#nixos — irc logs

14:53 <clever> Infinisil: "nixos-rebuild build-vm" allows running that configuration.nix under qemu

14:52 <clever> ij: can you copy/paste the full contents of the terminal to a pastebin?

14:50 <clever> Infinisil: XAUTHORITY may need to point to the copy

14:48 <clever> that will give it permission to use xorg between users

14:47 <clever> Infinisil: copy the ~/.Xauthority file to that user, and set $DISPLAY to match

14:44 <clever> Infinisil: let su die :P

14:43 <clever> Infinisil: sudo -u FOO -i

14:38 <clever> Infinisil: up next, make an empty directory, point $HOME there, and run it again

14:37 <clever> yeah

14:36 <clever> octe: nixos will silently wrap the entire module in { config = ...; }; if it lacks both .config and .options

14:35 <clever> octe: without the config. prefix

14:35 <clever> octe: add that config entry to configuration.nis

14:34 <clever> fgaz: propagatedNativeBuildInputs and propagatedBuildInputs are not available at runtime, those are available at the build-time of things depending on your package

14:33 <clever> Infinisil: find the exact storepath sphalerite is using, and run nix-store -r on it

14:30 <clever> Infinisil: i think java is dynamicaly extracting a .so from the jar at runtime, so you cant patchelf it

14:29 <clever> fgaz: the buildInputs are only available at build time

13:57 <clever> nix-build -E 'with import <nixpkgs> {}; callPackage ./default.nix {}'

13:55 <clever> ij: yeah

13:49 <clever> ij: its usually a functon that returns a derivation, but you need to run callPackage on that usually, to supply all arguments

13:48 <clever> Infinisil: https://gist.github.com/cleverca22/240c21dab528666c85a95c4edfdeae58

13:47 <clever> Infinisil: nix-build and --arg play together in a very weird and unexpected way

13:47 <clever> ij: which function

13:45 <clever> ij: and '<nixpkgs>' makes it look in $NIX_PATH

13:45 <clever> ij: the default argument for nix-build is default.nix in the current directory

13:45 <clever> Infinisil: nope

13:35 <clever> avn: same, on several machines

13:33 <clever> woffs: can that be limited to a single dataset?

13:32 <clever> woffs: i also wasnt entirely sure how good of a ratio i would have gotten on docker

13:31 <clever> woffs: in my case, i plan to just nuke all of /var/lib/docker when i'm done with it

13:23 <clever> though i'm not sure how snapshots deal with refcounts

13:23 <clever> Infinisil: i think there is also a cost when files are deleted, it has to decrement the refcounts, and see if the block is really free or not

13:19 <clever> Infinisil: it has to have the hashtable in ram or writes to the dedup'd volume are very slow

13:19 <clever> Infinisil: the cost of dedup is more in terms of ram usage

13:16 <clever> amd/docker logicalused 5.62G -

13:16 <clever> amd/docker written 2.00G -

13:15 <clever> amd/docker compressratio 3.01x -

13:15 <clever> [root@amd-nixos:~]# zfs get compressratio amd/docker

13:15 <clever> Infinisil: for docker, its currently storing 3 times what the size states

13:15 <clever> Infinisil: depends on how much duplication you have

13:14 <clever> sphalerite: oops, wrong name, also, i recently turned dedup back on, for just /var/lib/docker/

13:14 <clever> schoppenhauer: dedup is expensive, but if you know there is going to be duplicates (vm images), you can limit the dedup to just that region

13:12 <clever> schoppenhauer: and if your using vm images a lot, dedup can help

13:11 <clever> schoppenhauer: a: `zfs set dedup=verify` so you cant get collisions (dedup is optional as well), b: zfs send | ssh zfs receive

13:08 <clever> schoppenhauer: but instead of | ssh, you have to tell rsync to run itself over ssh, and it opens a 2-way channel

13:07 <clever> schoppenhauer: i think it will interactively talk to the remote rsync, and both sides will hash each block and exchange hashes

12:59 <clever> schoppenhauer: ah

12:59 <clever> schoppenhauer: i use zfs on everything now

12:58 <clever> grw: for some reason, ive memorized that part of the nix source, lol

