<clever>
Infinisil: "nixos-rebuild build-vm" allows running that configuration.nix under qemu
<clever>
ij: can you copy/paste the full contents of the terminal to a pastebin?
<clever>
Infinisil: XAUTHORITY may need to point to the copy
<clever>
that will give it permission to use xorg between users
<clever>
Infinisil: copy the ~/.Xauthority file to that user, and set $DISPLAY to match
<clever>
Infinisil: let su die :P
<clever>
Infinisil: sudo -u FOO -i
<clever>
Infinisil: up next, make an empty directory, point $HOME there, and run it again
<clever>
yeah
<clever>
octe: nixos will silently wrap the entire module in { config = ...; }; if it lacks both .config and .options
<clever>
octe: without the config. prefix
<clever>
octe: add that config entry to configuration.nix
<clever>
fgaz: propagatedNativeBuildInputs and propagatedBuildInputs are not available at runtime, those are available at the build-time of things depending on your package
<clever>
Infinisil: find the exact storepath sphalerite is using, and run nix-store -r on it
<clever>
Infinisil: i think java is dynamically extracting a .so from the jar at runtime, so you can't patchelf it
<clever>
fgaz: the buildInputs are only available at build time
<clever>
Infinisil: nix-build and --arg play together in a very weird and unexpected way
<clever>
ij: which function
<clever>
ij: and '<nixpkgs>' makes it look in $NIX_PATH
<clever>
ij: the default argument for nix-build is default.nix in the current directory
<clever>
Infinisil: nope
<clever>
avn: same, on several machines
<clever>
woffs: can that be limited to a single dataset?
<clever>
woffs: i also wasn't entirely sure how good of a ratio i would have gotten on docker
<clever>
woffs: in my case, i plan to just nuke all of /var/lib/docker when i'm done with it
<clever>
though i'm not sure how snapshots deal with refcounts
<clever>
Infinisil: i think there is also a cost when files are deleted, it has to decrement the refcounts, and see if the block is really free or not
<clever>
Infinisil: it has to have the hashtable in ram or writes to the dedup'd volume are very slow
<clever>
Infinisil: the cost of dedup is more in terms of ram usage
<clever>
amd/docker logicalused 5.62G -
<clever>
amd/docker written 2.00G -
<clever>
amd/docker compressratio 3.01x -
<clever>
[root@amd-nixos:~]# zfs get compressratio amd/docker
<clever>
Infinisil: for docker, it's currently storing 3 times what the size states
<clever>
Infinisil: depends on how much duplication you have
<clever>
sphalerite: oops, wrong name, also, i recently turned dedup back on, for just /var/lib/docker/
<clever>
schoppenhauer: dedup is expensive, but if you know there is going to be duplicates (vm images), you can limit the dedup to just that region
<clever>
schoppenhauer: and if you're using vm images a lot, dedup can help
<clever>
schoppenhauer: a: `zfs set dedup=verify` so you can't get collisions (dedup is optional as well), b: zfs send | ssh zfs receive
<clever>
schoppenhauer: but instead of | ssh, you have to tell rsync to run itself over ssh, and it opens a 2-way channel
<clever>
schoppenhauer: i think it will interactively talk to the remote rsync, and both sides will hash each block and exchange hashes
<clever>
schoppenhauer: ah
<clever>
schoppenhauer: i use zfs on everything now
<clever>
grw: for some reason, I've memorized that part of the nix source, lol
<clever>
octe: then you can just do what the wiki you linked said to override it
<clever>
octe: if you override the package via nixpkgs.config.packageOverrides, the nixos service will use it
<clever>
octe: plan c, clone nixpkgs and merge the 2 versions
<clever>
octe: plan b, copy the module, rename the service, add it to imports, enable the new one (and packageOverride it)
<clever>
octe: plan a: only upgrade the package via packageOverrides, use the old service
<clever>
grw: yeah
<clever>
octe: for new services, you can add its module to imports, for pre-existing services, you have 2 options
<clever>
grw: when nix-daemon picks a member of the nixbld group to do the build under, it will `kill -9` every process in the user, then start a build under that user
<clever>
grw: very
<clever>
grw: did you add your user to the nixbld group?
