Here I store my notes regarding Nix as it pertains to this repository. This will include some findings and also projects I’m working on. I do have separate notes for Nix in my private notes repository, and I haven’t yet come up with a method of consolidating them.
This helps me close the many tabs I have open. This is very incomplete and I have many more tabs to go. I think I like this as a general “wut I do in Nix” scratch pad though.
Look up the next element in the periodic table, and then create that under nix/hosts.
Not a lot must be done here to accommodate BIOS, since a bootable partition is simply bootable. There might have to be some adjustments made in the BIOS settings. Despite how simple this process is, it is essentially dead already. New systems will use UEFI and thus see UEFI systems.
Unfortunately you cannot create a bootable image and simply slap it into a UEFI system, because that UEFI system has to be told where to boot. I’ve read that one can simply create a boot partition and put certain files in the right place. Nix does this, or can be taught to do this. In any case, I have verified the magic files went into the magic locations, but still no joy.
Instead, boot into the system using the detachable USB drive. The host is
called nucleus.proton on boot. From there, you should be able to do a remote
deployment. Unfortunately proton-deploy does not accommodate this activity
yet. You can add it, or you can use remote-deploy --enter-via nucleus.proton ...
It is recommended to use proton-deploy though, due to security concerns.
The Raspberry Pi uses its own proprietary boot system. Sometimes it can use
something called uboot, which may or may not be proprietary.
For these, use the following invocation:
host='my-host'; nom build ".#nixosConfigurations.${host}.config.system.build.sdImage" --show-trace --verbose --accept-flake-config
But, you know, change host.
Once that’s complete, use image-deploy thusly, with your SD card plugged in:
image-deploy --image result/sd-image/*.img.zst
Once it’s done, and the partition table looks fleshed out, remove the SD card (no eject/unmount needed). Plug it into the Pi and boot the Pi.
agenix has some trouble with this configuration and needs some help getting
bootstrapped. Use proton-deploy to the image to help it lay down everything
needed. I thought I read this needed a reboot, but I was incorrect about that -
the reboot does nothing.
Part of the problem is that the host key that was laid down differs from the one
used in the initial build. I haven’t figured out how to get around this yet,
and from my recollection of reading oddllama’s dotfiles, it’s not possible yet.
So scan the host key into the right location:
host='host'; ssh-keyscan $host.proton | grep -o 'ssh-ed25519.*' > secrets/$host-pub-key.pub
A quick git status will show the host pub key has changed.
agenix rekey -a
Then do another proton-deploy switch $host. This should fix everything.
This is all the Nix related projects I have.
This is largely done.
I am working on helping finish a pull request started by @fazo96 here: NixOS/nixpkgs#268378
I was able to get things running locally and have been enjoying the functionality there for some time, as well as putting it through its paces. My most notable improvement was getting the model stuff more or less sorted out, and declarative in a clean way. There remains some feedback items to address, but everything works.
In addition to the work left, there is a lingering question about some similar work done by @lboklin on nixified-ai#94. I’ve brought in some of the work, but many commits have been added to it since then and I haven’t taken a look yet.
In addition to feedback items, but as part of a separate pull request, I feel
the need to also add a wiki or documentation entry showing how one could run
comfyui using Nix.
My tasks that remain for the pull request:
- [ ] Document the justification for fetchModel.
- [ ] Fix issue where the URL changing for fetchModel causes a re-fetch.
- [ ] Do we still need fetchModel?
- [ ] See if we can use buildPythonApplication to build a Python application out of comfyui.
- [ ] Check for other feedback items.
- [ ] Link the feedback items in the pull requests to these tasks.
- [ ] There’s a suggestion to bring in a pyproject.toml but I don’t know if comfyui has it, but this reviewer has gotten it working regardless: https://github.com/SomeoneSerge/pkgs/blob/f28af3c0d60500697a987794b2b1e64f70cfd3b7/python-packages/by-name/co/comfy-ui/pyproject.toml
I have this error when using this override in my overlays:
pythonPackagesExtensions = [(py-final: py-prev: {
torch = py-final.pytorch-bin;
})];
The error:
trace: warning: cudaPackages.autoAddDriverRunpath is deprecated, use pkgs.autoAddDriverRunpath instead error: … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1571:24: 1570| let f = attrPath: 1571| zipAttrsWith (n: values: | ^ 1572| let here = attrPath ++ [n]; in … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1205:18: 1204| mapAttrs 1205| (name: value: | ^ 1206| if isAttrs value && cond value … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1208:18: 1207| then recurse (path ++ [ name ]) value 1208| else f (path ++ [ name ]) value); | ^ 1209| in … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:242:72: 241| # For definitions that have an associated option 242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options; | ^ 243| … while evaluating the option `system.build.toplevel': … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:824:28: 823| # Process mkMerge and mkIf properties. 
824| defs' = concatMap (m: | ^ 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) … while evaluating definitions from `/nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/activation/top-level.nix': … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:825:137: 824| defs' = concatMap (m: 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) | ^ 826| ) defs; … while calling 'dischargeProperties' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:896:25: 895| */ 896| dischargeProperties = def: | ^ 897| if def._type or "" == "merge" then … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/activation/top-level.nix:71:12: 70| # Replace runtime dependencies 71| system = foldr ({ oldDependency, newDependency }: drv: | ^ 72| pkgs.replaceDependency { inherit oldDependency newDependency drv; } … while calling 'foldr' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:121:20: 120| */ 121| foldr = op: nul: list: | ^ 122| let … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:128:8: 127| else op (elemAt list n) (fold' (n + 1)); 128| in fold' 0; | ^ 129| … while calling 'fold'' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:124:15: 123| len = length list; 124| fold' = n: | ^ 125| if n == len … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/activation/top-level.nix:68:10: 67| then throw "\nFailed assertions:\n${concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}" 68| else showWarnings config.warnings baseSystem; | ^ 69| … while calling 'showWarnings' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/trivial.nix:867:28: 866| 867| 
showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings; | ^ 868| … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/trivial.nix:867:33: 866| 867| showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings; | ^ 868| … while calling 'foldr' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:121:20: 120| */ 121| foldr = op: nul: list: | ^ 122| let … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:128:8: 127| else op (elemAt list n) (fold' (n + 1)); 128| in fold' 0; | ^ 129| … while calling 'fold'' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:124:15: 123| len = length list; 124| fold' = n: | ^ 125| if n == len … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1205:18: 1204| mapAttrs 1205| (name: value: | ^ 1206| if isAttrs value && cond value … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1208:18: 1207| then recurse (path ++ [ name ]) value 1208| else f (path ++ [ name ]) value); | ^ 1209| in … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:242:72: 241| # For definitions that have an associated option 242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options; | ^ 243| … while evaluating the option `warnings': … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:824:28: 823| # Process mkMerge and mkIf properties. 
824| defs' = concatMap (m: | ^ 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) … while evaluating definitions from `/nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/boot/systemd.nix': … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:825:137: 824| defs' = concatMap (m: 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) | ^ 826| ) defs; … while calling 'dischargeProperties' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:896:25: 895| */ 896| dischargeProperties = def: | ^ 897| if def._type or "" == "merge" then … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1096:10: 1095| attrs: 1096| map (name: f name attrs.${name}) (attrNames attrs); | ^ 1097| … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1096:16: 1095| attrs: 1096| map (name: f name attrs.${name}) (attrNames attrs); | ^ 1097| … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/boot/systemd.nix:443:16: 442| mapAttrsToList 443| (name: service: | ^ 444| let … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/boot/systemd.nix:450:16: 449| concatLists [ 450| (optional (type == "oneshot" && (restart == "always" || restart == "on-success")) | ^ 451| "Service '${name}.service' with 'Type=oneshot' cannot have 'Restart=always' or 'Restart=on-success'" … while calling 'optional' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:784:20: 783| */ 784| optional = cond: elem: if cond then [elem] else []; | ^ 785| … while calling anonymous lambda at 
/nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1205:18: 1204| mapAttrs 1205| (name: value: | ^ 1206| if isAttrs value && cond value … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1208:18: 1207| then recurse (path ++ [ name ]) value 1208| else f (path ++ [ name ]) value); | ^ 1209| in … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:242:72: 241| # For definitions that have an associated option 242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options; | ^ 243| … while evaluating the option `systemd.services.comfyui.serviceConfig': … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:824:28: 823| # Process mkMerge and mkIf properties. 824| defs' = concatMap (m: | ^ 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) … while evaluating definitions from `/nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/boot/systemd.nix': … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:825:137: 824| defs' = concatMap (m: 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) | ^ 826| ) defs; … while calling 'dischargeProperties' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:896:25: 895| */ 896| dischargeProperties = def: | ^ 897| if def._type or "" == "merge" then … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1205:18: 1204| mapAttrs 1205| (name: value: | ^ 1206| if isAttrs value && cond value … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1208:18: 1207| then recurse (path ++ [ name ]) value 1208| else f 
(path ++ [ name ]) value); | ^ 1209| in … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:242:72: 241| # For definitions that have an associated option 242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options; | ^ 243| … while evaluating the option `systemd.services.comfyui.preStart': … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:824:28: 823| # Process mkMerge and mkIf properties. 824| defs' = concatMap (m: | ^ 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) … while evaluating definitions from `/nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/services/web-apps/comfyui.nix': … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:825:137: 824| defs' = concatMap (m: 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) | ^ 826| ) defs; … while calling 'dischargeProperties' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:896:25: 895| */ 896| dischargeProperties = def: | ^ 897| if def._type or "" == "merge" then … while evaluating derivation 'comfyui-unstable-2024-04-15' whose name attribute is located at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:331:7 … while evaluating attribute 'installPhase' of derivation 'comfyui-unstable-2024-04-15' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/by-name/co/comfyui/package.nix:110:3: 109| 110| installPhase = '' | ^ 111| runHook preInstall … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/by-name/co/comfyui/package.nix:86:16: 85| 86| executable = writers.writeDashBin "comfyui" '' | ^ 87| cd $out && \ … while calling 
'writeDash' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/build-support/writers/scripts.nix:233:21: 232| # '' 233| writeDash = name: argsOrScript: | ^ 234| if lib.isAttrs argsOrScript && ! lib.isDerivation argsOrScript … while evaluating derivation 'python3-3.11.9-env' whose name attribute is located at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:331:7 … while evaluating attribute 'passAsFile' of derivation 'python3-3.11.9-env' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/build-support/trivial-builders/default.nix:69:9: 68| inherit buildCommand name; 69| passAsFile = [ "buildCommand" ] | ^ 70| ++ (derivationArgs.passAsFile or [ ]); … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/development/interpreters/python/wrapper.nix:20:13: 19| env = let 20| paths = requiredPythonModules (extraLibs ++ [ python ] ) ; | ^ 21| pythonPath = "${placeholder "out"}/${python.sitePackages}"; … while calling 'requiredPythonModules' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/development/interpreters/python/python-packages-base.nix:54:27: 53| # Get list of required Python modules given a list of derivations. 
54| requiredPythonModules = drvs: let | ^ 55| modules = lib.filter hasPythonModule drvs; … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:1793:25: 1792| */ 1793| unique = foldl' (acc: e: if elem e acc then acc else acc ++ [ e ]) []; | ^ 1794| … while evaluating derivation 'python3.11-torchaudio-2.3.1' whose name attribute is located at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:331:7 … while evaluating attribute 'TORCH_CUDA_ARCH_LIST' of derivation 'python3.11-torchaudio-2.3.1' at «none»:0: (source not available) … while calling anonymous lambda at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:576:11: 575| mapAttrs 576| (n: v: assert assertMsg (isString v || isBool v || isInt v || isDerivation v) | ^ 577| "The ‘env’ attribute set can only contain derivation, string, boolean or integer attributes. The ‘${n}’ attribute is of type ${builtins.typeOf v}."; v) … from call site at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:576:21: 575| mapAttrs 576| (n: v: assert assertMsg (isString v || isBool v || isInt v || isDerivation v) | ^ 577| "The ‘env’ attribute set can only contain derivation, string, boolean or integer attributes. The ‘${n}’ attribute is of type ${builtins.typeOf v}."; v) … while calling 'assertMsg' at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/asserts.nix:41:5: 40| pred: 41| msg: | ^ 42| pred || builtins.throw msg; error: attribute 'cudaCapabilities' missing at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/development/python-modules/torchaudio/default.nix:100:56: 99| env = { 100| TORCH_CUDA_ARCH_LIST = "${lib.concatStringsSep ";" torch.cudaCapabilities}"; | ^ 101| };
I’m trying a pytorch build once again (getting away from the cachix stuff would be great).
https://nixos.wiki/wiki/OpenLDAP
I have nickel building. I was dumbly copying over the .zst file which can
never boot because it’s a compressed archive. After decompressing it, I was
able to boot nickel just fine. Questions remain on how I got it to that
state, and what purpose exists for all the other fancy stuff I have found
regarding Raspberry Pi and Nix.
My knowledge about LDAP is weak. I’ve had trouble setting it up, and I’ve been
copying examples from the NixOS Wiki in hopes of making things work. So far the
snippets are not working because the options validation is failing - it’s not
even getting to LDAP yet. This is while declaring the password policy for LDAP.
The current error is:
error: A definition for option `services.openldap.settings.children."olcDatabase={1}mdb".attrs."olcOverlay={2}ppolicy"' is not of type `(LDAP value - either a string, or an attrset containing `path` or `base64` for included values or base-64 encoded values respectively. ) or list of (LDAP value - either a string, or an attrset containing `path` or `base64` for included values or base-64 encoded values respectively. )'. Definition values: - In `/nix/store/v24qicc8f4h1xafv4qzbn49crg6h2nvb-source/flake.nix': { attrs = { objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ...
And the code for that is:
"olcOverlay={2}ppolicy".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
olcOverlay = "{2}ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
Put in greater context:
services.openldap = {
  enable = true;
  urlList = [
    "ldaps:///"
  ];
  declarativeContents = {
    "dc=proton,dc=org" = ''
      ...
    '';
  };
  settings = {
    attrs = {
      # ...
    };
    children = {
      "cn=schema".includes = [
        "${pkgs.openldap}/etc/schema/core.ldif"
        "${pkgs.openldap}/etc/schema/cosine.ldif"
        "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
      ];
      "olcDatabase={1}mdb".attrs = {
        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
        olcDatabase = "{1}mdb";
        olcDbDirectory = "/var/lib/openldap/data";
        olcSuffix = "dc=proton,dc=org";
        /* your admin account, do not use writeText on a production system */
        olcRootDN = "cn=admin,dc=proton,dc=org";
        # Untested. Should work but no run done yet.
        olcRootPW.path = config.age.secrets.ldap-root-pass.path;
        olcAccess = [
          /* custom access rules for userPassword attributes */
          ''{0}to attrs=userPassword
              by self write
              by anonymous auth
              by * none''
          /* allow read on anything else */
          ''{1}to *
              by * read''
        ];
        # TODO: This doesn't validate in Nix for some reason. Need to
        # investigate.
        "olcOverlay={2}ppolicy".attrs = {
          objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
          olcOverlay = "{2}ppolicy";
          olcPPolicyHashCleartext = "TRUE";
        };
        "olcOverlay={3}memberof".attrs = {
          objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
          olcOverlay = "{3}memberof";
          olcMemberOfRefInt = "TRUE";
          olcMemberOfDangling = "ignore";
          olcMemberOfGroupOC = "groupOfNames";
          olcMemberOfMemberAD = "member";
          olcMemberOfMemberOfAD = "memberOf";
        };
        "olcOverlay={4}refint".attrs = {
          objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ];
          olcOverlay = "{4}refint";
          olcRefintAttribute = "memberof member manager owner";
        };
      };
    };
  };
};
This makes me wonder if this stuff is actually recursively nested even though
the settings declaration in nixpkgs’ openldap.nix suggests otherwise.
I have found no tickets in nixpkgs yet.
Upon further reading for the OpenLDAP Nix Wiki page, I can see this is not
placed correctly. The ppolicy and other sections must be under
olcDatabase={1}mdb. I have applied the edits but cannot test it yet.
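The corrected placement described above, as an added example rather than the author's tested configuration: the overlays move out of attrs, whose values must be plain LDAP values (which is what the type error reports), into a sibling children set under olcDatabase={1}mdb. It reuses the names from these notes and assumes the ldap-root-pass agenix secret is declared elsewhere, that its decrypted file is readable by the OpenLDAP service user, and that slapd can load the three overlays.

```nix
# Added example (not from the original notes): a NixOS module fragment with
# the overlays nested as children of the database entry.
{ config, pkgs, ... }:
{
  services.openldap = {
    enable = true;
    urlList = [ "ldaps:///" ];

    settings = {
      attrs = {
        # Global cn=config attributes; elided in the notes, so left empty here.
      };

      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        ];

        "olcDatabase={1}mdb" = {
          # attrs holds only LDAP attributes of this entry. Each value is a
          # string, a list of strings, or a { path = ...; } / { base64 = ...; }
          # set. An attribute set with its own "attrs" key is none of these,
          # hence the validation failure when an overlay is placed here.
          attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = "dc=proton,dc=org";
            olcRootDN = "cn=admin,dc=proton,dc=org";
            # Referenced by path so the root password is read from the
            # decrypted agenix file at runtime and never copied into the
            # world-readable Nix store.
            olcRootPW.path = config.age.secrets.ldap-root-pass.path;
            olcAccess = [
              # Only the owner may write userPassword; anonymous binds may
              # authenticate against it; nobody else can read it.
              ''{0}to attrs=userPassword
                  by self write
                  by anonymous auth
                  by * none''
              # Everything else is world-readable.
              ''{1}to *
                  by * read''
            ];
          };

          # Overlays are child entries of the database in cn=config, so they
          # go under children, each with its own attrs.
          children = {
            "olcOverlay={2}ppolicy".attrs = {
              objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
              olcOverlay = "{2}ppolicy";
              # Hash cleartext passwords that arrive in add/modify requests
              # before they are stored.
              olcPPolicyHashCleartext = "TRUE";
            };
            "olcOverlay={3}memberof".attrs = {
              objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
              olcOverlay = "{3}memberof";
              olcMemberOfRefInt = "TRUE";
              olcMemberOfDangling = "ignore";
              olcMemberOfGroupOC = "groupOfNames";
              olcMemberOfMemberAD = "member";
              olcMemberOfMemberOfAD = "memberOf";
            };
            "olcOverlay={4}refint".attrs = {
              objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ];
              olcOverlay = "{4}refint";
              olcRefintAttribute = "memberof member manager owner";
            };
          };
        };
      };
    };
  };
}
```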
I want to run LDAP on nickel, which is a Raspberry Pi version 4 model B. I
have built for the 3 or 4 before with great success (see my Nix Adventures blog
post). However it hasn’t been building lately due to things moving around. So
I have some work via raspberry pi builds that I need to complete first.
There is a big deprecated section I copied unwittingly.
nix build '.#nixosConfigurations.cobalt-pi.config.system.build.sdImage' --system 'aarch64-linux' --no-eval-cache
nixpkgs#260754 led me to using raspberry-pi-nix for building Raspberry Pi
images. I would like to tie that in with nixos-generators if at all
reasonable.
Example of raspberry-pi-nix:
https://github.com/tstat/raspberry-pi-nix-example/blob/master/flake.nix
The documentation on the official Wiki for Raspberry Pi is outdated, as is typical. I might want to update it when I get everything working.
Out of the box, raspberry-pi-nix didn’t work for me. I filed
raspberry-pi-nix#17 for the issue I was having with patches to the kernel not
applying properly. I have since then done a lot of pinning on my flake inputs,
and now it’s building. I don’t have success yet, but it’s still going after
5-ish hours - I am well past the patching phase. I’ve closed out the ticket
with those notes.
From that ticket, @tstat did show me how to do this to look at a derivation’s output metadata:
nix derivation show '.#nixosConfigurations.nickel.config.boot.kernelPackages.kernel'
I tried using the Cachix builds, but couldn’t get them to work. It’s not obvious how to debug it. The Cachix FAQ has some things to try there but nothing seemed to work for me. I couldn’t get the negative caching to work (as in it just seemed to do nothing). The Cachix folks seem eager to help with this, but I just haven’t pursued that yet.
When building an older version, I ran into a “NAR mismatch”. raspberry-pi-nix
is pinned to raspberrypi/linux#stable_20231123. I don’t know why this is. I
did find @lilyball ran into that same issue with raspberry-pi-nix#2 building on
aarch64-darwin. I’d run into it there too. She moved her /nix partition to
case-sensitive APFS. I asked and she said she moved everything to a new
partition, and replaced the old partition with the new. Some folks have done
this via a Time Machine backup and restore. Rightly, @lilyball asked in
nix#2415 if we can’t just make that the default since APFS is the default
filesystem for Nix nowadays. There is no reply yet. Other possible reasons for
a NAR mismatch are Flake inputs using follows improperly/inconsistently, or the
lock file being borked per nix#6061. There is some prior work on preventing
mismatches, but I don’t think this is what’s affecting me.
I’d tried less extreme options. Building via linux-builder directly didn’t
work, because linux-builder is a slimmed down NixOS, and isn’t a fully
operational NixOS VM. I can’t run nix build or nixos-rebuild switch.
- The original tstat repository: https://github.com/tstat/raspberry-pi-nix
- My fork: https://github.com/LoganBarnett/raspberry-pi-nix
- Someone’s notes on building for the Raspberry Pi with Nix: https://github.com/lucernae/nixos-pi
- Pins of the kernel on cachix - note that it’s just one, and it’s older than
  what’s on master.
- NixOS wiki on the Linux kernel - This shows how to set the kernel. Notably:
boot.kernelPackages = pkgs.linuxPackages_latest;
My build of the kernel on lithium has been running for over 24 hours…
nix build '.#cobalt-nixos-generate' --system 'aarch64-linux' --no-eval-cache
Date is guessed - this is the earliest entry.
I’m paused on this in favor of raspberry pi builds via raspberry-pi-nix.
https://github.com/nix-community/nixos-generators
This is mostly a light wrapper around images in nixpkgs that allows directly
building images. I don’t quite understand why this is needed and one cannot
build directly via nixpkgs.
This is a GitHub search of other people using formatConfigs.
nixos-generators#203 simplifies the building of Raspberry Pi images by removing
all of the local configuration and instead leaning on what’s in nixpkgs, since
it’s being handled there now. Unfortunately sd-aarch64 has recently been
migrated to just be an SD card for aarch64 in a general sense, and now there’s
sd-aarch64-raspberrypi file/image for Raspberry Pi but nixos-generators has
not followed it. I have been trying to make this work via formatConfigs but I
had some trouble with it. Eventually I found out that the identifiers like
sdImage are hard coded somewhere. I don’t know why or where, but I feel this
should be documented in nixos-generators and I would like to contribute to this.
I think customFormats is the old way of doing this. There is an example of it
in Discourse.
nixos-generators#168 remains as an issue - I noticed the sd-aarch64-installer
and sd-aarch64 both refer to the same nixpkgs entity
(file/module?). Because of this, it seems like there’s no difference between
the two. Some of the work I was thinking about contributing might relate to
this. The findings of the last comment are now outdated because of the move to
sd-aarch-raspberrypi et al.
One thing I haven’t tried in this journey is looking at image compression. I’ve
seen mention (link?) that the image needs to be decompressed - I don’t want to
just dd a zst file over to the SD card. There’s something that can be done
to emit a raw image, but I don’t know what it is - I think there is a mechanism
for it. I believe most of my tests were done against zst, which would render
virtually all of my testing here invalid.
I continue to run into this issue:
error: Package ‘linux-6.1.63-stable_20231123’ in /nix/store/v24qicc8f4h1xafv4qzbn49crg6h2nvb-source/pkgs/os-specific/linux/kernel/linux-rpi.nix:9 is not available on the requested hostPlatform: hostPlatform.config = "aarch64-unknown-linux-gnu" package.meta.platforms = [ "armv7a-darwin" "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "armv6l-netbsd" "armv7a-netbsd" "armv7l-netbsd" "arm-none" "armv6l-none" ] package.meta.badPlatforms = [ ] , refusing to evaluate. a) To temporarily allow packages that are unsupported for this system, you can use an environment variable for a single invocation of the nix tools. $ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake, then pass `--impure` in order to allow use of environment variables. b) For `nixos-rebuild` you can set { nixpkgs.config.allowUnsupportedSystem = true; } in configuration.nix to override this. c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add { allowUnsupportedSystem = true; } to ~/.config/nixpkgs/config.nix.
This is the case when using the following invocation:
nix build '.#cobalt-nixos-generate' --system 'aarch64-linux' --no-eval-cache
I’ve tried excluding all modules, but still no joy. I don’t know if the
builders are set up properly at all. I don’t know how to test it. I used to be
able to see it about 6 months ago, but not anymore. That this is the same exact
issue with raspberry-pi-nix and even the standard means of doing this makes
me think that my builders are not working at all. But also there could be other
issues going on with the kernel package.
I don’t know how these builds were working. One of the above perhaps? This
emits an image in zstd format. I’ve been using dd on that file directly,
like an idiot. If I decompress that file and then copy it, well, it just works!
So how did I do that? And can I use that method and document it down the road?
Some issues I’ve had:
- When trying out nixos-generators, I now run into an issue where linux-builder
  won’t build the image due to uboot not building for armv7l-linux
  (the target I should use for the Pi, I guess) - it wants armv6l-linux.
  But I’m supposed to use armv7l-linux I think?
- the issue something up with supported build platforms / qemu emulation.
  I think I’ve moved past that mostly, onto the specific uboot issue above.
I don’t know how this image got emitted, what its hardware support looks like,
and if there’s anything additional I will want to do with it. I suppose if I
can do a pure nixpkgs setup then all the work going into nixos-generators
and raspberry-pi-nix must do something extra, right? Or is it just a bunch
of people working on the same problems but not coordinating with each other? My
experience with my own open source work indicates it might be the latter, but
also me doing things incorrectly is a constant factor in every problem I run
into.
Something about the dependencies coming from pypi.
I have some promising progress here for contributing back into agenix-rekey.
See ./nixos-modules/secrets.nix for details.
I said I would work on this per my two tickets I filed.
Using the command line invocation to add the trust (see ./darwin.nix), a password prompt always comes up. This doesn’t happen on my personal. What’s the difference? More importantly: Can we avoid it?
I need to check if this exists already, but I don’t think it does.
Get a domain for public hosting. Get a wildcard certificate probably, because I just don’t want to mess with it.
A long way away, but I want this done too. I was going to use some pre-built mail server image (I forgot the name), but now that I’m on the Nix boat, I want it in Nix.
Convert this to Nix. Currently uses OctoPrint.
argon.proton is the current host.
Convert this to Nix. Currently uses OctoPrint with a plugin.
It’s been down for some time. I want to spin up a new copy entirely.
This is a Pi I send home to the Japan family to set up a regional bridge between this network and theirs.
Migrate my existing nextcloud to a Nix based one. silicon.proton is the
current host.
Yes please. This is cobalt I think.
Oh boy this is going to be its own project probably.
# Alas, this isn't supported yet: https://github.com/NixOS/nix/pull/6911
export NO_COLOR=1
nix profile history --profile /nix/var/nix/profiles/system
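lib.mkIf either includes the value given or an empty attrset depending on the evaluation of the condition. In other words, this is for any attrset. For lists, see lib.optionals.
let
  # lib.mkIf wraps its content as { _type = "if"; condition; content; }; the
  # module system resolves it when merging, so the results below are what a
  # module option ends up with.
  a = lib.mkIf true { foo = "bar"; }; # Resolves to { foo = "bar"; }.
  b = lib.mkIf false { foo = "bar"; }; # Resolves to {} (definition dropped).
  # Resolves to { foo = "bar"; baz = "qux"; }. `//` cannot be used here, as it
  # would merge mkIf's wrapper attributes into the left-hand attrset.
  c = lib.mkMerge [ { foo = "bar"; } (lib.mkIf true { baz = "qux"; }) ];
  # Resolves to { foo = "bar"; }.
  d = lib.mkMerge [ { foo = "bar"; } (lib.mkIf false { baz = "qux"; }) ];
in {}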
lib.optionals includes the provided list if the condition is true. If false, an empty list is given. For an attrset, see lib.mkIf.
let
  a = lib.optionals true [ "foo" ]; # Returns [ "foo" ].
  b = lib.optionals false [ "foo" ]; # Returns [].
  # Returns [ "foo" "bar" ]. Lists are joined with ++ (// is for attrsets).
  c = [ "foo" ] ++ (lib.optionals true [ "bar" ]);
  # Returns [ "foo" ].
  d = [ "foo" ] ++ (lib.optionals false [ "bar" ]);
in {}
While I was working on comfyui and started using different nixpkgs versions across hosts, I started running into problems with shared modules. Some would set services.comfyui and attributes under it, and this would cause Nix evaluation failures for hosts that didn’t know about it in their nixpkgs.
First, find or create your imports for the module in question. Next, use lib.mkIf and check for the existence of the option with (builtins.hasAttr "comfyui" options.services). Then, in the key, allow the key name to evaluate to null based on a check.
imports = [
  (lib.mkIf (builtins.hasAttr "comfyui" options.services) {
    # This is kind of magical. See
    # https://nix.dev/manual/nix/2.17/language/values.html?highlight=coerced#attribute-set
    # but basically if the attribute name evaluates to null then the attribute
    # won't exist. Without this hack, we get `The option `services.comfyui'
    # does not exist.`. This is a special case and one cannot use null as a
    # key name.
    services.${
      if (builtins.hasAttr "comfyui" options.services)
      then "comfyui"
      else null
    } = {
      # A package is expected here; `pkgs ? comfyui-rocm` would be a boolean.
      package = pkgs.comfyui-rocm;
      rocmSupport = true;
    };
  })
];
This is the best way to avoid config.modules and lib.mkMerge while also keeping things relatively simple. I should make a helper for this though.
To include a package conditionally, use this:
imports = [
  # cyme isn't available on all versions of nixpkgs I use.
  (lib.mkIf (builtins.hasAttr "cyme" pkgs) {
    environment.systemPackages =
      if (builtins.hasAttr "cyme" pkgs)
      then [
        # Allows us to query the status of USB devices. This uses lsusb or
        # system_profiler -json under the hood in a cross-platform manner.
        # Unfortunately it does not work on non-USB devices (like SD cards)
        # like one might think. This is _not_ for storage devices (many
        # things imply it will work, but it won't).
        pkgs.cyme
      ]
      else []
    ;
  })
];
Fixed via PR: oddlama/agenix-rekey#56
This error appears when running agenix rekey -a.
The exact error is:
error: attribute 'age' missing
at /nix/store/zy9vgszqqqh51wmk8cjj6hghx6fydwbi-source/apps/rekey.nix:41:43:
    40|
    41| nodesWithDerivationStorage = filter (x: x.config.age.rekey.storageMode == "derivation") (attrValues nodes);
      | ^
    42|
This means there is a host that doesn’t have agenix on it as a module. Find the host in your flake.nix and remove the entry, then run again.
If we could somehow print the x on the error, we’d be in a great spot to find the issue.
When this happens you’ll see the value is the path to an element inside of the agenix.rekey.masterIdentities list.
The full error:
error:
… while calling the 'derivationStrict' builtin
  at <nix/derivation-internal.nix>:34:12:
    33|
    34| strict = derivationStrict drvAttrs;
      | ^
    35|
… while evaluating derivation 'agenix-rekey'
  whose name attribute is located at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/stdenv/generic/make-derivation.nix:336:7
… while evaluating attribute 'text' of derivation 'agenix-rekey'
  at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/build-support/trivial-builders/default.nix:102:17:
    101| ({
    102| inherit text executable checkPhase allowSubstitutes preferLocalBuild;
       | ^
    103| passAsFile = [ "text" ]
(stack trace truncated; use '--show-trace' to show the full, detailed trace)
error: expected a set but found a string: "/nix/store/hjxw6pyqs2f6s8xm2zr8aynciar35zsy-source/nix/secrets/agenix-master-key-3.age"
This happens even when running something incredibly fundamental like agenix rekey --help.
One of the only outputs we see is this:
Collecting information about hosts. This may take a while...
I also saw warnings about not using nodes anymore and favoring nixosConfigurations in the agenix-rekey.configure parameters. This was a trivial change I effected, and made no difference in behavior.
This can be traced to package.nix in agenix-rekey. The next line is where it runs nix run ... #agenix-rekey.${system}.$APP. It doesn’t seem to matter what $APP resolves to. I believe this is the Nix invocation that is failing.
The error itself seems to be in building a derivation, which is probably this run script.
I looked through the configuration more to verify things. pkgs seemed to be a culprit of prior problems I’ve experienced, so I set that. I assumed my build host’s platform of aarch64-darwin and included my overlays, but still no change in behavior.
The next part of this seems to point at ./apps/${app}.nix.
The text attribute is what is complaining, but there is no mention of it in the apps/rekey.nix file. None of the other files under apps have it either. None of the files have mention of masterIdentities either.
Apparently, if one uses --show-trace in all the right places (or just everywhere), a more detailed stack can be found:
agenix --show-trace rekey --show-trace generate --show-trace
With that, we’re able to find the broken line:
… while calling the 'filter' builtin
  at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:64:12:
    63| ''masterIdentityMap[${escapeShellArg (removeSuffix "\n" x.pubkey)}]=${escapeShellArg x.identity}''
    64| ) (filter (x: x.pubkey != null) mergedMasterIdentities)
      | ^
    65| )}
… while calling anonymous lambda
  at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:64:20:
    63| ''masterIdentityMap[${escapeShellArg (removeSuffix "\n" x.pubkey)}]=${escapeShellArg x.identity}''
    64| ) (filter (x: x.pubkey != null) mergedMasterIdentities)
      | ^
    65| )}
… while selecting an attribute
  at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:64:23:
    63| ''masterIdentityMap[${escapeShellArg (removeSuffix "\n" x.pubkey)}]=${escapeShellArg x.identity}''
    64| ) (filter (x: x.pubkey != null) mergedMasterIdentities)
      | ^
    65| )}
Which is line 64 of agenix-rekey/nix/lib.nix. The expression in question is:
(filter (x: x.pubkey != null) mergedMasterIdentities)
And my masterIdentities has no pubkey. That said, I did try the pubkey and identity form and found a new error. I am starting to think this is a bug.
Here’s the error when trying the attrset form:
error: A definition for option `age.rekey.masterIdentities."[definition 1-entry 1]"' is not of type `string or path convertible to it'. Definition values:
- In `<unknown-file>':
    {
      identity = /nix/store/1gd1hrr3wjvz7mk4h9rbhzss4yaqrsw2-source/nix/secrets/agenix-master-key-3.age;
      pubkey = null;
    }
Where the declaration is now this:
masterIdentities = [
  {
    identity = ../secrets/agenix-master-key-3.age;
    pubkey = null;
  }
];
I also tried this:
masterIdentities = [
  {
    identity = ../secrets/agenix-master-key-3.age;
  }
];
Because I have no .pub file. No change in behavior.
For fun I even made up a value for pubkey:
masterIdentities = [
  {
    identity = ../secrets/agenix-master-key-3.age;
    pubkey = "foobar";
  }
];
Is there a mechanism somewhere that’s supposed to coerce direct file references into something that has a pubkey entry?
I started a manual bisect on agenix-rekey. Unfortunately code formatting tools have made this a bit difficult. I managed to get things working again by going back several months, all the way back to my last contribution.
3137e9b1df0724d0af8dbeb8c36f8eee4a26869a
The last time I saw it broken was d6de009fba42ac7f7e9c356142220570c6c07877, “allow rekeying 0 secrets”. So it might be somewhere in between those.
Next iteration: The commit “fix: show an error when no recipients are set in a master identity file” is broken too. c071067f7d972552f5170cf8665643ed0ec19a6d
Well this is unanticipated. I narrowed down the issue to this commit:
c6c1ca5b9ceaaa40fd979fb25bb7043adf4554ad
fix: correctly remove apps from exposed path
The error changes a little, but is ultimately the same I think:
error:
… while calling the 'derivationStrict' builtin
  at <nix/derivation-internal.nix>:34:12:
   33|
   34| strict = derivationStrict drvAttrs;
     | ^
   35|

… while evaluating derivation 'agenix-generate'
  whose name attribute is located at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/stdenv/generic/make-derivation.nix:336:7

… while evaluating attribute 'text' of derivation 'agenix-generate'
  at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/build-support/trivial-builders/default.nix:102:17:
  101| ({
  102| inherit text executable checkPhase allowSubstitutes preferLocalBuild;
     | ^
  103| passAsFile = [ "text" ]

… while evaluating definitions from `/nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/flake.nix':

(stack trace truncated; use '--show-trace' to show the full, detailed trace)

error: cannot coerce a set to a string: { identity = "/nix/store/zidq8pvpbd7g3hpl5qi2v3awy0si1x8a-source/nix/secrets/agenix-master-key-3.age"; pubkey = null; }
The diff:
@@ -57,13 +57,14 @@
# pkgs.age and pkgs.rage.
agePackage ? (p: p.rage),
}:
- flake-utils.lib.eachDefaultSystem (system: {
+ (flake-utils.lib.eachDefaultSystem (system: {
apps = pkgs.${system}.lib.genAttrs allApps (app:
import ./apps/${app}.nix {
inherit nodes userFlake agePackage;
pkgs = pkgs.${system};
});
- });
+ }))
+ .apps;
# XXX: deprecated, scheduled for removal in late 2024. Use the package instead of
# defining apps. This is just a compatibility wrapper that defines apps with
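Review bot: On the added "}))" and ".apps;" lines, selecting .apps from the eachDefaultSystem result changes what this expression evaluates to, and nothing in the hunk documents it. Before, the value was an attrset with a single apps attribute keyed by system; after, it is the per-system attrset itself. Any consumer that still selects .apps from the result, or merges the result into flake outputs as before, will only find out at evaluation time. Suggest a comment above the expression stating the returned shape, and updating every call site in the same commit so the shape change and its consumers land together.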
And this just blows my mind. How could that be causing the issue?!
This change doesn’t seem to have directly permeated back to what’s at the HEAD of main. That said, there seem to be some refactors done that might make the current state less obvious that this is causing the issue.
I can also see here why there would be an issue with overlays not being respected. It does its own import of nixpkgs which doesn’t get any overlays added to it. That’s a separate issue for another day.
When cooking a brand new host image for a Raspberry Pi (which is just a most impressive way to use Nix), one may notice some issues with the host on its first boot.
I’ve seen that only some number of reboots later did it decide to create the swap file. agenix may not lay down its secrets immediately and so services may fail to boot. I think there is an issue describing this for agenix. I can’t speak to the others.
I’ve also noticed it has trouble with my small display sometimes. But in the flicker it makes, sometimes I can make out what seems to be a very small version of a boot or login screen, with its telltale gray and green on black.
This might be indicative of issues with the Raspberry Pi 5 settings. I have seen many issues crop up in the issue trackers, but I haven’t really looked into them since I haven’t gotten that far yet.
I’ve seen this issue when trying to move down in systemctl list-units:
/*** stack smashing detected ***: terminated
I don’t know what it means yet.
This ticket is indicative of trouble, and suggests turning off uboot: nix-community/raspberry-pi-nix#16
Another is to use the rpi4 kernel, which I guess is supposed to work just as well?
I turned off uboot, and rebooted the pi. The screen was blank. I moved the power to the screen from the Pi to a dedicated USB power source, and then replugged the HDMI cable to the screen. The screen immediately showed me a Linux-staged boot sequence, but it’s still going and the print is far too small for me to read.
This makes me think under-voltage caused by the screen could’ve been causing some issues, but it’s hard to say which caused which. This last experimentation was done on selenium but I could fall back to gallium if it’s still having boot issues. For now, gallium is running and seems fairly healthy.
The general error is of the form:
copying path <nix-drv-path> to <host>
error: cannot add path <nix-drv-path> because it lacks a signature by a trusted key.

copying path '/nix/store/rp3ac35r3pfb3fqh3rdqzlzsq67jpnws-source' to 'ssh://gallium.proton'
error: cannot add path '/nix/store/rp3ac35r3pfb3fqh3rdqzlzsq67jpnws-source' because it lacks a signature by a trusted key
These builds take forever and I’m not sure if it’s always dying in the same place.
[ 63%] Building NVCC (Device) object modules/cudaimgproc/CMakeFiles/cuda_compile_1.dir/src/cuda/cuda_compile_1_generated_hough_segments.cu.o
[ 63%] Building CXX object modules/dnn/CMakeFiles/opencv_test_dnn.dir/test/test_main.cpp.o
during RTL pass: dse1
In file included from /build/source/modules/ts/include/opencv2/ts.hpp:126,
                 from /build/source/modules/features2d/test/test_precomp.hpp:7,
                 from /build/source/modules/features2d/test/test_drawing.cpp:7:
/build/source/modules/ts/include/opencv2/ts/ts_gtest.h: In member function 'void testing::internal::ParameterizedTestCaseInfo<TestCase>::RegisterTests() [with TestCase = testing::TestWithParam<std::tuple<perf::Mat>
/build/source/modules/ts/include/opencv2/ts/ts_gtest.h:12117:3: internal compiler error: Segmentation fault
12117 | } // RegisterTests
      | ^
0x17b29be diagnostic_impl(rich_location*, diagnostic_metadata const*, int, char const*, __va_list_tag (*) [1], diagnostic_t)
        ???:0
0x17b2d97 internal_error(char const*, ...)
        ???:0
0xd20acf crash_signal(int)
        ???:0
0x96adcd df_note_compute(bitmap_head*)
        ???:0
0x965831 df_analyze_problem(dataflow*, bitmap_head*, int*, int)
        ???:0
0x965929 df_analyze_1()
        ???:0
0x161f432 (anonymous namespace)::pass_rtl_dse1::execute(function*)
        ???:0
Please submit a full bug report, with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
make[2]: *** [modules/features2d/CMakeFiles/opencv_test_features2d.dir/build.make:230: modules/features2d/CMakeFiles/opencv_test_features2d.dir/test/test_drawing.cpp.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:4866: modules/features2d/CMakeFiles/opencv_test_features2d.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
I noticed that oomd is running. I’ve turned it off and am trying again.
Furthermore, I have forced this to be off for future generations of lithium.
After that:
nvcc error : 'cudafe++' died due to signal 11 (Invalid memory reference)
nvcc error : 'cudafe++' core dumped
CMake Error at cuda_compile_1_generated_reduce.cu.o.Release.cmake:280 (message):
  Error generating file
  /build/source/build/modules/cudaarithm/CMakeFiles/cuda_compile_1.dir/src/cuda/./cuda_compile_1_generated_reduce.cu.o
I confirmed oomd is disabled.
This is exhausting. Can I just use torch-bin?
Another attempt:
[ 9%] Building CXX object modules/imgproc/CMakeFiles/opencv_imgproc.dir/src/emd.cpp.o
[ 9%] Building CXX object modules/imgproc/CMakeFiles/opencv_imgproc.dir/src/featureselect.cpp.o
[ 9%] Building NVCC (Device) object modules/cudaarithm/CMakeFiles/cuda_compile_1.dir/src/cuda/cuda_compile_1_generated_div_mat.cu.o
[ 9%] Building NVCC (Device) object modules/cudaarithm/CMakeFiles/cuda_compile_1.dir/src/cuda/cuda_compile_1_generated_div_scalar.cu.o
during GIMPLE pass: dom
/build/source/modules/imgproc/src/drawing.cpp: In function 'void cv::polylines(cv::InputOutputArray, cv::InputArrayOfArrays, bool, const Scalar&, int, int, int)':
/build/source/modules/imgproc/src/drawing.cpp:2409:6: internal compiler error: Segmentation fault
 2409 | void cv::polylines(InputOutputArray img, InputArrayOfArrays pts,
      | ^~
0x17b29be diagnostic_impl(rich_location*, diagnostic_metadata const*, int, char const*, __va_list_tag (*) [1], diagnostic_t)
        ???:0
0x17b2d97 internal_error(char const*, ...)
        ???:0
0xd20acf crash_signal(int)
        ???:0
0xeb3110 expr_hash_elt::~expr_hash_elt()
        ???:0
0xe13271 (anonymous namespace)::pass_dominator::execute(function*)
        ???:0
Please submit a full bug report, with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.