2017-09-15

<clever> oh, you just gave me an idea
<clever> they could be wasting time trying to crack an empty drive
<clever> with luks, the attacker doesnt even know how much data is on the volume
<clever> because zfs has to know how much is free to hold cleartext datasets
<clever> yeah, with zfs encryption, simple stuff like used data is leaked, no way around that
<clever> luks just feels safer, because its 100% encryption
<clever> Mic92: a bigger question, how much metadata does zfs encrypt?
<clever> oooo
<clever> catern: yeah
<clever> disasm: can you try again with nix-shell --pure?
<clever> disasm: which part of it?
<clever> that, and hwrngd i think, treat the host /dev/random as a hardware random number generator
<clever> srk: what was the output in the qemu console?
<clever> disasm: when compiled, you get a kernel, initrd, and a 47mb squashfs for the rootfs
<clever> disasm: its an os, using nix, but its not-nixos
<clever> srk: and did you update the authorized keys in https://github.com/cleverca22/not-os/blob/master/configuration.nix
<clever> qemu will forward 2222 on the local machine to 22 inside the virtual lan
<clever> ah yeah
<clever> srk: this option creates a virtual LAN, with the given subnet and router, and then the guest has to setup the ip without dhcp
<clever> Alling: nix-build will print out the storepath, then add share/keymaps, and look around
<clever> /nix/store/8kaxk1qa38ya4xfv6d4ihqrqw14xylrs-kbd-2.0.4/share/keymaps/i386/qwerty/sv-latin1.map.gz
<clever> find /nix/store/8kaxk1qa38ya4xfv6d4ihqrqw14xylrs-kbd-2.0.4/share/keymaps/ | grep sv
<clever> Alling: nix-build --no-out-link '<nixpkgs>' -A kbd
<clever> Mic92: try nix-store --delete on that host, then remake the iso, then compare the storepath on the host (no need to boot the iso)
<clever> Mic92: its possible that the file was corrupt on the machine making the iso
<clever> then repeat the process
<clever> Mic92: try running nix-store --delete on the problem json file
<clever> yeah
<clever> Alling: i think you need to set it to sv-latin1
<clever> /nix/store/8kaxk1qa38ya4xfv6d4ihqrqw14xylrs-kbd-2.0.4/share/keymaps/i386/qwerty/sv-latin1.map.gz
<clever> Alling: it is running loadkeys and passing sv to that, as an argument
<clever> nope, its not corruption on the binary cache
<clever> checking something more...
<clever> ah
<clever> Mic92: it sounds more like random filesystem corruption truncated a file on you
<clever> Mic92: and also the contents of /nix/store/3jkdkw431bxks3b3v8ah006ljipvk0hm-users-groups.json.drv
<clever> ah right, its the drv hash, not the output hash
<clever> Mic92: try without /mnt
<clever> Mic92: can you gist the entire output of ls -lR /mnt/nix/var/log/nix/drvs
<clever> Mic92: can you read the file at /mnt/nix/var/log/nix/drvs/42/jk6ir4k8fhrpn889qaz8lh1l8d6n6h.drv.bz2
<clever> Mic92: what is the full storepath to users-groups.json
<clever> Alling: is the internet on that host working?
<clever> Alling: 6 Couldn't resolve host. The given remote host was not resolved.
<clever> Mic92: and what was the output?
<clever> which one was "is not" ?
<clever> you have 2 "is"'s in there
<clever> 2017-09-15 11:09:06 < Mic92> *is not
<clever> 2017-09-15 11:09:00 < Mic92> clever: becomes even weirder looks like `pkgs.writeText` is function correctly the json I print with lib.traceVal is correct.
<clever> what about the value passed to toJSON?
<clever> Mic92: what is the full storepath to the users-groups.json?
<clever> ah
<clever> Mic92: after the install, did you umount /mnt and properly shutdown?
<clever> Mic92: was the machine properly shutdown?
<clever> tilpner: this allows you to nix-env -iA foo.hello
<clever> [clever@amd-nixos:~]$ cat .nix-defexpr/test/foo/default.nix
<clever> import /home/clever/apps/nixpkgs
<clever> tilpner: but if its in systemPackages, youll have trouble finding the original
<clever> tilpner: you might have luck just adding something to nix-env or systemPackages, that has the same name
<clever> tilpner: ah, it cant be removed on nixos
<clever> tilpner: how did you install it to begin with?
<clever> maxigit: nix prints the path when it starts the build
<clever> fearlessKim[m]: -A tells it to open a given derivation, -p creates a derivation on the fly
<clever> fearlessKim[m]: you cant mix -A and -p
<clever> that uSD was also specially configured, to boot both armv6 and x86-64, with the same rootfs and nix store
<clever> at one time, i ran nixos from a uSD card in a usb reader

