<axd-v>Am I supposed to make a /boot partition that is left unencrypted and then however many partitions for the system? I want at least 2 for / and /home along with a swap partition, which should also be encrypted. How do I make sure that guix understands all of it, lets me use only one key to unlock the system and configures grub correctly?
<axd-v>mbakke: I haven't set it up yet personally, I definitely want to encrypt it though. I would usually have this layout: bios_partition (/dev/sda1, for GPT with BIOS), boot (/dev/sda2), root (/dev/sda3), home (/dev/sda4), swap (/dev/sda5). I've done this with arch before, but now I use lvm so only need 3 partitions.
<mbakke>axd-v: I have some bad news... GuixSD does not support LVM yet.
<grafoo>rekado_: I opened an environment based on emacs, installed webkitgtk and ran configure with --with-xwidgets but I won't find the libs.
<axd-v>dustyweb: so you just have a partition for bootloader bios_grub partition/EFI and a second for the whole guix?
<grafoo>rekado_: what's strange, even pkg-config does not find the webkit libs
<zybell>but the 'embedded' part *is* unencrypted or grub won't start. Note that I said "*started* from". It doesn't mean that the whole grub is unencrypted.
<axd-v>mbakke: I did see that lvm isn't supported, but isn't it possible to set up multiple encrypted partitions that open one another starting with root using just LUKS and without lvm?
<mbakke>axd-v: I believe multiple LUKS partitions will work fine.
<axd-v>mbakke: so is boot supposed to be encrypted or unencrypted and on its own partition?
<mbakke>Regarding partitioning, I have the same setup you asked dustyweb about.
<mbakke>axd-v: For GuixSD I would recommend having /boot on the same partition as /.
<axd-v>mbakke: so having something like 4 partitions: bios_grub, root, swap, home, be possible? Which ones would be encrypted and which ones not?
<axd-v>mbakke: forgot a boot partition, but only if there's any point to split it from /
<mbakke>axd-v: You can encrypt all except bios_grub; however you'd have to type a password for each during the boot process.
<mbakke>Plus once for GRUB to unlock the root partition.
<axd-v>mbakke: is that what you do? Multiple passwords? How many in total?
<mbakke>There is no point in having /boot on a separate partition since GRUB needs to load the kernel from the encrypted /gnu/store anyway.
<mbakke>axd-v: I only have one large partition for GuixSD with btrfs subvolumes for /home etc.
<mbakke>Then a different partition with LVM that I use "manually".
<mbakke>You'll also need a bios_grub partition, or an EFI System Partition, depending on your hardware.
<axd-v>mbakke: so you use a swapfile in your guixsd partition for swap? Is your third lvm partition just used for data storage and irrelevant to the rest of the system? Just wondering why you have it.
<mbakke>axd-v: I use a swapfile or an LVM partition if/when I need swap.
<mbakke>The LVM partition is used for VMs, temporary mounts, that sort of stuff. Nothing interesting.
<mbakke>More convenient than setting up backing files for the same purposes..
<axd-v>mbakke: never thought of having a throwaway lvm partition, might just set one up.
<pkill9>how is a file in the store typically made setuid?
<mbakke>pkill9: On GuixSD you can use (setuid-programs ...) in your system configuration.
<pkill9>so would it automatically create a setuid wrapper in /run/setuid-programs when the package is installed by anyone? (that's my impression from looking at %setuid-programs in gnu/system.scm, i'm probably wrong tho)
<mange>No, the packages referenced by %setuid-programs will be used as input to the system (so they'll be in the store), and setuid wrappers will be installed to /run/setuid-programs. A user doesn't need to install the package into their user profile in order to call the wrappers in /run/setuid-programs.
***atw` is now known as atw
<vagrantcish>given that users can build arbitrary software, it would seem a bit dangerous to allow users without root privileges to arbitrarily mark things as setuid...
<axd-v>alright, so I'm building a custom kernel in my system config and I'm getting this error: `Makefile:933: *** "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel". Stop phase `build' failed after 1.8 seconds`.
