ChanServ changed the topic of #robotnix to: Robotnix: https://github.com/danielfullmer/robotnix || Channel logs: https://logs.nix.samueldr.com/robotnix
<matthewcroughan_> danielrf[m]: Okay, so what would this flake look like?
<matthewcroughan_> Would it look like github.com/matthewcroughan/robotnix-support ?
<matthewcroughan_> flake.nix would do nothing more than load my pyxis.nix config and build Robotnix against it?
<danielrf[m]> Sure, that's an option. See also this flake template: https://github.com/danielfullmer/robotnix/blob/master/template/flake.nix
<danielrf[m]> There's also my personal flake configuration for reference in case it's helpful: https://github.com/danielfullmer/robotnix-personal
<danielrf[m]> Another option (or something you could do in addition) would be to make a "robotnix module"
<danielrf[m]> Kind of like how you can include nixos modules from flakes into your nixos system, we ought to be able to do the same with robotnix
<danielrf[m]> So your pyxis module could use `mkIf` to check if the device = "pyxis" and if flavor = "lineageos"
<danielrf[m]> then apply the `source.dirs` arguments automatically
<danielrf[m]> Then for an end-user, they could have their own robotnix configuration, and just including your module for pyxis support
<danielrf[m]> It might require me to add an "imports = []" configuration option like is in NixOS
<matthewcroughan_> Too cool :D
<danielrf[m]> that github link you sent is 404 for me
<matthewcroughan_> yeah it doesn't exist, it was just an idea
<danielrf[m]> ah, sure thing
<danielrf[m]> Thinking about it a bit more, using external "robotnix modules" would seem to be the solution for unofficial devices / additional flavors that would be supported outside the main project
<samueldr> +1 for the concept
<samueldr> also allows users to distribute something out of tree
<samueldr> e.g. if someone was to package magisk and you don't want it :)
<danielrf[m]> yes, that was one example I had in mind
<matthewcroughan_> danielrf[m]: So, next step is implementing the updater right? :D
<matthewcroughan_> for lineage
<matthewcroughan_> Also, how would I go about building GrapheneOS for this device?
<matthewcroughan_> is GrapheneOS more like Vanilla? If a device supports Vanilla, will it support GrapheneOS?
<danielrf[m]> Only pixels are supported on GrapheneOS
<danielrf[m]> They do a bunch of device-specific security hardening in (for example) the kernel
<danielrf[m]> At best, we could build a "generic" target that could work on non-pixel phones, but as mentioned at that link, that's only intended for testing/development
<danielrf[m]> But yes, GrapheneOS is closer to vanilla with respect to some things like AVB support
<danielrf[m]> LineageOS tends to disable vanilla AOSP security features while GrapheneOS retains them
<matthewcroughan_> danielrf[m]: wasn't there a way with robotnix to embed apps in the image without apks?
<matthewcroughan_> like compiling them from fdroid source?
<danielrf[m]> The hard part is just getting them to build inside Nix
<danielrf[m]> there are a few examples under apk/
<danielrf[m]> mostly relying on https://github.com/tadfisher/gradle2nix
<matthewcroughan_> danielrf[m]: I had no idea Robotnix was NGI funded. Wow. Well done.
<danielrf[m]> Oh, thanks!
<matthewcroughan_> danielrf[m]: we're trying to run robotnix in Hydra now :D
<matthewcroughan_> any experience with that?
<danielrf[m]> I haven't tried yet with hydra, but it's definitely on my TODO
<matthewcroughan_> danielrf[m]: can you reach hydra.nix.how?
<matthewcroughan_> https://hydra.nix.how
<danielrf[m]> doesn't seem to be working for me
<matthewcroughan_> danielrf[m]: congratulations, your ISP doesn't support ipv6 :D
<matthewcroughan_> It's IPV6 only at the moment.
