<clever>
then you will want to turn the keep-number back up, so things can't get GC'd
<clever>
dalaing: then the previous --query --roots should say none, and you can --delete the corrupt path
<clever>
dalaing: then go into the hydra config for the blog project, and set the keep-number to 0, and "sudo systemctl start hydra-update-gc-roots.service"
<clever>
dalaing: you will need to first remove pandoc from the blog's profile, and after confirming blog no longer points to blog-34-link, you can delete blog-34-link
<clever>
dalaing: what does /nix/var/nix/profiles/blog point to?
<clever>
dalaing: is the blog profile at generation 34 right now?
<clever>
sublime has a backup, cache, index, and packages in its .config
<clever>
Infinisil: and sublime has 10 backups of something, that each include a 4.5mb eval.gif
<clever>
if you rename or move the result symlink, it has the same effect as deleting it
<clever>
pie__: you can't GC the result until the result symlink is deleted
<clever>
something that runs an open-source build of the darwin kernel, with a custom launchd, that only has sshd and nix-daemon
<clever>
Infinisil: something i have planned in the distance, is to make a nixos-like image based on XNU
<clever>
i have tried to run hackintosh before, and ran into issues with a lack of AMD support in the mac kernel, and a lack of vm extensions on all of my intel cores
<clever>
ah
<clever>
how? heh
<clever>
and far too many things assume 8080 is free
<clever>
Infinisil: sounds handy, i've seen one or 2 users having weird problems in here because they didn't notice that
<clever>
then mass-joined, and your new connection couldn't auto-identify
<clever>
Guest62794: matrix went down about an hour ago, and mass-disconnected
<clever>
nope
<clever>
try saying that in the channel?
<clever>
Guest62794: what about just /nick sphalerite
<clever>
Guest62794: it looks like matrix isn't configured to auto-identify upon connecting
<clever>
Infinisil: what else could the service-target refer to?
<clever>
re-running nixops deploy results in no change to /run/current-system, so it's not the host rolling back by mistake
<clever>
i somehow keep losing the wheel group
<clever>
and this keeps happening
<clever>
clever is not in the sudoers file. This incident will be reported.
<clever>
i've also heard that it has the same issue with zfs
<clever>
boot.loader.grub.copyKernels silences the warnings
<clever>
gchristensen: when /boot is on the same fs as /, grub has to navigate the horrors of /nix/store to find kernels, and spits out many warnings about invalid inodes
<clever>
gchristensen: found an oddity in grub's support of xfs
<clever>
and once that boots, it can phone-home, and register itself as installed, to de-queue the self-nuke, and make it available for nixops usage
<clever>
gchristensen: with a bit of tweaking, you could double-check that the system is scheduled to nuke itself (store the mac in a db queue), then just serve it the url to a netboot build setup to run justdoit on bootup
<clever>
which is also in the gist, and slightly modified to have justdoit pre-installed (an older version)
<clever>
and then it chainloads the script from nixos netboot
<clever>
if the version string is empty, it's virtualbox, so it chainloads a better ipxe
<clever>
one system boots nixos over iscsi
<clever>
but you can easily add a database to it
<clever>
boot.php then uses a simple switch statement to send a hard-coded ipxe script
<clever>
which is also included in the gist
<clever>
it causes ipxe to insert its own mac into the url, when loading boot.php
<clever>
see what i did with boot.php on line 10 of the dhcp conf?
<clever>
i think things at that scale are network only
<clever>
but now you need an enterprise-sized printer, that isn't network capable
<clever>
yeah
<clever>
and you USB'd the printer to the rpi, and ran cups on the rpi
<clever>
although, if you ignored the network abilities of the printer
<clever>
joepie91: but if i have physical access to the printer, i can just plug my laptop into the rpi, and spoof the mac
<clever>
yeah
<clever>
then i was able to just services.dhcp.enable = true; and the problem went away
<clever>
which let me get into the xen host
<clever>
from there, i had to configure a static ip, then get into the router, and adjust the port forwards
<clever>
the only thing open, was vnc to a xen vm running windows, with broken network config
<clever>
the port forward for ssh went to a machine that relied on dhcp, but the dhcp server was down
<clever>
last week, i had to fix a severely broken network
<clever>
oh look, a mac that doesn't need radius, let me spoof
<clever>
oh, the printer doesn't support it, let's just add an exception for that mac!
