2017-06-12

<clever> so you need a generic key=value store, where the value can be 100's of mb
<clever> catern: a common problem, is that the hash in /nix/store/<hash>-<name> is the hash of the build script, not the output
<clever> catern: you can copy derivations between systems using nix-copy-closure
<clever> gchristensen: i noticed an issue recently where the mic didnt work, but havent confirmed if it can reproduce
<clever> gchristensen: what chromium fix?
<clever> the .drv files usually arent shared, you generate those from the nix expressions
<clever> catern: realized derivation is one way to describe it
<clever> ah, nice
<clever> if you get the directories right, yeah
<clever> and see where it landed
<clever> you would need to look in nix-profile after you install a font
<clever> maybe
<clever> and you will have to manually link ~/.fonts up with symlinks
<clever> if you just nix-env a font, it will land somewhere in ~/.nix-profile/
<clever> catern: and the entire /etc framework is nixos only
<clever> catern: the font installing works by managing things in /etc/fonts/
<clever> it would probably have to be a package containing libraries related to intel's opencl
<clever> ah
<clever> thats an option that you dont really need to ever modify
<clever> ah
<clever> slabity: what are you trying to do?
<clever> slabity: everything put into opengl.extraPackages is added to the buildEnv that lands in /run/opengl-driver
<clever> since nixos-rebuild is doing the actual build
<clever> if you're using --chroot, that wont be an issue
<clever> almost, you can skip a full nixos-install and instead do nixos-install --chroot, followed by nixos-rebuild boot
<clever> you may also need to update /mnt/etc/nixos/hardware-configuration.nix to refer to the new fat32
<clever> so you cant write to the directory under it
<clever> as a safety, i would also "chmod 0 /mnt/boot" before mounting it
<clever> then youll want to make a fat32 and mount it to /mnt/boot
<clever> ah
<clever> if you're doing legacy booting (non-efi)
<clever> then you dont really even need a /boot fs
<clever> ah, ext4 for the real /
<clever> andrewrk: what fs is /?
<clever> that stuff may be from when you accidentally ran things without /boot mounted
<clever> yeah
<clever> andrewrk: because some distros dont make a combined iso that can also boot from usb
<clever> every time ive seen somebody try unetbootin, it breaks everything
<clever> the nixos iso already had a valid mbr bootloader on it
<clever> andrewrk: normal iso dd'd to a usb stick?
<clever> andrewrk: ah, you probably need to fix the hardware-configuration.nix to have the right uuid, before you nixos-rebuild boot
<clever> andrewrk: has the uuid for the fs changed?
<clever> andrewrk: what exactly happened to the old boot?
<clever> yep*
<clever> yeo
<clever> so when they gc'd the old generations, it ceased booting
<clever> not the real /boot
<clever> i have seen some users forget to make /boot mount, so it was updating the grub.cfg in the /boot dir of /
<clever> i never garbage collect system profiles until i confirm it can still boot
<clever> might have been faster if a generation from before that change was still in grub
<clever> it may also help to gc less often, and to test rebooting every now and then
<clever> yeah, use a systemd unit for that
<clever> yay
<clever> thats all managed by install-grub.pl
<clever> ah
<clever> nixos-rebuild will run an install-grub.pl script, which reads the system symlinks and re-generates grub.cfg
<clever> loook: thats in /boot/grub/
<clever> system itself is just a symlink to the current system-xxx-link
<clever> loook: what do you have under profiles?
<clever> default default-69-link system-271-link system-276-link system-281-link system-286-link system-291-link system-296-link system-301-link system-306-link system-311-link
<clever> [clever@amd-nixos:/nix/var/nix/profiles]$ ls
<clever> loook: the numbered system links in /nix/var/nix/profiles/
<clever> i have managed to crash pid 1 by just spawning a systemd container on a malfunctioning fuse layer
<clever> boomshroom: there is an open issue about reviving the jobs framework, so services can be defined without using systemd terms