<danielrf[m]> hmm I thought I had ipv6 working in the past
<matthewcroughan_> https://test-ipv6.com/ this will tell you
<danielrf[m]> yeah ipv6 is definitely not working for me right now
<danielrf[m]> but apparently going through tor works :)
<matthewcroughan_> danielrf[m]: do you want a hydra account? :)
<matthewcroughan_> we just got into it, just playing around
<matthewcroughan_> having trouble with the flake bit
<danielrf[m]> what machine is it running on?
<matthewcroughan_> just some piece of crap with 2 cores 4 threads and mirrored ssds
<matthewcroughan_> I can put it on a much more powerful machine if you think you'll play with it more
<danielrf[m]> My workstation is already quite fast, so thanks anyway
<danielrf[m]> But I'll definitely be interested in volunteers running builders for reproducibility testing later when I have that all set up
<matthewcroughan_> yeah man, threadripper :D
<danielrf[m]> + providing additional signatures / untrustix help
<danielrf[m]> Haha, on my old machine I could do maybe 1-2 builds per day
<danielrf[m]> so early development was quite slow :)
<danielrf[m]> turns out "imports = [ ... ]" is just an included feature of the module system, so it already works in robotnix
<matthewcroughan_> danielrf[m]: I'm getting error: The option `apps.microg' defined in `/home/matthew/git/hmenke/robotnix/pyxis.nix' does not exist.
<matthewcroughan_> https://termbin.com/9j36
<matthewcroughan_> I probably can't do all of this, but mostly stealing from
<danielrf[m]> `microg.enable` is not under `apps`
<matthewcroughan_> Oh
<matthewcroughan_> Ah right.. And what is the apv.buildID supposed to be set to?
<matthewcroughan_> that camera snippet seems to need it
<matthewcroughan_> config.build .. Interesting, where is it deriving the value from in henri's setup?
<matthewcroughan_> sunfish.nix doesn't contain apv.buildID but it is probably getting it from somewhere
<danielrf[m]> hmenke is using the Google Camera from an extracted factory image
<danielrf[m]> which is why he refers to `config.build.apv.unpackedImg`
<matthewcroughan_> where is that value located?
<matthewcroughan_> when I think of config. I think of nixos config
<danielrf[m]> Tbh, it'd be easier to just sideload google camera later, or get it from aurora store
<matthewcroughan_> I take it that the likelihood of me managing to get the gcam compiled and working on my phone here is low :D
<danielrf[m]> I'd personally only use `apps.prebuilt` for apps that need to get additional privileged permissions
<danielrf[m]> or from nix-built apks
<danielrf[m]> he's using an internal feature of the apv module by referring to `config.build.apv.unpackedImg`
<danielrf[m]> `config` is in the function header at the top of the file
<matthewcroughan_> oh right, so it has nothing to do with nix at that point?
<danielrf[m]> You can use it in your nixos modules to refer to settings that are set in other modules
<matthewcroughan_> why would henri set the apv.buildID for Bacon? What would it be used for here?
<matthewcroughan_> That's the Oneplus One, I can't think of it being used for anything.
<danielrf[m]> yeah, I wouldn't set apv.buildID for that
<danielrf[m]> it's not necessary
<samueldr> it's possible camera apps *may* need heightened privileges
<samueldr> at least, in the ol' time of my asus-z00t, their camera app needed to be privileged
<samueldr> (but it didn't use the fancy camera2 API, which was new at the time... it instead had its own custom API for its weird-but-more-featured camera)
<matthewcroughan_> I didn't set ccache.enable = true, that means it's gonna have to recompile android from scratch just to add microg and fdroid, right? :D
<danielrf[m]> Doesn't look to be privileged in Google's upstream factory image: ./product/app/GoogleCamera/GoogleCamera.apk
<danielrf[m]> Otherwise it would be at product/priv-app/GoogleCamera/GoogleCamera.apk
<danielrf[m]> matthewcroughan_: yes
<danielrf[m]> even with ccache it will still take a while for each rebuild unfortunately
<danielrf[m]> although we have some ideas to mitigate this: https://github.com/danielfullmer/robotnix/issues/25
<matthewcroughan_> danielrf[m]: Issue #45 is hilarious
<danielrf[m]> I should see if that's been fixed upstream since I made that issue originally
<matthewcroughan_> It's incredible to think that I'm probably the only person running 18.1/Android11 on this device right now.