2017-09-14

<clever> but its not in the manpage
<clever> i believe
<clever> steveeJ: nix-hash can do it
<clever> i dont have push, but i can give it a thumbs up
<clever> yeah, i see how that can help
<clever> ah, paths cant be changed with overrideAttrs
<clever> tilpner: what would .override even override on a buildEnv?
<clever> or mesa_drivers
<clever> WinchellsM: you probably want mesa_glu
<clever> WinchellsM: mesa is a buildEnv, it doesnt have .override
<clever> WinchellsM: what you typed, is a list containing 2 packages, a function, and a set
<clever> WinchellsM: wrap it with ( and )
<clever> steveeJ: not sure, i havent looked into the nix expressions for tex much
<clever> nix shouldnt care if its in base32 or base16
<clever> the url or version could differ from how it was generated
<clever> steveeJ: base32 vs base16
<clever> steveeJ: the hash on line 4, for your .doc, is the one its complaining about
<clever> 1fc9yyxn2ppsrgw7zdniinvy1rc5fq8lp0vy2yjlm2j11pz833j47z7qqybx4y3kgjdjy7g33lr331yn7fkbhvf67akbzxzg9manfq1
<clever> $ nix-hash --type sha512 --to-base32 013bab6a7abfff35d5316ec335ddb13e8c91e918ef78d9e49bc393be3cc6e71f22c740ff862045a5d20bbfc1a508bbc272f0dbc668db3ffc657dafb0ddfbc45c
<clever> steveeJ: are you sure you dont have the 2 hashes backwards?
<clever> makefu: that script gets sourced by the stdenv any time patchelf makes it into the inputs
<clever> makefu: but if you set the rpath afterwards, it wont shrink, and your runtime closure can be larger than it needs to be
<clever> makefu: one of the things the fixup phase does, is run shrink rpath, to remove anything that you dont need
<clever> hyper_ch: also, you want to do the --set-rpath BEFORE the fixup phase, or you lose the fixups
<clever> and have the identical effect
<clever> you can either move libpath to a let block, or use $libPath without {}
<clever> rec allows you to refer to other attributes in the set
<clever> so it didnt need to be on the derivation itself
<clever> hyper_ch: but line 48 reads it via the rec {
<clever> hyper_ch: a few minor things, line 19 defines libpath as a derivation attribute
<clever> yep
<clever> every single package in hackage is also in nixpkgs
<clever> prietoj: nix-env -iA nixos.haskellPackages.cabal2nix and you're done
<clever> it already has a package in nixpkgs
<clever> prietoj: how large is the project, what kind of dependencies?
<clever> prietoj: only things that have been compiled by nix-build should be installed
<clever> prietoj: and you should never install things that you have manually compiled
<clever> prietoj: installing dev packages wont make builds work, you must add them to the nix-shell args
<clever> pie___: ah
<clever> octe: so nix will download it, but only the service will be able to use it
<clever> octe: line 34 refers to the sonarr package in the systemd unit by absolute path
<clever> so rebuild switch wont apply it
<clever> pie___: this code runs in the initrd at boot
<clever> pie___: theres a real simple way to find out!
<clever> phdoerfler: there is the lib.optional family of functions, that take a boolean and a value, and can return a pre-set default
<clever> 13 isUnicode = hasSuffix "UTF-8" (toUpper config.i18n.defaultLocale);
<clever> /home/clever/nixpkgs/nixos/modules/tasks/kbd.nix: kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console
<clever> pie___: id start with nixpkgs
<clever> ive also put my wifi drivers into the initrd, and programmed it to connect over wifi and download the rootfs
<clever> tput bel just prints a bell character to the console, and the terminal is responsible for doing something with it
<clever> beep needs root, and directly controls the bios pc speaker, and you have freq and length control
<clever> then you can at least hear the exit status
<clever> pie___: you can also add || beep or || tput bel to help with that
<clever> so you can rotate the keys without downtime
<clever> and the packet says which of the 4 keys its encrypted with
<clever> for wep, iwconfig can also accept up to 4 keys
<clever> ip route add via 192.168.1.1 dev wlan1
<clever> ip route add 192.168.1.0/24 dev wlan1
<clever> ip addr add 192.168.1.100/24 dev wlan1
<clever> ip link set wlan1 up
<clever> iwconfig wlan1 essid foo
<clever> that only works for wep and open networks
<clever> and how it will react to each one
<clever> Infinisil: knowing the exact state of the system after every command i type in
<clever> and without a display
<clever> ive brought the wifi up before, with no networkmanager or wpa_supplicant
<clever> real men know the state and can type this with the display removed from the laptop :P
<clever> then you can see if its right or not, and adjust
<clever> adding -v makes it tell you what it did
<clever> that puts the files in $out/share/share
<clever> now you broke it again
<clever> yeah
<clever> teag
<clever> hyper_ch: if $out doesnt exist, it puts the contents of share in $out
<clever> hyper_ch: if $out does exist, it puts share inside $out
<clever> cp can be very unpredictable if you dont know the state of both sides
<clever> hyper_ch: add -v to that cp
<clever> hyper_ch: what is your nix expression?
<clever> hyper_ch: $out/share/applications/
<clever> it auto-creates a package, containing just a .desktop file
<clever> hyper_ch: as an example: jvisualvm = makeDesktopItem { name = "jvisualvm"; exec = "${oraclejdk}/bin/jvisualvm"; desktopName = "JVisualVM"; genericName = "jvisualvm"; categories = "Development;Debugger;"; };
<clever> hyper_ch: pkgs.makeDesktopItem