<clever> loook: ?
<clever> it should be just /run/current-system
<clever> what if you try running activate manually?
<clever> it has to be ran as pid 1 via exec to make the system "booted with systemd"
<clever> so the elf file is at least valid
<clever> /nix/var/nix/profiles/system/systemd/lib/systemd/systemd
<clever> loook: what happens if you just run the systemd with an absolute path?
<clever> loook: yeah, you can invoke the compiled version, it should be at -r-xr-xr-x 1 root root 4955 Dec 31 1969 /nix/var/nix/profiles/system/init
<clever> yeah, this is near the end of activate
<clever> ln -sfn "$(readlink -f "$systemConfig")" /run/current-system
<clever> loook: yeah, and line 132 ran activate, which i think was involved in setting up /run
<clever> but systemd will get upset if its not pid 1
<clever> if you just run it normally without exec, it will drop back to the shell
<clever> if you exec, it can result in another panic
<clever> yeah
<clever> loook: yeah, if you exec stage2 from that shell, it will get pid1 and should try to boot fully
<clever> no need for a thumbdrive
<clever> disasm: if you have physical access, you can just pick an older generation, or add init=/bin/sh to the kernel commandline and get instant root
<clever> disasm: do you have physical access or access to grub?
<clever> there should be a -c flag and an absolute path
<clever> loook: but if you want the sshd-config to work, just read /nix/var/nix/profiles/system/etc/systemd/system/sshd.service
<clever> loook: you can usually just run sshd without any args and it will work
<clever> so you can only ping ip's
<clever> also keep in mind, dns may not work yet
<clever> it might also need the word default added, ip route add default via 192.241.218.1 dev eth0
<clever> default via 192.168.2.1 dev eth0 metric 2
<clever> ip route del 192.241.218.1 dev eth0
<clever> you may need to delete the 192.241.218.1 route
<clever> yeah, that should be working
<clever> loook: what does "ip addr" and "ip route" say?
<clever> the gateway part is optional if you can ssh in from another droplet in the same subnet
<clever> it will be required before either route will fit
<clever> forgot that step
<clever> oh right, "ip link set eth0 up"
<clever> loook: that will get you internet access, then you can manually run sshd with an absolute path and &, which should get you a better terminal and copy/paste
<clever> loook: "ip addr add 192.241.218.198/24 dev eth0; ip route add 192.241.218.0/24 dev eth0; ip route add via 192.241.218.1 dev eth0"
<clever> id get the network up first
<clever> yeah, that confirms its a channel, but that shouldnt have broken it
<clever> loook: also, do you know how to configure an ip with only "ip" or "ifconfig" ?
<clever> tab completion should work
<clever> loook: looks like the contents of a channel got modified, what does it say if you run nix-store -q --roots on that path?
<clever> loook: can you screenshot it?, the hashes can help in debugging the cause
<clever> loook: in theory, once you can get it to boot fully, you can just "nixos-rebuild boot" and it will update the boot config
<clever> its hashing everything in /nix/store to see if anything is corrupt
<clever> yeah
<clever> just unset NIX_REMOTE?
<clever> loook: you may need to export NIX_REMOTE=local i think
<clever> loook: can you get back into that bash shell and then run "nix-store --verify --check-contents" ?
<clever> try going back to grub and picking an older generation
<clever> ah
<clever> have you tried booting those yet?
<clever> loook: did you have the option to boot older generations in grub?
<clever> its jan 1st, 1970, minus your timezone offset
<clever> yeah, that date is normal
<clever> loook: try looking in ls -l /nix/var/nix/profiles/system/systemd/lib/systemd/systemd
<clever> ah
<clever> PATH=/run/current-system/systemd/lib/systemd \
<clever> let me see where it comes in from
<clever> ah wait, its not normally there
<clever> loook: can you cd into /nix/var/nix/profiles and check all of the other system symlinks?
<clever> loook: what does that say?
