| 5 Oct 2022 |
| @kn:envs.net changed their profile picture. | 18:01:28 |
| Rosuavio joined the room. | 19:06:25 |
colemickens | K900 btw don't ask why I know this, but: https://www.freedesktop.org/software/systemd/man/pam_systemd.html | 22:44:08 |
| 6 Oct 2022 |
colemickens | re #169116 is openvpn in stage-1 something explicitly supported now? | 00:10:29 |
@elvishjerricco:matrix.org | colemickens: There's nixos tests for it at least | 00:11:05 |
colemickens | hm I see | 00:11:21 |
@elvishjerricco:matrix.org | and options for it in man configuration.nix | 00:11:22 |
colemickens | huh yeah, okay, I guess I've just glossed over it | 00:11:47 |
K900 | In reply to @colemickens:matrix.org K900 btw don't ask why I know this, but: https://www.freedesktop.org/software/systemd/man/pam_systemd.html I also know that, the problem is WSL bypasses PAM entirely | 06:56:58 |
K900 | Anyway I gave up | 06:57:10 |
K900 | Let upstream figure it out | 06:57:24 |
| 10 Oct 2022 |
| @raphi:tapesoftware.net joined the room. | 12:43:41 |
Paul Haerle | I've been hacking around with network-related functionality from https://github.com/NixOS/nixpkgs/pull/169116 and needed to add the following files for outgoing https to work:
boot.initrd.environment.etc = {
  "resolv.conf".text = "nameserver 1.1.1.1";
  "ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
boot.initrd.systemd.storePaths = [
  # so nix can look up dns entries
  "${pkgs.glibc}/lib/libnss_dns.so.2"
];
Size increase is imho neglectable, so is this something you'd want to add to the PR ElvishJerricco ? (using networking.nameservers instead of 1.1.1.1 ofc)
| 22:31:22 |
Paul Haerle | * I've been hacking around with network-related functionality from https://github.com/NixOS/nixpkgs/pull/169116 and needed to add the following files for outgoing https to work:
boot.initrd.environment.etc = {
  "resolv.conf".text = "nameserver 1.1.1.1";
  "ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
boot.initrd.systemd.storePaths = [
  # so nix can look up dns entries
  "${pkgs.glibc}/lib/libnss_dns.so.2"
];
Size increase is imho neglectable, so is this something you'd consider for the PR ElvishJerricco ? (using networking.nameservers instead of 1.1.1.1 ofc)
| 22:31:34 |
Paul Haerle | I think it's useful, because it enables me to run tools like nix and curl in my initrd :) | 22:32:46 |
Paul Haerle | * I think it's useful, because it enables me to run tools like nix with remote flakes and curl in my initrd :) | 22:32:58 |
@elvishjerricco:matrix.org | Interesting... | 22:32:59 |
@elvishjerricco:matrix.org | I dunno if we want that by default but I could see a configurable option for it | 22:33:24 |
Paul Haerle | In reply to @elvishjerricco:matrix.org I dunno if we want that by default but I could see a configurable option for it I think an option would work fine as well. Just see little harm besides a few kb. But I guess outgoing tls connections from your initrd are a fringe use case to begin with :D | 22:34:31 |
| 11 Oct 2022 |
@oxalica:matrix.org | In reply to @phaer:matrix.org
I've been hacking around with network-related functionality from https://github.com/NixOS/nixpkgs/pull/169116 and needed to add the following files for outgoing https to work:
boot.initrd.environment.etc = {
  "resolv.conf".text = "nameserver 1.1.1.1";
  "ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
boot.initrd.systemd.storePaths = [
  # so nix can look up dns entries
  "${pkgs.glibc}/lib/libnss_dns.so.2"
];
Size increase is imho neglectable, so is this something you'd consider for the PR ElvishJerricco ? (using networking.nameservers instead of 1.1.1.1 ofc)
In stage 2, resolv.conf is managed by systemd-resolved. Should we just enable it in stage 1? | 06:52:28 |
@elvishjerricco:matrix.org | that's an interesting option. | 06:54:35 |
Paul Haerle | In reply to @oxalica:matrix.org In stage 2, resolv.conf is managed by systemd-resolved. Should we just enable it in stage 1? Sounds reasonable to me? At least if networking is enabled? | 09:01:49 |
Paul Haerle | In reply to @oxalica:matrix.org In stage 2, resolv.conf is managed by systemd-resolved. Should we just enable it in stage 1? * Sounds reasonable to me? At least if networking is enabled. | 09:01:55 |
Zhaofeng Li | What should we do to push https://github.com/NixOS/nixpkgs/pull/189676 forward? | 20:18:30 |
@elvishjerricco:matrix.org | Seems like it just needs the approval of one or two reviewers. I don't see any outstanding technical issues, aside from the slight initrd size increase that I'm personally ok with. Though I guess we could reasonably only include the tpm/fido libraries/packages when the user is actually using the feature | 20:25:50 |
flokli | I just pressed the button :-) let's get this in, if it ends up accidentally breaking something, we can always revert. | 22:56:55 |
| 12 Oct 2022 |
colemickens | ElvishJerricco: have you looked at openvpn task for the network-initrd PR? I keep wishing it were merged... | 17:23:52 |
@elvishjerricco:matrix.org | colemickens: To me the bigger blocker is the question about whether/how to auto-configure interfaces, like how the scripted initrd networking does | 17:35:09 |
@elvishjerricco:matrix.org | That question needs to be answered. I wouldn't mind openvpn coming in a later PR | 17:35:22 |
@elvishjerricco:matrix.org | It's not clear to me that we should auto-configure interfaces, and if we should, it's not clear to me how, particularly because of people who just use networking.useDHCP rather than configuring individual interfaces | 17:36:41 |