2019-11-15

<clever> CMCDragonkai: you can test it with the x509 cmd i gave above
<clever> ah
<clever> if you run the server you use, and arent using lets encrypt, youll know when the certs are changing
<clever> then you are directly trusting that hosts current cert, and ignoring the whole ca mess
<clever> yeah*
<clever> yeay
<clever> `openssl x509 -in ./foo.pem -noout -text` will pretty-print a cert, once you shove all the base64 into a file
<clever> its also good for testing ssl problems on servers
<clever> that will open an ssl connection, and dump the certs
<clever> CMCDragonkai: `openssl s_client -connect google.com:443`
<clever> CMCDragonkai: what if you grab the cert for the domain in question, and trust it directly
<clever> witchof0x20: youll need to make an initrd file that contains the keyfiles, and put it into this option
<clever> witchof0x20: boot.loader.grub.extraInitrd
<clever> witchof0x20: does it need to auto-unlock without user intervention?
<clever> the keyfiles could be an issue though, i only use passphrase
<clever> then zfs will find them as it imports the pool
<clever> { name = "root"; device = "/dev/nvme0n1p2"; preLVM = true; }
<clever> is an example entry
<clever> witchof0x20: put each luks device into boot.initrd.luks.devices
<clever> 1.9M total
<clever> 58K /nix/store/j997iypa5yvbn8f8k4mqr9qfr998r521-hello-2.10-x86_64-unknown-linux-musl
<clever> 1.8M /nix/store/nyhfmdfhidgmla484f42pla5ai7m9hbv-musl-1.1.24-x86_64-unknown-linux-musl
<clever> and a simple hello-world binary, only depends on itself and musl, nothing else
<clever> $ nix-store -qR ./result
<clever> /nix/store/j997iypa5yvbn8f8k4mqr9qfr998r521-hello-2.10-x86_64-unknown-linux-musl
<clever> /nix/store/nyhfmdfhidgmla484f42pla5ai7m9hbv-musl-1.1.24-x86_64-unknown-linux-musl
<clever> aranea: we already have dynamic musl! lol
<clever> infinisil: oh, your right
<clever> result/bin/hello: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /nix/store/nyhfmdfhidgmla484f42pla5ai7m9hbv-musl-1.1.24-x86_64-unknown-linux-musl/lib/ld-musl-x86_64.so.1, not stripped
<clever> aranea: the key, is that they have different bootloaders, so the main entry point differs
<clever> aranea: i once had a system booting on both x86-64 and a raspberry pi, with a single rootfs
<clever> aranea: yeah, its just a matter of adding a dynamic musl option in nixpkgs
<clever> aranea: i dont think dynamic musl is an option currently
<clever> like so
<clever> $ nix-build -A pkgsCross.musl64.hello '<nixpkgs>'
<clever> aranea: if you build attributes like this, you can build software against the static musl
<clever> > pkgsCross.musl64.hello
<clever> aranea: yeah
<clever> aranea: nixpkgs already has a muslc "cross-compile" target

2019-11-14

<clever> aranea: ive even had arm and x86 binaries co-exist
<clever> aranea: yes
<clever> inkbottle: try logging out and then logging back in
<clever> CMCDragonkai: this code predates the creation of overrideAttrs
<clever> CMCDragonkai: not-os/ipxe.nix has a full example of private certs and signing the files, rather then the whole http
<clever> ah
<clever> CMCDragonkai: but how does ipxe get that https url?
<clever> CMCDragonkai: the example in not-os is signing the ipxe script itself, so the only risk is the ipxe binary
<clever> CMCDragonkai: but if people can mitm your ipxe script, your hosed
<clever> CMCDragonkai: probably
<clever> This command is available only when the build option CERT_CMD is enabled.
<clever> CMCDragonkai: https://ipxe.org/cmd/certstore
<clever> CMCDragonkai: you must download the cert at runtime, using one of the ipxe commands
<clever> CMCDragonkai: trust is for size-constrained images, like actual NIC boot roms
<clever> CMCDragonkai: maybe
<clever> CMCDragonkai: the trust flag only embeds the hash of the cert, while embed puts the entire cert file in
<clever> CMCDragonkai: line 78 and 79 tell it to embed that cert in, and to trust it
<clever> CMCDragonkai: line 75 bakes a cert into the build
<clever> CMCDragonkai: let me grab my example...