<danielrf[m]> Had the people behind https://github.com/SDM710-Development not actually run it?
<matthewcroughan_> Well, I'm assuming they actually have, yes.
<matthewcroughan_> One of a few, I should say.
<danielrf[m]> hehe :)
<matthewcroughan_> The most amazing part is that they aren't distributing it.
<matthewcroughan_> The latest actually working build on XDA is 16.0
<matthewcroughan_> Gonna go in there and tell them how to build 18.1 with Nix, blow the socks off.
<matthewcroughan_> Maybe after we've implemented LineageOS updater support?
<matthewcroughan_> I bet that'd drive a lot of nix usage, maybe we can change the culture over at XDA.
<danielrf[m]> Haha, if you do please stick around to answer questions if they show up in the IRC here :)
<danielrf[m]> Yes, I'd love to have that culture improve
<matthewcroughan_> You're demystifying Android bit by bit, have read through all your docs.
<matthewcroughan_> danielrf[m]: have you ever managed to get a yubikey working on android?
<danielrf[m]> my NFC based yubikey works great already
<matthewcroughan_> really? How :o
<matthewcroughan_> chromium just says no
<danielrf[m]> oh, haha not for 2fa I should have clarified
<matthewcroughan_> Just doesn't bloody work. What a waste :D
<danielrf[m]> or not u2f 2fa I mean
<danielrf[m]> but it works with my ssh key via openkeychain
<danielrf[m]> as well as TOTP via the "yubico authenticator" app
<matthewcroughan_> yeah that's fine for me too, always has been
<matthewcroughan_> but can't just login to my accounts in a web browser, for example
<danielrf[m]> is it supposed to work on chromium/android? is this a robotnix issue?
<matthewcroughan_> Brave claims to work with it, trying now.
<matthewcroughan_> Seems that it is supposed to, but it doesn't.
<matthewcroughan_> Might be a lineageOS issue.
<matthewcroughan_> danielrf[m]: https://youtu.be/x0HWhpkk3Vo
<matthewcroughan_> Hmm.. There may actually be something missing in Android, yes..
<danielrf[m]> Looks like that component is tied to google's services, likely not open source
<matthewcroughan_> damn :(
<matthewcroughan_> and microg isn't going to handle that
<matthewcroughan_> microg is a bit of a cheat anyway, I actually think I can do without it on my daily driver now
<matthewcroughan_> So silly :D
<matthewcroughan_> so if I install google play services, you think it'll work?
<danielrf[m]> beats me!
<matthewcroughan_> danielrf[m]: So am I supposed to relock the bootloader and stuff when signing releases?
<matthewcroughan_> if I want it to be "secure"
<samueldr> unless you find documentation stating otherwise, OEMs other than google assume that locked bootloader == OEM's own keys only
<samueldr> so what would happen is that when booting, the bootloader would check against the keys (the OEM's) and find the signed (or unsigned) image doesn't match
<samueldr> stopping
<danielrf[m]> also not sure what benefits relocking the bootloader provides if avb/dm-verity is disabled like it is in LineageOS
<danielrf[m]> Just pushed grapheneos-2021.03.20.16 tag, based on upstream GrapheneOS 2021.03.19.14
<danielrf[m]> Tested working on my crosshatch and sunfish
<danielrf[m]> The one NixOS test we have in robotnix for the attestation-server actually caught an issue :)
jack[m]1 has joined #robotnix
* jack[m]1 waves and then fades to lurk mode.