2017-09-13

<clever> looking...
<clever> Infinisil: i think there is a dedicated attribute for that
<clever> Infinisil: it should be in native i believe, but when not doing a cross-compile, there is no difference between the 2
<clever> so you could handle things like git rev-parse and git ls
<clever> there was something on github a few months back, about a tool that would allow giving it a set of git args, and canned answers
<clever> disasm: i would have just patched the build scripts directly
<clever> musicmatze: but services run by systemd lack that access
<clever> musicmatze: i think the issue is that pulseaudio sets env variables and talks via x11 to find the daemon
<clever> cmake has one that replaces the default ./configure code
<clever> WinchellsM: that works via setup-hooks, anything you add to buildInputs can optionally have a setup hook, that modifies how the stdenv works
<clever> musicmatze: you can also run pavucontrol to inspect what programs are connected, adjust the volume of each, and see a VU meter of their audio
<clever> they should
<clever> it will even inject an alsa library that redirects all alsa only programs to pulseaudio
<clever> hardware.pulseaudio.enable = true; and you're done
<clever> musicmatze: are you on nixos?
<clever> the only thing alsaSupport = true does is add alsaLib to the buildInputs
<clever> ive had no issues using obs with pulse
<clever> ah
<clever> musicmatze: which .override variant did you use?
<clever> WinchellsM: just add cmake to the buildInputs, and it will run cmake for you, completely automatically
<clever> musicmatze: its best to do it in config.nix, or 6 months down the road, you wont remember how to reproduce the install when upgrading
<clever> unlmtd: which file did you apply that override to?

