2019-10-02

<clever> elvishjerricco: what args did you give to nixos-rebuild?
<clever> elvishjerricco: efi or legacy?
<clever> elvishjerricco: is /boot correctly mounted when you rebuild?
<clever> elvishjerricco: any backtrace?
<clever> l33: the vm doesnt need those files to boot
<clever> l33: yes
<clever> hoppfull: -I appears numerous times in the nix manual
<clever> hoppfull: every nix command accepts a -I flag
<clever> hoppfull: nix-shell -I nixpkgs=/path/to/nixpkgs
<clever> hoppfull: what did you try to change the nixpkgs?
<clever> and if the machine causing the build is multi-user, and a non-root user triggered the build, youll find a similar link there too
<clever> if the build slave is using non-root, youll find a link like that there
<clever> which contains the pid of whatever controls it
<clever> clever 29850 0.4 0.1 521368 62476 pts/10 Sl+ 15:56 0:00 nix repl
<clever> arcnmx: but another common situation, is that youll run into a `nix-daemon 29850` process, that is a worker process
<clever> arcnmx: in my case, the parent of that ssh is hydra-queue-runner
<clever> and if you check netstat on the other end, you can map that port back to a pid, then check the tree again
<clever> ESTABLISHED 33456/ssh
<clever> [root@hydra:~]# netstat -anp | grep 50258
<clever> arcnmx: this will then reveal what ip and port was used to connect to ssh
<clever> `cat /proc/58171/environ | xargs -0 -n1 echo | grep SSH`
<clever> in this case, somebody ssh'd directly into root, ran `nix-store --serve --write`, and used the protocol to request a build
<clever> 58252 ? SNs 0:00 bash -e /nix/store/60vrvp21ws3y9v89wlddk38flj6fhkag-builder.sh
<clever> 58171 ? SNsl 0:01 nix-store --serve --write
<clever> 58162 ? Ss 0:00 sshd: root@notty
<clever> first, check a ps tree, like `ps -eH x`
<clever> arcnmx: ive typially done it by reading /proc and understanding what its fields mean
<clever> edef: ive also done some stuff with ipxe and snmp
<clever> ive managed to get it working inside docker
<clever> or you jump thru a lot of hoops
<clever> that will only work right if the user is running a full nixos install
<clever> but services is the tricky part, you cant auto-configure postgresql on ubuntu, so you need to explain to the user how to set it up correctly
<clever> some also work on darwin
<clever> libraries and packages work on pretty much any linux based kernel

