Ra (Freyja) (it/its)𒀭𒈹𒍠𒊩since I haven't yet used it, should I try #NixOS on my backup NAS?
ok here we ggo. #NixOS ZFS root on the backup NAS
ok I've got a live image, /run/current-system/sw appears to be "ok I suppose we can sort of have a standard Unix-looking filesystem but not really"
and now I get to figure out how the fuck to do NixOS root on ZFS
update: success! NixOS is now running on Yttrium. Is there a declarative way to tell my zpool to expand to the other drives in my machine, or do I do that th old way?
update: NFS shared to my primary NAS, fwupd installed, nfs server running, this is actually working
update: NixOS still deosn't have
boot.loader.secureboot.enabled = true;
or anything like that? despite using systemd-boot..... that seems really dumb
I feel like the Linux community really fucked up in not embracing things like secure boot and mandatory disk encryption with TPM2 binding after the lies spread by anti-UEFI, anti-Secureboot people born out of misunderstandings about Windows 8 requirements
Irenes (many)@freya we're in favor of that sort of thing, yeah, though it's .... TPM binding is nice but it's an after-the-fact detection system, which, while still genuinely helpful, is less comforting for us with an activist threat model than it would be to a corporation for which everything comes down to financial loss and can be averaged out and forgotten
@freya signed boot, now, we're hugely in favor of that. we've been chewing for years on what it would have to be like workflow-wise to provide high assurances to non-experts.
@ireneista something like what AVB does?
@freya well the hard part in our view is, with a source-based distro, when does signing happen?
@ireneista that's true, s'why I'm not a fan of source-based distros like gentoo myself\
Ity Kitty@freya @ireneista oh hey, that's my work (verified boot on Linux, specifically Gentoo)
@tranquillity @ireneista gentoo gives me a headache unfortunately
@freya @ireneista I don't like it but I found it the easiest for when I inevitably have to debug every single program on my OS and just edit the src of everything that runs on my system to fix bugs in upstream
Collecting a bunch of .patch files when yet another random thing breaks, my favorite.
@freya @ireneista I also need to have the debug info hooked up right for GDB to work
Etc
@tranquillity @freya yeahhhhh this is how we relate to nix heh sigh
@ireneista @tranquillity gods, you linux people are ridiculous, I hope you're aware
@freya @ireneista I still hate Linux
@tranquillity @ireneista have you tried Solaris, cutie?
@freya @ireneista not like I spent a decent enough time setting up a cross compiling toolchain for targeting Solaris :3
@tranquillity @ireneista yes but you should play iwth Solaris 11.4 on X64 with secureboot
@freya @ireneista hmm, I cooould
@freya @tranquillity we don't really identify as a linux person we just happen to use it
@tranquillity @freya oh nice!
@freya nix just doesn't have an answer for that because the tooling is deeply invested in pretending that user interaction during building is impossible
(we have a bunch of nix things that are authorized by a yubikey touch... which is user interaction, just, not through the obvious UI)
@freya we think that needs to change, but it seems like we're the only ones interested in that direction of research, so it may be a while