Thank you for the TPM2 #NixOSarticle@jnsgruk. I decided to give it a go last weekend, and it was a bit longer process than 10 minutes. For anybody who struggle to get rid of the password prompt for the LUKS volume, this setting is essential:
boot.initrd.systemd.enable = true;
The initrd must have systemd installed, so the settings defined with systemd-cryptenroll are available during the boot. Alternative way is to use Clevis to encrypt the LUKS password using the TPM module, and invoke it during boot. This is not super complex either, but I kind of like the systemd approach more.
Also the article didn’t mention much about the different PCR ids you can use with TPM. These define the system state when a secret key can be accessed from the TPM module. If any of the policies trigger, the TPM module will not output any secrets and the user needs to enter the LUKS password. The article uses three policies:
0: firmware updates
2: extended ROMs from pluggable hardware (e.g. USB)
7: secure boot disabled, or firmware certificates update
Additionally, one policy is needed to ensure an attacker cannot boot the system to a single user mode from the bootloader:
12: kernel config change, e.g. changing the boot parameters.
It is important to wipe the old slots with systemd-cryptenroll when changing the PCRs. Changing them is additional, and doesn’t modify the existing policies.
Edit: and do not wipe the password slot! This will render your disk unbootable.
I have to say, I really like a few things this year: I like how Lemmy turned out to be. It’s like a easier to follow forum compared to this side of the Fediverse, especially now when there’s a ton of work and now time to scroll the feed. I’m running of course my own instance, and found out the Photon UI is much nicer than the one installed with Lemmy typically.
Of course it’s super early phase software: today I upgraded to 0.19.0 and of course I got OOMs in the database during the migrations. A few reboots, a few variables changed and surprisingly everything works.
The other one is Paperless-ngx. I’m living in a country that adores paper, and I don’t. In a few days, this software helped me to categorize everything for this year’s taxes, nicely organized, tagged, OCR’d and all that. It even automatically loads all attachments from my email inbox and notifies me for new documents.
@Tehgingey@OttoVonNoob there's more to that. The moment of quietness, reading a bit maybe, relaxing before getting to work. All of it is kind of in this don't talk to me territory. Then a day of hell can begin.
Source: I drink one small cup of good coffee daily, but that is the peace moment.
Keskusta äänestää hallituksen ministerien luottamuksen puolesta, vaikka hallituksen toimenpiteet olisivat miten paskoja.
Keskusta haluaa niiden olevan paskoja. Saarikon koko kyyninen laskelmointi perustuu siihen, että hallitus saa tehdä tuhojaan jonkin aikaa, haja-asutusalueiden ihmiset kärsivät ja katkeroituvat, ja keskusta ulosmittaa nämä äänet.
Eivät he hallituksen vielä halua kaatuvan. Vasta sitten kun se hyödyttää heitä. Kyllä, he haluavat ihmisten kärsivän oman vallanhimonsa vuoksi.
@jojalonen SDP myös miettii samoja juttuja, että antaa hallituksen sekoilla ja kääritään äänet seuraavissa vaaleissa. Tai tällaisen kuvan ainakin sain eilen Hesaria lukiessani…
My main server is named Postulate (an idea that you assume for the sake of argument), my desktop is named Axiom (a proved postulate), and my backup server is named Corollary (an idea that follows from an axiom)....
@atomicpoet There’s this label called High Definition Tape Transfers converting old half-inch tape to the best possible digital versions. They sound really good too.
Jos ensi viikolla tulisi julki joku muutaman päivän takainen videoklippi, jossa Riikka Purra ja Arto Luukkanen juttelisivat kännissä naureskellen että "vittu sitä Orpoo, se saatanan nyhverö söis vaikka kilon paskaa saadakseen olla pääministeri, mitäs seuraavaks keksittäis" niin meidän Petteri vastaisi siihenkin että onhan tuo asiatonta mutta valtiovarainministeri Purralla on täysi luottamus ja haluaisin hallituksen jo pääsevän töihin toteuttamaan maailman parasta hallitusohjelmaa.
The leader of the German conservatives introduced the idea to collaborate with the far right AfD yesterday. He knows that he won’t get kicked out or replaced as the party leader. He will paddle back a bit after some backlash and that’s it. It doesn’t matter that he just meant on a community level either. The idea to collaborate with Nazis is now officially speakable without consequences. I feel sick!!