<clever>
i also heard about some networks using proper radius on the network, so every single device must have a signed cert, even at the ethernet level
<clever>
so his windows username was left behind in every single machine
<clever>
and that printer persists, and has your username
<clever>
what he didn't know, is that RDP forwards your printer and shares it back to your host
<clever>
somebody was using RDP to proxy himself through a company network, 100 RDP sessions deep
<clever>
i also saw another thing about printers and security
<clever>
the idiot just threw out the "possessed" printer
<clever>
joepie91: the guy now has a free printer
<clever>
joepie91: it then printed out a page saying it was possessed
<clever>
joepie91: i've also seen a thing on facebook, about a neighbor that left the printer wifi unsecured
<clever>
lol
<clever>
and also phish
<clever>
yeah
<clever>
ah, if i can get control of one device, it will be behind your firewall, and can further exploit other devices
<clever>
joepie91: though thinking about it, only devices with a screen or speaker can demand a ransom, everything else will just participate in a ddos, or spy on you
<clever>
joepie91: look at the image to see what that will result in
<clever>
joepie91: i found an sql injection problem in the login page, "1 or 2" was enough to make it ignore the password
<clever>
he was preparing a query like "select * from foo where bar = '$bar'"
<clever>
i once talked to a php dev that thought his mysql framework was automatically escaping all strings because he used prepared queries
<clever>
yeah
<clever>
closed source firmware on a chip that can access all ram, and no way to turn it off
<clever>
gchristensen: i have mixed feelings on IPMI's, on the one hand they fix a number of problems, on the other hand, it can lead to things like https://blog.exodusintel.com/2017/07/26/broadpwn/
<clever>
so i had to use 2 VMs to boot nixos
<clever>
the remote dvd only worked on xp
<clever>
the remote-console only worked on win7
<clever>
the active-x support was also rather fractured
<clever>
i had to deal with the dell drac, and it uses activex
<clever>
gchristensen: what happens if you just run "ssh-keygen" on that server?
<clever>
but only if you run it from bash
<clever>
if you try to run a +x'd script, without a #! (or with an invalid one it seems), bash will assume it's a bash script
<clever>
/nix/store/grn032sshillbzn0h57ks7r4cya4mqxy-nixos-system-eeepc1-17.09pre111447.a7c8f5e419/bin/switch-to-configuration: line 3: use: command not found
<clever>
the kernel ignored the #! and bash tried to parse the perl
<clever>
luckily, the 64bit perl in the #! of a script failed to even switch to configuration
<clever>
eeek!, almost did a 64bit nixops deploy, to a 32bit only machine!
<clever>
NickHu: nixpkgs has helpers to make deb and rpm packages
<clever>
both ends can just connect in either direction, no matter the distance
<clever>
and that reminds me, if ipv6 is available at both ends, 3rd party servers and port forwarding are entirely a non-issue
<clever>
expecting it to be able to nat home
<clever>
i had customized the kexec based on how dedicated hosts behaved, then ran it on a virtual host
<clever>
virtual hosts get no ip at all
<clever>
dedicated hosts will get a private ip (with nat) if you try to dhcp
<clever>
with racklodge, you must configure a static public ip on all machines for it to work
<clever>
but that can't be routed, so you would need another machine in the broadcast segment
<clever>
i was using tcpdump to sniff for any packets from the mac, and stumbled upon its ipv6 link-local addr
<clever>
i ran into a similar problem with racklodge
<clever>
ah
<clever>
toxvpn would require less setup
<clever>
LnL: tmate.io is one option, but you still need a way to get the url back to the user
<clever>
LnL: getting such phone-home stuff to work for everybody, would require them to either set up port forwarding in a weird direction or having them rely on a 3rd party server/network
<clever>
LnL: even something as simple as having it curl a url and watching the access-logs can help
<clever>
yeah, that's where it can be handy to have it phone-home on bootup
<clever>
which python are you running, and which python was boost compiled against?
<clever>
ah, hmm
<clever>
bkchr: you need to point it to the non-python boost libs
<clever>
bkchr: you need to create a bash wrapper that sets that env variable correctly, before it runs python on your code
<clever>
bkchr: LD_LIBRARY_PATH
<clever>
Guest47554: it may be better to use python.withPackages
<clever>
the network is not yet up during activation at bootup, i helped somebody with a broken boot figure this out a month ago
<clever>
Guest47554: it's usually a bad idea to do anything complex in the activation script, and network is even worse
<clever>
tilpner: yeah, just throw up a PR and see if others like it
<clever>
et4te: can't think of anybody else at the moment
<clever>
erlandsona: nope
<clever>
error 500 means it's fully responsive over tcp and icmp, and it's an internal error in the server
<clever>
globin: died?