<clever> loook: i would check this first, "ls -lh /nix/var/nix/profiles/system/sw/bin/systemd"
<clever> loook: yeah, $PATH will be blank, try export PATH=/nix/var/nix/profiles/system/sw/bin
<clever> loook: this one will take a bit more typing, but what about init=/nix/var/nix/profiles/system/sw/bin/bash ?
<clever> oh right, no input at the initrd
<clever> the problem is that /bin/sh is a symlink with an absolute path, and its being checked from outside the chroot
<clever> tell it to continue anyways
<clever> it will also falsely claim it doesnt exist
<clever> though systemd hasnt ran yet, so it might not have auto-loading
<clever> that should replace stage2 with a shell, and it will have the full rootfs mounted, so it might have more drivers
<clever> loook: try booting with init=/bin/sh then and see what that does
<clever> loook: ah, the keyboard drivers might not be in the initrd
<clever> slabity: currently, there is no way to override modules, you need to clone the entire nixpkgs
<clever> debug1 just forces it to fail sooner
<clever> so its not a true failure
<clever> loook: setting debug1mounts forces it to "fail" after it has mounted everything
<clever> Mic92: that will query a metadata service at boot time, find the correct ip, and configure the network
<clever> Mic92: in the case of DO, there is https://github.com/NixOS/nixops/issues/605
<clever> loook: if you add boot.debug1 to the kernel commandline, it will instantly "fail" and give you a root shell in the initrd
<clever> slabity: all i can think of is to modify nixpkgs directly, and maybe send a PR upstream so it always does it that way
<clever> Mic92: and a one-time inspection of the current IP cant deal with that
<clever> Mic92: in the case of digital ocean, they will just open your rootfs and tinker with /etc/network/interfaces any time the IP changes
<clever> slabity: mkBefore and mkAfter cant easily be overridden, you would need to checkout a clone of nixpkgs on the same revision, and just edit the file directly
<clever> Mic92: hardest part, is ensuring the network will come up in every case, some datacenters expect static ip config, others dhcp
<clever> Mic92: yeah, it is almost that easy, extract a tar to /, /kexec_nixos, run "justdoit", reboot
<clever> Mic92: with this, nixops can take over the machine after the justdoit.nix in the same directory has finished installing
<clever> Mic92: i have also just tested it with nixops as well: https://github.com/cleverca22/nix-tests/blob/master/kexec/nixops-example.nix
<clever> Mic92: yeah, the kexec requires a working linux kernel, of any distro
<clever> andrewrk: you will need to boot from the install cd, mount the rootfs to /mnt, and put the new boot at /mnt/boot/, then run "nixos-install --chroot" and "nixos-rebuild boot"
<clever> Mic92: with the kexec stuff i linked previously, i can do an install without needing any custom iso to be mounted
<clever> if you use another working nixos droplet, you can mount the old one to /mnt and then do "nixos-install --chroot" to chroot into it, and then do repairs, and restore the previous connections
<clever> would it be possible to connect that disk image to another working droplet?
<clever> Mic92: which forces it to drop into a shell
<clever> so it supports the grub syntax, without actually using grub
<clever> loook: i suspect they are running a grub-clone, that just reads the config and always runs the default entry
<clever> loook: then you would have to connect to the console before the grub timeout can expire, and thats assuming DO even runs grub
<clever> loook: are you able to remain connected while it reboots?, are you able to send a ctrl+alt+del via that console?
<clever> another thing i had thought of is a custom bootloader that supports network intervention
<clever> ah, yeah, sounds like you need to get into grub, which requires very quick reaction time
<clever> currently, only 2 things are in the list
<clever> Mic92: i recently made a list of things that can be added to the kernel to help with that kind of thing: https://github.com/cleverca22/nix-tests/blob/master/kexec/configuration.nix#L14