<axd-v>Not sure what to do with it, there are a few more messages, but I think this is the main error.
<axd-v>I'm trying to build linux 4.15.6 using a custom definition. It's inheriting linux-libre and it did work with another install of guixsd on another machine, so I don't understand why it should fail to build on this one.
<axd-v>here's how my config looks like. The amount of modules and the specific ones are a bit all over the place since I don't really understand their hierarchy, but if anyone is willing to give it a look, it would help me a lot. http://paste.debian.net/1023618/
<axd-v>I've tried to install libelf in the installation live image and then try to run guix system init again, but the same problem came up. I guess gonna try to install libre version for now and hope that my raspberry pi arrives soon so that I can flash my bios and get rid of the wireless whitelist and install my libre card that I already have.
<lfam>axd-v: Packages are built in ephemeral containers that only contain the packages listed in the package definition. So, installing a package with `guix package --install` or similar will have no effect on any package building
<zybell>cross-compiling: libelf is needed in hostcode: nativeBuildInput in nix vocabulary.
<zybell>(btw, you should say if you run a cross-compile)
<axd-v>lfam: I see, well I'm now building a new generation with linux-libre. It should work and I may try to get the custom kernel to work maybe with the latest 4.16.7 version, but I have no idea what might be causing it to behave differently now that it's the same config on a different install. Still waiting for the easy deployment promised by guix hehe
<axd-v>zybell: well, I posted my config in the pastebin link above. Not doing anything that deviates from the installation manual and you can see what's in my config. Don't think I'm cross compiling since it's just an amd64 architecture, but I really don't know.
<lfam>axd-v: My guess is that, on system that worked, Guix had been upgraded to a newer version with `guix pull`, whereas the failing system was still using an older version of Guix.
<zybell>sorry, I thought it was for Raspberry. But libelf has differences between i686 and x86_64.
<axd-v_>sorry got disconnected, let me see the archive real quick
<axd-v_>zybell: I see, no worries. I'm probably going to ultimately use FreedomBox or something on it which sets up nextcloud and other hosted services out of the box. Should be nice from everything I heard about it. But first I will use it to flash Heads+Coreboot onto my thinkpad x230 which should also be fun.
<CornBurglar>I realize it's not recommended, but with my current hardware the only way to run GuixSD is with the use of (unfree)intel wifi. Is there a good way to recompile GuixSD with this allowed or otherwise make the distribution usable for me?
<vagrantc>alright, guix pull finally worked on armhf-linux with f2e66663c2e00b482cdf5ba83173291d30363e7c ... i wonder if breaking out the base system helped, or if it was some other random thing
<vagrantc>CornBurglar: you'd have to use a kernel other than linux-libre
<axd-v_>Ok, so I have installed guixsd system and rebooted for the first time. I used encryption, so here, grub, after starting from bios_grub partition, tries to open the next partition which is encrypted in order to boot the kernel, but it shits the bed and doesn't find uuid or something. Has anyone experienced this?
<axd-v_>actually never mind everything I just said. I'm dumb and used the wrong password, but it is still strange that it didn't prompt me again and just failed.
<axd-v_>So my GuixSD install gets stuck during the boot procedure on `clocksource: Switched to clocksource tsc` anyone have any idea what this is?
<mange>Doesn't seem to be GuixSD specific. From a brief search it looks like a kernel thing.
<mange>... By which I mean, a problem that happens on other distributions, too.
<axd-v_>So I'm trying to run a `guix pull` and right after everything is done compiling I get this: `exception thrown while printing backtrace: In procedure private-lookup: Module named (guile) does not exist`
<soundtoxin>I want to set up an mpd service and an ssh server, but I don't know what I have to put in my config to get them working. Can anyone assist?
<mange>Have you looked in the manual? (guix) Audio Services, and (guix) Networking Services look the most helpful. They each have an example that can be added to your services entry in your operating-system.
<soundtoxin>I haven't yet taken a stab at getting mpd working, I think I tried and failed to get ssh working, but I'll give it another go
<axd-v_>Has anyone had any problems with getting `guix pull` to complete on the latest commit?
