<clever>
tnks: so nix-daemon is already signing things after the builds finish, if configured
<clever>
tnks: aha, i set secret-key-files in nix.conf, deleted a store path, then re-built it with nix-build, now db.sqlite contains a signature
<clever>
tnks: i believe you need write to the directory to grab the right lock files for opening
<clever>
tnks: this, as root, is how i view a sig, right now, its an empty value since its not signed
<clever>
[nix-shell:/nix/var/nix/db]# sqlite3 db.sqlite 'select sigs from ValidPaths where path = "/nix/store/b46sv85mp79xww7q31fv3cpz0c0zbw2n-daedalus"'
<clever>
tnks: cache.nixos.org and friends
<clever>
tnks: db.sqlite is the entire state of /nix/store/
<clever>
tnks: binary-cache-v3 is a cache of what is present on the binary caches
<clever>
Myrl-sak1: also, nix-store --query --roots tells you why its alive
<clever>
Lisanna: yeah, that doesnt really work then
<clever>
the nix-store man page shows how to generate the pair
<clever>
:q!
<clever>
or add the right user to trusted
<clever>
so you can either --to root@foo, or sudo nix-copy-closure --from source
<clever>
but with 1.11, nix-copy-closure with a trusted user on the receiving end, just ignores the signatures
<clever>
maybe 2.0 changes things some
<clever>
tnks: trusted-users are allowed to import unsigned paths
<clever>
ive had no issues with the old nix-serve
<clever>
tnks: which fields did you have to fill in?
<clever>
ottidmes: got a link to those docs?
<clever>
acertain: i think you can nix-shell -p '(lib.attrValues qt5)'
<clever>
ottidmes: ah, ive only gotten signing working with nix-serve and hydra
<clever>
ottidmes: for the binary caches, try to query the http://host/hash.narinfo file with curl
<clever>
ottidmes: oh, is this with local builds, or copying between machines?
<clever>
avn_: nix 2.0 saves signatures to db.sqlite when it downloads things, but nix-serve still re-signs everything it serves
<clever>
ottidmes: double-check to see what nix-store you're using on each user
<clever>
ottidmes: is the client 2.0 still? realpath $(which nix-store)
<clever>
ottidmes: oh, that error, is your nix-daemon on 1.11 still?
<clever>
tnks: yeah, plain http is best for a simple binary cache
<clever>
which causes issues with build slaves
<clever>
so if you 'ssh user@host' nix works fine, but if you 'ssh user@host nix-store --help' it fails
<clever>
related, nix-store isnt always in $PATH for non-interactive shells
<clever>
ah, that sounds new
<clever>
so you can push/pull closures, and initiate builds remotely
<clever>
tnks: and a similar protocol is used for `ssh user@host nix-store --serve [--write]`
<clever>
tnks: if nix is run without root, it uses the nix-daemon protocol over a unix socket to proxy everything over, and the daemon uses local-store
<clever>
tnks: if nix is run as root, it will directly use local-store
<clever>
Myrl-sak1: that will reset all generations, so nix-env and nixos state is wiped clean
<clever>
Myrl-sak1: or try just normal nixos-install
<clever>
Myrl-sak1: try a cd / after you chroot
<clever>
Myrl-sak1: what exactly does it fail with?
<clever>
Myrl-sak1: pong
<clever>
zandy[m]: ah, then youll need to wait for lets encrypt caches to expire, then it can retry
<clever>
tnks: you can either patch it to use bzip2 -1 which is faster, or just change out the entire compression algo for something faster
<clever>
zandy[m]: scroll up some, maybe an hour or 2
<clever>
tnks: yeah, its hard-coded to 30, youll either want a package-override, or a reverse proxy that serves a different nix-cache-info and proxies the rest
<clever>
zandy[m]: check `journalctl`, scroll to the end and see if there are any acme related errors
<clever>
makefu: but nginx has to come up with an example.com cert for acme to work, and acme doesnt reload nginx
<clever>
makefu: the acme one runs itself on rebuild-switch, and at regular intervals
<clever>
zandy[m]: i believe you need to restart nginx now
<clever>
* SSL certificate problem: self signed certificate
<clever>
zandy[m]: and also, port 443 is blocked, security groups on aws
<clever>
zandy[m]: try systemctl restart nginx, then try the url again
<clever>
lejonet: lib.optional and the related functions
<clever>
Myrl-sak1: networking.nat
<clever>
Myrl-sak1: its running entirely from ram, so its safe to unplug the cable
<clever>
Myrl-sak1: and refresh the dhcp lease on it
<clever>
Myrl-sak1: once it boots, you can optionally just plug the broken machine into any router
<clever>
lexwhere: nix-bundle and arx are in my plans
<clever>
lexwhere: the nix variant isnt written yet
<clever>
Myrl-sak1: just run nixos-install
<clever>
lexwhere: i'm actually working on something just like that, that uses namespaces to put it at ~/nix/
<clever>
Myrl-sak1: if you dont nix-channel --update often, a single force can delete months worth of generations
<clever>
but you did delete everything that referred to the path you were deleting
<clever>
yeah, you didnt delete everything
<clever>
Myrl-sak1: just leave your configuration.nix as-is, and mount the right partition under /mnt/boot/
<clever>
Myrl-sak1: there is also a minor problem, since you're booting via legacy, configuring efi will be a bit more tricky, but we can assume that the efivars are already set up
<clever>
Myrl-sak1: netboot_server.nix doesnt support EFI currently
<clever>
Xianwen: just copy that to /etc/nixos/cwm.nix, replace all dwm's with cwm's, and add imports = [ ./cwm.nix ]; to the configuration.nix, and it should become a valid option
<clever>
Myrl-sak1: do you have other nixos machines?, is a laptop still working?
<clever>
same
<clever>
Myrl-sak1: oh, id just back them up to another machine, how much is used?
<clever>
Myrl-sak1: nixos-install will fix it without losing any files or your config
<clever>
Myrl-sak1: just dd it directly to the root of the usb drive
<clever>
Myrl-sak1: the nixos ISO's are already usb images
<clever>
Myrl-sak1: that is what --repair-path is for
<clever>
Myrl-sak1: if you boot from any install media for nixos, you can mount your FS's to /mnt, and re-run nixos-install to repair it from the existing configuration.nix
<clever>
ive done it, it breaks a lot :P
<clever>
Myrl-sak1: you shouldnt have forced it either
<clever>
tnks: currently, it can only cache the narinfo files
<clever>
tnks: so you fire up a cache-cache instance, put it into your binary-caches list, and it will proxy all requests upstream, and cache all replies
<clever>
tnks: basically, its a transparent http proxy for binary caches, with support to query several caches behind the scenes
<clever>
cache.nixos.org lacks garbage collection, so that cant really happen
<clever>
but if somebody was garbage collecting their own cache, and the build was not bit-for-bit reproducible, the narhash would come out different, resulting in a new signature for the new nar