: -p just dynamically generates a stdenv.mkDerivation with the listed packages in buildInputs
<clever>
teto: you want to use clangStdenv.mkDerivation
<clever>
kalbasit[m]: thats to deal with the inability to patch PYTHONPATH, the recent changes in nixpkgs to support plugins properly may improve that
<clever>
kalbasit[m]: stringio.patch is from an upstream PR, it was doing string appends poorly, and the slack with 16,452 users on it had several mb worth of json at connect time, and it consumed enough cpu to cause weechat to crash
<clever>
kalbasit[m]: wee_slack.patch allows you to use weeslack without getting approval from your slack admins, which may sometimes be required
<clever>
kalbasit[m]: it also recently got support for plugins in nixpkgs
<clever>
kalbasit[m]: probably, i just never got around to it