2017-06-11

<clever> it could have been a random failure
<clever> jbgi: thats how you manually check the binary cache
<clever> jbgi: that can sometimes happen if it fails to reach the binary cache
<clever> and cat will concat every instance of stat.h
<clever> its under include/sys/stat.h
<clever> and this will only check the libc's
<clever> ls -lh /nix/store/*libc*/include/stat.h
<clever> that will only check the include subdir of every storepath
<clever> ls -lh /nix/store/*/include/stat.h
<clever> Filystyn: if you know the general path, you can heavily limit it

2017-06-10

<clever> dhess: this script will just do the entire install, with zfs for the root, in 1 command
<clever> dhess: the tarball also adds an experimental script, not sure if that part will work on aarch64: https://github.com/cleverca22/nix-tests/blob/master/kexec/justdoit.nix#L32
<clever> dhess: yeah, all nixos instances include nixos-install
<clever> gchristensen: do you happen to know how well kexec works on aarch64?
<clever> if you set the system param for <nixpkgs/nixos> with --argstr, you should be able to create an aarch64 version of the tar
<clever> dhess: basically, you upload a tarball to an existing linux machine (any distro), run a bash script, and within ~2 minutes, it will be running nixos from a ramdisk
<clever> dhess: i havent tried it yet, but you could give my kexec trick a try on arm8
<clever> similar for pkg-config, its setup hook adds all inputs to the pkgconfig search path
<clever> so if gcc isnt in the build inputs, it wont find any other buildinput
<clever> yeah, gcc has a setup-hook that adds buildInputs to the search path for libs and headers
<clever> so you're just going to give yourself more problems down the road
<clever> benley: there is no real reason to do it, and the tools usually dont work right when installed that way
<clever> deba5e12: correct, you should never put build-time tools like pkgconfig/gcc in the systemPackages
<clever> yeah
<clever> ah
<clever> deba5e12, spinus: installing pkgconfig breaks a lot of what nix does to automate things working, you need to add pkgconfig to the nix-shell args
<clever> and they list them all in the imports section
<clever> you can break configuration.nix up into multiple files
<clever> ?
<clever> this creates an nginx reverse proxy, with automatic ssl from lets encrypt
<clever> WinterFox[m]: and in the case of nginx, nixos can generate the config file for you
<clever> WinterFox[m]: you are free to use multiple files if you want
<clever> WinterFox[m]: yeah
<clever> you're welcome :)
<clever> yep
<clever> yeah
<clever> it also means you cant corrupt the FS with improper shutdowns
<clever> and nothing is saved to the hdd, so end-users cant get any malware/breakage to persist
<clever> every time it boots, it downloads the latest version
<clever> so you wouldnt even need nixops, just reboot the pi and its upgraded
<clever> nerdpops: one of the expressions i have in there, is for network booting not-os, with only bootcode.bin on the sdcard
<clever> nerdpops: another option, though its a bit more advanced, is to run not-os on the pi's instead
<clever> i have ran it on one of my pi's before
<clever> so you can take normal nixos machines on baremetal and update them via nixops
<clever> nerdpops: if you set the targetEnv to "none" i believe, it will just ssh into an existing nixos machine and deploy
<clever> nerdpops: nixops
<clever> yeah
<clever> setting enable to true will add it to systemPackages for you, and configure it
<clever> ah, pulseaudio has either pulseaudioFull or pulseaudioLight, and it has a dedicated option to turn it on properly
<clever> inflames: do you have a with pkgs; before the [ ?
<clever> inflames: how exactly do they fail?
<clever> if you're just testing changes to the nix file and dont want to make them active, you can run "nixos-rebuild build" without sudo
<clever> switch/boot/test need root, build doesnt
<clever> yeah
<clever> yeah
<clever> and you can check nix-env -q, as both your user and root, to check for duplicates
<clever> nixpkgs.config.chromium.enablePepperFlash=true; in configuration.nix
<clever> inflames: is chromium being installed with systemPackages or nix-env?
<clever> inflames: you can do that by just setting chromium.enablePepperFlash=true; in the nixpkgs config
<clever> inflames: enablePepperFlash has to be set for the chromium package
<clever> inflames: which program do you want to enable flash in?
<clever> and you cant just install flash, you have to enable it within the build options for the thing you want it on