<clever> CMCDragonkai: ive primarily used custom certs and the signing built into ipxe
<clever> jumper149: i believe they are propated in, from stdenv
<clever> because cers are too big
<clever> CMCDragonkai: oh, i think it lacks ca certs by default, it only has ca cert hashes
<clever> CMCDragonkai: when ipxe starts, it lists what features its been compiled with, what do you see?
<clever> raboof: some stuff like that, may require logging out and back in
<clever> jumper149: you probably also want to use fetchFromGitHub, rather then fetchurl
<clever> jumper149: there is a fixup phase that fixes things, and buildCommand bypasses that
<clever> jumper149: try deleting the entire buildCommand, and instead do installPhase = "make install PREFIX=$out";
<clever> jumper149: can you pastebin your nix file?
<clever> jumper149: add python3 to your buildInputs and see if the output #! changes
<clever> jumper149: that will do it
<clever> jumper149: what does `ps` report in the shell that things work in?
<clever> jumper149: what direnv?
<clever> jumper149: then your in a nix-shell?
<clever> jumper149: what does `type python3` report?
<clever> jumper149: does it still look like that after you nix-build it? read the file under result
<clever> fifeefo: its based on things line #include <foo.h> in c/c++
<clever> fifeefo: as long as you quote it, things should be fine, shellcheck will complain any time you dont quote things like that
<clever> jumper149: read the generated script that your running, what does it do?
<clever> jumper149: probably, thats why i never install things like python, so such programs fail during development
<clever> jumper149: it should be in the nixpkgs manual
<clever> jumper149: use buildCommand, rather then builder
<clever> jumper149: if you add something to buildInputs and use the stdenv, it will handle -L and -I for you
<clever> tmplt: multiple output derivations
<clever> lordcirth: stdenv.cc is cc-wrapper
<clever> > "${stdenv.cc.cc.lib}"
<clever> exarkun: its probably uncompressing
<clever> exarkun: you can then use whatever tools you want, to mirror the files out of https://cache.nixos.org/
<clever> exarkun: if you flip this around (change --to into --from), it will copy from a directory, that contains narinfo and nar.xz files
<clever> nix copy --to file:///tmp/example2 /nix/store/q9yajgszjnvhi6n5083i415y196qmhgj-synapse-0.2.99.4
<clever> Twey: nix-store --add doesnt work with anything that has dependencies
<clever> then its not in the cache
<clever> exarkun: curl that, and look inside for the path to the .nar.xz
<clever> exarkun: /nix/store/foo-name maps to https://cache.nixos.org/foo.narinfo
<clever> exarkun: create a local directory, containing the .nar.xz and .narinfo files, then use nix copy
<clever> > synapse.meta.longDescription
<clever> > synapse.meta.description
<clever> so i can see breakage before i try to upgrade
<clever> tbenst: i have my hydra configured to pre-build my nixos config against the latest nixpkgs
<clever> tbenst: ah, ive noticed the exact same error on my hydra
<clever> fifeefo: nix-build '<nixpkgs>' -A synapse && ls -lh result/
<clever> fifeefo: and what package was that?
<clever> fifeefo: and what did you use for packageName?
<clever> fifeefo: what exact nix-env command did you use to install the package?
<clever> fifeefo: if its already built, it wont build it again
<clever> tbenst: that will build all of your opengl drivers in i686-linux mode
<clever> rossabaker: ^^
<clever> 2019-11-07 01:13:37< clever> rotaerk: that is the linux 5.3 iso image, for the current build of nixos-unstable
<clever> 2019-11-07 01:13:05< clever> rotaerk: https://hydra.nixos.org/build/105246685
<clever> fifeefo: run `nix-build '<nixpkgs>' -A packagename`
<clever> rossabaker: you can get a 5.x iso image
<clever> tbenst: do you have 32bit dri or pulse enabled?
<clever> fifeefo: nix-build
<clever> fifeefo: i usually just build it with nix-build, then ls that directory
<clever> and we got matrixed again
<clever> its probably fine
<clever> texasmynsted: /etc/nix/nix.conf
<clever> your old nix.conf is still there
<clever> the previous multi-user install sets that
<clever> texasmynsted: thats telling the nix installer to talk to nix-daemon, which doesnt exist
<clever> texasmynsted: you must `unset NIX_REMOTE`
<clever> is $NIX_REMOTE set ?