@sarajw@bastianallgeier Lot of the people voting for Vox in Spain last Sunday were young voters. Lot of the people voting for True Finns in Finland in the last election were young voters. The far right has a great presence in the social media, especially TikTok. It’s not only boomers, I’m afraid…
@silvereagle some other good extensions for Firefox:
Sponsorblock: Prevent all those nordvpn sponsored segments etc. from displaying in the YouTube videos. They are just quietly skipped.
Decentraleyes: Cache the common fonts and libraries so Google cannot track you every time you enter a site that uses them.
Clearurls: Automatically removes tracking parameters (the UTM stuff) from URLs before entering the site.
Consent-O-Matic: Define your cookie preferences once, and this plugin clicks the settings for you under the surface when entering the site.
Of course you want uBlock Origin, but that’s already mentioned a few times in this thread. Most of the extensions work on the Android version of Firefox too. This mobile browser is essential for all Android users, and a good reason to choose Android over iOS.
CSD Berlin, the big and heavily commercialized Pride parade today, feels more distant and hostile every year.
This time they even got the christian-conservative mayor to open the event, which is just unbelievably disrespectful to a community that’s actively harmed by politicians like him.
But even without that … It’s just a big party, sanitized if any meaningful politics, practically devoid of protest. Safety at the event is a bad joke (I have long given up even getting just an acknowledgment from anyone involved of the sexual assault on me that happened the last time I attended)
And honestly, I personally have a hard time relating to treating “yay, we can wear lavish colorful party outfits on this one day while cis-hetero centrists enjoy gawking at us” as progress when I have to worry that me just existing in a boring everyday look might get me beaten up on the subway.
@esther isn’t there a better parade every year in the xberg area? Not in Berlin this year, but I remember having more fun in the smaller event, and never attended the CSD. Of course Folsom is my all time favorite, but that happens later in the Autumn…
I just discovered a surprising downside of #NixOS: I set up 22.11 in a VM with 15GB disk space running xfce and no(!) additional packages except the defaults from the GUI installer. So it's an OOTB setup.
After not using it for maybe 2 months, I started "sudo nixos-rebuild switch --upgrade" and ran out of disk space. I could not even recover using "nix-collect-garbage --delete-old" (freed 4.5GB). 😔
Therefore: NixOS needs WAY more disk space than other distros even for the basic OS + xfce.
@publicvoit running a dev workstation with a half terabyte disk and it gets full at least once a week, which means collecting garbage and doing cargo clean in the projects.
Btw, it is highly recommended to save space by enabling hard links in the nix store (not a default):
This week in #Finland: the police arrests men who’ve been printing assault rifles and storing thousands of bullets in their place. They have evidence of these men planning to kill a few politicians and making a #terrorist strike in Finland. The interior minister has not said anything on the case: the men are from a far right movement and one of them used to be part of her party’s youth organization.
The interior minister was talking today about how they are making it harder for foreigners to move to Finland.
I’m starting a Lemmy group to collect mainstream press coverage of the Fediverse, ActivityPub and the like. When you see an article on a news site or such, consider submitting it there?
The idea is to “crowdsource” a repository of what the world says about us in mainstream outlets that have a significant audience.
@revengeday I’m spending a month with my parents in Helsinki now. I can walk to any supermarket, day or night, and get a bag of heavenly rye bread for a few euros. No need to go to a bakery. I miss this possibility in Berlin.
You can sometimes buy this from the Finnish church in Bergmannkiez, worth a trip.
Näköjään on aika aktivoitua täällä, kun Twitterissä ei ole enää mitään järkeä. Mastodonin käyttö on tähän asti jäänyt vähäiseksi lähinnä sen takia, että tää on tuntunut hiukan Twitteriä sekavammalta enkä oo jaksanut perehtyä asiaan kunnolla. Kaikki Mastodon-käyttöohjeet on siis tervetulleita ✌️
So Meta has invented something that's neither an allowlist or a blocklist
I want to make a joke here but I'm not smart enough, what matters is that there's literally no reason for me to not block P92/Barcelona/Threads/whateveritsnameis
@loke@xerz Yep. Still sad, because I came to fediverse exactly to get rid of the big corporations. Now I hear Facebook this and that every day, and Google did this and that every other. I don’t want to hear these words in my daily life, nor Apple, nor Microsoft. I want these entities to not exist for me at all.
At least in Akkoma one can filter per terms in the main view, and in Lemmy setting the brands as slurs does the trick. Just annoying.
They not letting me cross post anymore rule (lemmy.ca)
[Question] What are your computers named?
My main server is named Postulate (an idea that you assume for the sake of argument), my desktop is named Axiom (a proved postulate), and my backup server is named Corollary (an idea that follows from an axiom)....