| 19 Aug 2021 | 
|  gdamjan | one of my TODO items is to add a generic make-portable-service function to Nix, similar to the ones that build docker images etc. | 17:38:33 | 
|  gdamjan | I'm hosting this image on Ubuntu currently, and it works fine for a while | 17:39:27 | 
|  gdamjan | I'm also trying to make a nextcloud portable service in a similar vein, but I didn't have time to investigate and fix the issues | 17:40:18 | 
|  andi- | nice! This looks straightforward | 18:01:43 | 
|  andi- | I wonder why not more software vendors just ship their stuff like that instead of writing weird (broken) install scripts and defunct systemd units.. | 18:02:10 | 
|  andi- | I do wonder if we can pass a folder as RootImage and why we wouldn't do that for most system units. | 18:13:08 | 
|  andi- | That would give us most of the (usually manually added) isolation features for free and we would finally have to opt in for state. | 18:13:30 | 
|  Arian | There is RootDirectory= | 18:14:22 | 
|  gdamjan | andi-: for a portable service? | 18:15:09 | 
|  andi- | Yes | 18:15:20 | 
|  gdamjan | andi-: portablectl already adds RootImage=/var/lib/portables/tt-rss_v2021-06-28.raw | 18:15:41 | 
|  gdamjan | ah you want a directory, not an image | 18:16:14 | 
|  andi- | I am thinking: why all the manual confinement code that we have if there is that. E.g. if I point it at /nix/store/....-nginx that contains the minimal required dirs | 18:16:24 | 
|  andi- | And then tmpfiles + bindmount + state dir/logdir/... | 18:16:45 | 
|  aanderse | andi-: sounds like some fun experiments | 22:51:16 | 
| 20 Aug 2021 | 
|  andi- | Running my systems on v249 now. Can't say things are any different than before. | 09:00:54 | 
|  princemachiavelli | Looking forward to v249, hopefully systemd-cryptenroll makes TPM unlocking LUKS drives a bit simpler. | 16:20:40 | 
| 21 Aug 2021 | 
|  andi- | That will still require some work. I haven't actually looked at any of the new features. It is already enough to try to keep things running. | 11:42:39 | 
|  andi- | That being said I also have a few local patches around resolved and enabling DNS-over-TLS etc.. | 11:43:07 | 
|  andi- | things we just don't allow right now | 11:43:13 | 
|  Arian | Yeh TPM won't work yet. We haven't enabled it in the default config. For TPM root partitions we need systemd-initrd. Which we don't have yet | 12:00:13 | 
|  Arian | So you could only use it to mount secondary partitions | 12:00:23 | 
|  andi- | what do you mean with TPM root partitions? | 12:10:15 | 
|  andi- | FWIW there is currently an open PR that adds TPM luks decryption to NixOS. I haven't looked in detail but that should work for root partitions. | 12:11:14 | 
|  Arian | As in. If you want to unlock your root partitions with the systemd-cryptenroll stuff you need systemd in initrd | 12:23:01 | 
|  andi- | I would be thinking about this systemd tpm integration more positively if they wouldn't use those weird user space bindings... | 13:08:45 | 
|  Arian | What do you mean? | 13:18:01 | 
|  Arian | Tpm2-tss? | 13:18:08 | 
|  andi- | yeah | 13:20:07 | 
|  andi- | supposedly the code is mostly generated from the spec yet it feels a bit clunky and their approach to testing breaks if run on ZFS for random reasons... | 13:21:46 |