2017-08-02

<clever> Infinisil: did you see my runHaskell gist?
<clever> gchristensen: and then you can auto-generate dhcp config, and bind config
<clever> gchristensen: my general idea, was that you have a single attrset, in the form of { hostname = { mac="..."; v4.private = "..."; };
<clever> but it uses import from derivation
<clever> gchristensen: https://github.com/cleverca22/nix-tests/tree/master/ip-magic is what i wrote to deal with it
<clever> gchristensen: fe80::230:48ff:fec5:d2df turns into f.d.2.d.5.c.e.f.f.f.8.4.0.3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
<clever> now try doing v6 in pure nix
<clever> for v4, its simple, 192.168.2.15 -> 15.2.168.192.in-addr.arpa.
<clever> dns*
<clever> gchristensen: for example, do you know how PTR records work in dig?
<clever> gchristensen: one random example ive run into, i want to do ip manipulation for dns in nix
<clever> yeah
<clever> we need types, lol
<clever> but it can be unclear, do you want it in seconds, milliseconds, nanoseconds, days?
<clever> but ${lib.months * 6} for ex
<clever> only way to improve it more would clutter lib.nix up a bit
<clever> gchristensen: then its more readable than just 15552000
<clever> gchristensen: another trick you can do with nix here, is just math it out in ${, like ${3600*24*30*6}, https://github.com/NixOS/nixos-org-configurations/pull/33
<clever> displayManager.sessionCommands lets you inline xprofile type things
<clever> .xprofile must return for the session to properly load, so you should only set vars and daemonize things
<clever> and once it returns, the entire session is torn down
<clever> .xsession is more for entirely replacing the desktop manager
<clever> then xprofile is the best option
<clever> and 130 gets executed
<clever> 122 gets sourced, as you found
<clever> Infinisil: line 118 lets you configure things in the nixos config
<clever> Infinisil: oh, one min
<clever> i think its mostly the repetition
<clever> just show --show-trace and -v are readable out of the box
<clever> gchristensen: but also, i would maybe want such an option directly in nix
<clever> then throw a legend at the top
<clever> so basically, undo the path search
<clever> gchristensen: replace every instance of a given path, with <nixpkgs>, while obeying $NIX_PATH
<clever> gchristensen: oh, some other processing i often want in nix paths like this
<clever> gchristensen: i want one that scans the conntrack table and follows the nat, then relays the request to the right machine
<clever> gchristensen: then its no better than the ones irc clients implemented, that could basically lie :P

2017-08-01

<clever> gchristensen: aha, but ive not seen one that works thru NAT
<clever> Infinisil: i dont think the service really exists in any modern linux distro, but older irc clients used to implement it
<clever> Infinisil: its why you get this error when connecting
<clever> *** No ident response; username prefixed with ~
<clever> its why you have a ~ in your ident, Infinisil [~infinisil@178.197
<clever> Infinisil: it was a service where you can query what user is owning the connection on a given port
<clever> that little known service that nobody ever used, lol
<clever> nisil [~infinisil@17
<clever> now you just need the ident service working right
<clever> yay
<clever> dhess: but a recent change in nixpkgs broke that and made it overly complex
<clever> dhess: yeah, it should be as simple as just nixpkgs.platform = pkgs.platforms.foo;
<clever> yegortimoshenko: the gpu blob only has to exist as a file in the /boot directory, it never gets linked into anything at build time
<clever> and the drivers all exist in a fork of linux, so it must have the right linuxPackages set
<clever> and if both of those are gone, its nearly impossible to even know its booting
<clever> and youll be lucky to even get usb
<clever> without the right kernel drivers, you wont get any video output on an rpi
<clever> dhess: in the rpi, the power management is handled by the gpu firmware
<clever> yeah
<clever> dhess: but that isnt aware of the low ram and may try to make more use of the cores than the ram can allow
<clever> dhess: nixos-generate-config usually handles nix.buildCores
<clever> and what hardware you can even use after you start booting varies wildly
<clever> but the allwinner line will start in the ARM, with a bootrom that loads a stub from a set offset in various storage media
