| 4 Mar 2025 |
raitobezarius | this is how identity leaks should be handled | 14:01:02 |
raitobezarius | you just rotate your identity | 14:01:06 |
raitobezarius | In reply to @arianvp:matrix.org "so I guess deprecate initramfs and go back to initrd :D" — no but we can just fix her | 14:01:13 |
Arian | In reply to @emilazy:matrix.org "and I guess we don't need the fancy bind mount stuff because the daemon isn't running in stage 1 anyway?" — systemd does exactly this fancy bind mount stuff | 14:01:20 |
Arian | but for /usr | 14:01:24 |
emily | finally the option names will be correct again | 14:01:29 |
Arian | https://github.com/systemd/systemd/blob/facc9439a76b4c3a5c273c71bd7a676e4c74778c/src/core/main.c#L1871-L1884 | 14:01:50 |
emily | I mean, including the part where there's a secret writable version? | 14:02:27 |
emily | I assume systemd has no need to write to /usr unlike the Nix daemon | 14:02:27 |
emily | (but like I said I guess irrelevant since running the daemon in stage 1 is nuts) | 14:02:39 |
raitobezarius | (actually) | 14:02:53 |
Arian | *me sweats* I’m not supposed to run `nix-daemon` in stage 1? | 14:02:56 |
raitobezarius | (there's a good reason to do that: store verification) | 14:02:58 |
raitobezarius | and people who do fancy immutable A/B schemas might do nix-build in stage 1 | 14:03:16 |
raitobezarius | to obtain their upgrades | 14:03:18 |
raitobezarius | because the userspace is under dm-verity | 14:03:27 |
raitobezarius | this is your last chance to swap the dm-verity by something else | 14:03:38 |
emily | I was thinking about that, but I figured anyone implementing such a scheme would take my statement as a compliment | 14:04:19 |
Arian | anyhow we could just make /init a shell script that calls systemd and does this for us I guess | 14:04:24 |
Arian | Orrrr… patch systemd | 14:04:29 |
raitobezarius | In reply to @emilazy:matrix.org "I was thinking about that, but I figured anyone implementing such a scheme would take my statement as a compliment" — which I did :D | 14:04:35 |
emily | I did try and fail to nerd snipe ElvishJerricco with the three words "nix store netboot" months ago | 14:04:49 |
raitobezarius | for this, you would need a Linus Heckemann and snowboot | 14:05:04 |
Arian | that’s basically what I am doing at work but in a not so good way | 14:05:05 |
Arian | we just do a `nix-store --realise && kexec` | 14:05:25 |
Arian | in late boot | 14:05:29 |
emily | yeah that's basically what I was imagining | 14:05:37 |
emily | with a disk-backed store, so you get caching | 14:05:50 |
raitobezarius | i need that but for… embedded systems, anyway | 14:06:16 |
Arian | Reason why I am doing this is because if your /etc/ is a bunch of symlinks to /nix/store, sysusers and systemd-firstboot just write to files in the /nix/store when you’re not careful lol | 14:06:59 |