<soundtoxin>I don't know how to fit the examples in to my existing file
<soundtoxin>technically yes, but I consider myself as one who cannot currently program
<soundtoxin>I have started sicp but I don't really have a good grasp of it
<mange>Okay then. What you have there, (services %desktop-services), is defining a list of services, as a field of your operating-system (which is opened higher in the file).
<mange>So, what you need to do is add more services into that service list.
<mange>By replacing that with something like (services (append (list ...) %desktop-services))
<soundtoxin>okay, not sure how much of this to take literally, I get that I should expand the services thing instead of adding a new service thing below it
<mange>Then, where that ... is, you want to put your service definitions. So maybe (services (append (list (service openssh-service-type)) %desktop-services)).
<mange>If you put that in your file, it should actually work. But I've defined that openssh-service-type with no configuration. If you want to put in configuration, you can do it in the same way as what you have in your screenshot (bearing in mind that nesting of parentheses matters, but whitespace doesn't).
<mange>If that doesn't make sense, say so and I can put together a more complete example.
<soundtoxin>I don't understand entirely yet. I quickly start to lose track of how many parentheses I need and where
<mange>But otherwise, you need to put the openssh-configuration stuff (including all the relevant parentheses) where you have that single space after openssh-service-type, but before the next closing paren.
<soundtoxin>I haven't updated today so it might take a bit before I see if this works
<soundtoxin>I have an alias that does 'sudo guix pull && sudo guix system reconfigure /etc/config.scm'
<soundtoxin>not sure if this is the best approach, but I just run it every now and then to get updates or when I change my file
<mange>If you change the file you don't need to pull first, which can let you rebuild much faster.
<soundtoxin>I guess if I did a reconfigure before a pull it might finish faster
<mange>The only problem I have with the default openssh config is that it allows password authentication, so you should try changing it to only allow authentication with a private key.
<mange>Unless you are fine with password authentication.
<soundtoxin>I've never gotten into much of that stuff with ssh. I guess I could give it a go. I usually have password authentication, and then I generate keys and do 'ssh-copy-id user@host', then it doesn't ask a password anymore.
<soundtoxin>I guess disabling password auth is just more secure
<mange>Yeah, disabling password auth means that other people can't guess your password. Usually a secret key is a lot harder to guess than a password.
<mange>Well, there are other attack vectors besides guessing a password, but for some reason that's the one I'm most intrinsically scared of.
<soundtoxin>my only worry is not being able to get into my own machine at some point... my workflow doesn't account for key-only ssh currently
<soundtoxin>I generally generate a new key on each machine and then copy it over via that command
<soundtoxin>not sure if it's secure to have the same key on multiple machines
<axd-v_>Why could guix complain that `Network is unreachable` when I can ping websites reliably. `nmcli` reports 2 connections, wired or wireless. Why would it play with me like that?
<mange>I have one key per machine. When I generate a key I copy it onto another machine with access, and use that to copy the key to the server.
<soundtoxin>yeah I guess as long as I keep one machine with access I can work things out
<mange>As long as I have at least one device with a valid key then I can set up all of my other ones.
<soundtoxin>I shared a vps with a friend who had password auth disabled so I had to deal with manually adding keys of other machines a couple times
<mange>axd-v_: What is saying the network is unreachable?
<axd-v_>...and now it starts working. I have been having these intermittent issues recently, hopefully it just goes away. mange: guix was saying that it can't get the substitutes but after a little more time, same thing just works.
<mange>Yeah, I've had problems with networking on GuixSD that I don't understand. I have basically no idea how to even start debugging it, but it usually fixes itself relatively quickly.
<mange>I've assumed it's my machines, because it's usually been on things with fairly patchy Linux support.
<axd-v_>mange: have you ever had this network problem happen mid installation? I have a few times just today. The only thing that saves me is that guix doesn't restart entirely from scratch every time.
<mange>Yeah, I think I have. I haven't reinstalled for a while, so I can't really remember.
<axd-v_>mange: I mean even mid `guix pull` or `guix package -i ..`?