<clever> all of the rpi's start the boot from a rom in the GPU!!, which will load firmware from a few places, and then it puts a stub at physical address 0, along with a kernel, and sets the ARM loose on it
<clever> and then just how they boot, and what hardware they have, is even less standardized
<clever> and also chips that can do all 3
<clever> so just with the above, you have 2 variants of the 32bit instruction set, and 64bit only chips with no backwards compat
<clever> and armv6 vs armv7 are sort of like 32bit with or without mmx
<clever> but the aarch64 build slaves for hydra.nixos.org are 64bit only
<clever> the rpi3 can run armv6, armv7, and aarch64 code
<clever> arm is far less standardized than x86, even though its all "made" by one company
<clever> Infinisil: or use a custom script that can get passwords via the env
<clever> Infinisil: yeah, your only option there is to either store a template in git, and run sed over it on startup to sub in the passwords
<clever> Infinisil: i also recently read about this, and you could give it a spin: https://tech.channable.com/posts/2017-07-06-introducing-vaultenv-keeping-your-secrets-safe-with-vault-and-haskell.html
<clever> and just never commit that file
<clever> Infinisil: i would put the passwords into a different file, and import them
<clever> Infinisil: nope
<clever> i would just make a new password for irc, and accept that it will be plain-text in the irssi config
<clever> dont do it, you wont survive!
<clever> if i try to edit any user in hydra, it auto-fills my info ontop of them
<clever> i also discovered a nasty interaction between lastpass and hydra
<clever> i use lastpass now
<clever> i just mean the stock password manager built into the browser
<clever> and it has an option to encrypt the entire thing with a master pass
<clever> Infinisil: firefox doesnt try to give you a false sense of security, and just lets you view all saved passwords
<clever> Infinisil: which means, if i want the password for paypal.com, oh, thats also the key to decrypt it! (facepalm)
<clever> Infinisil: internet explorer would "encrypt" the password with the domain name
<clever> Infinisil: saved passwords in a browser have the same issue
<clever> Infinisil: so your only option left is to put a master password over it that you must enter to decrypt, and then its not automatic
<clever> Infinisil: the problem, is that no matter what you do, the computer has to be able to decrypt it on its own, and then an attacker can do the same
<clever> sometimes..., it doesnt do anything today
<clever> xfce with pulseaudio running does manage volume up/down on my usb headset
<clever> dont follow it
<clever> for symlinks, the only content is the target of the link itself
<clever> so a relative link can point to different things, depending on which hardlink you use
<clever> its relative to wherever the name exists
<clever> you can now find every name behind a given file
<clever> also handy, ls -li shows inodes (stat also does), and `find -inum <x>` can search by inode
<clever> exactly
<clever> it also dedups the symlinks, by hardlinking all identical symlinks to each other
<clever> [clever@amd-nixos:~/apps/nixpkgs]$ time echo /nix/store/.links/* | wc -w
<clever> real 0m25.826s
<clever> 1045508
<clever> your cache is probably tainting the ls time
<clever> try the du again
<clever> Infinisil: and echo /nix/store/.links/<tab> only prints a single bel character, after several minutes of delay
<clever> thats not stdout
<clever> Infinisil: ls | wc -l is heavily IO bound
<clever> Infinisil: yeah
<clever> but full iteration is slow
<clever> it must have an internal tree, to allow fast lookup
<clever> but if i try to list the directory, it takes forever
<clever> grantwu: oddly, zfs can access any file/directory almost instantly, if i give it the full name
<clever> 1.5 million at last count?
<clever> now, how many entries are in my .links folder?
<clever> yep
<clever> this cuts the average directory size down to 1/256ths of the normal size
<clever> 00 04 08 0c 10 14 18 1c 20 24 28 2c 30 34 38 3c 40 44 48 4c 50 54 58 5c 60 64 68 6c 70 74 78 7c 80 84 88 8c 90 94 98 9c a0 a4 a8 ac b0 b4 b8 bc c0 c4 c8 cc d0 d4 d8 dc e0 e4 e8 ec f0 f4 f8 fc info
<clever> [clever@amd-nixos:~/apps/nixpkgs]$ ls .git/objects/
<clever> do you know how git deals with this FS problem?
