| 21 Oct 2021 |
@teutat3s:pub.solar | https://devos.divnix.com/start/index.html e.g. here we still point to master | 17:14:34 |
@timdeh:matrix.org | It appears to be working:
https://github.com/divnix/devos/actions/workflows/mdbook_docs.yml | 17:14:35 |
@timdeh:matrix.org | oh that is strange, it is reflected in repo:
https://github.com/divnix/devos/blob/main/doc/start/index.md | 17:16:28 |
@timdeh:matrix.org | * ah here is the problem:
https://github.com/divnix/devos/blob/main/.github/workflows/mdbook_docs.yml#L6 | 17:17:19 |
@teutat3s:pub.solar | https://github.com/divnix/devos/pull/391 | 21:53:55 |
| 22 Oct 2021 |
@gytis-ivaskevicius:matrix.org | https://discourse.nixos.org/t/flakes-nix3-0-issues/15626 | 10:11:17 |
@gytis-ivaskevicius:matrix.org | *would be nice if you guys were to point out things that you would like to be changed as well | 10:58:01 |
@timdeh:matrix.org | I've been sort of dissuaded from worrying about this too much after being in an RFC meeting where it was said that, "the flake.nix format will not change" 😞 | 20:26:28 |
@timdeh:matrix.org | (by a certain prominent developer) | 20:26:58 |
| 23 Oct 2021 |
| @meccine:matrix.org left the room. | 02:03:59 |
| @meccine:matrix.org joined the room. | 02:04:31 |
b12f | Is there a way to do a nixos-rebuild from a non-nixos live USB stick on mounted volumes? | 11:42:34 |
| genadij.udarov joined the room. | 12:27:16 |
b12f | Also, are secrets in /secrets double encrypted by default if using agenix? I don't see an exception in .gitattributes for .age files | 12:49:50 |
b12f | they are encrypted by agenix, and then encrypted by git-crypt again. Would I have to unlock git-crypt files, remove git-crypt and then move to agenix to prevent this double encryption? | 12:50:42 |
b12f | and a final question; how can I make sure initramfs reverts to a manual password entry if the keyfile is corrupted or not found? | 13:07:31 |
@aynish:sealight.xyz | In reply to @timdeh:matrix.org ^^ aynish i added self to the arguments of my user profile (not sure if it's a module?) but i don't know how to pass it in to that to it? i'm importing that file from the user profile | 14:41:02 |
David Arnold (blaggacao) | In reply to @b12f:pub.solar they are encrypted by agenix, and then encrypted by git-crypt again. Would I have to unlock git-crypt files, remove git-crypt and then move to agenix to prevent this double encryption? I'd ditch git-crypt completely for agenix. | 15:14:22 |
David Arnold (blaggacao) | * I think we could even drop support for git-crypt since we want to have an opinionated setup that is comparatively easy to manage, rather than a toolbox with so many options we already fail to document, I guess. | 15:15:47 |
David Arnold (blaggacao) | In reply to @b12f:pub.solar Is there a way to do a nixos-rebuild from a non-nixos live USB stick on mounted volumes? I can't really comment on that, I used a branch of deploy-rs for rebuilds in combination with live iso. | 15:16:57 |
David Arnold (blaggacao) | * I can't really comment on that, directly. I used a branch of deploy-rs for rebuilds in combination with live iso, though. | 15:17:42 |
@aynish:sealight.xyz | In reply to @aynish:sealight.xyz i added self to the arguments of my user profile (not sure if it's a module?) but i don't know how to pass it in to that to it? i'm importing that file from the user profile hmmm, also realizing that permission is denied when i try to cat /run/secrets/<secret> (for when modules take a command instead of a file for passwords) | 15:20:20 |
b12f | * So I've finally solved a weird issue today;
the initial problem was git-crypt not properly decrypting my keyfile, causing the decryption to fail. Password prompt wasn't being shown because of https://github.com/NixOS/nixpkgs/issues/115982
I created an ISO from the basic devos main branch, booted it from a USB, decrypted + mounted the main and boot partitions to /mnt, afterward chrooting in there with nixos-enter.
I fixed the keyfile issue, then ran both bud rebuild $HOST boot and directly used the nixos-rebuild equivalent, but it still wouldn't find the correct keyfile.
Turns out, the live USB/chroot setup had written the new efi file to /boot/efi/EFI/EFI/NixOS-boot-efi (notice the double /EFI). I'm not sure why this happened, but moving the files directly over fixed the problem finally
| 16:16:20 |
@teutat3s:pub.solar | Did anybody already try using agenix for grub / initrd keyfiles? Upon rebuild switch the step updating GRUB 2 menu comes before agenix decryption step and thus fails because the secret is not yet copied in clear text to /run/secrets | 16:56:08 |
David Arnold (blaggacao) | In reply to @teutat3s:pub.solar Did anybody already try using agenix for grub / initrd keyfiles? Upon rebuild switch the step updating GRUB 2 menu comes before agenix decryption step and thus fails because the secret is not yet copied in clear text to /run/secrets I wonder if that would even be possible? Afaik, agenix is injecting itself into stage2, correct me if I'm wrong. But it would be interesting to know if there is a way to get early boot support for decrypting. | 21:01:48 |
David Arnold (blaggacao) | Btw, does anybody want to prep a PR to ditch git-crypt? 😎🙂 | 21:02:44 |
b12f | probably impossible without hacking into the bootloader setup stuff from nixos. We're looking at putting the kernel into an unencrypted partition, this way we can ditch the keyfiles altogether. Only personal data will be encrypted then | 21:06:28 |