<clever> texasmynsted: how did the last install fail, when you already owned /nix
<clever> texasmynsted: single-user should be simpler
<clever> ,profiling
<clever> your dividing
<clever> oh
<clever> gchristensen: http://hydra.nixos.org/queue-runner-status -> jobsets.<foo>.shareUsed
<clever> gchristensen: i believe hdyra also exports shares used
<clever> the mouse moved while in vim
<clever> lol
<clever> :q
<clever> yeah
<clever> gchristensen: that line set it
<clever> gchristensen: 158 environment.variables = config.environment.sessionVariables;
<clever> leo__: if the overlay exists in a nixos module, it can read config
<clever> leo__: the chvt in the nix store isnt setuid
<clever> s/trying/string/
<clever> leo__: put ${pkgs.kbd}/bin/chvt in your trying
<clever> ,locate bin chvt
<clever> ,locate bin chvt-priv
<clever> leo__: just use the pkg that contains that binary
<clever> nh2: along with a nix-build command to reproduce things
<clever> nh2: if you can link a branch in a PM, i could look into it later, maybe tomorrow
<clever> elvishjerricco: patchelf is much simpler
<clever> nh2: i think the musl thing is counted as a cross compile, so the native compiler is glibc
<clever> elvishjerricco: search nixpkgs for dpkg, and youll find examples
<clever> elvishjerricco: you would have to patchelf things first
<clever> elvishjerricco: the above example is a bit more complex, it changes nixos options, based on the presense of a file with secrets
<clever> though it still means you cant build until you fetch the file
<clever> jackdk: thats pkgs.requireFile, and it avoids needing the password
<clever> elvishjerricco: builtins.pathExists
<clever> elvishjerricco: enless you can write a drv to auto-login, check the old factorio fetcher
<clever> elvishjerricco: ah, id just use a local path then

2019-11-13

<clever> elvishjerricco: you dont need to copy it first (or bake it into the git repo)
<clever> elvishjerricco: use fetchurl and point it to the deb file
<clever> nh2: is it a normal or a cross compile?
<clever> nh2: are you overriding the ghc of haskellPackages?
<clever> slabity: nixops deploy --include machine1
<clever> slabity: nixops can only access the ssh agent if the $SSH_AUTH_SOCK var is set right
<clever> slabity: are you running nixops in the same terminal?
<clever> deni: some of the columns can be , seperated, space always seperates columns from eachother
<clever> slabity: does the key you added actually exist in /root/.ssh/authorized_keys ?
<clever> deni: enless your trying to set the mandatory features
<clever> deni: the features at the end must be , seperated
<clever> slabity: as the user that runs nixops, start ssh-agent, and do an ssh-add
<clever> WhatisRT: i think the default for dhcp may have changed
<clever> deni: its set on the local machine, the one starting the build
<clever> deni: when true, the remote machine will obey its own `substituters` in its own `nix.conf`, to fetch what it can first
<clever> deni: that depends on the builders-use-substitutes flag, check `nix show-config | grep builders-use-substitutes`
<clever> slabity: launch an ssh agent, and ssh-add your ~/.ssh/id_rsa
<clever> slabity: but if an ssh agent is running, those keys will leak into nixops and give it more power then it "should have"
<clever> slabity: so it never loads ~/.ssh/id_rsa directly
<clever> slabity: nixops will override the default private key location, to use its own keys
<clever> deni: when you use a build machine, you first download all dependencies to the current machine, then you copy them to the remote machine, and ask it to do the build, then copy the product backwards
<clever> tilpner: in vim, you can just do: 52i0<escape>
<clever> deni: you likely need to be a trusted user on the remote machine, to copy pre-built things over to it
<clever> builders = @/etc/nix/machines
<clever> [root@amd-nixos:~]# nix show-config | grep builders
<clever> deni: ah, ive not used that syntax much
<clever> deni: user@host, systems it supports, path to an ssh private key, number of jobs, speed factor (power relative to others), supported features
<clever> builder@192.168.2.126 armv6l-linux,armv7l-linux /etc/nixos/keys/distro 1 1 big-parallel
<clever> deni: /etc/nix/machines has the same format on all platforms
<clever> gchristensen: ah, why isnt that just in hydra itself? it already has a statsd, oh, thats not prometheus
<clever> gchristensen: ah, lol
<clever> gchristensen: maybe my hydra is just older...