2017-09-12

<clever> then just nix-env -iA nixos.emacsWithOrg
<clever> make a package override in config.nix, creating emacsWithOrg
<clever> second, 6 months down the road when you want to upgrade emacs, what nix-env incantation did you use??
<clever> first, it fixes this issue
<clever> you're better off using config.nix, it solves several things
<clever> not one package
<clever> mbrock: oh, the problem is that nix-env expects a set of things
<clever> where did you put that in configuration.nix?
<clever> and did nixos-rebuild work?
<clever> and you gave it something that isnt a function
<clever> error: attempt to call something which is not a function but a set, at undefined position
<clever> it will call that function, and pass it a list of all emacs packages
<clever> mbrock: and also, i think emacsWithPackages expects a function
<clever> no need to prefix it with pkgs.
<clever> mbrock: the with statement brought in all of pkgs
<clever> sounds like youll need to read the code
<clever> ah
<clever> oops, forgot a --eval
<clever> fearlessKim[m]: nix-instantiate -E 'with import <nixpkgs> {}; "${firefox}"'
<clever> ive also found that cabal is sometimes missing, but "runhaskell Setup.hs" works fine
<clever> did you use -A foo.env ?
<clever> fearlessKim[m]: systemd creates that when you login
<clever> fearlessKim[m]: and make sure /tmp also has free space
<clever> fearlessKim[m]: you can also change TMPDIR to point to /tmp
<clever> fixing ghc would involve rebuilding ghc 10-20 times
<clever> so referring to any library in ghc pulls it all in
<clever> the split outputs are only on haskell packages, not ghc itself
<clever> i think i only fixed static ghc linking
<clever> also, strangely enough, ghc is ~200mb on zfs, with compression
<clever> but if you dynamically link, you depend on that .so at runtime, and the problem remains
<clever> so ghc just goes away if you statically link
<clever> my pr puts all data files into $data
<clever> so referring to that 49kb js file at runtime, hauled in 1gig of ghc
<clever> previously, jquery.js was in the same output as a .so file depending on ghc
<clever> shake for example, depends on the haskell package called js-jquery, which is just a single string, containing the path to jquery.js
<clever> without my pr, yes
<clever> and even static linking has problems
<clever> yeah
<clever> yeah, my half should still be present
<clever> read the second paragraph
<clever> he also linked to mine
<clever> thats the one that got reverted
<clever> eacameron: https://github.com/NixOS/nixpkgs/pull/27209 and the one he linked to
<clever> then 2 people opened PR's to fix it within 12 hours of each other :P
<clever> the problem had existed in master for years (ghc being depended on wrongly)
<clever> that looks like different multiple output changes
<clever> i hadnt heard of it being reverted
<clever> the haskell multiple outputs
<clever> that change massively reduces disk usage for haskell programs
<clever> might have been me ...
<clever> *bisects*
<clever> ah, i see
<clever> eacameron: what versions of nixpkgs work and dont work?
<clever> eacameron: have you tried a git bisect?
<clever> or find the critical difference, and mkForce those changes in configuration.nix
<clever> then as long as you only enable one of the versions, it will work
<clever> alunduil: you can also download the module, rename its service a bit, then add it to the imports of configuration.nix

