Ra (Freyja) (it/its)𒀭𒈹𒍠𒊩since I haven't yet used it, should I try #NixOS on my backup NAS?
ok here we ggo. #NixOS ZFS root on the backup NAS
ok I've got a live image, /run/current-system/sw appears to be "ok I suppose we can sort of have a standard Unix-looking filesystem but not really"
and now I get to figure out how the fuck to do NixOS root on ZFS
update: success! NixOS is now running on Yttrium. Is there a declarative way to tell my zpool to expand to the other drives in my machine, or do I do that th old way?
update: NFS shared to my primary NAS, fwupd installed, nfs server running, this is actually working
update: NixOS still deosn't have
boot.loader.secureboot.enabled = true;
or anything like that? despite using systemd-boot..... that seems really dumb
I feel like the Linux community really fucked up in not embracing things like secure boot and mandatory disk encryption with TPM2 binding after the lies spread by anti-UEFI, anti-Secureboot people born out of misunderstandings about Windows 8 requirements
Irenes (many)@freya we're in favor of that sort of thing, yeah, though it's .... TPM binding is nice but it's an after-the-fact detection system, which, while still genuinely helpful, is less comforting for us with an activist threat model than it would be to a corporation for which everything comes down to financial loss and can be averaged out and forgotten
Ity Kitty@ireneista @freya TPM can be used to seal a disk encryption key and simply not give access to the disk and refuse to boot on tampering
@tranquillity @freya sure, but, unless we're missing something, the bootloader, initrd etc still have to be unencrypted, right?
@ireneista @freya cries in UKIs
@tranquillity @freya UKIs are definitely more elegant and convenient, especially around signing logistics... it's just that the size of the nixos initrd keeps creeping upwards, it's like triple what it was a few years ago (of course this does depend on settings). so a lot of systems have boot partitions that used to have plenty of space, and no longer do, and using separate kernel images saves a little :/
@tranquillity @freya (we think the ballooning initrd size is really unfortunate and keeping it small ought to be a higher priority, heh)
@ireneista @freya NixOS makes me cry, and I refuse to come back until I handroll my own nixpkgs that isn't... What nixpkgs has become.
@tranquillity @ireneista I'm probably not going to stick with NixOS, I wish Illumos distros had secure boot and built-in support for encrypted root on ZFS
@freya @ireneista wdym "had secure boot" ?
@tranquillity @ireneista they just don't support secure boot at all, there's no native tooling for it. could maybe knock something together with shim to load the BSD loader and....... but I'm not you, I'm not that much of a masochist
@freya @ireneista it's how I managed to daily drive NixOS for years! Masochism energy concentrate!