15 Oct 2024 |
emily | was there any progress on https://github.com/NixOS/nixpkgs/issues/343975? | 07:45:29 |
Arian | Can we please change this enableNg flag to something like switch.backend = enum ng|pl ? | 09:29:45 |
Arian | I have system.switch.enable = false; to make appliance images. Surprised that suddenly I still had switch-to-configuration | 09:30:11 |
K900 | Good idea | 09:30:16 |
Arian | ah it does default to what enable is set to so that's good but still it's a bit odd | 09:31:20 |
emily | In reply to @arianvp:matrix.org Can we please change this enableNg flag to something like switch.backend = enum ng|pl ? it's only like this for compat | 09:31:44 |
emily | the option will go away anyway | 09:31:55 |
emily | In reply to @arianvp:matrix.org I have system.switch.enable = false; to make appliance images. Surprised that suddenly I still had switch-to-configuration also yeah this shouldn't happen | 09:32:06 |
emily | see https://github.com/NixOS/nixpkgs/pull/339727#issuecomment-2330897734 for the possible combinations | 09:33:27 |
emily | but I expect the perl to go away in 25.05 | 09:33:52 |
emily | or 25.11 at worst | 09:33:58 |
steveej | has anyone had success running nixos (with systemd) in any OCI container runtime recently? with containerd i'm finding that i have to run it with --privileged and still the path pointed to by CREDENTIALS_DIRECTORY doesn't get created for the services in the container | 09:36:49 |
Arian | it isn't | 09:50:05 |
Arian | I was holding it wrong | 09:50:10 |
Arian | seems the code is correct | 09:50:13 |
Arian | why do we inject the UKI using an overrideAttrs instead of partition.contents ? https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/image/repart-verity-store.nix#L170 | 10:44:23 |
Arian | i don't think it's needed; right? | 10:46:21 |
antifuchs | Huh, I had a weird failure state yesterday: resolvectl hung, eventually erroring, timed out connecting. Had to restart systemd-resolved to fix this; that was on a nixos-unstable system where a nixos-rebuild switch had upgraded systemd, did that maybe not effect a restart of the resolved? | 12:39:34 |
Jared Baur | @arianvp:matrix.org: I've got a fix for the amazon-init issues you noticed at https://github.com/NixOS/nixpkgs/pull/348668 | 22:25:52 |
16 Oct 2024 |
Moritz Sanft | Did we change anything about TPM-based disk unlock recently? Since a few weeks(?), I now have to enter my passphrase / pin ... twice on boot (once for "Please enter LUKS2 Token PIN", once for "Please enter passphrase for /dev/disk...") | 06:36:21 |
ElvishJerricco | Moritz Sanft: Yes but it shouldn't have had any significant effect: https://github.com/NixOS/nixpkgs/pull/343307 | 07:11:12 |
ElvishJerricco | Should have just added a touch more ordering | 07:11:21 |
ElvishJerricco | Moritz Sanft: that makes it sound like the TPM2 unlock is failing and it's falling back to another passphrase keyslot or something? | 07:13:16 |
ElvishJerricco | oh, if you're using lanzaboote, then that tpm2-setup stuff will actually do things | 07:13:41 |
ElvishJerricco | I mean, nothing relevant (at least I'm pretty sure) | 07:13:57 |
ElvishJerricco | but it'll create the SRK | 07:14:03 |
ElvishJerricco | but IIRC the metadata in the key slot informs whether systemd-cryptsetup should use the SRK or not, so an existing LUKS header shouldn't need any changes to continue working | 07:16:02 |
Moritz Sanft | In reply to @elvishjerricco:matrix.org Moritz Sanft: that makes it sound like the TPM2 unlock is failing and it's falling back to another passphrase keyslot or something? Hmm. I assume debug logging would be the only way to find out? | 07:17:58 |
ElvishJerricco | that would be an easy way, yea. Can be enabled on the specific service with overrideStrategy = "asDropin" and the SYSTEMD_LOG_LEVEL env var | 07:18:50 |
Arian | Most services support changing log level through systemctl these days | 07:46:34 |