<mange>Oh, right. I don't think of them as installing. :P But yeah, definitely.
<mange>Because at some point the network just gives up, and everything stops downloading. Then I start it again and it's like "oh no, sorry, I do know how to download things!"
<soundtoxin>mange: so if I now want to get mpd going, do I just add to that same section where I just put openssh?
<soundtoxin>well maybe add another )) and put it near the end or something
<mange>Yep! Within the parentheses that the (list opened. If your editor doesn't help you then you'll have to count parentheses, unfortunately.
<mange>We usually use indentation to specify how many parentheses there are, which can be helpful. All the code in the documentation is formatted in this way.
<mange>Parentheses are pretty important in scheme, so if you're planning to do much with Guix it might be a good idea to find an editor that can show you which parenthesis matches which.
<soundtoxin>and maybe I should move some of the parens from the end to earlier...
<mange>Excellent! In that case, think of the parentheses as being like a function call. Your earlier (service openssh-service-type (openssh-configuration ...)) is similar to service(openssh-service-type, openssh-configuration(...)).
<mange>Sorry, that was about the vim comment, not the broken config. :P
<mange>divansantana_: I have seen that, and it was talked about on one of the mailing lists at some point (maybe a bug?). I think it's matter of installing something to the profile, but I can't remember exactly what.
<soundtoxin>hm I wasn't thinking of this in a system-wide mindset I guess, I normally would use a user config and user systemd service. I might want to change where I mount my music
<soundtoxin>I'll use it with how I was thinking for now to make sure it works
<divansantana_>mange: thanks. I'll search the mailing list a bit later. If anyone knows, let me know :)
<mange>soundtoxin: Yeah, that file is for setting up the whole system. I run a separate shepherd process to manage my user daemons, and mpd is just one of those. We ideally would love to have a more cohesive approach to managing daemons, but we're not there yet.
<soundtoxin>ohh I gotta add 'mpd' somewhere near the top I think
<axd-v_>mange: yeah it's happening all the time at the moment. I'm using a weird kernel which might affect something. I'm using 4.15.6, the mainline. The network reset seemed to reset it. I'm hoping this will go away once I transition to linux-libre kernel and a different wifi-card (intel -> atheros)
<mange>soundtoxin: Can you check if there are any other mpd processes running, and kill them if there are? Also `herd stop mpd`. Then, once you're confident none of them are running, run `herd start mpd`.
<soundtoxin>how does xlock decide what screensavers to use? I didn't have xscreensaver installed, so I installed it and then disabled a bunch of the screensavers from xscreensaver-demo, but when I use xlock it still uses ones I turned off
<civodul>soundtoxin: did you use 'screen-locker-service' for i3lock?
<zybell>Either you configure your client to use v6 too or you could strace -f the startup of mpd, see where it tries to read conf from, where it gets the notion not to use v4, and depending on source change that.
<bavier`>civodul: could you tell me more about this: "home directories should be mounted on the master node as well so that guix-daemon knows about these non-standard profiles and avoids collecting software they refer to."
<bavier`>guix-daemon doesn't scan home directories; it just needs to be able to check if a symlink to /var/guix is still alive, right?
<apteryx`>Hello! I'm using a SSH port forward to connect to IRC using a firewalled network, but gnutls fails the handshake, with the most likely cause being this message: gnutls: the hostname in the certificate does NOT match "localhost". Would there be a way to make this work, even with the hostname discrepancy?
<kvetcher>How do I know what a SHA256 hash refers to? I found the line "(define (linux-firmware-version) "9d40a17beaf271e6ad47a5e714a296100eef4692")" and can't figure out what the hash leads to. linux-firmware-version only pops up in 1 other spot. Online decrypters for it return errors. I'm a bit confused by the whole SHA256 thing. Help please?
<pkill9>i dunno kvetcher, but you can use `guix hash <file>` to get the hash of a local file, and `guix download <url>` to download the file and get the hash of it
<kvetcher>pkill9: Thanks. A shorter version of my question is "how do I go from an unknown hash to the original file"?