12:57 <clever> octe: then you can just do what the wiki you linked said to override it

12:57 <clever> octe: if you override the package via nixpkgs.config.packageOverrides, the nixos service will use it

12:56 <clever> octe: plan c, clone nixpkgs and merge the 2 versions

12:56 <clever> octe: plan b, copy the module, rename the service, add it to imports, enable the new one (and packageOverride it)

12:56 <clever> octe: plan a: only upgrade the package via packageOverrides, use the old service

12:56 <clever> grw: yeah

12:55 <clever> octe: for new services, you can add its module to imports, for pre-existing services, you have 2 options

12:54 <clever> grw: when nix-daemon picks a member of the nixbld group to do the build under, it will `kill -9` every process in the user, then start a build under that user

12:54 <clever> grw: very

12:53 <clever> grw: did you add your user to the nixbld group?

12:46 <clever> ij: 3: nix-build '<nixpkgs>' -A hello (most tools accept a search path directly)

12:46 <clever> ij: 2: nix-instantiate --eval -E '<nixpkgs>'

12:46 <clever> ij: 1: nix-instantiate --find-file nixpkgs

01:35 <clever> so the bank was protecting the password harder then paypal

01:35 <clever> from what i remember (its been years), paypal sent the password "bare" over https, but my online banking app did something more complex

01:33 <clever> disasm: burp can also generate a custom ca, that you can trust OS wide on ios/android, allowing you to mitm any app

01:32 <clever> disasm: also usefull is burp proxy, which makes such mitm stuff trivial

01:32 <clever> disasm: any time you work with openssl, try to mitm yourself, and confirm it actualy rejects invalid certs

00:49 <clever> disasm: and because they never tried to mitm themself, they never confirmed if the hostname verification actually did anything, and it shipped

00:48 <clever> disasm: so one program that was trying to turn on all the security, was actually turning it all off

00:48 <clever> disasm: i remember something about the curl library, the enable openssl flag works backwards from what is obvious, and defaults to being secure

13:34 <clever> 1

13:34 <clever> nix-repl> builtins.head [ 1 2 3 ]

18:21 <clever> it can also be ran on a directory

18:20 <clever> eacameron: as part of the fixup phase

18:20 <clever> eacameron: it runs by default on everything in $out/bin/

18:07 <clever> eacameron: if you do "/usr/bin/env bash" and then allow patchSheBangs to run, it will replace in the result of $(which bash) at build time

17:25 <clever> the nixos firewall doesnt block with refused, and it always allows 22 for safety

17:25 <clever> lejonet: at this point, i would point a tcpdump at every interface in the path, and see where the RST packet came from

17:17 <clever> lejonet: in the case i saw, it was hans and halvm as the guest

17:17 <clever> yeah

17:16 <clever> but packets coming in from the real workd already have a checksum

17:16 <clever> lejonet: but when it sends it out the real card, the checksum accel in the hardware fills in the blank

17:16 <clever> lejonet: and the bridge then sends packets with an invalid checksum to the guests

17:16 <clever> lejonet: linux doesnt set the packet checksum when sending packets out (in certain conditions)

17:16 <clever> lejonet: ah, i had also ran into some weird problems with bridging, where the vm couldnt receive traffic from the host, but it could talk to anything else

17:14 <clever> lejonet: the FORWARD policy is only for use when its acting as a gateway

17:08 <clever> lejonet: that will forward the agent onward, so the vm can access the agent you used to get into it

17:08 <clever> lejonet: you can also use "ssh -A user@nixosvm"

17:06 <clever> lejonet: and it will then put its own key into /etc/ssh/authorized_keys.d/root

17:05 <clever> lejonet: yeah

17:03 <clever> Linux c2d 3.8.13-gentoo #3 SMP Thu Dec 15 10:33:05 AST 2016 x86_64 Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz GenuineIntel GNU/Linux

17:02 <clever> 14:02:54 up 240 days, 12:45, 10 users, load average: 0.07, 0.06, 0.09

17:02 <clever> gchristensen: i run irssi under screen, and its configured to save logs, and i never shut off that machine

17:01 <clever> lejonet: then fire up ssh-agent, and run ssh-add on a key that can access the machine

17:01 <clever> lejonet: what does "ssh-add -l" say?