2017-06-09

<clever> and libuuid still shows, because its an alias of utillinuxMinimal
<clever> and nix-env is trying to remove duplicates, and it removed the original instead
<clever> pbogdan: ah, eject is an alias for utillinux
<clever> 11670 eject = utillinux;
<clever> i find nix-repl to just be better at viewing these things
<clever> pbogdan: part of the confusion, comes from the attribute path being utillinux, but the name is util-linux
<clever> wait no, thats not how the attr search works
<clever> pbogdan: you dont have -A, so its show names, not attribute paths
<clever> pbogdan: what are you using to query the packages?
<clever> :O
<clever> can you gist the entire error?
<clever> what user was it ran as?
<clever> what about it failed?
<clever> what about the result from the previous nix-build?
<clever> what is the value of $NIX_REMOTE?
<clever> what about when you use something like nixos-rebuild --fast?
<clever> yeah
<clever> so the current-shell would work, but only for root
<clever> but when nix is ran as root, it will bypass the daemon
<clever> yeah, you would need to be able to do a nixos-rebuild to apply things properly
<clever> you have to set it in the env for the daemon
<clever> bachp: ah, when nix-daemon is in play, the current-shell ceases to be enough
<clever> bachp: nix-build '<nixpkgs/nixos>' -A config.system.build.toplevel
<clever> bachp: does "type nix-build" show the nixUnstable version?
<clever> gchristensen: sudo -i is usually better
<clever> by default, it uses the nix in the path to build the nix in configuration.nix, then continue onward
<clever> bachp: "_NIXOS_REBUILD_REEXEC=1 nixos-rebuild" will use the nix commands in $PATH, rather than the "correct" nix
<clever> bachp: do you have ssh to another nix machine that is working?

2017-06-08

<clever> mbrgm: however, nixos also gives the disk group +w to the block devices, so that user almost has root anyways
<clever> mbrgm: i modified your collectd example to wrap smartctl instead, and yeah, once i join the disk group, i can query any hdd i want
<clever> ison111: nice
<clever> ah
<clever> mbrgm: another option is to just edit collectd to do this on its own
<clever> mbrgm: about the only difference, is the one between trusting that a program will drop root correctly, vs just not giving it root to begin with
<clever> instead, i opted to have toxvpn start as root, grant itself the right caps, then drop to a specified user
<clever> mbrgm: i have also heard that systemd has stuff to handle caps for you, but never got it working
<clever> mbrgm: ah, i could probably test that on smartctl
<clever> starting strace as root may solve that
<clever> so the kernel just skips setting the uid
<clever> the problem, is that strace uses the same syscalls as gdb, and can freely manipulate the target program into doing anything
<clever> mbrgm: strace breaks all setuid programs
<clever> ison111: not sure, readelf can tell you what it is exactly
<clever> ison111: and something isnt compatible, so that will have to be debugged
<clever> ison111: looks like they tried to package every library themselves to make it portable, which is exactly the kind of problem nix solves
<clever> ison111: what does ldd say when ran on that program?
<clever> ison111: its also usually better to write a nix package to handle the patching for you
<clever> ison111: and what did you set the interpreter path to?
<clever> ison111: did you also fill in the rpath correctly?
<clever> pie_: last i heard, it was about 80gig for the closure of one eval
<clever> ison111: on nixos, you must fix the interpreter path for any binary to work
<clever> if its not correctly patched, it will just claim the file doesnt exist when you try to run it
<clever> ison111: yes, any ELF file that wasnt packaged for nixos must be patchelf'd
<clever> ison111: then it must be patchelf'd before it will work
<clever> ison111: has it been packaged for nixos?
<clever> that will confirm it without causing any damage
<clever> yeah, but rather than blindly delete random things, we can make a new user that just has none of it
<clever> Filystyn: i'm guessing some state in your home folder might be to blame
<clever> what happens if you create a new user entry in configuration.nix and log in under that user?
<clever> ah, not sure on that
<clever> Filystyn: and what exactly is (not) working?