2019-10-01

<clever> proper secure boot requires multiple phases of signing
<clever> and the boot dir isnt encrypted, so you could just edit grub.cfg after yanking the drive, to backdoor it all you want
<clever> and grub itself isnt locked down, so you could just use the grub UI to hax the machine as hard as you want
<clever> it just means that it wont boot if grub ever updates
<clever> so i can have secureboot on, without dealing with actual signing
<clever> for my laptop, the firmware lets my enroll my own public keys, or just whitelist efi binaries by hash
<clever> in theory, nixos could just shove the same file onto its boot media
<clever> i believe ubuntu uses it as a shim, between the bios and the unsigned grub
<clever> which effectively makes the M$ keys pointless :P
<clever> my understanding, is that SHIMX64.EFI is just an EFI binary, signed by M$, that will run any unsigned EFI binary
<clever> there it is, SHIMX64.efi
<clever> that reminds me...
<clever> drakonis: and if they give that out, then secure boot is basically pointless
<clever> drakonis: it would have to be signed with microsoft's private key
<clever> drakonis: see if google knows anything about clearing the password or turning off secure boot
<clever> drakonis: did it have any previous owners that might have set a pw on you?
<clever> drakonis: pre-owned or fresh from the store?
<clever> drakonis: is it a desktop or laptop?
<clever> drakonis: and you dont know the password? you dont have the ability to factory-reset the motherboard?
<clever> drakonis: why are you unable to disable secureboot?
<clever> Capisce68: so you must set it to a string, not a bool, and choose from the values it lists
<clever> witchof0x20: you may want to look into nixos containers
<clever> probably the remain after exit then
<clever> gnidorah: does the value in the restart triggers field change?
<clever> but if you break things, it wont boot again
<clever> it also runs entirely from ram, so once you have booted, you could mess with /boot/
<clever> but you still need to worry about the entire machine crashing, or power failures
<clever> now you dont have to worry about the usb stick failing, or just getting lost
<clever> you can then do whatever you want from that, and customize it to include things like xserver and gparted
<clever> drakonis: this puts the entire nixos installer into /boot, along with a grub option for it
<clever> drakonis: you might be interested in my rescue-boot.nix file
<clever> ah
<clever> exarkun: of which repo?
<clever> to import the nix file, then import whatever the string refers to
<clever> exarkun: import then returns that string
<clever> so you need import (import ./nixpkgs.nix) {}
<clever> exarkun: fetchTarball returns a string
<clever> fuzen: you should be able to just do `import ./default.nix` inside `docker.nix`
<clever> bahamas: yep
<clever> bahamas: nix-store -r /nix/store/foo --add-root result --indirect, will create a result symlink pointing to it, which prevents it from being GC'd
<clever> bahamas: nix-copy-closure can be used to copy it between different machines
<clever> aria: refer to the above conversation with iqubic, its already fixed in nixpkgs master, just need to wait for the channels to update
<clever> yep
<clever> nixos-rebuild just makes the new nixpkgs take effect on nixos
<clever> correct, only nix-channel --update can update the nixpkgs
<clever> yep
<clever> yep
<clever> iqubic: left<->right is time, left is most recent
<clever> iqubic: i only see one failure, for nixos.ova.x86_64-linux
<clever> iqubic: because those are from a week ago, and arent important
<clever> every job on the left side must be green, before the channel will update
<clever> iqubic: click that link
<clever> ,howoldis iqubic
<clever> until the tests are all passing
<clever> iqubic: unstable is the latest version of master, that tests confirm wont brick your machine
<clever> iqubic: then the fix probably isnt in unstable yet, only master, youll need to wait for it to hit unstable
<clever> iqubic: what does `nix-channel --list` say?
<clever> te
<clever> nix-channel --upda
<clever> then you need to update the nixpkgs
<clever> the problem has already been fixed
<clever> iqubic: you are
<clever> 45693 version = "2.15.0";
<clever> [clever@amd-nixos:~/apps/nixpkgs-master]$ nix edit -f . cabal2nix
<clever> it may already have been done
<clever> first, check nixpkgs master
<clever> thats why
<clever> what is the version= in your hackage-packages.nix ?
<clever> at the top of the page you linked, it says that is in version 2.15.0
<clever> so that commit likely fixes the problems your having
<clever> that commit is removing disp
<clever> 2019-10-01 01:17:16 < clever> iqubic: do any commits add or remove a disp on line 115?
<clever> check more commits
<clever> iqubic: do any commits add or remove a disp on line 115?
<clever> iqubic: now open derivation.hs, on the github page
<clever> iqubic: what file did the error say the problem was in?
<clever> iqubic: and hackage has a link to the github page
<clever> iqubic: it will fetch cabal2nix from hackage, based on the pname and version
<clever> iqubic: the pname does
<clever> that file will point you towards the cabal2nix repo
<clever> iqubic: thats not the cabal2nix repo
<clever> iqubic: nix edit nixpkgs.cabal2nix
<clever> start by figuring out when it was broken, by reading the git history of cabal2nix
<clever> iqubic: you can also call it yourself
<clever> iqubic: because callCabal2nix needs a copy of cabal2nix, to call cabal2nix
<clever> iqubic: nix is build it for you, but that build is failing
<clever> iqubic: or use git blame within cabal2nix, to see when the problem was introduced
<clever> iqubic: it clearly says cabal2nix itself is failing to build
<clever> builder for '/nix/store/z4176nbyjj2x4rnrbapvicfd5cimjqx5-cabal2nix-2.14.4.drv' failed with exit code 1
<clever> when was disp added? do the commits say anythign?
