@buonhobo
As I understand it some people in the #nixos community disagree with the way the project is run. So as is common in open source, someone has started a fork. 🤷
In case you are wondering why #PythonPoetry is currently broken in #NixOS: Its dependency dulwich has been upgraded by accident. The commit has since been reverted, but that has not yet propagated to all channels. Keep an eye on https://nixpk.gs/pr-tracker.html?pr=307505
I like #Nix, I do not like what has happened to it. #NixOS is an incredible technology and it deserves better. Nobody else has started the process so I guess I have to be the one to do it. We are forking. I would rather try and fail alongside all the people who love Nix but were pushed away from the project than give up.
One aspect of #NixOS modules no one ever talks about: if you fetch and import modules written by someone else, you are effectively trusting them with root access to your machine
Thank you for the TPM2 #NixOS article, @jnsgruk. I decided to give it a go last weekend, and it was a bit longer process than 10 minutes. For anybody who struggles to get rid of the password prompt for the LUKS volume, this setting is essential:
boot.initrd.systemd.enable = true;
The initrd must have systemd installed, so the settings defined with systemd-cryptenroll are available during the boot. An alternative way is to use Clevis to encrypt the LUKS password using the TPM module, and invoke it during boot. This is not super complex either, but I kind of like the systemd approach more.
Also the article didn’t mention much about the different PCR ids you can use with TPM. These define the system state when a secret key can be accessed from the TPM module. If any of the policies trigger, the TPM module will not output any secrets and the user needs to enter the LUKS password. The article uses three policies:
0: firmware updates
2: extended ROMs from pluggable hardware (e.g. USB)
7: secure boot disabled, or firmware certificates update
Additionally, one policy is needed to ensure an attacker cannot boot the system to a single user mode from the bootloader:
12: kernel config change, e.g. changing the boot parameters.
It is important to wipe the old slots with systemd-cryptenroll when changing the PCRs. Changing them is additive, and doesn’t modify the existing policies.
Edit: and do not wipe the password slot! This will render your disk unbootable.
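As an added example (not the poster's configuration, and not from the article they refer to), here is a minimal NixOS fragment that puts the post's pieces together: the systemd initrd, a LUKS volume that tries the TPM2 token before prompting, and the enrollment commands for the PCR set 0, 2, 7 and 12 described above. The volume name "cryptroot", the placeholder partition UUID and the `crypttabExtraOpts` value are assumptions; adjust them for your own system.

```nix
# Added example, not from the original post. Device paths, the volume
# name "cryptroot" and the LUKS partition UUID are placeholders.
{ ... }:

{
  # Without this the initrd runs the legacy script-based stage 1, which
  # cannot use the TPM2 token that systemd-cryptenroll stores in the
  # LUKS header, so the password prompt comes back.
  boot.initrd.systemd.enable = true;

  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/REPLACE-WITH-LUKS-PARTITION-UUID";
    # Ask systemd-cryptsetup to try the TPM2 token before prompting
    # (assumed option value; it maps to a crypttab option).
    crypttabExtraOpts = [ "tpm2-device=auto" ];
  };

  # Enrollment is done once on the running system, not in the config.
  # The PCR set matches the post: 0 (firmware), 2 (option ROMs),
  # 7 (Secure Boot state/certificates) and 12 (kernel command line),
  # so that e.g. booting with single-user parameters invalidates it.
  #
  # A new enrollment adds a slot and leaves old policies in place, so
  # wipe the previous TPM2 slot when the PCR list changes:
  #
  #   systemd-cryptenroll --wipe-slot=tpm2 /dev/disk/by-uuid/<uuid>
  #   systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 \
  #       /dev/disk/by-uuid/<uuid>
  #
  # Do not use --wipe-slot=password: after the next firmware or
  # Secure Boot change the TPM policy fails and the passphrase slot is
  # the only way back in.
}
```

After `nixos-rebuild switch` and a reboot, check `systemd-cryptenroll <device>` lists both a `password` and a `tpm2` slot; if only `password` appears the enrollment did not stick, and if only `tpm2` appears the volume is one PCR change away from being unbootable.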
With the current NixOS situation maybe I should try to read Linux From Scratch? Does anyone have experience with it? Would love to know how hard it is. :BlobhajfBlobbyHug:
I'm not really happy with the state of Nix and NixOS at the moment.
I really really like the idea to write code and generate a readonly system/program out of it.
My problem is the learning curve. There is no easy way to start. I have been using Nix for 4-6 months now. I still try to figure out what breaks my config or why my overlay does not work.
I would love to have a debugger like in Python. Just show me the internal state, what the variables are, what variables even exist and what functions can be called at $line in code.
At the moment I am trying to figure out why the heck my overlay does not work ... again.
If there were a kind of debugger I would be happy with Nix for now...
And I still don't get how people can work with this software/OS without going insane if you want a custom version of a program or something not standard from cache.nixos.org.
I think the most hurtful thing with seeing #NixOS in flames and people leaving for other immutable distros is...
NixOS was strong for its module system, not so much its immutable nature.
The rapid development you could do, and test that locally, sewing together an entire fleet in a matter of hours, without much of a thought to the minor details was amazing.
Let's remember to take the NixOS module system with us.
I've been playing around with #nixos for over a month now. At some point, I had to make my first derivation. And what better software to package than @frameworkcomputer's inputmodule-control CLI.
After a bit of documentation, trial-and-error and 3 hours of time, the package is now building. I must say, it's almost scary how nix packaging works. A bit like black magic.
The package is not perfect yet. udev rules are still missing. Will fix that tomorrow and then create a PR :)
Getting really sick of painstakingly migrating to some Cool New Technical Thing With Superpowers and then whoops, It's All Ethics Violations after a while.
First #Kagi - CEO is a white dude who can't read the room when a bunch of users raise serious concerns re: suicide warnings, .ru indexes, Brave collab, etc.
Now #Nix / #NixOS - BDFL is a white dude who can't read the room when a bunch of users raise serious concerns re: toxic members, shitty governance, MIC sponsorship, etc.
TIL you can make your #NixOS declared systemd podman docker containers auto-update when you rebuild by adding --pull=newer to the container's extraOptions in your config
I’m so annoyed by that non-existent #NixOS community leadership, I’m close to dropping all the work I invested in learning it and switching to something else.
But what are the options, especially if one enjoyed the full declarative and reproducible way the whole system was managed?
@muhh Silicon Valley would be green with envy over the kind of effective platform lock-in #NixOS can pull off while enforcing such high levels of toxicity.
@itsfoss NixOS gives up on any sort of documentation as developers bake a system into the OS that both can generate and explain the code to users, thereby negating the need for documentation to begin with. #nixos #technology #intheyear2000 #comedy #maybenotcomedy?...