17:00 <clever> lejonet: which command is failing, and have you sucessfully done a deploy?

16:59 <clever> lejonet: but because nixops passes a -i flag, it wont be able to use the ~/.ssh/id_rsa

16:59 <clever> lejonet: ive found that nixops will accept help from the ssh agent

19:15 <clever> spear2: nix-env -p /nix/var/nix/profiles/system --list-generations

19:05 <clever> qz: `sudo nix-collect-garbage -d` will delete everything you can safely delete

18:17 <clever> yep

18:14 <clever> Lisanna_: yeah, then use // to merge that into whatever you wanted that key in

18:09 <clever> f "myFoo";

18:09 <clever> Lisanna_: f = name: { ${name} = { bar = "bar"; baz = name; };

18:07 <clever> /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs

18:07 <clever> rycee, spear2: there is also: ]$ nix-instantiate --find-file nixpkgs

17:45 <clever> cocreature: -K

17:45 <clever> rycee: but in the case of nixos with default config, <nixpkgs> points to the nixos channel on root

17:45 <clever> rycee: if you want to ensure nix-build uses the same channel, you have to manually look it up in the def-expr, and run `nix-build ~/.nix-defexpr/channels_root/nixos -A hello`

17:43 <clever> rycee: and this turns up as nix-env -iA foo.hello

17:43 <clever> import /home/clever/apps/nixpkgs

17:43 <clever> [clever@amd-nixos:~]$ cat .nix-defexpr/test/foo/default.nix

17:43 <clever> rycee: behind the scenes, nix-env will look in this general area, for default.nix files, and use the last directory in the chain as the name, so the above would turn up at nix-env -iA nixos.hello

17:42 <clever> -r--r--r-- 1 root root 557 Dec 31 1969 .nix-defexpr/channels/nixos/default.nix

17:42 <clever> [root@amd-nixos:~]# ls .nix-defexpr/*/*/default.nix -dl

17:42 <clever> rycee: such as nix-env -f '<nixpkgs>' or nix-build '<nixpkgs>', or via similar things within config.nix

17:41 <clever> rycee: both nix-env and nix-build will "basically ignore NIX_PATH", enless directly told to search for something in it

17:16 <clever> then only a minimal subset of packages get rebuilt

17:16 <clever> sphalerite: in theory, you can take the gcc from an unmodified nixpkgs, and override the stdenv in a new nixpkgs

17:15 <clever> sphalerite: `stdenvNoCC = stdenv.override { cc = null; };` this creates a new stdenv, with a given gcc

17:14 <clever> sphalerite: what this did, was open up an unmodified nixpkgs, grab its ghc, then use that to generate a haskellPackages using the generic-builder.nix in a modified nixpkgs

17:14 <clever> sphalerite: https://gist.github.com/cleverca22/60c46368afb999c16224fc17af5c538d

17:12 <clever> sphalerite: probably using something similar to what i did with ghc a month back, one min

17:10 <clever> rycee: nix-env will basically ignore NIX_PATH

13:06 <clever> v0lZy: exactly

13:04 <clever> and nix-daemon is purely to spawn the build, and enforce what args it gets started with, so nobody can cheat

13:04 <clever> Infinisil: more like the -foo.drv file contains the -foo path in it already

13:01 <clever> because your asking nix-daemon for the non-trojaned variant

13:01 <clever> even if another user installs a trojaned variant of a program, you will never be given the path to it

13:00 <clever> and nix-daemon enforces the rules, so you always get the program you asked for

13:00 <clever> only things root installs become global

11:00 <clever> in theory, you can also sign everything, but ive had trouble configuring that

10:55 <clever> builder@192.168.2.126 armv6l-linux,armv7l-linux /etc/nixos/keys/distro 1 1 big-parallel

10:55 <clever> woffs: thats set in your machines file

00:47 <clever> the new myCallPackage will first search within self, then pkgs

00:47 <clever> Lisanna_: bar can now depend on foo, without you having to pass it in

00:47 <clever> Lisanna_: myCallPackage = pkgs.newScope self; self = { foo = myCallPackage ./foo.nix {}; bar = myCallPackage ./bar.nix {}; };

