| 1 Dec 2022 |
 @ask-yourself:matrix.org | Ok, now it's working perfectly. Thank you. :) | 22:50:00 |
 @linus:schreibt.jetzt | In reply to @zhaofeng:zhaofeng.li
Does doas git work? I suspect in such a case doas will do PATH resolution? | 22:51:12 |
| @ask-yourself:matrix.org | In reply to @linus:schreibt.jetzt
I suspect in such a case doas will do PATH resolution? Yes. | 22:51:48 |
| @linus:schreibt.jetzt | so doas sh -c git might be a better test | 22:52:02 |
| @ask-yourself:matrix.org | ~/Test λ doas sh -c git
sh: line 1: git: command not found
| 22:52:40 |
 Zhaofeng Li | In reply to @linus:schreibt.jetzt
I suspect in such a case doas will do PATH resolution? Aha, TIL | 22:56:45 |
| 2 Dec 2022 |
| @ask-yourself:matrix.org | For some reason my current config will build locally (on any of my machines) but will not push to my remote machine. It complains about lacking valid signatures. This is the line causing the issue (if I remove it I can push config to any machine): https://gitlab.com/IsaacBrown92/dotfiles/-/blob/main/modules/rofi/default.nix#L18 | 12:43:43 |
| @ask-yourself:matrix.org | inherit (config.lib.formats.rasi) mkLiteral;
| 12:44:06 |
| @ask-yourself:matrix.org | Could anybody clarify why this is happening? | 12:44:21 |
| @ask-yourself:matrix.org | In the NixOS server the had me run nix store verify --all, which outputted:
.dotfiles on main [!?] ⊥ nix store verify --all
path '/nix/store/4nhcx0ndfa374cgvi6x9sg73prmxmc04-publicsuffix-list-2021-09-03' is untrusted
path '/nix/store/y1hybm8h1kln0hg06c42m4g1wsblc0ig-freefont-ttf-20120503' is untrusted
path '/nix/store/ah9gyp7rxak9ig2q829myn6172jn302f-hack-font-3.003' is untrusted
path '/nix/store/dbn507rrsmgmdxwknhb3554nmkl0kvgi-gyre-fonts-2.005' is untrusted
path '/nix/store/jcqky5xbknabz7wn5p90qk0g9s031yzb-nixos-22.05.2764.0ba2543f8c8' is untrusted
| 12:44:46 |
| @ask-yourself:matrix.org | But after that they were not sure where to go. They said it wasn't an eval issue, so I thought maybe it's Colmena? Not sure. | 12:45:13 |
| @ask-yourself:matrix.org | * inherit (config.lib.formats.rasi) mkLiteral;
| 12:45:29 |
 Wanja Hentze | In reply to @zhaofeng:zhaofeng.li
Have you tried `--evaluator streaming`? It makes evaluation actually parallel using nix-eval-jobs. It's not the default yet but may be soon yes, actually that's what made us move from morph to colmena | 13:42:23 |
| Wanja Hentze | brought down eval time from several minutes to a little over one minute, so that's great :) | 13:42:43 |
| Wanja Hentze | what also helped: using disabledModules extensively to blacklist things that we never use | 13:44:44 |
| Wanja Hentze | the streaming evaluator also brought down RAM usage from ~40GB to a little under 10 | 13:45:17 |
| @linus:schreibt.jetzt | In reply to @ask-yourself:matrix.org
In the NixOS server the had me run nix store verify --all, which outputted:
.dotfiles on main [!?] ⊥ nix store verify --all
path '/nix/store/4nhcx0ndfa374cgvi6x9sg73prmxmc04-publicsuffix-list-2021-09-03' is untrusted
path '/nix/store/y1hybm8h1kln0hg06c42m4g1wsblc0ig-freefont-ttf-20120503' is untrusted
path '/nix/store/ah9gyp7rxak9ig2q829myn6172jn302f-hack-font-3.003' is untrusted
path '/nix/store/dbn507rrsmgmdxwknhb3554nmkl0kvgi-gyre-fonts-2.005' is untrusted
path '/nix/store/jcqky5xbknabz7wn5p90qk0g9s031yzb-nixos-22.05.2764.0ba2543f8c8' is untrusted
That means the path isn't signed by a key listed in trusted-public-keys | 13:52:19 |
| @linus:schreibt.jetzt | if you deploy as root, you won't have this problem | 13:52:31 |
| @linus:schreibt.jetzt | as is, you either need to make sure the machine you build on signs its paths (I wrote a little nixos module that does that https://github.com/NixOS/nix/issues/3023#issuecomment-781131502) and that the targets trust the key | 13:53:44 |
| @linus:schreibt.jetzt | or add your deploy user to trusted-users, which is root-equivalent access | 13:54:03 |
| @linus:schreibt.jetzt | Why don't you just deploy as root? | 13:54:26 |
| @ask-yourself:matrix.org | Thank you! | 14:00:02 |
| @ask-yourself:matrix.org | Yeah I accidentally removed this line while refactoring: trustedUsers = ["${user}"]; | 14:00:19 |
| @ask-yourself:matrix.org | What does it mean for a path to be untrusted? | 14:00:44 |
| @ask-yourself:matrix.org | * Thank you! Works now. | 14:01:03 |
| @linus:schreibt.jetzt | In reply to @linus:schreibt.jetzt
That means the path isn't signed by a key listed in trusted-public-keys ^ this | 14:01:06 |
| @ask-yourself:matrix.org | Right ok. | 14:01:21 |
| @linus:schreibt.jetzt | oh right, there are two more ways I can think of for a path to be trusted: being built locally, or being content-addressed (like the output of a fixed-output derivation) | 14:02:13 |
| @ask-yourself:matrix.org | The last is a bit over my head, but ok noted. | 14:10:16 |
| @linus:schreibt.jetzt | That usually means that a file with a known hash was downloaded and verified to match the hash | 14:10:48 |