<clever> iqubic: check the git history for cabal2nix, and the file that is failing to build
<clever> iqubic: because the error said so
<clever> check on hackage
<clever> does disp take a PackageName and return a Doc?
<clever> iqubic: find out what package provides disp, and what version its in
<clever> 115 | [ attr "pname" $ doubleQuotes $ disp (packageName _pkgid)
<clever> Variable not in scope: disp :: PackageName -> Doc
<clever> iqubic: the version of some haskell package isnt right, so the haskell code isnt compiling
<clever> notgne2: basically, its an entire linux "distro" in a single 2mb ELF file, that lives in the initrd
<clever> notgne2: have you seen what i did with haskell-init?
<clever> notgne2: yeah, ewww perl! :D
<clever> so i would need to patch it into the perl code
<clever> notgne2: but, i want to wait until post-start has finished, then start things that depended on it
<clever> notgne2: the main issue i would run into, is that the perl runner script, does pre-start, start, post-start, and stop all for you
<clever> but that needs a proper language, not bash
<clever> then when you started x, you run a function pointer, that runs y
<clever> notgne2: the only way to make it any better, is to generate a dep tree, and fill the nodes with function pointers to initiate starting more things
<clever> notgne2: inotify can eliminate the need to poll
<clever> notgne2: another option, is to just create a file when the service is started, then everything just waits in a while loop, until said file exists
<clever> notgne2: it also relied on things just blocking until it was fully started
<clever> notgne2: init.d didnt really support concurrent startup, and you just had to number everything so starting things in order worked
<clever> notgne2: main problem i can forsee, is just making one wait for another, i dont know if runit supports that, so i may need to implement it in bash
<clever> l33_: the "new" gnome ruined everything for me
<clever> l33_: i prefer xfce
<clever> l33_: lol
<clever> lucasvo: services have their own PATH, you have to add things to systemd.services.foo.path = [ pkgs.bar ]; to be able to run them
<clever> simpson: haskell lets you go one step further, and just use forkIO and pure code, rather then child procs!
<clever> simpson: but if you can jam every binary into a single executable (like busybox), that could be even better (as long as it doesnt harm performance)
<clever> simpson: i like the idea of keeping things dynamic (so you can share code between binaries), but using patchelf to reduce closure sizes
<clever> simpson: it will recursively copy the dyn libs, and re-patchelf things, to reduce the closure size
<clever> simpson: nixos also has some patchelf based utils, when copying binaries into the initrd
<clever> so you need to bake the modules into the kernel
<clever> at which point, why even bother making it pure haskell if you have to put c binaries in :P
<clever> simpson: so you need the modprobe binary (written in c?) to load modules
<clever> simpson: kernel modules are a pain, because the a lot of the heavy lifting is done by the modprobe binary, not the kernel
<clever> simpson: its currently a single binary, under 4mb, with zero dynamic libs (muslc)
<clever> simpson: haskell-init was mostly just an example, to show what you can do with an ultra-minimal init, and using nix to build it all
<clever> simpson: ah, that would be even simpler!
<clever> simpson: #osdev is also available
<clever> simpson: once a basic userland is up, you would need to port nix itself to that kernel, so it can build itself
<clever> simpson: i think if you want sel4 under nix, you would need to first look into getting the kernel to build with nix, and then booting it under qemu
<clever> Python without an operating system
<clever> simpson: python works in grub.....
<clever> notgne2: currently, i dont have dependencies handled at all, several services fail to start because postgresql hasnt ran yet, but they just auto-restart until things work
<clever> notgne2: ahh, so your dealing with dependencies in the code, rather then requiring the user to do that
<clever> simpson: seen my haskell-init stuff?
<clever> notgne2: another difference from how i did things, it sounds like you just map over every single service, while i just have a whitelist: https://github.com/input-output-hk/cardano-explorer/blob/more-docker-improvements/docker/default.nix#L337-L344
<clever> i had to write my own deroot binary, then i noticed 3 setuid binaries already in nixpkgs (nix-index :D), and runit already has its own util for just that
<clever> the pam in nixpkgs lacks @include support, debian patched pam to have @include support, so the sudo in nixpkgs doesnt work in a docker based on ubuntu!!
<clever> sudo needs valid pam config files, or it wont do anything
<clever> sudo will reset PATH, even if you tell it not to
<clever> notgne2: su will reset PATH, even if you tell it not to
<clever> notgne2: oh yeah, and it turns out, dropping root is a lot harder then it needs to be, lol
<clever> notgne2: https://github.com/input-output-hk/cardano-explorer/blob/more-docker-improvements/docker/default.nix#L4-L19 and this is how i avoid maintaining a fork of nixpkgs
<clever> notgne2: but i ran into 2 bugs when using it, 1st: it doesnt support .User and .PermissionStartOnly, 2nd: it just does $var = "${foo}"; and if your ExecStart contains a ", all hell breaks loose :P
<clever> notgne2: this already exists in nixpkgs, and generates a perl script, that can run any systemd service
<clever> notgne2: ah, have you seen the .runner attr?
<clever> notgne2: and nearly all of those are just running the existing nixos modules, that run the same services on nixos
<clever> notgne2: i now have a nix expression, that generates a docker image, that runs postgresql, prometheus, grafana, nginx, oauth2_proxy, prometheus-postgres-exporter, and 2 custom services