00:46 <clever> Lisanna_: you can also provide more defaults to callPackage

00:49 <clever> then '${foo}' works

00:49 <clever> ah yeah, if you use ${foo} in nix level, the single quotes dont matter

00:48 <clever> and now the variable itself is unquoted

00:48 <clever> $foo doesnt work inside single-quotes, so that variant used 'foo'$bar'baz'

00:47 <clever> variant

00:47 <clever> the single quote varaint isnt

00:47 <clever> double quote is safe against spaces

00:47 <clever> sed -i "s|my/path|my/other/path|g" myFileOfPaths.txt

00:46 <clever> from a random stackoverflow

00:46 <clever> sed -i 's|'$fileWithPath'|HAHA|g' file

17:08 <clever> and then the path doesnt matter as much

17:07 <clever> silver_hook: if the script is in the same directory as the nix file, you can do ExecStart = ./script.sh;

17:05 <clever> i just avoid spaces most of the time

17:03 <clever> silver_hook: as for the space in ExecStart, a \ should escape it, i believe

17:03 <clever> while "borg" is just a 4 character string, that means nothing to systemd

17:03 <clever> pkgs.borg is a string, containing the full path of borg

17:02 <clever> those should be strings

16:54 <clever> silver_hook: unquote*

16:53 <clever> silver_hook: also, unqupte the ExecStart as well

16:53 <clever> silver_hook: by quoting them, your telling nixos to just set PATH=borg/bin:gawk/bin ..., which wont do a thing

16:53 <clever> silver_hook: you want this: with pkgs; [ borg gawk wirelesstools ];

13:41 <clever> nh2: eek, yeah, nix lacks the ability to type-check the config right now

01:31 <clever> ah, nice

01:30 <clever> i havent heard of that option in aws

01:29 <clever> kuznero: for every hour the ec2 instance is on, you get billed, and if its on from 1:30 to 2:30, that counts as 2 hours

01:19 <clever> elastic IP's also from from a different IP block then the dynamic ones

01:14 <clever> nh2: this maps the names like maxJobs to build-max-jobs, and you have nix.extraOptions to inject anything it doesnt handle

01:13 <clever> nh2: https://github.com/NixOS/nixpkgs/blob/release-17.03/nixos/modules/services/misc/nix-daemon.nix#L42-L55

01:12 <clever> nh2: the one you linked, configures a nix-ssh user, that can only run nix-store, and never get a shell

01:11 <clever> nh2: there is a different nix-serve in nixos, that runs over http

01:10 <clever> nh2: ssh-substituter-hosts=value, in nix.conf

01:10 <clever> nh2: so you should be able to set the same values directly in nix.conf

01:10 <clever> nh2: oh right, `--option ssh-substituter-hosts` just acts as a way to override nix.conf entries

01:08 <clever> nh2: checking the source...

01:07 <clever> nh2: nix-serve lacks auth

01:06 <clever> nh2: a simpler option would be to run nix-serve on the remote machine and add it as a binary cache

00:40 <clever> i think so

00:39 <clever> Lisanna: eval "${!curPhase:-$curPhase}"

00:39 <clever> Lisanna: https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L1030

00:37 <clever> eikke: nix-store repair-path will re-run the .drv to re-compile the vmdk as it originally did

00:34 <clever> Lisanna: i think the stdenv only accepts it as an override if the string is non-zero length

00:30 <clever> kuznero: what revision of nixpkgs do you have checked out?

00:28 <clever> Lisanna: the way your doing it should work, but you could also try fixupPhase = "echo not fixing"; just to confirm if an empty string is handled specially

00:27 <clever> that sounds likely

00:27 <clever> check what nh2 just asked

00:26 <clever> Lisanna: fixupPhase is what runs pre/post, so pre/post are just broken if you modify fixupPhase

00:26 <clever> kuznero: what was the error?