<clever>
ij: 3: nix-build '<nixpkgs>' -A hello (most tools accept a search path directly)
<clever>
so the bank was protecting the password harder than paypal
<clever>
from what i remember (it's been years), paypal sent the password "bare" over https, but my online banking app did something more complex
<clever>
disasm: burp can also generate a custom ca, that you can trust OS wide on ios/android, allowing you to mitm any app
<clever>
disasm: also useful is burp proxy, which makes such mitm stuff trivial
<clever>
disasm: any time you work with openssl, try to mitm yourself, and confirm it actually rejects invalid certs
<clever>
disasm: and because they never tried to mitm themselves, they never confirmed if the hostname verification actually did anything, and it shipped
<clever>
disasm: so one program that was trying to turn on all the security, was actually turning it all off
<clever>
disasm: i remember something about the curl library, the enable openssl flag works backwards from what is obvious, and defaults to being secure
2017-09-24
<clever>
1
<clever>
nix-repl> builtins.head [ 1 2 3 ]
2017-09-23
<clever>
it can also be run on a directory
<clever>
eacameron: as part of the fixup phase
<clever>
eacameron: it runs by default on everything in $out/bin/
<clever>
eacameron: if you do "/usr/bin/env bash" and then allow patchShebangs to run, it will replace in the result of $(which bash) at build time
<clever>
the nixos firewall doesn't block with refused, and it always allows 22 for safety
<clever>
lejonet: at this point, i would point a tcpdump at every interface in the path, and see where the RST packet came from
<clever>
lejonet: in the case i saw, it was hans and halvm as the guest
<clever>
yeah
<clever>
but packets coming in from the real world already have a checksum
<clever>
lejonet: but when it sends it out the real card, the checksum accel in the hardware fills in the blank
<clever>
lejonet: and the bridge then sends packets with an invalid checksum to the guests
<clever>
lejonet: linux doesn't set the packet checksum when sending packets out (in certain conditions)
<clever>
lejonet: ah, i had also run into some weird problems with bridging, where the vm couldn't receive traffic from the host, but it could talk to anything else
<clever>
lejonet: the FORWARD policy is only for use when its acting as a gateway
<clever>
lejonet: that will forward the agent onward, so the vm can access the agent you used to get into it
<clever>
lejonet: you can also use "ssh -A user@nixosvm"
<clever>
lejonet: and it will then put its own key into /etc/ssh/authorized_keys.d/root
<clever>
lejonet: yeah
<clever>
Linux c2d 3.8.13-gentoo #3 SMP Thu Dec 15 10:33:05 AST 2016 x86_64 Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz GenuineIntel GNU/Linux
<clever>
rycee, spear2: there is also: ]$ nix-instantiate --find-file nixpkgs
<clever>
cocreature: -K
<clever>
rycee: but in the case of nixos with default config, <nixpkgs> points to the nixos channel on root
<clever>
rycee: if you want to ensure nix-build uses the same channel, you have to manually look it up in the def-expr, and run `nix-build ~/.nix-defexpr/channels_root/nixos -A hello`
<clever>
rycee: and this turns up as nix-env -iA foo.hello
<clever>
rycee: behind the scenes, nix-env will look in this general area, for default.nix files, and use the last directory in the chain as the name, so the above would turn up at nix-env -iA nixos.hello
<clever>
-r--r--r-- 1 root root 557 Dec 31 1969 .nix-defexpr/channels/nixos/default.nix
<clever>
[root@amd-nixos:~]# ls .nix-defexpr/*/*/default.nix -dl
<clever>
rycee: such as nix-env -f '<nixpkgs>' or nix-build '<nixpkgs>', or via similar things within config.nix
<clever>
rycee: both nix-env and nix-build will "basically ignore NIX_PATH", unless directly told to search for something in it
<clever>
then only a minimal subset of packages get rebuilt
<clever>
sphalerite: in theory, you can take the gcc from an unmodified nixpkgs, and override the stdenv in a new nixpkgs
<clever>
sphalerite: `stdenvNoCC = stdenv.override { cc = null; };` this creates a new stdenv, with a given gcc
<clever>
sphalerite: what this did, was open up an unmodified nixpkgs, grab its ghc, then use that to generate a haskellPackages using the generic-builder.nix in a modified nixpkgs
<clever>
eikke: nix-store repair-path will re-run the .drv to re-compile the vmdk as it originally did
<clever>
Lisanna: i think the stdenv only accepts it as an override if the string is non-zero length
<clever>
kuznero: what revision of nixpkgs do you have checked out?
<clever>
Lisanna: the way you're doing it should work, but you could also try fixupPhase = "echo not fixing"; just to confirm if an empty string is handled specially
<clever>
that sounds likely
<clever>
check what nh2 just asked
<clever>
Lisanna: fixupPhase is what runs pre/post, so pre/post are just broken if you modify fixupPhase
<clever>
kuznero: what was the error?