2017-09-11

<clever> an x86 qemu-user that ran on x86 reproduced the problem without having to reboot linux constantly in a vm, without kvm speedups
<clever> i was debugging a program that failed under qemu-system, when kvm was turned off
<clever> or even more wonky, make a qemu-user for x86, that runs on x86!
<clever> pre-compiled closed-source junk now "works" on a raspberry pi!
<clever> also fun: make a qemu-user that runs x86 code on an arm
<clever> with the patch to nix, you gain a build-extra-platforms field in nix.conf, where you can convince nix to just blindly run builds meant for the "wrong" arch
<clever> without that patch, an x86 build of nix will just complain, armv7l-linux is required to build [...]
<clever> the patch is on line 13
<clever> you also need to patch the nix-daemon running on the machine that runs both arches
<clever> samueldr: i did
<clever> makefu: either natively, or by having qemu-user configured
<clever> makefu: it needs to be capable of running armv7 opcodes
<clever> octe: it tells nixos what version you originally installed, so certain things that are not backwards compatible remain working
<clever> octe: no
<clever> samueldr: https://nixos.org/nixos/options.html#nix.buildmac
<clever> samueldr: nix will automatically ssh into that machine when it has to do arm builds
<clever> builder@192.168.2.126 armv6l-linux,armv7l-linux /etc/nixos/keys/distro 1 1 big-parallel
<clever> [clever@amd-nixos:~/nixpkgs]$ grep arm /etc/nix/machines
<clever> but that will still be as slow
<clever> my main route is to setup build slaves, so it just pushes the jobs off to the arm and does native builds
<clever> cross-compiling has some issues still
<clever> samueldr: do you have an arm running linux nearby?
<clever> yeah, i dont see a lamobo in nixpkgs, i could try that
<clever> 69 defconfig = "Bananapi_defconfig";
<clever> 68 ubootBananaPi = buildUBoot rec {
<clever> the problem i had was it being very erratic and unpredictable, even when just restarting it repeatedly with no changes to the uSD card
<clever> the uboot is already in nixpkgs
<clever> samueldr: and here is how i was testing it: https://gist.github.com/cleverca22/8ff5bd6a322c45f5a3bf7e6109e03e7a
<clever> it also has sata and wifi
<clever> so you have zero firewall protecting the network during boot
<clever> but the only downside, is that the WAN and LAN can cross-connect, before linux boots and configures things
<clever> so you can isolate the WAN port from the LAN ports
<clever> and the management interface is also wired to the allwinner
<clever> samueldr: its a 6 port gigabit switch, with 1 port wired to an allwinner
<clever> the switch chip defaults into routing the wan and lan into the same network
<clever> it also has some minor defects that make it a bit un-suitable as a router
<clever> ive got an allwinner based switch/router here, but i can barely get it past u-boot, i suspect its voltage sags
<clever> M-liberdiko: there is also activation scripts, just remember to use mkdir -p and make sure it never fails

2017-09-10

<clever> Infinisil: ah, for /boot on usb that sounds like less of an issue
<clever> Infinisil: because systemd un-mounted the directory from under me
<clever> Infinisil: i often leave a shell cd'd into a nfs mount for hours, and then when i try to run anything nix in that directory, it hard fails
<clever> Infinisil: systemd-automount breaks a number of things for me
<clever> i see, just doing the cryptopen for 2 devices is costly
<clever> ahh
<clever> sphalerite: route 2, modify it to just blindly use the passphrase on all configured luks devices, and to keep asking for passphrases in a loop until everything is unlocked
<clever> sphalerite: then bash can read one passphrase, and feed it to cryptsetup twice
<clever> sphalerite: route 1: tell the name of each passphrase, and allow putting the same name on 2 devices
<clever> sphalerite: another idea i just had, modify the luks code within nixos, to go one of 2 new routes
<clever> and its a one-time cost (per boot) for the end-user
<clever> the slower it is, the longer it will take to brute-force the passphrase
<clever> turning the ascii string into a key that is used to decrypt the luks header
<clever> and even if you have since changed the luks passphrase, the master key is the same, and they can read any current files, if they re-image your drive
<clever> but in theory, if somebody was to image your entire drive, and then obtain your password at any point in the future, they can decrypt the luks header in that image
<clever> so the performance penalty is only when unlocking
<clever> luks -> lvm -> (root + swap)
<clever> i use lvm to fix that
<clever> sphalerite: only issue is if you ever let somebody get a shell, and things like nix-serve
<clever> ah
<clever> trailing / ?
<clever> Infinisil: can you gist both files?
<clever> it also means any non-root user can read it, while the machine is on
<clever> sphalerite: so you need to either embed it into the initrd (which also puts it in the store), or add some custom commands to mount ESP, read, umount
<clever> sphalerite: hmmm, i dont think /boot is mounted by the initrd until after it mounts /
<clever> 1005 pkgs.wirelesstools # FIXME: obsolete?