00:25 <clever> kuznero: the . at the start of that says to try looking for <nixpkgs> in ./nixpkgs, if that exists

00:24 <clever> Lisanna: there are a lot of chunks missing, so its hard to tell what might be breaking it

00:23 <clever> eikke: nix-build -E 'with import <nixpkgs> {}; callPackage ./grpc.nix {}'

00:22 <clever> disasm: i think it depends a lot on what cmake is doing with the path

00:21 <clever> disasm: sounds like it was already installing to a subdirectory of the prefix, and you can just pass /plugins

00:18 <clever> eikke: cmake is confused more then ar is, lol

00:18 <clever> CMake Error: CMake can not determine linker language for target: cares

00:18 <clever> CMake Error: Cannot determine link language for target "cares".

00:17 <clever> Lisanna: can you gist your nix expression?

00:16 <clever> eikke: what did you do?

00:16 <clever> eikke: all i did was run nix-build on the nix file you gave me

00:14 <clever> still thinking about it

00:12 <clever> eikke: the failure has nothing to do with libz

00:11 <clever> [AR] Creating /tmp/nix-build-grpc-1.3.9.drv-0/grpc-1.3.9/libs/opt/libgpr.a

00:11 <clever> ar: invalid option -- '/'

00:08 <clever> eikke: testing it locally ...

00:05 <clever> nh2: you can also set a -I path to nixops with set-args i think

00:04 <clever> eikke: you need to add cmake to the nativeBuildInputs

00:01 <clever> eikke: can you gist the expression for your derivation?

00:00 <clever> it just works, without having to add .dev

00:00 <clever> [nix-shell:~]$ pkg-config --cflags zlib

00:00 <clever> -I/nix/store/s6hgm8cn82gi4a8mlj8qq4by03yk3297-zlib-1.2.11-dev/include

00:00 <clever> [clever@amd-nixos:~]$ nix-shell --pure -p zlib pkgconfig

23:59 <clever> eikke: the setup hooks dont work if you manualy install pkgconfig with nix-env or systemPackages

23:59 <clever> eikke: pkgconfig has a setup hook, that will add the buildInputs to the pkgconfig search path

21:31 <clever> it returns a magic string, that will be turned into the value of $out at build time

21:31 <clever> LnL: builtins.placeholder

21:25 <clever> not sure why $(out) behaves differently in some cases

21:25 <clever> roni: and other factors affect if bash is going to eval it or not down the road

21:24 <clever> roni: ${out} might get parsed by nix first, so you would have to escape it

12:18 <clever> robert`: nix-store --query can also help

12:17 <clever> robert`: in that drv file should be the path to its src drv, which will contain directions on how the src was downloaded

12:17 <clever> robert`: find the storepath of gonimo that is actively running (ps aux), then find its .drv file in the store of the deployer that ran nixops

00:40 <clever> yep

00:37 <clever> rather then a modified libunistring

00:37 <clever> only weird part, is that your storing a modified findutils inside libunistring

00:36 <clever> Unode: looks normal at a glance

00:10 <clever> ryantm: gchristensen recently modified the nix installer to do multi-user on darwin by default, because the OS is far more predictable then generic-linux

00:09 <clever> ryantm: rgrinberg: also, "sudo nix-channel --list" doesnt work on a mac, you must "sudo -i" then "nix-channel --list"

14:42 <clever> brodul: you can also run nix-copy-closure as root

13:42 <clever> viaken: there is also locate

13:40 <clever> viaken: i prefer using type in bash, since it can also detect aliases and functions

13:32 <clever> nh2: there is also a trailing ` after one of the ;'s

13:16 <clever> Jackneilll: stateVersion tells nixos what version your state is from

13:16 <clever> Jackneilll: you should leave that at the value it was when you installed

12:58 <clever> zzamboni: what OS is this on?

12:57 <clever> zzamboni: not sure then

12:56 <clever> zzamboni: as which user?

12:53 <clever> brokenboot9: you just need to set PATH correctly for the most part

12:37 <clever> zzamboni1: if nix-daemon is in use, it has to be set in the environment of nix-daemon

12:36 <clever> nh2: +1

03:43 <clever> its odd that it exists yet doesnt

03:33 <clever> can you gist your custom expression?

03:31 <clever> and does that directory exist?

03:30 <clever> what is the value?

03:29 <clever> env | grep run/user/1000

03:28 <clever> what about $TMP?