<clever> CMCDragonkai: thats the whole point of force import
<clever> gchristensen: the problem is more that its not exported by hydra
<clever> CMCDragonkai: if you make the hostid match between the 2 OS's, then they wont think another host was using it
<clever> gchristensen: everything under .machineTypes is also of use, with tags again
<clever> gchristensen: under /queue-runner-status, id like things like .jobsets.<foo>.seconds and .shareUsed to be in prometheus, using tags for <foo>
<clever> leo_: id need an hour to even figure ouy what your doing, lol
<clever> nh2: haskellPackages.override { ghc = ghc.overrideDerivation (old: [ patches = old.patches ++ [ ./foo ];
<clever> gchristensen: ive noticed a few things in the queue-runner-status, that arent in the metrics, let me find an example
<clever> lordcirth__: what else could you do with that metric?
<clever> lordcirth__: sort of tricky, if you just report total time spent compressing, you wind up just showing cpu usage for that task (time spent vs time elapsed)
<clever> leo_: probably
<clever> gchristensen: those might even be small enough that the L1 or L2 cache could hold the entire thing
<clever> gchristensen: not a single one of those was over 1mb, lol
<clever> 88mb in 46 seconds, ouch!
<clever> > 92888096 / 1024 / 1024
<clever> > 92888096 /1024 /1024
<clever> (92888096 bytes, compressed 86.4% in 46864 ms) to binary cache
<clever> gchristensen: youll find lines like this in the journal for hydra-queue-runner
<clever> gchristensen: (1578144 bytes, compressed 89.7% in 499 ms) to binary cache
<clever> both have a hydra, only one is booted
<clever> there are 2 identical nixops deployments
<clever> *duh*
<clever> oh wait
<clever> gchristensen: i cant get into the hydra that is uploading to s3, lol
<clever> gchristensen: ok, thats an issue..... ssh is blocked on the firewall
<clever> oh, it does log the cpu time spent...
<clever> gchristensen: ive also only really noticed the xz bottlenecks when dealing with ghc derivations
<clever> to see if something has been built before
<clever> another factor that can slow some hydra's down (but not nixos's), is checking upstream caches for narinfo files
<clever> gchristensen: how many cores on hydra.nixos.org ?
<clever> yep
<clever> i had to attach gdb and grab a backtrace, to see what it was "hung" on
<clever> Hc i think
<clever> so if you hit the right keys in top, you can see what drv each thread is compressing
<clever> andi-: it also puts the drv name into the threads argv[0]
<clever> gchristensen: its just compressing one std::string into a second pre-allocated std::string, so it needs zero fileio, and zero memory allocations
<clever> gchristensen: weirdly enough, its doing it so well, it doesnt make a single syscall, so its imposible to even know why its "hung" for 2mins with only strace, lol
<clever> gchristensen: i found that hydra often gets bottlenecked with xz compression
<clever> ,pr nahamu
<clever> werner291: there is no linux5 in 19.09
<clever> werner291: everything says it should be working...
<clever> werner291: any overrides or overlays in configuration.nix? can you pastebin the entire file?
<clever> thats strange
<clever> werner291: and youve ran nixos-rebuild as root?
<clever> werner291: what does `echo $NIX_PATH` report?
<clever> werner291: what path is configuration.nix at ?
<clever> werner291: nix-store -qR /run/current-system | grep codium ?
<clever> werner291: what exactly did you add to systemPackages ?
<clever> werner291: nix-env only reads config.nix
<clever> werner291: yes
<clever> werner291: and is codium in /run/current-system/sw/bin/codium ?
<clever> werner291: did nixos-rebuild work without errors?