<kvetcher>pkill9: Unfortunately, the config.scm on my hands is a bit old, and the hashes correspond to modules and firmware for an older kernel release (not to mention possibly a different architecture).
<zybell>if somebody finds a way to do it, that func is ditched, and a new one constructed, where that trick won't work.
<nckx>kvetcher: After reading the channel history: I'm still not entirely sure what exactly you're trying to do, but if you're writing custom package definitions you can use ‘guix download <URI>’ or ‘guix hash’ to calculate the checksum of an already downloaded file.
<nckx>That's not usually done or needed in config.scm though, so I might be way off :-)
<kvetcher>nckx: I'm trying to copy someone else's config.scm. Do I need the hashes?
<nckx>kvetcher: You need hashes if you're modifying standard Guix packages or defining new ones, yes. It's not a standard setup, but it's possible.
<nckx>Hard to say without seeing your config.scm and knowing exactly what you're trying to do, but if it's not a linux-libre variant I'm afraid we can't help you with that.
<nckx>(Hence why I'm only giving general advice since I'm pretty sure that's the case :-)
<nckx>kvetcher: Not trying to be unhelpful here, but 1) please see the channel topic for the preferred paste service and 2) pasting anything with ‘define-public linux-nonfree’ in this channel is not going to end well :-p
<nckx>I will gladly explain any general packaging questions you may have, though.
<kvetcher>nckx: Sorry about that. Do you have a tutorial to SHA256 sums for packages? I see them all the time, but searches online tell me how to verify them or generate one from a file. What are they actually?
<nckx>Changing gears a little: are you sure you need a different kernel at all?
<vagrantc>wow ... installing guixsd on armhf is taking... a long time. :)
<roptat>I've added a postgresql database in my config. How do I connect and create a database?
<nckx>Because it's not like installing Libreboot would magically liberate your peripherals. Linux-libre should boot on any machine.
<kvetcher>nckx: well, I need wifi to work. When I booted it up, it didn't show my wireless interface. I've used hashes in hash tables before in a data structures class. I'm not sure how they relate to package management and keysigning (other than that these hash functions require factoring large primes to crack them).
<divansantana_>How can I modprobe a module with a particular option in the config.scm?
<vagrantc>basically, the hashes allow you to determine that the thing you've downloaded or produced matches what was expected.
<nckx>kvetcher: While I certainly don't want to discourage you from flashing Libreboot, it won't solve your wifi problem. Only replacing your wi-fi card or using an external (USB, ...) one (‘dongle’) will do that.
<kvetcher>Huh. Guess I'll have to do some shopping then. vagrantc: I don't actually need them for downloading a package? They're just to protect against man-in-the-middle attacks?
<nckx>kvetcher: I know it sounds cumbersome (I was once in your boat), but think of it as an investment :-)
<vagrantc>kvetcher: or any other form of data corruption
<vagrantc>kvetcher: in any reasonable package management system, you'll want some sort of cryptographic hash to verify that you're getting the right thing.
<mbakke>divansantana: I think currently you have to pass "module.option=foo" in (kernel-arguments ...).
<nckx>kvetcher: To be very sloppy, there is only one real file in the world that matches any given hash. So if your file matches that hash, you can be 99.muchos% certain that it was not maliciously modified. A million caveats apply, but that's the gist.
<mbakke>vagrantc: What arm hardware are you installing GuixSD on?
<davidl_>I started working more with user manifests and moved all font packages to one of those. Now I'll try and put them back into system config.scm
<lfam>davidl_: I would take a look at which fonts are installed. I know we have fonts with large or complete Unicode character glyphs, and font-gnu-unifont is a good fallback for the entire Unicode "basic multilingual plane"
<nckx>Does anyone have working emojos under GuixSD and know why?
<lfam>davidl_: It's possible that fonts are found when logging in (dunno) so you may need to log in and out for the applications to find the newly installed fonts. I don't really know how fonts work on GNU / Linux
<nckx>ACTION doesn't use them, but it's somewhat affecting my relationship.
<davidl_>lfam: ok, I'll try installing that package.