<clever> it also happens to work perfectly on darwin
<clever> this is a bit of bash somebody else wrote, and its been floating around since
<clever> causing it to scan everything and delete nothing
<clever> and if i already have more than that free, it will just tell nix-collect-garbage to delete a negative number of bytes
<clever> Infinisil: this will compute how many bytes i must free, to reach 32gig total free space
<clever> one sec
<clever> Infinisil: in this case, the problem is more in a bash script
<clever> Infinisil: that machine has a 128gig L2Arc on a WD green i believe
<clever> Infinisil: it took 2.5 hours to delete zero bytes
<clever> Infinisil: as an example of how bad too many entries in /nix/store/.links can be: https://gist.github.com/cleverca22/a59112360dcf5c1bd6ebdd9826227bb1
<clever> Infinisil: probably a feature in pandoc
<clever> 8gig vm images
<clever> or rename it in your default.nix
<clever> you either need to map it over like callPackage ../applications/editors/neovim/neovim-remote.nix { pythonPackages = python3Packages; };
<clever> no
<clever> dhess: and if you add it to the linuxPackagesFor function, it will auto-generate a derivation for every kernel
<clever> dhess: this will build the kernel first, then build the modules against that kernel
<clever> dhess: many, one sec
<clever> dhess: that makes it far simpler to manage
<clever> dhess: out-of-kernel modules can always be built as a different derivation
<clever> ah
<clever> dhess: or could you just cut out that subtree and put it into $out with the runCommand?
<clever> dhess: do you need anything above that directory?
<clever> i usually try to use the properly scoped callPackage whenever its available
<clever> so its more obvious which python packages it needs
<clever> using python2Packages.callPackage will make the argument names be python package names
<clever> Infinisil: python2Packages.callPackage
<clever> i see this in some areas, but i would avoid that, because renaming the variable can lead to confusion
<clever> neovim-remote = callPackage ../applications/editors/neovim/neovim-remote.nix { pythonPackages = python3Packages; };
<clever> ah
<clever> and nix can just build it against any version of python
<clever> if you load it within python-packages.nix, it will be available inside every variant of pythonPackages
<clever> thats how most of the language frameworks work
<clever> if you use pythonPackages.callPackage, it should pass you buildPythonPackage
<clever> the bar part doesnt look valid
<clever> mpcsh: i leave mutableUsers on the default value
<clever> that only sets it once, upon creating the user
<clever> Infinisil: i prefer using initialHashedPassword over hashedPassword
<clever> Taneb: and if you're using wpa, you have to run wpa_passphrase essid >> /etc/wpa_supplicant.conf
<clever> grantwu: that was also broken at one point, because the kernel ran /bin/sh with zero env variables, and nixos sh lacks a default PATH
<clever> grantwu: when you try to read the snapshot directory, the zfs driver will automatically spawn a mount process to mount them
<clever> vagrant-: the .lib output goes to result-lib
<clever> vagrant-: its in the .lib output for me
<clever> vagrant-: postgresql.lib 0 s /nix/store/caibx9mv6yr0qlj5j8jjl1qskxwaaanh-postgresql-9.5.6-lib/lib/libpq.so.5
<clever> ij: a lot of internal things like that arent documented
<clever> ij: internally, it desugars into a call of builtins.findFile over builtins.nixPath: https://github.com/NixOS/nix/blob/561e977f51c1d9ec55e4a70791958d4e214df465/src/libexpr/parser.y#L380-L386
<clever> ij: it makes nix search within $NIX_PATH and the paths supplied by -I
<clever> there is only a 3mb difference in the closure sizes, so it doesnt really matter much if its on
<clever> then everything will use it
<clever> grantwu: create a packageOverride that sets openssh = pkgs.openssh_with_kerberos;
<clever> grantwu: so you will need something like git.override { openssh = pkgs.openssh_with_kerberos; }
<clever> looks like git does depend on ssh, without _kerberos
<clever> /nix/store/dsflmyhgzrpdf5w935rngkxqzssl01yi-openssh-7.5p1
<clever> nix-store -qR /nix/store/q0crs4bgh5vgl9cjpp9yxysd1w97inr0-git-2.13.2 | grep ssh