2019-09-30

<clever> including multiple services at once
<clever> notgne2: then i package it all up into a docker image, so i can just run any nixos service
<clever> notgne2: ive been working on the reverse i think, i translate systemd service definitions (in nixos modules) into very simple scripts, that runit can then run
<clever> notgne2: if you want udev in the initrd (ethernet if naming), you must put the entire systemd in the initrd, and the package is pretty hefty
<clever> notgne2: they also ate udev whole
<clever> lucasvo: this is the most basic example
<clever> s
<clever> lucasvo: mkService would be a function you write, if you want to generate many service
<clever> lucasvo: you generally just assign values to systemd.services.something
<clever> l33_: ive also managed to crash pid1 when playing with systemd-nspawn and fuse, so it definitely seems to be over-reaching in its goals
<clever> now ive learned to put up with it :P
<clever> l33_: i was also anti-systemd before i switched to nixos
<clever> l33_: https://www.youtube.com/watch?v=o_AIw9bGogo "The Tragedy of systemd"
<clever> lucasvo: the nixos manual should explain everything you need to know
<clever> lucasvo: https://nixos.org/nixos/options.html#systemd.packages might help, try adding the package to that option
<clever> lucasvo: thats not a module, thats a package
<clever> lucasvo: is there a nixos module for it already?
<clever> gchristensen: hmmm, maybe the hydra slaves are more powerful, it took 7h there
<clever> gchristensen: either 12 or 48 hours, cant remember exactly
<clever> gchristensen: chromium is the closest i can think of
<clever> shyim: 30 days, to be specific!
<clever> > 2592000 / 3600 / 24
<clever> [root@amd-nixos:~]# nix show-config | grep narinfo-cache
<clever> narinfo-cache-positive-ttl = 2592000
<clever> narinfo-cache-negative-ttl = 3600
<clever> shyim: so if you didnt clear the cache, it wont recover for multiple days
<clever> shyim: by default, the positive ttl is in the days
<clever> nix will automatically remake them, and re-populate from the caches
<clever> shyim: yep
<clever> shyim: those files are used to cache what is in the cache
<clever> /root/.cache/nix/binary-cache-v6.sqlite
<clever> /nix/var/nix/binary-cache-v3.sqlite

