| 6 Oct 2022 |
 colemickens | re #169116 is openvpn in stage-1 something explicitly supported now? | 00:10:29 |
 @elvishjerricco:matrix.org | colemickens: There's nixos tests for it at least | 00:11:05 |
| colemickens | hm I see | 00:11:21 |
| @elvishjerricco:matrix.org | and options for it in man configuration.nix | 00:11:22 |
| colemickens | huh yeah, okay, I guess I've just glossed over it | 00:11:47 |
 K900 | In reply to @colemickens:matrix.org
K900 btw dont ask why I know this, but: https://www.freedesktop.org/software/systemd/man/pam_systemd.html I also know that, the problem is WSL bypasses PAM entirely | 06:56:58 |
| K900 | Anyway I gave up | 06:57:10 |
| K900 | Let upstream figure it out | 06:57:24 |
| 10 Oct 2022 |
|  @raphi:tapesoftware.net joined the room. | 12:43:41 |
 Paul Haerle | I've been hacking around with network-related functionality from https://github.com/NixOS/nixpkgs/pull/169116
and needed to add the following files for outgoing https to work:
boot.initrd.environment.etc = {
"resolv.conf".text = "nameserver 1.1.1.1";
"ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
boot.initrd.systemd.storePaths = [
# so nix can look up dns entries
"${pkgs.glibc}/lib/libnss_dns.so.2"
];
Size increase is imho neglectable, so is this something you'd want to add to the PR ElvishJerricco ? (using network.namservers instead of 1.1.1.1 ofc)
| 22:31:22 |
| Paul Haerle | * I've been hacking around with network-related functionality from https://github.com/NixOS/nixpkgs/pull/169116
and needed to add the following files for outgoing https to work:
boot.initrd.environment.etc = {
"resolv.conf".text = "nameserver 1.1.1.1";
"ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
boot.initrd.systemd.storePaths = [
# so nix can look up dns entries
"${pkgs.glibc}/lib/libnss_dns.so.2"
];
Size increase is imho neglectable, so is this something you'd consider for the PR ElvishJerricco ? (using network.namservers instead of 1.1.1.1 ofc)
| 22:31:34 |
| Paul Haerle | I think it's useful, because it enables me to run tools like nix and curl in my initrd :) | 22:32:46 |
| Paul Haerle | * I think it's useful, because it enables me to run tools like nix with remote flakes and curl in my initrd :) | 22:32:58 |
| @elvishjerricco:matrix.org | Interesting... | 22:32:59 |
| @elvishjerricco:matrix.org | I dunno if we want that by default but I could see a configurable option for it | 22:33:24 |
| Paul Haerle | In reply to @elvishjerricco:matrix.org
I dunno if we want that by default but I could see a configurable option for it I think an option would work fine as well. Just see little harm besides a few kb. But i guess outgoing tls connections from your initrd are a fringe use case to begin with :D | 22:34:31 |
| 11 Oct 2022 |
 @oxalica:matrix.org | In reply to @phaer:matrix.org
I've been hacking around with network-related functionality from https://github.com/NixOS/nixpkgs/pull/169116
and needed to add the following files for outgoing https to work:
boot.initrd.environment.etc = {
"resolv.conf".text = "nameserver 1.1.1.1";
"ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
boot.initrd.systemd.storePaths = [
# so nix can look up dns entries
"${pkgs.glibc}/lib/libnss_dns.so.2"
];
Size increase is imho neglectable, so is this something you'd consider for the PR ElvishJerricco ? (using network.namservers instead of 1.1.1.1 ofc)
In stage 2, resolv.conf is managed by systemd-resolved. Should we just enable it in stage 1? | 06:52:28 |
| @elvishjerricco:matrix.org | that's an interesting option. | 06:54:35 |
| Paul Haerle | In reply to @oxalica:matrix.org
In stage 2, resolv.conf is managed by systemd-resolved. Should we just enable it in stage 1? Sounds reasonable to me? At least if networking is enabled? | 09:01:49 |
| Paul Haerle | In reply to @oxalica:matrix.org
In stage 2, resolv.conf is managed by systemd-resolved. Should we just enable it in stage 1? * Sounds reasonable to me? At least if networking is enabled. | 09:01:55 |
 Zhaofeng Li | What should we do to push https://github.com/NixOS/nixpkgs/pull/189676 forward? | 20:18:30 |
| @elvishjerricco:matrix.org | Seems like it just needs the approval of one or two reviewers. I don't see any outstanding technical issues, aside from the slight initrd size increase that I'm personally ok with. Though I guess we could reasonably only include the tpm/fido libraries/packages when the user is actually using the feature | 20:25:50 |
 flokli | I just pressed the button :-) let's get this in, if it ends up accidentally breaking something, we can always revert. | 22:56:55 |
| 12 Oct 2022 |
| colemickens | ElvishJerricco: have you looked at openvpn task for the network-initrd PR? I keep wishing it were merged... | 17:23:52 |
| @elvishjerricco:matrix.org | colemickens: To me the bigger blocker is the question about whether/how to auto-configure interfaces, like how the scripted initrd networking does | 17:35:09 |
| @elvishjerricco:matrix.org | That question needs to be answered. I wouldn't mind openvpn coming in a later PR | 17:35:22 |
| @elvishjerricco:matrix.org | It's not clear to me that we should auto-configure interfaces, and if we should, it's not clear to me how, particularly because of people who just use networking.useDHCP rather than configuring individual interfaces | 17:36:41 |
| @elvishjerricco:matrix.org | (though I guess that's deprecated isn't it? So we could just not support it with systemd stage 1 networking...) | 17:37:05 |
| @elvishjerricco:matrix.org | Oh there's also boot.initrd.network.flushBeforeStage2, which is true by default with scripted initrd, but systemd-networkd behaves as though it's false right now | 17:38:18 |
| @elvishjerricco:matrix.org |
When systemd-networkd exits, it generally leaves existing network devices and configuration intact. This makes it possible to transition from the initramfs and to restart the service without breaking connectivity. This also means that when configuration is updated and systemd-networkd is restarted, netdev interfaces for which configuration was removed will not be dropped, and may need to be cleaned up manually.
| 17:39:21 |