<clever> grep openssh_with_kerberos ~/.nix-defexpr/channels/nixos/pkgs/top-level/all-packages.nix openssh_with_kerberos = pkgs.appendToName "with-kerberos" (openssh.override { withKerberos = true; });
<clever> openssh openssh_hpn openssh_with_kerberos
<clever> nix-repl> openssh<tab><tab>
<clever> [root@nas:/etc/nixos/nixcfg]# nix-repl '<nixpkgs>'
<clever> nh2: and if its anything else (like a path), the 2nd part runs import on it
<clever> nh2: if an entry in imports is a set or function, the first block runs: https://github.com/NixOS/nixpkgs/blob/master/lib/modules.nix#L102-L107
<clever> grantwu: depends on if they refer to pkgs.ssh, or rely on ssh being in path already
<clever> nh2: the file will usually look worse, and i cant see any reason you couldnt just put the module in the parent, rather than the imports list
<clever> grantwu: just nix-env -iA the version you want
<clever> that will affect which version is pre-installed, and used for sshd
<clever> symphorien, grantwu: you want to change programs.ssh.package
<clever> yeah
<clever> nh2: if you have a sample that isnt working i can take a look at it
<clever> nh2: they can be inlined into the imports, but the backtrace will no longer have its own filename
<clever> mog: --add and --add-fixed behave very differently
<clever> mog: nix-store --add-fixed sha256
<clever> mog: how did you add it to the store?
<clever> it has to be the exact version nix is expecting
<clever> yeah
<clever> then it passes that custom stdenv to generic.nix
<clever> then it takes the normal stdenv, and overwrites the platform attribute with that
<clever> it takes the normal stdenv.platform, and overrides the kernelBaseConfig to make a custom platform
<clever> something like this
<clever> dhess: import ./generic.nix { stdenv = stdenv // { platform = stdenv.platform // { kernelBaseConfig = "foo"; }; }; };
<clever> dhess: looking...
<clever> disasm: you can also look at the commit logs for examples that have been merged: https://github.com/NixOS/nixpkgs/tree/master/nixos/modules
<clever> disasm: name: 1.2 -> 1.3 for updates
<clever> dhess: chrome and firefox also do that
<clever> the src route seems simpler
<clever> but then you need to apply the exact same postUnpack to the kernel as well
<clever> that would apply an override to the kernel, that mutates the derivation held in the configfile arg
<clever> kernel.overrideAttrs (drv: { configfile = drv.configfile.overrideAttrs (drv: { postUnpack = ...; }); })
<clever> at a glance, i think you would need to do this
<clever> but if you change the src passed into generic.nix, it will go into both config and kernel
<clever> not easily
<clever> and fetchurl generates a package when given a url
<clever> nix is a bit weird, in that the downloads are separate "packages", that you need to "compile" by running curl
<clever> then use a few fetchtarball derivations to download the tar
<clever> now use this derivation as the src for the whole kernel
<clever> ''
<clever> unpack all the tars to .
<clever> mkdir -pv $out ; cd $out
<clever> runCommand "kernel-source" {} ''
<clever> create a new derivation, like this
<clever> it can be tricky to get to the right one here, but i have another idea
<clever> so you're applying the override to the wrong derivation
<clever> the error is in the kernel config
<clever> your override modifies the kernel to add a postUnpack
<clever> ah, i suspected that
<clever> the kernel build does some weird things
<clever> dhess: what about adding those headers in the postPatch phase?, or prePatch?
<clever> mpcsh: boot.kernelPackages = pkgs.linuxPackages_4_12;
<clever> yeah, i can see how that would look like a giant mess to approach
<clever> contrapumpkin: and if i care about the project, i'll try to upstream them
<clever> contrapumpkin: most of the time, if i'm modifying something where the source is available (i tend to ignore the license), i just put my changes up on github and call it done
<clever> contrapumpkin: yeah, i should probably go over most of my projects and pick them
<clever> its more of an example you can fork and customize to suit your needs
<clever> havent thought about that
<clever> oh, october
<clever> gchristensen: is it this weekend? lol
<clever> only people who drive on the right side of the road?