<clever>
kuznero: the . at the start of that says to try looking for <nixpkgs> in ./nixpkgs, if that exists
<clever>
Lisanna: there are a lot of chunks missing, so its hard to tell what might be breaking it
<clever>
eikke: the setup hooks don't work if you manually install pkgconfig with nix-env or systemPackages
<clever>
eikke: pkgconfig has a setup hook, that will add the buildInputs to the pkgconfig search path
<clever>
it returns a magic string, that will be turned into the value of $out at build time
<clever>
LnL: builtins.placeholder
<clever>
not sure why $(out) behaves differently in some cases
<clever>
roni: and other factors affect if bash is going to eval it or not down the road
<clever>
roni: ${out} might get parsed by nix first, so you would have to escape it
<clever>
robert`: nix-store --query can also help
<clever>
robert`: in that drv file should be the path to its src drv, which will contain directions on how the src was downloaded
<clever>
robert`: find the storepath of gonimo that is actively running (ps aux), then find its .drv file in the store of the deployer that ran nixops
<clever>
yep
<clever>
rather then a modified libunistring
<clever>
only weird part, is that you're storing a modified findutils inside libunistring
<clever>
Unode: looks normal at a glance
<clever>
ryantm: gchristensen recently modified the nix installer to do multi-user on darwin by default, because the OS is far more predictable than generic-linux
<clever>
ryantm: rgrinberg: also, "sudo nix-channel --list" doesn't work on a mac, you must "sudo -i" then "nix-channel --list"
2017-09-18
<clever>
brodul: you can also run nix-copy-closure as root
<clever>
viaken: there is also locate
<clever>
viaken: i prefer using type in bash, since it can also detect aliases and functions
<clever>
nh2: there is also a trailing ` after one of the ;'s
<clever>
Jackneilll: stateVersion tells nixos what version your state is from
<clever>
Jackneilll: you should leave that at the value it was when you installed
<clever>
zzamboni: what OS is this on?
<clever>
zzamboni: not sure then
<clever>
zzamboni: as which user?
<clever>
brokenboot9: you just need to set PATH correctly for the most part
<clever>
zzamboni1: if nix-daemon is in use, it has to be set in the environment of nix-daemon
<clever>
nh2: +1
2017-09-17
<clever>
it's odd that it exists yet doesn't
<clever>
can you gist your custom expression?
<clever>
and does that directory exist?
<clever>
what is the value?
<clever>
env | grep run/user/1000
<clever>
what about $TMP?
<clever>
outside of the nix build
<clever>
jasom: what is $TMPDIR set to?
<clever>
nixpkgs should also have support to run qmake for you with the right args
<clever>
Nobabs27: to $out, which is passed to configure via --prefix
<clever>
Nobabs27: the package will need to be fixed
<clever>
Nobabs27: something in the package is trying to install to a place it shouldn't
2017-09-16
<clever>
mp6: how did you install docker?
<clever>
bbl
<clever>
and use --root for nixos-install and nixos-generate-config
<clever>
hyper_ch: then mount it elsewhere
<clever>
brb
<clever>
hyper_ch: with the above, you now have a 4gig disk image you can install nixos to
<clever>
mount -v /dev/loop1p1 (i think?) /mnt/
<clever>
losetup /dev/loop1 /root/fake_usb.img -P
<clever>
fdisk /root/fake_usb.img
<clever>
truncate /root/fake_usb.img -s 4g
<clever>
give it another try then
<clever>
hyper_ch: what error did it fail with?
<clever>
brb
<clever>
heck, i have a netbook with a 4gig SSD, running nixos
<clever>
4gig can work
<clever>
i also prefer that method
<clever>
nixos will just ignore it
<clever>
the .iso includes an MBR partition table, and nothing is stopping you from adding an extra partition after you write the image
<clever>
but yeah, i can see that being a bit of an issue
<clever>
hyper_ch: you can build a custom iso that has those scripts pre-installed
<clever>
hyper_ch: in the case of the nixos iso, you can just dd it to a usb stick and you have a bootable stick
<clever>
hyper_ch: not-os could be used, the nixos iso can also be used for the same thing
<clever>
hyper_ch: for a bit
<clever>
so you can refer to it in make -C
<clever>
then the nix-shell loads all of the kernel build tools, and points $dev to those headers
<clever>
basically, the nix-build makes nix download the dev headers that the kernel produces when compiled
<clever>
there is a trick to running nix-shell against the live kernel, to get the right config
<clever>
possibly
<clever>
out of ideas then, something that simple should just work
<clever>
spear2: anything in dmesg?
<clever>
as in, reboot, insmod, rmmod
<clever>
what if you reboot before doing rmmod?
<clever>
hmmm, neither of those should be stuck in ram
<clever>
spear2: were you able to unload it, then load that second version?
<clever>
spear2: can you gist the source for the entire module?
2017-09-15
<clever>
dedup has always been a problem
<clever>
luks has a master key in the header
<clever>
but luks doesn't use the password on the blocks
<clever>
yeah
<clever>
if luks is just xor, then a mirror over 2 luks volumes, would give an attacker the result of xor'ing the 2 prng bitstreams, not sure what that can lead to...
<clever>
nice
<clever>
Mic92: so the backup server could GC older snapshots, while preserving the entire dataset, and never have the key to unlock it?
<clever>
Mic92: zfs send while preserving crypto does sound good
<clever>
Mic92: does luks just xor over a prng bitstream?
<clever>
say, if a noob puts the mirror onto 2 luks volumes, with different master keys
<clever>
what happens if you raid mirror with luks?