since I haven't yet used it, should I try #NixOS on my backup NAS?
ok here we go. #NixOS ZFS root on the backup NAS
ok I've got a live image, /run/current-system/sw appears to be "ok I suppose we can sort of have a standard Unix-looking filesystem but not really"
and now I get to figure out how the fuck to do NixOS root on ZFS
update: success! NixOS is now running on Yttrium. Is there a declarative way to tell my zpool to expand to the other drives in my machine, or do I do that the old way?
update: NFS shared to my primary NAS, fwupd installed, nfs server running, this is actually working

update: NixOS still doesn't have

boot.loader.secureboot.enabled = true;

or anything like that? despite using systemd-boot..... that seems really dumb

I feel like the Linux community really fucked up in not embracing things like secure boot and mandatory disk encryption with TPM2 binding after the lies spread by anti-UEFI, anti-Secureboot people born out of misunderstandings about Windows 8 requirements
@freya we're in favor of that sort of thing, yeah, though it's .... TPM binding is nice but it's an after-the-fact detection system, which, while still genuinely helpful, is less comforting for us with an activist threat model than it would be to a corporation for which everything comes down to financial loss and can be averaged out and forgotten
@ireneista @freya TPM can be used to seal a disk encryption key and simply not give access to the disk and refuse to boot on tampering
@tranquillity @freya sure, but, unless we're missing something, the bootloader, initrd etc still have to be unencrypted, right?
@ireneista @freya cries in UKIs
@tranquillity @freya UKIs are definitely more elegant and convenient, especially around signing logistics... it's just that the size of the nixos initrd keeps creeping upwards, it's like triple what it was a few years ago (of course this does depend on settings). so a lot of systems have boot partitions that used to have plenty of space, and no longer do, and using separate kernel images saves a little :/
@tranquillity @freya (we think the ballooning initrd size is really unfortunate and keeping it small ought to be a higher priority, heh)
@ireneista @freya NixOS makes me cry, and I refuse to come back until I handroll my own nixpkgs that isn't... What nixpkgs has become.
@tranquillity @ireneista I'm probably not going to stick with NixOS, I wish Illumos distros had secure boot and built-in support for encrypted root on ZFS
@freya @ireneista wdym "had secure boot" ?
@tranquillity @ireneista they just don't support secure boot at all, there's no native tooling for it. could maybe knock something together with shim to load the BSD loader and....... but I'm not you, I'm not that much of a masochist
@freya @ireneista I'm a masochist by necessity
Wait-
@freya @ireneista it's how I managed to daily drive NixOS for years! Masochism energy concentrate!