<clever>
i've not messed with the themes of things much
<clever>
erlandsona: you have to tell it which channel to build that profile against, nix-env -iA master.my-profile would build everything with the channel called master
<clever>
mixing the 2 of you up a bit
<clever>
oops
<clever>
erictapen: which lets me do things like access github without the remote system needing its own keypair
<clever>
erictapen: for example, "ssh -A clever@laptop" will forward the agent, so within that remote shell, i can still make use of the agent
<clever>
erictapen: nix-env -iA master.foo, tells it to directly use the channel called master
<clever>
erictapen: '<nixpkgs>' doesn't load the nixpkgs from the master channel, it loads the first nixpkgs in $NIX_PATH
<clever>
erictapen: i use ssh agent all the time, it can do fun things like securely sharing the key between machines
<clever>
erictapen: look around inside /etc/ssh/authorized_keys.d/ on the target and you should see an extra key on root
<clever>
erictapen: i believe nixops will allow its own internal private key on the deploy, so it shouldn't need that for any future updates
<clever>
erictapen: yep
<clever>
erictapen: or rather, nix-env -iA master.my-profile
<clever>
erictapen: and what if you do nix-env -iA master.albert
<clever>
it will probably do builds as nixbld, but those are pure
<clever>
Fuuzetsu: the ssh isn't done from nixbld users
<clever>
erictapen: what channel are you on and what version are you expecting to see?
<clever>
wait, 30 is just checking, but something else definitely adds the -i and does that
<clever>
but i believe the agent will keep working
<clever>
line 30 changes the default search path for the private keys
<clever>
erictapen: what happens if you launch an ssh agent and ssh-add a key to that?
<clever>
erictapen: ah, i think i found the problem, nixops adds a "-i <keypath>" to the ssh args, to make ssh use an internally generated nixops key
<clever>
erictapen: ps aux | grep ssh, are there any weird ssh processes left around that go to .13.100?
<clever>
erictapen: can you gist the full output of the nixops command?
<clever>
erictapen: what happens if you try to ssh into the root user on that machine?
<clever>
simpson: sounds like a similar job to verifying source ip, to prevent spoofed sources
<clever>
simpson: firmware updates can then patch that function pointer table, to redirect anything to a variant that exists in ram
<clever>
simpson: there is a rom in the chip, with the full firmware, which copies a table of function pointers to a pre-defined area of ram, and uses that to do indirect calls to everything
<clever>
simpson: another interesting thing is how the broadcom chips deal with firmware updates
<clever>
simpson: these chips have a cortex m3 in them
<clever>
and it lacks no-execute bits in the cpu, so buffer overflows are worse
<clever>
Infinisil: a single-chip with cpu, ram, rom, and in this case, a wifi radio
<clever>
Infinisil: micro controller
<clever>
simpson: yeah, you can basically hijack any wifi chip in range, and make it spread the infection, so you now have wifi worms
<clever>
simpson, Infinisil: the bug i read about happens in that 2nd stage of processing, which is only done on the uC when they are wanting to avoid high cpu usage on the host
<clever>
simpson, Infinisil: for desktop/laptop wifi modules, the uC will handle the wifi level packet processing, and basically return frames very similar to ethernet frames to the host, which finishes the processing within the wifi driver
<clever>
simpson: the more modern ones are on a pcie bus, so they can then DMA the host
<clever>
simpson: and virtually every android device uses a broadcom wifi chip
<clever>
but in mobile devices where power usage is important, they put everything into the wifi chip
<clever>
Infinisil: it's less likely to happen in desktop/laptop machines, because the roles are split between the card and host driver
<clever>
simpson: so there are now RCE problems in the wifi chip, that can occur without any user interaction
<clever>
simpson: and those chips lack no-execute protections
<clever>
simpson: another thing i recently read about, the firmware in broadcom wifi chips has buffer overflow exploits in it
<clever>
tilpner: i'd have to double check the source to confirm where exactly overridable goes
<clever>
tilpner: callPackage already throws a makeOverridable over everything
<clever>
tilpner: something like that, but i think it has to be done after the 2nd set of args are passed in
<clever>
Infinisil: override would have to be added back in to the return value of buildEnv
<clever>
i see why that can become a problem
<clever>
and .override isn't available due to how callPackage interacts with things
<clever>
overrideDerivation and overrideAttrs would act on the json in pkgs, not the paths
<clever>
Infinisil: buildEnv is just a wrapper around runCommand, which sets the pkgs env variable to be a json'd version of paths
<clever>
Infinisil: i've heard of it but haven't looked into it
<clever>
joepie91: i've been trying to do more things in haskell now, just to avoid the mess that js and php can be :P
<clever>
et4te: lol
<clever>
et4te: ah
<clever>
which makes a horrid mess
<clever>
or (function () { ...}).bind(this)
<clever>
i tend to fix it with callback.bind(this) being passed around
<clever>
but it's a pain to bind everything
<clever>
func.bind can be used to lock it in some
<clever>
Infinisil: if you store a function at this.callback, then the 'this' will be wrong when it's run
<clever>
joepie91: i have also used the firefox api to create my own custom sandboxes
<clever>
joepie91: they have also had some problems, where extension authors would leak a function reference down, that can break the sandboxing, so they have since locked down on what types can cross the border