| 30 Jul 2025 |
 emily | you can use TPM etc. to get a not-easily-extractable host key prior to decryption | 19:37:54 |
| emily | (and that host key can be only accessible if you are booting a trusted kernel/initrd and nothing funny went on with the bootloader) | 19:38:10 |
 hexa | yes, and an unencrypted ssh hostkey | 19:38:14 |
| hexa | the threat modelling on this is pretty clear | 19:38:24 |
| emily | well, that's the less effective option :D | 19:38:28 |
| emily | but yes | 19:38:30 |
| emily | we have had support for this in NixOS for years | 19:38:39 |
| hexa | right | 19:38:41 |
 DenKn | than you could also install a second system with a full nixos, which will be booted first. than you use containers for the encrypted services. | 19:39:35 |
| hexa | the discussion is about bringing parity for network configuration options between the running system and the initrd, no need to question everything from first principles | 19:41:08 |
| DenKn | yes, than you have only one network config | 19:48:42 |
| emily | this is initrd except worse | 19:50:09 |
| emily | since you can easily verify initrd with secure boot/attestation | 19:50:18 |
| hexa | or at least the one you are already familiar with | 19:51:38 |
| hexa | * or at least the configuration stack one you are already familiar with | 19:51:47 |
| DenKn | There are a filesystem/dm-module with no encryption, but with signing? | 20:12:57 |
 K900 | There are options, yes | 20:14:35 |
| emily | (with complicated trade-offs) | 20:16:13 |
| emily | (and not ones that are easy to deploy mutable NixOS systems to) | 20:16:19 |
| DenKn | I do not need encryption, but signing would be interesting in such cases. I only want to mount encrypted data, but mostly the system could be only signed | 20:18:30 |
| emily | dm-verity is used for this in production | 20:20:33 |
| emily | but is only really suitable for image deploys | 20:20:37 |
| emily | fs-verity has potential for mutable systems but is complicated to close the gap with | 20:20:47 |
 ElvishJerricco | huh, I can't seem to get networking to work with libvirt anymore... | 23:58:18 |
| 31 Jul 2025 |
| ElvishJerricco | If I set up a VM with virt-manager and just let it do its default network, which should be some NAT thing, it seems like it's just not doing DHCP | 00:15:10 |
| ElvishJerricco | great... If I downgrade virtualisation.libvirtd.package to the libvirt from 25.05 it works... | 00:34:16 |
| hexa | https://media.freifunk.net/v/openwrt-on-realtek-switches | 20:44:11 |
 adamcstephens | I run a couple gigabit realtek switches on openwrt. They've been stable and without problems | 20:52:04 |
| hexa | how fun is management? | 20:55:59 |
| adamcstephens | I'm not changing it much. Mostly just updates, which have been problem free. The interfaces for the basic switch setup are mildly awkward, either GUI or config, but they're passable | 20:57:04 |