<clever> canadian :P
<clever> i believe it did
<clever> sheenobu: sounds like the language-ninja stuff
<clever> maine?
<clever> the kexec trick has a full nixos install env, and can easily also have xorg and wifi added
<clever> sheenobu: not-os could be modified to have a basic gui, with download options for distros, and then kexec into each
<clever> sheenobu: or my kexec trick
<clever> sheenobu: not-os could be modified to do that
<clever> and the update stuff may detect a patched version as either a hax or out of date
<clever> steam apps cant be patchelf'd because steam downloads them at runtime
<clever> and a script to chroot into it
<clever> its an FHS layout, with symlinks pointing into the nix store
<clever> steam uses it for example
<clever> sheenobu: does the fhs chroot not count?
<clever> lol
<clever> contrapumpkin: not currently planning on it
<clever> gchristensen: you may want to run it thru the gist command and give them a url
<clever> gchristensen: the output is a bit large to expect a user to copy/paste into github
<clever> gchristensen: ping?
<clever> Infinisil: aha
<clever> Infinisil: i can see the log

2017-07-31

<clever> Infinisil: so anybody can just open that gist and confirm things
<clever> Infinisil: for example, my keybase proof stating i own a given github user, is a gist, that must not be deleted
<clever> Infinisil: i think part of it, is that you must post proofs on other servers, so people dont have to trust keybase
<clever> yep
<clever> Infinisil: mostly the nixops expressions for the deployments and nixos tests
<clever> could it be as simple as thermal throttling?
<clever> bedroom temp: 26.88c(80.38f)
<clever> its normally so smooth
<clever> the framerate on that background is oddly slow
<clever> and now that i open that site, i have questions, what is up with my gpu....
<clever> yep
<clever> Infinisil: i work for https://iohk.io/
<clever> gchristensen: yeah, had to get one when i went to bayhack
<clever> mpcsh: i think builtins.fetchurl supports ssl
<clever> mpcsh: and 3rd, you have pkgs.fetchurl, which supports mirrors and ssl: https://github.com/NixOS/nixpkgs/tree/master/pkgs/build-support/fetchurl
<clever> mpcsh: then you have import <nix/fetchurl.nix> which uses a curl embedded into the nix build and requires a hash: https://github.com/NixOS/nix/blob/master/corepkgs/fetchurl.nix
<clever> mpcsh: first is builtins.fetchurl, the hash is optional, and nix will re-download it hourly: https://github.com/NixOS/nix/blob/master/src/libexpr/primops.cc#L1881-L1885
<clever> though ive never left this continent before
<clever> gchristensen: lol, good point
<clever> gchristensen: i think its half way around the globe?
<clever> there are roughly 3 fetchurl's available
<clever> which needs a hash
<clever> that looks like the pkgs.fetchurl
<clever> it will re-download the .deb at every eval
<clever> mpcsh: you need to use the builtins.fetchurl, which doesnt require a hash
<clever> network isnt allowed during this, so you will need to fetchurl anything network based
<clever> ''
<clever> cp ${src} $out
<clever> verify signature on ${src}
<clever> runCommand "foo.tar" { buildInputs = [ gpg ]; } ''
<clever> you need to run a derivation over it to check the signature
<clever> and if the contents are different, it will compute a new storepath
<clever> mpcsh: every time you eval that nix expression, it will check the age of the file in the cache, and potentially re-download it
<clever> mpcsh: within an hour, yeah
<clever> pie_: installing pkgconfig breaks them, so you should just never install pkgconfig
<clever> pie_: pkgconfig has some setup hooks that manipulate the pkgconfig search path
<clever> mpcsh: --upgrade simply calls "nix-channel --update" behind the scenes, it has no effect on the builtins.fetchurl caching
<clever> mpcsh: if you're using builtins.fetchurl, nix will re-fetch that url every hour, and that can have an effect on the eval
<clever> pie_: something like that