<clever> werner291: yes

2019-11-12

<clever> NoctisLa1: behind the scenes, `--upgrade` does `nix-channel --update nixos`, which only updates the nixos channel
<clever> betaboon: yep
<clever> correct
<clever> betaboon: so you run the 1st, once it boots you run `justdoit`, and shutdown, then run the 2nd to actually boot the machine it just installed
<clever> one uses -kernel and -initrd to boot the install media i'm testing
<clever> the attrs at the bottom each create a pair of qemu scripts
<clever> the efi firmware may be loading the default path
<clever> i cant remember if its actually persisting efi vars though
<clever> betaboon: thats what ive used when testing efi installs under qemu
<clever> samueldr: check the simple-test.nix in my kexec dir, that sets up the second flash
<clever> there is a qemu flag that should make nvram persist
<clever> and then use the same flags in the tests
<clever> it would let you at least confirm if nvram persists or not, when using certain flags
<clever> samueldr: if you `-boot menu` with efi enabled in qemu, i believe you can get into the full efi bios config UI
<clever> gchristensen: what could i run to query the agent and prod it do things and debug it?
<clever> gchristensen: tried that, no difference
<clever> gchristensen: my gpg ssh agent has been busted since the last nixos upgrade, it just fails with "sign_and_send_pubkey: signing failed: agent refused operation" now
<clever> selfsymmetric-pa: what args did you give it?
<clever> selfsymmetric-pa: that a shell command
<clever> selfsymmetric-pa: how does current-system depend on the fonts?
<clever> selfsymmetric-pa: nix why-depends /run/current-system /nix/store/path-to-fonts
<clever> selfsymmetric-pa: is the font within `nix-store -qR /run/current-system` ?
<clever> selfsymmetric-pa: did you install the fonts via fonts.fonts ?
<clever> worldofpeace: oooo, ofborg is profiling things!
<clever> worldofpeace: i suspect it might just be ocr weirdness, but havent looked at what the test is doing
<clever> evanjs: a number of tests, including the failing sddm test, arent checked on -small
<clever> betaboon: looks like OCR failures
<clever> betaboon: the last eval only has a single failure, https://hydra.nixos.org/build/106373190
<clever> i think -small has fewer tests
<clever> betaboon: the last build to be all green, is from nov 3rd
<clever> betaboon: nixos-unstable-small updated 6 hours ago, so the basic tests are passing
<clever> ,howoldis betaboon
<clever> slabity: i'm just running full-blown nixos on a router, with 2 cpu sockets, and 8gig of ecc ram
<clever> __monty__: from #nixos-on-your-router
<clever> 2019-11-12 04:27:23 < clever> Nov 12 04:23:15 system76 3s0avjla52qx9zx8yi6glba43did5bvq-unit-script-wpa_supplicant-start[7893]: /nix/store/3s0avjla52qx9zx8yi6glba43did5bvq-unit-script-wpa_supplicant-start: line 4: /sys/class/net/bonding_masters/uevent: Not a directory
<clever> __monty__: looks like you fixed the exact problem i was having
<clever> __monty__: oh, that may help my issues too
<clever> slabity: can you pastebin the output of both commands and the commands themelves?
<clever> slabity: does `nixops list` list `mysystem` ?
<clever> betaboon: also, the tty changes in nix-daemon somehow broke all logging in the derivation that builds the boot image
<clever> betaboon: so you need special flags to control the boot order
<clever> betaboon: i think the basic problem, is that with 2 virtio devices, qemu doesnt know which one to boot from
<clever> betaboon: not sure why, i got distraced and never followed up on the comments as well
<clever> betaboon: one min
<clever> so i can do `cabal build && test-wallet-mainnet`
<clever> line 23 is just running whatever `cabal build` left on the filesystem
<clever> in my case, i'm appending a test script to buildInputs (which you could also do)
<clever> kenran: in your case, you would stick the `env_var = ...` between lines 34&36
<clever> kenran: line 34 pulls up the .env attr of a haskell derivation, then overrides it
<clever> kenran: one min
<clever> kenran: ah, if you just want an env var pointing to it, do `env_var = writeText "name" "contents";` in whatever you pointed `nix-shell` to (inside the mkDerivation)
<clever> kenran: and then just run nix-build on that file, and then `cat result`
<clever> kenran: for example, just shove this into a file: with import <nixpkgs> {}; writeText "name" "hello is at ${hello}"
<clever> if using a set, then you -A something, to select a key in the set