03:28 <clever> outside of the nix build

03:27 <clever> jasom: what is $TMPDIR set to?

01:03 <clever> nixpkgs should also have support to run qmake for you with the right args

01:00 <clever> Nobabs27: to $out, which is passed to configure via --prefix

00:58 <clever> Nobabs27: the package will need to be fixed

00:58 <clever> Nobabs27: something in the package is trying to install to a place it shouldnt

19:34 <clever> mp6: how did you install docker?

15:33 <clever> bbl

15:27 <clever> and use --root for nixos-install and nixos-generate-config

15:27 <clever> hyper_ch: then mount it elsewhere

15:25 <clever> brb

15:25 <clever> hyper_ch: with the above, you now have a 4gig disk image you can install nixos to

15:24 <clever> mount -v /dev/loop1p1 (i think?) /mnt/

15:24 <clever> losetup /dev/loop1 /root/fake_usb.img -P

15:23 <clever> fdisk /root/fake_usb.img

15:23 <clever> truncate /root/fake_usb.img -s 4g

15:23 <clever> give it another try then

15:22 <clever> hyper_ch: what error did it fail with?

15:19 <clever> brb

15:19 <clever> heck, i have a netbook with a 4gig SSD, running nixos

15:18 <clever> 4gig can work

15:18 <clever> i also prefer that method

15:18 <clever> nixos will just ignore it

15:18 <clever> the .iso includes an MBR partition table, and nothing is stopping you from adding an extra partition after you write the image

15:17 <clever> but yeah, i can see that being a bit of an issue

15:17 <clever> hyper_ch: you can build a custom iso that has those scripts pre-installed

15:17 <clever> hyper_ch: in the case of the nixos iso, you can just dd it to a usb stick and you have a bootable stick

15:16 <clever> hyper_ch: not-os could be used, the nixos iso can also be used for the same thing

15:14 <clever> hyper_ch: for a bit

06:14 <clever> so you can refer to it in make -C

06:14 <clever> then the nix-shell loads all of the kernel build tools, and points $dev to those headers

06:13 <clever> basically, the nix-build makes nix download the dev headers that the kernel produces when compiled

06:13 <clever> spear2: https://github.com/NixOS/nixpkgs/commit/2d6d731f246fa93ce89cac8bd4c78f45c15a38fe

06:13 <clever> spear2: aha, the git commit domen linked has the full docs

06:12 <clever> which is a different package, a build-time dependency of the kernel

06:12 <clever> your reading the source for linux-config-<version>

06:12 <clever> spear2: look at line 47 of generic.nix

06:11 <clever> spear2: https://github.com/NixOS/nixpkgs/issues/14721

06:09 <clever> let me ee

06:09 <clever> there is a trick to running nix-shell against the live kernel, to get the right config

06:09 <clever> possibly

06:07 <clever> out of ideas then, something that simple should just work

06:06 <clever> spear2: anything in dmesg?

06:00 <clever> as in, reboot, insmod, rmmod

05:59 <clever> what if you reboot before doing rmmod?

05:58 <clever> hmmm, neither of those should be stuck in ram

05:58 <clever> spear2: where you able to unload it, then load that second version?

05:52 <clever> spear2: can you gist the source for the entire module?

16:34 <clever> dedup has always been a problem

16:31 <clever> luks has a master key in the header

16:31 <clever> but luks doesnt use the password on the blocks

16:31 <clever> yeah

16:29 <clever> if luks is just xor, then a mirror over 2 luks volumes, would give an attacker the result of xor'ing the 2 prng bitstreams, not sure what that can lead to...

16:28 <clever> nice

16:28 <clever> Mic92: so the backup server could GC older snapshots, while preserving the entire dataset, and never have the key to unlock it?

16:27 <clever> Mic92: zfs send while preserving crypto does sound good

16:26 <clever> Mic92: does luks just xor over a prng bitstream?

16:25 <clever> say, if a noob puts the mirror onto 2 luks volumes, with different master keys

16:25 <clever> what happens if you raid mirror with luks?

2017-09-25

2017-09-24

2017-09-23

2017-09-22

2017-09-21

2017-09-20

2017-09-19

2017-09-18

2017-09-17

2017-09-16

2017-09-15