2019-09-29

<clever> then everything is root
<clever> ddellacosta: for things like this, i prefer `sudo -i` to drop you into a root shell
<clever> ddellacosta: sudo only affects the 1st command, the ; runs the 2nd without root
<clever> ddellacosta: that should work..., what is the exact command you ran?
<clever> chris__: simplest thing is to just let grep search the whole thing for a common string
<clever> emily: you can still run iptables manually to mutate things, after nixos has applied its rules, but nixos will undo those changes next time you nixos-rebuild, potentially breaking things
<clever> chris__: nix.extraOptions
<clever> chris__: what are the first 3 lines of your nix.conf?
<clever> fling: unknown
<clever> yeah
<clever> emily: i believe so
<clever> emily: i think 5.2 is fine, if you use the export_kernel_fpu_functions.patch
<clever> so FPU operations in userland can come up with the wrong answer
<clever> basically, it doesnt fully restore the FPU flags when context switching
<clever> fling: ive heard that the zfs implementation leads to data corruption
<clever> ah, for 5.3 specifically
<clever> fling: yep, its in that dir
<clever> apps/nixpkgs-master/pkgs/os-specific/linux/kernel/export_kernel_fpu_functions.patch
<clever> [clever@amd-nixos:~]$ find apps/nixpkgs-master/ | grep export_kernel_fpu_functions.patch
<clever> apps/nixpkgs-master/pkgs/os-specific/linux/kernel/patches.nix: patch = ./export_kernel_fpu_functions.patch;
<clever> [clever@amd-nixos:~]$ grep export_kernel_fpu_functions.patch apps/nixpkgs-master/ -r
<clever> fling: have you grep'd nixpkgs for that string?
<clever> edcragg: i would check `nix-store -qR` and see if there is anything that doesnt belong
<clever> domenkozar[m]: nice!
<clever> m1cr0m4n: and on 16, you want to use self.fetchFromGitHub
<clever> m1cr0m4n: pkgs.glusterfs refers to the attr your setting on line 12, so infinite recursion
<clever> m1cr0m4n: you must use super.glusterfs on line 12
<clever> m1cr0m4n: can you pastebin your overlay?
<clever> immae: and this lets you `nix-env -iA foo.hello`, so the channel still works
<clever> [clever@amd-nixos:~]$ cat .nix-defexpr/test/foo/default.nix
<clever> import /home/clever/apps/nixpkgs
<clever> iqubic: (import ./.).env
<clever> pre-built derivations
<clever> iqubic: when you cant figure out how to host your own cache, and dont have a box you can leave on 24/7
<clever> truthadjustr: what fails if you use the cmake in nixpkgs?
<clever> truthadjustr: does it need to be that version, or will any do?
<clever> but you could also just: nix-env -f '<nixpkgs/nixos>' -A system --profile $profile --set
<clever> nixos-rebuild will build it once with nix-build, then use nix-env to store it to a profile
<clever> targetHostCmd nix-env -p "$profile" --set "$pathToConfig"
<clever> pathToConfig="$(nixBuild '<nixpkgs/nixos>' --no-out-link -A system "${extraBuildFlags[@]}")"
<clever> and thats going to be a slow-down
<clever> both nix build, and nixos-rebuild are going to eval the nixos exprs
<clever> 2019-09-28 22:25:39 < durka> or I'm just going to put `rebuild() { cd /tmp; nix build -f '<nixpkgs/nixos>' system && sudo nixos-rebuild switch && rm result; }` in my bashrc
<clever> 354 would also need editing, and the related ones
<clever> nixos-rebuild is already a wrapper script!
<clever> durka: echo $buildInputs
<clever> durka: packages in systemPackages all wind up under /run/current-system/sw/

2019-09-28

<clever> something i do to mess with people, is i say hunter2 outloud, as i type in my real password
<clever> iqubic: the nix sandbox disables network access during the build
<clever> pie_: not that much
<clever> pie_: almost, you can overwrite any path in /nix/store/
<clever> higherorder: basically, every attribute passed to mkDerivation gets hashes (after casting them to a string), and that is used to compute $out
<clever> or realpath
<clever> l3333: most hydra stuff is in this channel
<clever> alexbakker: unquoted paths are their own type, that will be copied in as needed
<clever> alexbakker: the build is ran in a sandbox, and only the files nix knows you depend on are visible
<clever> alexbakker: dont quote the path
<clever> pie__: enable/disable involve modifying the files, but they are in the nix store
<clever> ah, no idea on that one
<clever> you cant start what doesnt exist!!
<clever> pie__: hardware.bluetooth.enable = false? lol
<clever> higherorder: these docs also help
<clever> ,pills higherorder
<clever> the default, is to only ensure the fs itself survives, but data can be lost (files get set to 0 bytes in size)
<clever> but the journal= flag for ext4 may solve things
<clever> ive never had issues like this on zfs
<clever> also, ive only ever seen such corruption on ext4
<clever> `sudo nix-store` puts it into sudo's path and arguments, so now sudo is "using" the path
<clever> boxscape: dont use `sudo nix-store`, but rather `sudo -i` then `nix-store --query`
<clever> boxscape: check `ps aux` to see if that pid exist, and re-check the --query