Nix

Here I store my notes regarding Nix as it pertains to this repository. This will include some findings and also projects I’m working on. I do have separate notes for Nix in my private notes repository, and I haven’t yet come up with a method of consolidating them.

This helps me close the many tabs I have open. This is very incomplete and I have many more tabs to go. I think I like this as a general “wut I do in Nix” scratch pad though.

creating new hosts

host file

Look up the next element in the periodic table, and then create that under nix/hosts.

BIOS systems

Not a lot must be done here to accommodate BIOS, since a bootable partition is simply bootable. There might have to be some adjustments made in the BIOS settings. Despite how simple this process is, it is essentially dead already. New systems will use UEFI and thus see UEFI systems.

UEFI systems

Unfortunately you cannot create a bootable image and simply slap it into a UEFI system, because that UEFI system has to be told where to boot. I’ve read that one can simply create a boot partition and put certain files in the right place. Nix does this, or can be taught to do this. In any case, I have verified the magic files went into the magic locations, but still no joy.

Instead, boot into the system using the detachable USB drive. The host is called nucleus.proton on boot. From there, you should be able to do a remote deployment. Unfortunately proton-deploy does not accommodate this activity yet. You can add it, or you can use remote-deploy --enter-via nucleus.proton .... It is recommended to use proton-deploy though, due to security concerns.

Raspberry Pi

The Raspberry Pi uses its own proprietary boot system. Sometimes it can use something called uboot, which may or may not be proprietary.

modules

initial deployment steps

For these, use the following invocation:

host='my-host'; nom build ".#nixosConfigurations.${host}.config.system.build.sdImage" --show-trace --verbose  --accept-flake-config

But, you know, change host.

Once that’s complete, use image-deploy thusly, with your SD card plugged in:

image-deploy --image result/sd-image/*.img.zst

Once it’s done, and the partition table looks fleshed out, remove the SD card (no eject/unmount needed). Plug it into the Pi and boot the Pi.

agenix has some trouble with this configuration and needs some help getting bootstrapped. Use proton-deploy to the image to help it lay down everything needed. I thought I read this needed a reboot, but I was incorrect about that - the reboot does nothing.

Part of the problem is that the host key that was laid down differs from the one used in the initial build. I haven’t figured out how to get around this yet, and from my recollection of reading oddllama’s dotfiles, it’s not possible yet.

So scan the host key into the right location:

host='host'; ssh-keyscan $host.proton | grep -o 'ssh-ed25519.*' > secrets/$host-pub-key.pub

A quick git status will show the host pub key has changed.

agenix rekey -a

Then do another proton-deploy switch $host. This should fix everything.

projects

These are all the Nix-related projects I have.

comfyui

setting up lithium

This is largely done.

finishing the comfyui NixOS module [0/7]

I am working on helping finish a pull request started by @fazo96 here: NixOS/nixpkgs#268378

I was able to get things running locally and have been enjoying the functionality there for some time, as well as putting it through its paces. My most notable improvement was getting the model stuff more or less sorted out, and declarative in a clean way. There remain some feedback items to address, but everything works.

In addition to the work left, there is a lingering question about some similar work done by @lboklin on nixified-ai#94. I’ve brought in some of the work, but many commits have been added to it since then and I haven’t taken a look yet.

In addition to feedback items, but as part of a separate pull request, I feel the need to also add a wiki or documentation entry showing how one could run comfyui using Nix.

My tasks that remain for the pull request:

Fix pytorch-bin overrides

I have this error when using this override in my overlays:

pythonPackagesExtensions = [(py-final: py-prev: {
  torch = py-final.pytorch-bin;
})];

The error:

trace: warning: cudaPackages.autoAddDriverRunpath is deprecated, use pkgs.autoAddDriverRunpath instead
error:
       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1571:24:

         1570|     let f = attrPath:
         1571|       zipAttrsWith (n: values:
             |                        ^
         1572|         let here = attrPath ++ [n]; in

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1205:18:

         1204|         mapAttrs
         1205|           (name: value:
             |                  ^
         1206|             if isAttrs value && cond value

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1208:18:

         1207|             then recurse (path ++ [ name ]) value
         1208|             else f (path ++ [ name ]) value);
             |                  ^
         1209|     in

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:242:72:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          243|

       … while evaluating the option `system.build.toplevel':

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:824:28:

          823|         # Process mkMerge and mkIf properties.
          824|         defs' = concatMap (m:
             |                            ^
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/activation/top-level.nix':

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:825:137:

          824|         defs' = concatMap (m:
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          826|         ) defs;

       … while calling 'dischargeProperties'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:896:25:

          895|   */
          896|   dischargeProperties = def:
             |                         ^
          897|     if def._type or "" == "merge" then

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/activation/top-level.nix:71:12:

           70|   # Replace runtime dependencies
           71|   system = foldr ({ oldDependency, newDependency }: drv:
             |            ^
           72|       pkgs.replaceDependency { inherit oldDependency newDependency drv; }

       … while calling 'foldr'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:121:20:

          120|   */
          121|   foldr = op: nul: list:
             |                    ^
          122|     let

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:128:8:

          127|         else op (elemAt list n) (fold' (n + 1));
          128|     in fold' 0;
             |        ^
          129|

       … while calling 'fold''

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:124:15:

          123|       len = length list;
          124|       fold' = n:
             |               ^
          125|         if n == len

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/activation/top-level.nix:68:10:

           67|     then throw "\nFailed assertions:\n${concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}"
           68|     else showWarnings config.warnings baseSystem;
             |          ^
           69|

       … while calling 'showWarnings'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/trivial.nix:867:28:

          866|
          867|   showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             |                            ^
          868|

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/trivial.nix:867:33:

          866|
          867|   showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             |                                 ^
          868|

       … while calling 'foldr'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:121:20:

          120|   */
          121|   foldr = op: nul: list:
             |                    ^
          122|     let

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:128:8:

          127|         else op (elemAt list n) (fold' (n + 1));
          128|     in fold' 0;
             |        ^
          129|

       … while calling 'fold''

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:124:15:

          123|       len = length list;
          124|       fold' = n:
             |               ^
          125|         if n == len

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1205:18:

         1204|         mapAttrs
         1205|           (name: value:
             |                  ^
         1206|             if isAttrs value && cond value

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1208:18:

         1207|             then recurse (path ++ [ name ]) value
         1208|             else f (path ++ [ name ]) value);
             |                  ^
         1209|     in

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:242:72:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          243|

       … while evaluating the option `warnings':

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:824:28:

          823|         # Process mkMerge and mkIf properties.
          824|         defs' = concatMap (m:
             |                            ^
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/boot/systemd.nix':

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:825:137:

          824|         defs' = concatMap (m:
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          826|         ) defs;

       … while calling 'dischargeProperties'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:896:25:

          895|   */
          896|   dischargeProperties = def:
             |                         ^
          897|     if def._type or "" == "merge" then

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1096:10:

         1095|     attrs:
         1096|     map (name: f name attrs.${name}) (attrNames attrs);
             |          ^
         1097|

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1096:16:

         1095|     attrs:
         1096|     map (name: f name attrs.${name}) (attrNames attrs);
             |                ^
         1097|

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/boot/systemd.nix:443:16:

          442|       mapAttrsToList
          443|         (name: service:
             |                ^
          444|           let

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/boot/systemd.nix:450:16:

          449|             concatLists [
          450|               (optional (type == "oneshot" && (restart == "always" || restart == "on-success"))
             |                ^
          451|                 "Service '${name}.service' with 'Type=oneshot' cannot have 'Restart=always' or 'Restart=on-success'"

       … while calling 'optional'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:784:20:

          783|   */
          784|   optional = cond: elem: if cond then [elem] else [];
             |                    ^
          785|

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1205:18:

         1204|         mapAttrs
         1205|           (name: value:
             |                  ^
         1206|             if isAttrs value && cond value

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1208:18:

         1207|             then recurse (path ++ [ name ]) value
         1208|             else f (path ++ [ name ]) value);
             |                  ^
         1209|     in

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:242:72:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          243|

       … while evaluating the option `systemd.services.comfyui.serviceConfig':

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:824:28:

          823|         # Process mkMerge and mkIf properties.
          824|         defs' = concatMap (m:
             |                            ^
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/system/boot/systemd.nix':

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:825:137:

          824|         defs' = concatMap (m:
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          826|         ) defs;

       … while calling 'dischargeProperties'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:896:25:

          895|   */
          896|   dischargeProperties = def:
             |                         ^
          897|     if def._type or "" == "merge" then

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1205:18:

         1204|         mapAttrs
         1205|           (name: value:
             |                  ^
         1206|             if isAttrs value && cond value

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/attrsets.nix:1208:18:

         1207|             then recurse (path ++ [ name ]) value
         1208|             else f (path ++ [ name ]) value);
             |                  ^
         1209|     in

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:242:72:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          243|

       … while evaluating the option `systemd.services.comfyui.preStart':

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:824:28:

          823|         # Process mkMerge and mkIf properties.
          824|         defs' = concatMap (m:
             |                            ^
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/nixos/modules/services/web-apps/comfyui.nix':

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:825:137:

          824|         defs' = concatMap (m:
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          826|         ) defs;

       … while calling 'dischargeProperties'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/modules.nix:896:25:

          895|   */
          896|   dischargeProperties = def:
             |                         ^
          897|     if def._type or "" == "merge" then

       … while evaluating derivation 'comfyui-unstable-2024-04-15'
         whose name attribute is located at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:331:7

       … while evaluating attribute 'installPhase' of derivation 'comfyui-unstable-2024-04-15'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/by-name/co/comfyui/package.nix:110:3:

          109|
          110|   installPhase = ''
             |   ^
          111|     runHook preInstall

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/by-name/co/comfyui/package.nix:86:16:

           85|
           86|   executable = writers.writeDashBin "comfyui" ''
             |                ^
           87|     cd $out && \

       … while calling 'writeDash'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/build-support/writers/scripts.nix:233:21:

          232|   #     ''
          233|   writeDash = name: argsOrScript:
             |                     ^
          234|     if lib.isAttrs argsOrScript && ! lib.isDerivation argsOrScript

       … while evaluating derivation 'python3-3.11.9-env'
         whose name attribute is located at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:331:7

       … while evaluating attribute 'passAsFile' of derivation 'python3-3.11.9-env'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/build-support/trivial-builders/default.nix:69:9:

           68|         inherit buildCommand name;
           69|         passAsFile = [ "buildCommand" ]
             |         ^
           70|           ++ (derivationArgs.passAsFile or [ ]);

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/development/interpreters/python/wrapper.nix:20:13:

           19|   env = let
           20|     paths = requiredPythonModules (extraLibs ++ [ python ] ) ;
             |             ^
           21|     pythonPath = "${placeholder "out"}/${python.sitePackages}";

       … while calling 'requiredPythonModules'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/development/interpreters/python/python-packages-base.nix:54:27:

           53|   # Get list of required Python modules given a list of derivations.
           54|   requiredPythonModules = drvs: let
             |                           ^
           55|     modules = lib.filter hasPythonModule drvs;

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/lists.nix:1793:25:

         1792|   */
         1793|   unique = foldl' (acc: e: if elem e acc then acc else acc ++ [ e ]) [];
             |                         ^
         1794|

       … while evaluating derivation 'python3.11-torchaudio-2.3.1'
         whose name attribute is located at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:331:7

       … while evaluating attribute 'TORCH_CUDA_ARCH_LIST' of derivation 'python3.11-torchaudio-2.3.1'

         at «none»:0: (source not available)

       … while calling anonymous lambda

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:576:11:

          575|     mapAttrs
          576|       (n: v: assert assertMsg (isString v || isBool v || isInt v || isDerivation v)
             |           ^
          577|         "The ‘env’ attribute set can only contain derivation, string, boolean or integer attributes. The ‘${n}’ attribute is of type ${builtins.typeOf v}."; v)

       … from call site

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/stdenv/generic/make-derivation.nix:576:21:

          575|     mapAttrs
          576|       (n: v: assert assertMsg (isString v || isBool v || isInt v || isDerivation v)
             |                     ^
          577|         "The ‘env’ attribute set can only contain derivation, string, boolean or integer attributes. The ‘${n}’ attribute is of type ${builtins.typeOf v}."; v)

       … while calling 'assertMsg'

         at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/lib/asserts.nix:41:5:

           40|     pred:
           41|     msg:
             |     ^
           42|     pred || builtins.throw msg;

       error: attribute 'cudaCapabilities' missing

       at /nix/store/58g9mmyj8ja8i0cp4s4j367h1kgjdabw-source/pkgs/development/python-modules/torchaudio/default.nix:100:56:

           99|   env = {
          100|     TORCH_CUDA_ARCH_LIST = "${lib.concatStringsSep ";" torch.cudaCapabilities}";
             |                                                        ^
          101|   };

I’m trying a pytorch build once again (getting away from the cachix stuff would be great).

ldap

https://nixos.wiki/wiki/OpenLDAP

[2024-06-08 Sat]

I have nickel building. I was dumbly copying over the .zst file which can never boot because it’s a compressed archive. After decompressing it, I was able to boot nickel just fine. Questions remain on how I got it to that state, and what purpose exists for all the other fancy stuff I have found regarding Raspberry Pi and Nix.

My knowledge about LDAP is weak. I’ve had trouble setting it up, and I’ve been copying examples from the NixOS Wiki in hopes of making things work. So far the snippets are not working because the options validation is failing - it’s not even getting to LDAP yet. This is while declaring the password policy for LDAP. The current error is:

error: A definition for option `services.openldap.settings.children."olcDatabase={1}mdb".attrs."olcOverlay={2}ppolicy"' is not of type `(LDAP value - either a string, or an attrset containing
`path` or `base64` for included
values or base-64 encoded values respectively.
) or list of (LDAP value - either a string, or an attrset containing
`path` or `base64` for included
values or base-64 encoded values respectively.
)'. Definition values:
- In `/nix/store/v24qicc8f4h1xafv4qzbn49crg6h2nvb-source/flake.nix':
    {
      attrs = {
        objectClass = [
          "olcOverlayConfig"
          "olcPPolicyConfig"
    ...

And the code for that is:

"olcOverlay={2}ppolicy".attrs = {
  objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
  olcOverlay = "{2}ppolicy";
  olcPPolicyHashCleartext = "TRUE";
};

Put in greater context:

services.openldap = {
  enable = true;
  urlList = [
    "ldaps:///"
  ];
  declarativeContents = {
    "dc=proton,dc=org" = ''
    ...
        '';
  };
  settings = {
    attrs = {
      # ...
    };
    children = {
      "cn=schema".includes = [
        "${pkgs.openldap}/etc/schema/core.ldif"
        "${pkgs.openldap}/etc/schema/cosine.ldif"
        "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
      ];
      "olcDatabase={1}mdb".attrs = {
        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
        olcDatabase = "{1}mdb";
        olcDbDirectory = "/var/lib/openldap/data";
        olcSuffix = "dc=proton,dc=org";
        /* your admin account, do not use writeText on a production system */
        olcRootDN = "cn=admin,dc=proton,dc=org";
        # Untested.  Should work but no run done yet.
        olcRootPW.path = config.age.secrets.ldap-root-pass.path;
        olcAccess = [
          /* custom access rules for userPassword attributes */
          ''{0}to attrs=userPassword
              by self write
              by anonymous auth
              by * none''
          /* allow read on anything else */
          ''{1}to *
              by * read''
        ];

        # TODO: This doesn't validate in Nix for some reason.  Need to
        # investigate.
        "olcOverlay={2}ppolicy".attrs = {
          objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
          olcOverlay = "{2}ppolicy";
          olcPPolicyHashCleartext = "TRUE";
        };

        "olcOverlay={3}memberof".attrs = {
          objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
          olcOverlay = "{3}memberof";
          olcMemberOfRefInt = "TRUE";
          olcMemberOfDangling = "ignore";
          olcMemberOfGroupOC = "groupOfNames";
          olcMemberOfMemberAD = "member";
          olcMemberOfMemberOfAD = "memberOf";
        };

        "olcOverlay={4}refint".attrs = {
          objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ];
          olcOverlay = "{4}refint";
          olcRefintAttribute = "memberof member manager owner";
        };
      };
    };
  };
};

This makes me wonder if this stuff is actually recursively nested even though the settings declaration in nixpkgs’ openldap.nix suggests otherwise.

I have found no tickets in nixpkgs yet.

Upon further reading for the OpenLDAP Nix Wiki page, I can see this is not placed correctly. The ppolicy and other sections must be under olcDatabase={1}mdb. I have applied the edits but cannot test it yet.
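The placement described above, written out as an added example (it is not the author's configuration): the overlay entries move from the database's attrs, whose values must be LDAP values, to its children. Names and values are the ones from the notes; the module assumes the rest of services.openldap is defined elsewhere and that the ppolicy, memberof and refint overlays are available to slapd.

```nix
# Added example, not the author's configuration. A NixOS module that defines
# only the database entry; it merges with the rest of services.openldap
# (enable, urlList, cn=schema, declarativeContents).
{ config, ... }:
{
  services.openldap.settings.children."olcDatabase={1}mdb" = {
    # attrs: the LDAP attributes of this entry. Each value must be a string,
    # a list of strings, or { path = ...; } / { base64 = ...; }.
    # Nesting "olcOverlay=...".attrs = { ... } in here is what produces the
    # "is not of type (LDAP value ...)" error quoted above.
    attrs = {
      objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
      olcDatabase = "{1}mdb";
      olcDbDirectory = "/var/lib/openldap/data";
      olcSuffix = "dc=proton,dc=org";
      olcRootDN = "cn=admin,dc=proton,dc=org";
      # Reference the agenix-decrypted file instead of a literal, so only the
      # path (not the root password) ends up in the world-readable Nix store.
      # The file must be readable by the account slapd runs as.
      olcRootPW.path = config.age.secrets.ldap-root-pass.path;
      olcAccess = [
        /* userPassword: the owner may change it, anonymous may only bind */
        ''{0}to attrs=userPassword
            by self write
            by anonymous auth
            by * none''
        /* everything else is readable */
        ''{1}to *
            by * read''
      ];
    };

    # children: entries below this one in cn=config. Each overlay is its own
    # entry, so it gets its own attrs set here.
    children = {
      "olcOverlay={2}ppolicy".attrs = {
        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
        olcOverlay = "{2}ppolicy";
        # Hash cleartext passwords sent in add/modify requests before storing.
        olcPPolicyHashCleartext = "TRUE";
      };

      "olcOverlay={3}memberof".attrs = {
        objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
        olcOverlay = "{3}memberof";
        olcMemberOfRefInt = "TRUE";
        olcMemberOfDangling = "ignore";
        olcMemberOfGroupOC = "groupOfNames";
        olcMemberOfMemberAD = "member";
        olcMemberOfMemberOfAD = "memberOf";
      };

      "olcOverlay={4}refint".attrs = {
        objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ];
        olcOverlay = "{4}refint";
        olcRefintAttribute = "memberof member manager owner";
      };
    };
  };
}
```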

[2024-06-05 Wed]

I want to run LDAP on nickel, which is a Raspberry Pi version 4 model B. I have built for the 3 or 4 before with great success (see my Nix Adventures blog post). However it hasn’t been building lately due to things moving around. So I have some work via raspberry pi builds that I need to complete first.

There is a big deprecated section I copied unwittingly.

raspberry pi

raspberry pi builds via raspberry-pi-nix

nix build '.#nixosConfigurations.cobalt-pi.config.system.build.sdImage' --system 'aarch64-linux' --no-eval-cache

nixpkgs#260754 led me to using raspberry-pi-nix for building Raspberry Pi images. I would like to tie that in with nixos-generators if at all reasonable.

Example of raspberry-pi-nix: https://github.com/tstat/raspberry-pi-nix-example/blob/master/flake.nix

The documentation on the official Wiki for Raspberry Pi is outdated, as is typical. I might want to update it when I get everything working.

Out of the box, raspberry-pi-nix didn’t work for me. I filed raspberry-pi-nix#17 for the issue I was having with patches to the kernel not applying properly. I have since then done a lot of pinning on my flake inputs, and now it’s building. I don’t have success yet, but it’s still going after 5-ish hours - I am well past the patching phase. I’ve closed out the ticket with those notes.

From that ticket, @tstat did show me how to do this to look at a derivation’s output metadata:

nix derivation show '.#nixosConfigurations.nickel.config.boot.kernelPackages.kernel'

I tried using the Cachix builds, but couldn’t get them to work. It’s not obvious how to debug it. The Cachix FAQ has some things to try there but nothing seemed to work for me. I couldn’t get the negative caching to work (as in it just seemed to do nothing). The Cachix folks seem eager to help with this, but I just haven’t pursued that yet.

When building an older version, I ran into a “NAR mismatch”. raspberry-pi-nix is pinned to raspberrypi/linux#stable_20231123. I don’t know why this is. I did find @lilyball ran into that same issue with raspberry-pi-nix#2 building on aarch64-darwin. I’d run into it there too. She moved her /nix partition to case-sensitive APFS. I asked and she said she moved everything to a new partition, and replaced the old partition with the new. Some folks have done this via a Time Machine backup and restore. Rightly, @lilyball asked in nix#2415 if we can’t just make that the default since APFS is the default filesystem for Nix nowadays. There is no reply yet. Other possible reasons for a NAR mismatch are Flake inputs using follows improperly/inconsistently, or the lock file being borked per nix#6061. There is some prior work on preventing mismatches, but I don’t think this is what’s affecting me.

I’d tried less extreme options. Building via linux-builder directly didn’t work, because linux-builder is a slimmed down NixOS, and isn’t a fully operational NixOS VM. I can’t run nix build or nixos-rebuild switch.

My build of the kernel on lithium has been running for over 24 hours…

raspberry pi builds via nixos-generators

[2024-06-05 Wed]

nix build '.#cobalt-nixos-generate' --system 'aarch64-linux' --no-eval-cache

Date is guessed - this is the earliest entry.

I’m paused on this in favor of raspberry pi builds via raspberry-pi-nix.

https://github.com/nix-community/nixos-generators

This is mostly a light wrapper around images in nixpkgs that allows directly building images. I don’t quite understand why this is needed and one cannot build directly via nixpkgs.

This is a GitHub search of other people using formatConfigs.

nixos-generators#203 simplifies the building of Raspberry Pi images by removing all of the local configuration and instead leaning on what’s in nixpkgs, since it’s being handled there now. Unfortunately sd-aarch64 has recently been migrated to just be an SD card for aarch64 in a general sense, and now there’s an sd-aarch64-raspberrypi file/image for Raspberry Pi but nixos-generators has not followed it. I have been trying to make this work via formatConfigs but I had some trouble with it. Eventually I found out that the identifiers like sdImage are hard coded somewhere. I don’t know why or where, but I feel this should be documented in nixos-generators and I would like to contribute to this.

I think customFormats is the old way of doing this. There is an example of it in Discourse.

nixos-generators#168 remains as an issue - I noticed the sd-aarch64-installer and sd-aarch64 both refer to the same nixpkgs entity (file/module?). Because of this, it seems like there’s no difference between the two. Some of the work I was thinking about contributing might relate to this. The findings of the last comment are now outdated because of the move to sd-aarch64-raspberrypi et al.

One thing I haven’t tried in this journey is looking at image compression. I’ve seen mention (link?) that the image needs to be decompressed - I don’t want to just dd a zst file over to the SD card. There’s something that can be done to emit a raw image, but I don’t know what it is - I think there is a mechanism for it. I believe most of my tests were done against zst, which would render virtually all of my testing here invalid.

[2024-06-10 Mon]

I continue to run into this issue:

error: Package ‘linux-6.1.63-stable_20231123’ in /nix/store/v24qicc8f4h1xafv4qzbn49crg6h2nvb-source/pkgs/os-specific/linux/kernel/linux-rpi.nix:9 is not available on the requested hostPlatform:
         hostPlatform.config = "aarch64-unknown-linux-gnu"
         package.meta.platforms = [
           "armv7a-darwin"
           "armv5tel-linux"
           "armv6l-linux"
           "armv7a-linux"
           "armv7l-linux"
           "armv6l-netbsd"
           "armv7a-netbsd"
           "armv7l-netbsd"
           "arm-none"
           "armv6l-none"
         ]
         package.meta.badPlatforms = [ ]
       , refusing to evaluate.

       a) To temporarily allow packages that are unsupported for this system, you can use an environment variable
          for a single invocation of the nix tools.

            $ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) For `nixos-rebuild` you can set
         { nixpkgs.config.allowUnsupportedSystem = true; }
       in configuration.nix to override this.

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
         { allowUnsupportedSystem = true; }
       to ~/.config/nixpkgs/config.nix.

This is the case when using the following invocation:

nix build '.#cobalt-nixos-generate' --system 'aarch64-linux' --no-eval-cache

I’ve tried excluding all modules, but still no joy. I don’t know if the builders are set up properly at all. I don’t know how to test it. I used to be able to see it about 6 months ago, but not anymore. That this is the same exact issue with raspberry-pi-nix and even the standard means of doing this makes me think that my builders are not working at all. But also there could be other issues going on with the kernel package.

raspberry pi builds to zstd

I don’t know how these builds were working. One of the above perhaps? This emits an image in zstd format. I’ve been using dd on that file directly, like an idiot. If I decompress that file and then copy it, well, it just works! So how did I do that? And can I use that method and document it down the road?
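The failure described above (the .zst file written to the card as-is instead of the decompressed image) can be detected mechanically, both before the write and on the card afterwards. This is an added example, not part of the original notes; the function names and the IMAGE/DEVICE arguments are assumptions, and it relies only on the zstd frame magic number and the 55 aa boot-sector signature.

```shell
# Added example: helper functions only. Source this file, then run
#   write_image IMAGE DEVICE
# where IMAGE is the build output and DEVICE is the SD card (placeholders).

# A zstd frame starts with the magic number 0xFD2FB528 stored little-endian,
# so the first four bytes on disk are 28 b5 2f fd.
ZSTD_MAGIC=28b52ffd

# hex_at FILE OFFSET COUNT: print COUNT bytes at OFFSET as contiguous hex.
# Prints nothing when the file is shorter than OFFSET.
hex_at() {
  od -An -v -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# classify FILE: print "zstd", "disk" or "unknown".
# "disk" means the first sector ends in 55 aa, the boot signature carried by
# an MBR and by the protective MBR of a GPT disk.
classify() {
  if [ "$(hex_at "$1" 0 4)" = "$ZSTD_MAGIC" ]; then
    echo zstd
  elif [ "$(hex_at "$1" 510 2)" = 55aa ]; then
    echo disk
  else
    echo unknown
  fi
}

# write_image SRC DEST: copy SRC to DEST, decompressing when SRC is zstd,
# then read DEST back and confirm it starts like a disk image.
# Returns 0 on success, 1 on a failed write or check, 2 for an unrecognised
# source, 3 when zstd is needed but not installed.
write_image() {
  case "$(classify "$1")" in
    zstd)
      command -v zstd >/dev/null || { echo "zstd is not installed" >&2; return 3; }
      # Test the whole frame first so a truncated file never reaches the card.
      zstd -tq "$1" || return 1
      zstd -dc "$1" | dd of="$2" bs=4194304 2>/dev/null || return 1
      ;;
    disk)
      dd if="$1" of="$2" bs=4194304 2>/dev/null || return 1
      ;;
    *)
      echo "refusing to write $1: neither zstd nor a raw disk image" >&2
      return 2
      ;;
  esac
  sync
  # A card that received the compressed file verbatim classifies as "zstd".
  [ "$(classify "$2")" = disk ]
}
```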

Some issues I’ve had:

  1. When trying out nixos-generators, I now run into an issue where linux-builder won’t build the image due to uboot not building for armv7l-linux (the target I should use for the Pi, I guess) - it wants armv6l-linux. But I’m supposed to use armv7l-linux I think?
  2. The issue is something up with supported build platforms / qemu emulation. I think I’ve moved past that mostly, onto the specific uboot issue above.

I don’t know how this image got emitted, what its hardware support looks like, and if there’s anything additional I will want to do with it. I suppose if I can do a pure nixpkgs setup then all the work going into nixos-generators and raspberry-pi-nix must do something extra, right? Or is it just a bunch of people working on the same problems but not coordinating with each other? My experience with my own open source work indicates it might be the latter, but also me doing things incorrectly is a constant factor in every problem I run into.

percol doesn’t consistently build

Something about the dependencies coming from pypi.

secrets

agenix-rekey automatic self-signed TLS CA and leaf certificates

I have some promising progress here for contributing back into agenix-rekey. See ./nixos-modules/secrets.nix for details.

help error message for agenix-rekey if agenix is incorrectly included

I said I would work on this per my two tickets I filed.

look into a security.pki.extraTrustedCertificates in nix-darwin [0/2]

fix my work machine always prompts for a password

Using the command line invocation to add the trust (see ./darwin.nix), a password prompt always comes up. This doesn’t happen on my personal. What’s the difference? More importantly: Can we avoid it?

NixOS module for nix-darwin

I need to check if this exists already, but I don’t think it does.

external CA

Get a domain for public hosting. Get a wildcard certificate probably, because I just don’t want to mess with it.

mail server

A long way away, but I want this done too. I was going to use some pre-built mail server image (I forgot the name), but now that I’m on the Nix boat, I want it in Nix.

octoprint

Ender 3 Pro

Convert this to Nix. Currently uses OctoPrint.

argon.proton is the current host.

laser engraver

Convert this to Nix. Currently uses OctoPrint with a plugin.

wireguard

replace old host

It’s been down for some time. I want to spin up a new copy entirely.

Japan bridge

This is a Pi I send home to the Japan family to set up a regional bridge between this network and theirs.

nextcloud

Migrate my existing nextcloud to a Nix based one. silicon.proton is the current host.

gitea

Yes please. This is cobalt I think.

incremental backups

Oh boy this is going to be its own project probably.

Nix

Generations

List generations

# Alas, this isn't supported yet: https://github.com/NixOS/nix/pull/6911
export NO_COLOR=1
nix profile history --profile /nix/var/nix/profiles/system

conditional values

lib.mkIf

lib.mkIf either includes the value given or an empty attrset depending on the evaluation of the condition. In other words, this is for any attrset. For lists, see lib.optionals.

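let
  # lib.mkIf builds a conditional definition; the module system resolves it
  # when it merges option values.
  a = lib.mkIf true { foo = "bar"; };  # Resolved to { foo = "bar"; }.
  b = lib.mkIf false { foo = "bar"; }; # Resolved to nothing, i.e. {}.
  # `//` is a plain attrset update and does not resolve lib.mkIf, so use
  # lib.optionalAttrs when combining with `//`.
  # Returns { foo = "bar"; baz = "qux"; }.
  c = { foo = "bar"; } // (lib.optionalAttrs true { baz = "qux"; });
  # Returns { foo = "bar"; }.
  d = { foo = "bar"; } // (lib.optionalAttrs false { baz = "qux"; });
in {}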

lib.optionals

lib.optionals includes the provided list if the condition is true. If false, an empty list is given. For an attrset, see lib.mkIf.

let
  a = lib.optionals true [ "foo" ];  # Returns [ "foo" ].
  b = lib.optionals false [ "foo" ]; # Returns [].
  # Lists are concatenated with `++` (`//` only works on attrsets).
  # Returns [ "foo" "bar" ].
  c = [ "foo" ] ++ (lib.optionals true [ "bar" ]);
  # Returns [ "foo" ].
  d = [ "foo" ] ++ (lib.optionals false [ "bar" ]);
in {}

options that may not exist

While I was working on comfyui and started using different nixpkgs versions across hosts, I started running into problems with shared modules. Some would set services.comfyui and attributes under it, and this would cause Nix evaluation failures for hosts that didn’t know about it in their nixpkgs.

First, find or create your imports for the module in question. Next, use lib.mkIf and check for the existence of the option with builtins.hasAttr "comfyui" options.services. Then, in the key, allow the key name to evaluate to null based on a check.

imports = [
  (lib.mkIf (builtins.hasAttr "comfyui" options.services) {
    # This is kind of magical.  See
    # https://nix.dev/manual/nix/2.17/language/values.html?highlight=coerced#attribute-set
    # but basically if the attribute name evaluates to null then the attribute
    # won't exist.  Without this hack, we get `The option `services.comfyui'
    # does not exist.`.  This is a special case and one cannot use null as a
    # key name.
    services.${
      if (builtins.hasAttr "comfyui" options.services)
      then "comfyui"
      else null
    } = {
      package = pkgs.comfyui-rocm;
      rocmSupport = true;
    };
  })
];

This is the best way to avoid config.modules and lib.mkMerge while also keeping things relatively simple. I should make a helper for this though.

To include a package conditionally, use this:

imports = [
  # cyme isn't available on all versions of nixpkgs I use.
  (lib.mkIf (builtins.hasAttr "cyme" pkgs) {
    environment.systemPackages =
      if (builtins.hasAttr "cyme" pkgs)
      then [
        # Allows us to query the status of USB devices.  This uses lsusb or
        # system_profiler -json under the hood in a cross-platform manner.
        # Unfortunately it does not work on non-USB devices (like SD cards)
        # like one might think.  This is _not_ for storage devices (many
        # things imply it will work, but it won't).
        pkgs.cyme
      ]
      else []
    ;
  })
];

Troubleshooting

age attribute missing

Fixed via PR: oddlama/agenix-rekey#56

This error appears when running agenix rekey -a.

The exact error is:

error: attribute 'age' missing
at /nix/store/zy9vgszqqqh51wmk8cjj6hghx6fydwbi-source/apps/rekey.nix:41:43:
    40|
    41|   nodesWithDerivationStorage = filter (x: x.config.age.rekey.storageMode == "derivation") (attrValues nodes);
      |                                           ^
    42|

This means there is a host that doesn’t have agenix on it as a module. Find the host in your flake.nix and remove the entry, then run again.

If we could somehow print the x on the error, we’d be in a great spot to find the issue.

agenix or agenix rekey throws expected a set but found a string:

When this happens you’ll see the value is the path to an element inside of the agenix.rekey.masterIdentities list.

The full error:

error:
       … while calling the 'derivationStrict' builtin
         at <nix/derivation-internal.nix>:34:12:
           33|
           34|   strict = derivationStrict drvAttrs;
             |            ^
           35|

       … while evaluating derivation 'agenix-rekey'
         whose name attribute is located at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/stdenv/generic/make-derivation.nix:336:7

       … while evaluating attribute 'text' of derivation 'agenix-rekey'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/build-support/trivial-builders/default.nix:102:17:
          101|       ({
          102|         inherit text executable checkPhase allowSubstitutes preferLocalBuild;
             |                 ^
          103|         passAsFile = [ "text" ]

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: expected a set but found a string: "/nix/store/hjxw6pyqs2f6s8xm2zr8aynciar35zsy-source/nix/secrets/agenix-master-key-3.age"

This happens even when running something incredibly fundamental like agenix rekey --help.

One of the only outputs we see is this:

Collecting information about hosts. This may take a while...

I also saw warnings about not using nodes anymore and favoring nixosConfigurations in the agenix-rekey.configure parameters. This was a trivial change I effected, and made no difference in behavior.

This can be traced to package.nix in agenix-rekey. The next line is where it runs nix run ... #agenix-rekey.${system}.$APP. It doesn’t seem to matter what $APP resolves to. I believe this is the Nix invocation that is failing. The error itself seems to be in building a derivation, which is probably this run script.

I looked through the configuration more to verify things. pkgs seemed to be a culprit of prior problems I’ve experienced, so I set that. I assumed my build host’s platform of aarch64-darwin and included my overlays, but still no change in behavior.

The next part of this seems to point at ./apps/${app}.nix.

The text attribute is what is complaining, but there is no mention of it in the apps/rekey.nix file. None of the other files under apps have it either. None of the files have mention of masterIdentities either.

Apparently, if one uses --show-trace in all the right places (or just everywhere), a more detailed stack can be found:

agenix --show-trace rekey --show-trace generate --show-trace

Collecting information about hosts. This may take a while...
warning: Git tree '/Users/logan/dev/dotfiles' is dirty
error:
       … while calling the 'derivationStrict' builtin
         at <nix/derivation-internal.nix>:34:12:
           33|
           34|   strict = derivationStrict drvAttrs;
             |            ^
           35|

       … while evaluating derivation 'agenix-generate'
         whose name attribute is located at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/stdenv/generic/make-derivation.nix:336:7

       … while evaluating attribute 'text' of derivation 'agenix-generate'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/build-support/trivial-builders/default.nix:102:17:
          101|       ({
          102|         inherit text executable checkPhase allowSubstitutes preferLocalBuild;
             |                 ^
          103|         passAsFile = [ "text" ]

       … while calling the 'concatStringsSep' builtin
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:246:7:
          245|   KNOWN_SECRETS=(
          246|     ${concatStringsSep "\n" (map (x: escapeShellArg x.sourceFile) (attrValues secretsWithContext))}
             |       ^
          247|   )

       … while calling the 'map' builtin
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:246:30:
          245|   KNOWN_SECRETS=(
          246|     ${concatStringsSep "\n" (map (x: escapeShellArg x.sourceFile) (attrValues secretsWithContext))}
             |                              ^
          247|   )

       … while calling the 'attrValues' builtin
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:246:68:
          245|   KNOWN_SECRETS=(
          246|     ${concatStringsSep "\n" (map (x: escapeShellArg x.sourceFile) (attrValues secretsWithContext))}
             |                                                                    ^
          247|   )

       … while calling the 'foldl'' builtin
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:113:24:
          112|   # Deduplicates secrets if the generator is the same, otherwise throws an error.
          113|   secretsWithContext = foldl' (
             |                        ^
          114|     set: host: foldl' (addGeneratedSecretChecked host) set (attrNames nodes.${host}.config.age.secrets)

       … while calling anonymous lambda
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:114:10:
          113|   secretsWithContext = foldl' (
          114|     set: host: foldl' (addGeneratedSecretChecked host) set (attrNames nodes.${host}.config.age.secrets)
             |          ^
          115|   ) { } (attrNames nodes);

       … while calling the 'foldl'' builtin
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:114:16:
          113|   secretsWithContext = foldl' (
          114|     set: host: foldl' (addGeneratedSecretChecked host) set (attrNames nodes.${host}.config.age.secrets)
             |                ^
          115|   ) { } (attrNames nodes);

       … while calling 'addGeneratedSecretChecked'
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:62:16:
           61|   addGeneratedSecretChecked =
           62|     host: set: secretName:
             |                ^
           63|     let

       … in the condition of the assert statement
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:94:7:
           93|       # Assert that the generator is the same if it was defined on multiple hosts
           94|       assert assertMsg (hasAttr sourceFile set -> script == set.${sourceFile}.script)
             |       ^
           95|         "Generator definition of ${secretName} on ${host} differs from definitions on other hosts: ${

       … from call site
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:94:14:
           93|       # Assert that the generator is the same if it was defined on multiple hosts
           94|       assert assertMsg (hasAttr sourceFile set -> script == set.${sourceFile}.script)
             |              ^
           95|         "Generator definition of ${secretName} on ${host} differs from definitions on other hosts: ${

       … while calling 'assertMsg'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/asserts.nix:41:5:
           40|     pred:
           41|     msg:
             |     ^
           42|     pred || builtins.throw msg;

       … in the left operand of the OR (||) operator
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/asserts.nix:42:10:
           41|     msg:
           42|     pred || builtins.throw msg;
             |          ^
           43|

       … in the right operand of the IMPL (->) operator
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:94:48:
           93|       # Assert that the generator is the same if it was defined on multiple hosts
           94|       assert assertMsg (hasAttr sourceFile set -> script == set.${sourceFile}.script)
             |                                                ^
           95|         "Generator definition of ${secretName} on ${host} differs from definitions on other hosts: ${

       … from call site
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/apps/generate.nix:70:16:
           69|         relativeToFlake secret.rekeyFile;
           70|       script = secret.generator._script {
             |                ^
           71|         inherit secret pkgs;

       … while calling 'merge'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/types.nix:773:9:
          772|       merge = loc: defs:
          773|         fnArgs: (mergeDefinitions (loc ++ [ "<function body>" ]) elemType (map (fn: { inherit (fn) file; value = fn.value fnArgs; }) defs)).mergedValue;
             |         ^
          774|       getSubOptions = prefix: elemType.getSubOptions (prefix ++ [ "<function body>" ]);

       … while evaluating the attribute 'mergedValue'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:851:5:
          850|     # Type-check the remaining definitions, and merge them. Or throw if no definitions.
          851|     mergedValue =
             |     ^
          852|       if isDefined then

       … while evaluating a branch condition
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:852:7:
          851|     mergedValue =
          852|       if isDefined then
             |       ^
          853|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal

       … while evaluating the attribute 'values'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:845:9:
          844|       in {
          845|         values = defs''';
             |         ^
          846|         inherit (defs'') highestPrio;

       … while evaluating a branch condition
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:841:11:
          840|           # Avoid sorting if we don't have to.
          841|           if any (def: def.value._type or "" == "order") defs''.values
             |           ^
          842|           then sortProperties defs''.values

       … while calling the 'any' builtin
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:841:14:
          840|           # Avoid sorting if we don't have to.
          841|           if any (def: def.value._type or "" == "order") defs''.values
             |              ^
          842|           then sortProperties defs''.values

       … while evaluating the attribute 'values'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:944:7:
          943|     in {
          944|       values = concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
             |       ^
          945|       inherit highestPrio;

       … while calling the 'concatMap' builtin
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:944:16:
          943|     in {
          944|       values = concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
             |                ^
          945|       inherit highestPrio;

       … while calling the 'concatMap' builtin
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:831:17:
          830|         # Process mkMerge and mkIf properties.
          831|         defs' = concatMap (m:
             |                 ^
          832|           map (value: { inherit (m) file; inherit value; }) (addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while calling anonymous lambda
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:831:28:
          830|         # Process mkMerge and mkIf properties.
          831|         defs' = concatMap (m:
             |                            ^
          832|           map (value: { inherit (m) file; inherit value; }) (addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while calling the 'map' builtin
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:832:11:
          831|         defs' = concatMap (m:
          832|           map (value: { inherit (m) file; inherit value; }) (addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |           ^
          833|         ) defs;

       … while evaluating definitions from `/nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/flake.nix':

       … from call site
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:832:128:
          831|         defs' = concatMap (m:
          832|           map (value: { inherit (m) file; inherit value; }) (addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                ^
          833|         ) defs;

       … while calling 'dischargeProperties'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:903:25:
          902|   */
          903|   dischargeProperties = def:
             |                         ^
          904|     if def._type or "" == "merge" then

       … while evaluating a branch condition
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/modules.nix:904:5:
          903|   dischargeProperties = def:
          904|     if def._type or "" == "merge" then
             |     ^
          905|       concatMap dischargeProperties def.contents

       … while evaluating the attribute 'value'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/types.nix:773:106:
          772|       merge = loc: defs:
          773|         fnArgs: (mergeDefinitions (loc ++ [ "<function body>" ]) elemType (map (fn: { inherit (fn) file; value = fn.value fnArgs; }) defs)).mergedValue;
             |                                                                                                          ^
          774|       getSubOptions = prefix: elemType.getSubOptions (prefix ++ [ "<function body>" ]);

       … from call site
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/types.nix:773:114:
          772|       merge = loc: defs:
          773|         fnArgs: (mergeDefinitions (loc ++ [ "<function body>" ]) elemType (map (fn: { inherit (fn) file; value = fn.value fnArgs; }) defs)).mergedValue;
             |                                                                                                                  ^
          774|       getSubOptions = prefix: elemType.getSubOptions (prefix ++ [ "<function body>" ]);

       … while calling 'tls-signed-certificate'
         at /nix/store/nvwwcv0awllc55sjg148l28zvy7i40rk-source/nix/nixos-modules/secrets.nix:92:45:
           91|     # won't use the same one twice.  This should be checked in.
           92|     age.generators.tls-signed-certificate = {
             |                                             ^
           93|       decrypt,

       … from call site
         at /nix/store/nvwwcv0awllc55sjg148l28zvy7i40rk-source/nix/nixos-modules/secrets.nix:106:7:
          105|     in
          106|       throwIfNot (isAttrs settings) "Secret '${name}' must have a `settings` attrset."
             |       ^
          107|       throwIfNot (isString settings.fqdn) "Secret '${name}' is missing a `fqdn` string."

       … while calling anonymous lambda
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/lib/trivial.nix:868:40:
          867|   */
          868|   throwIfNot = cond: msg: if cond then x: x else throw msg;
             |                                        ^
          869|

       … while evaluating the attribute 'ageMasterDecrypt'
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:174:3:
          173|   ageMasterEncrypt = "${ageWrapperScript}/bin/ageWrapper encrypt";
          174|   ageMasterDecrypt = "${ageWrapperScript}/bin/ageWrapper decrypt";
             |   ^
          175|   ageHostEncrypt =

       … while calling the 'getAttr' builtin
         at <nix/derivation-internal.nix>:44:19:
           43|       value = commonAttrs // {
           44|         outPath = builtins.getAttr outputName strict;
             |                   ^
           45|         drvPath = strict.drvPath;

       … while calling the 'derivationStrict' builtin
         at <nix/derivation-internal.nix>:34:12:
           33|
           34|   strict = derivationStrict drvAttrs;
             |            ^
           35|

       … while evaluating derivation 'ageWrapper'
         whose name attribute is located at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/stdenv/generic/make-derivation.nix:336:7

       … while evaluating attribute 'text' of derivation 'ageWrapper'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/build-support/trivial-builders/default.nix:102:17:
          101|       ({
          102|         inherit text executable checkPhase allowSubstitutes preferLocalBuild;
             |                 ^
          103|         passAsFile = [ "text" ]

       … while calling the 'concatStringsSep' builtin
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:60:9:
           59|       # Master identities that have a pubkey can be added without further treatment.
           60|       ${concatStringsSep "\n" (
             |         ^
           61|         map (

       … while calling the 'map' builtin
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:61:9:
           60|       ${concatStringsSep "\n" (
           61|         map (
             |         ^
           62|           x:

       … while calling the 'filter' builtin
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:64:12:
           63|           ''masterIdentityMap[${escapeShellArg (removeSuffix "\n" x.pubkey)}]=${escapeShellArg x.identity}''
           64|         ) (filter (x: x.pubkey != null) mergedMasterIdentities)
             |            ^
           65|       )}

       … while calling anonymous lambda
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:64:20:
           63|           ''masterIdentityMap[${escapeShellArg (removeSuffix "\n" x.pubkey)}]=${escapeShellArg x.identity}''
           64|         ) (filter (x: x.pubkey != null) mergedMasterIdentities)
             |                    ^
           65|       )}

       … while selecting an attribute
         at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:64:23:
           63|           ''masterIdentityMap[${escapeShellArg (removeSuffix "\n" x.pubkey)}]=${escapeShellArg x.identity}''
           64|         ) (filter (x: x.pubkey != null) mergedMasterIdentities)
             |                       ^
           65|       )}

       error: expected a set but found a string: "/nix/store/nvwwcv0awllc55sjg148l28zvy7i40rk-source/nix/secrets/agenix-master-key-3.age"

With that, we’re able to find the broken line:

… while calling the 'filter' builtin
  at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:64:12:
    63|           ''masterIdentityMap[${escapeShellArg (removeSuffix "\n" x.pubkey)}]=${escapeShellArg x.identity}''
    64|         ) (filter (x: x.pubkey != null) mergedMasterIdentities)
      |            ^
    65|       )}

… while calling anonymous lambda
  at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:64:20:
    63|           ''masterIdentityMap[${escapeShellArg (removeSuffix "\n" x.pubkey)}]=${escapeShellArg x.identity}''
    64|         ) (filter (x: x.pubkey != null) mergedMasterIdentities)
      |                    ^
    65|       )}

… while selecting an attribute
  at /nix/store/4jjvcww3gdkvahwcvbmd5cwn7pndbn9h-source/nix/lib.nix:64:23:
    63|           ''masterIdentityMap[${escapeShellArg (removeSuffix "\n" x.pubkey)}]=${escapeShellArg x.identity}''
    64|         ) (filter (x: x.pubkey != null) mergedMasterIdentities)
      |                       ^
    65|       )}

Which is line 64 of agenix-rekey/nix/lib.nix. The expression in question is:

(filter (x: x.pubkey != null) mergedMasterIdentities)

And my masterIdentities has no pubkey. That said, I did try the pubkey and identity form and found a new error. I am starting to think this is a bug.

Here’s the error when trying the attrset form:

error: A definition for option `age.rekey.masterIdentities."[definition 1-entry 1]"' is not of type `string or path convertible to it'. Definition values:
- In `<unknown-file>':
    {
      identity = /nix/store/1gd1hrr3wjvz7mk4h9rbhzss4yaqrsw2-source/nix/secrets/agenix-master-key-3.age;
      pubkey = null;
    }

Where the declaration is now this:

masterIdentities = [
  {
    identity = ../secrets/agenix-master-key-3.age;
    pubkey = null;
  }
];

I also tried this:

masterIdentities = [
  {
    identity = ../secrets/agenix-master-key-3.age;
  }
];

Because I have no .pub file. No change in behavior.

For fun I even made up a value for pubkey:

masterIdentities = [
  {
    identity = ../secrets/agenix-master-key-3.age;
    pubkey = "foobar";
  }
];

Is there a mechanism somewhere that’s supposed to coerce direct file references into something that has a pubkey entry?
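
Selecting x.pubkey on a bare path string is what produces "expected a set but found a string" in the filter shown above. The following is an added sketch, not agenix-rekey's code, of the kind of coercion the question asks about: entries in either shape are brought to one { identity, pubkey } form before any consumer reads them. The normalize helper and the sample paths are hypothetical.

```nix
# Added example. Evaluate with: nix-instantiate --eval --strict example.nix
# Uses only Nix builtins, so no nixpkgs checkout is needed.
let
  # Constructed sample input covering the shapes tried in the notes:
  # a bare path string, an attrset without pubkey, an attrset with pubkey.
  # The paths and the key are placeholders, not real files or keys.
  masterIdentities = [
    "/secrets/master-a.age"
    { identity = "/secrets/master-b.age"; }
    { identity = "/secrets/master-c.age"; pubkey = "age1constructedexamplekey"; }
  ];

  # Hypothetical helper: coerce every entry to { identity, pubkey }.
  # Anything that is neither a string, a path nor an attrset is rejected
  # here with a readable message instead of failing deep inside a consumer.
  normalize = entry:
    if builtins.isAttrs entry then
      # Default pubkey to null, keep what the entry sets, and force
      # identity to a string so later interpolation cannot hit a path or set.
      { pubkey = null; } // entry // { identity = toString entry.identity; }
    else if builtins.isString entry || builtins.isPath entry then
      { identity = toString entry; pubkey = null; }
    else
      throw "master identity must be a path, string or attrset, got ${builtins.typeOf entry}";

  merged = map normalize masterIdentities;

  # Same shape as the filter at lib.nix:64. It is only safe because every
  # element of `merged` is now an attrset that has a pubkey attribute.
  withPubkey = builtins.filter (x: x.pubkey != null) merged;

  # A consumer that builds shell text must interpolate x.identity,
  # never the entry itself.
  identityLines = builtins.concatStringsSep "\n" (map (x: x.identity) merged);
in
{
  inherit merged identityLines;
  pubkeys = map (x: x.pubkey) withPubkey;
}
```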

I started a manual bisect on agenix-rekey. Unfortunately code formatting tools have made this a bit difficult. I managed to get things working again by going back several months, all the way back to my last contribution.

3137e9b1df0724d0af8dbeb8c36f8eee4a26869a

The last time I saw it broken was d6de009fba42ac7f7e9c356142220570c6c07877, “allow rekeying 0 secrets”. So it might be somewhere in between those.

Next iteration: The commit “fix: show an error when no recipients are set in a master identity file” is broken too. c071067f7d972552f5170cf8665643ed0ec19a6d

Well this is unanticipated. I narrowed down the issue to this commit:

c6c1ca5b9ceaaa40fd979fb25bb7043adf4554ad

fix: correctly remove apps from exposed path

The error changes a little, but is ultimately the same I think:

error:
       … while calling the 'derivationStrict' builtin
         at <nix/derivation-internal.nix>:34:12:
           33|
           34|   strict = derivationStrict drvAttrs;
             |            ^
           35|

       … while evaluating derivation 'agenix-generate'
         whose name attribute is located at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/stdenv/generic/make-derivation.nix:336:7

       … while evaluating attribute 'text' of derivation 'agenix-generate'
         at /nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/pkgs/build-support/trivial-builders/default.nix:102:17:
          101|       ({
          102|         inherit text executable checkPhase allowSubstitutes preferLocalBuild;
             |                 ^
          103|         passAsFile = [ "text" ]

       … while evaluating definitions from `/nix/store/l1bdj49xb3rj3d24s7m58qmr5i3dwrb2-source/flake.nix':

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: cannot coerce a set to a string: { identity = "/nix/store/zidq8pvpbd7g3hpl5qi2v3awy0si1x8a-source/nix/secrets/agenix-master-key-3.age"; pubkey = null; }

The diff:

@@ -57,13 +57,14 @@
         # pkgs.age and pkgs.rage.
         agePackage ? (p: p.rage),
       }:
-        flake-utils.lib.eachDefaultSystem (system: {
+        (flake-utils.lib.eachDefaultSystem (system: {
           apps = pkgs.${system}.lib.genAttrs allApps (app:
             import ./apps/${app}.nix {
               inherit nodes userFlake agePackage;
               pkgs = pkgs.${system};
             });
-        });
+        }))
+        .apps;

       # XXX: deprecated, scheduled for removal in late 2024. Use the package instead of
       # defining apps. This is just a compatibility wrapper that defines apps with
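
Review bot: the `.apps` selection added after the closing `}))` changes the shape of this function's result, from an attrset with a top-level `apps` key to the per-system attrset beneath it, and nothing in the hunk documents that for callers. Anything that still reads `.apps` from the result will no longer find it, so the call sites should be updated in the same commit and the new return shape stated in a comment near the deprecation note that follows. A dangling `.apps;` on its own line is also easy to miss when reading; binding the `eachDefaultSystem` result in a `let` and returning `result.apps` would make the intent explicit.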

And this just blows my mind. How could that be causing the issue?!

This change doesn’t seem to have directly permeated back to what’s at the HEAD of main. That said, there seem to have been some refactors that might make it less obvious in the current state that this is causing the issue.

I can also see here why there would be an issue with overlays not being respected. It does its own import of nixpkgs which doesn’t get any overlays added to it. That’s a separate issue for another day.

Raspberry Pi startup issues

When cooking a brand new host image for a Raspberry Pi (which is just a most impressive way to use Nix), one may notice some issues with the host on its first boot.

I’ve seen that only some number of reboots later did it decide to create the swap file. agenix may not lay down its secrets immediately and so services may fail to boot. I think there is an issue describing this for agenix. I can’t speak to the others.

I’ve also noticed it has trouble with my small display sometimes. But in the flicker it makes, sometimes I can make out what seems to be a very small version of a boot or login screen, with its telltale gray and green on black.

This might be indicative of issues with the Raspberry Pi 5 settings. I have seen many issues crop up in the issue trackers, but I haven’t really looked into them since I haven’t gotten that far yet.

I’ve seen this issue when trying to move down in systemctl list-units:

/*** stack smashing detected ***: terminated

I don’t know what it means yet.

This ticket is indicative of trouble, and suggests turning off uboot: nix-community/raspberry-pi-nix#16

Another is to use the rpi4 kernel, which I guess is supposed to work just as well?

I turned off uboot, and rebooted the Pi. The screen was blank. I moved the power to the screen from the Pi to a dedicated USB power source, and then replugged the HDMI cable to the screen. The screen immediately showed me a Linux-staged boot sequence, but it’s still going and the print is far too small for me to read.

This makes me think under-voltage caused by the screen could’ve been causing some issues, but it’s hard to say which caused which. This last experimentation was done on selenium but I could fall back to gallium if it’s still having boot issues. For now, gallium is running and seems fairly healthy.

signature by a trusted key error

The general error is of the form: copying path <nix-drv-path> to <host> error: cannot add path <nix-drv-path> because it lacks a signature by a trusted key.

copying path '/nix/store/rp3ac35r3pfb3fqh3rdqzlzsq67jpnws-source' to 'ssh://gallium.proton' error: cannot add path '/nix/store/rp3ac35r3pfb3fqh3rdqzlzsq67jpnws-source' because it lacks a signature by a trusted key

building painful things

torch

opencv2

These builds take forever and I’m not sure if it’s always dying in the same place.

[ 63%] Building NVCC (Device) object modules/cudaimgproc/CMakeFiles/cuda_compile_1.dir/src/cuda/cuda_compile_1_generated_hough_segments.cu.o
[ 63%] Building CXX object modules/dnn/CMakeFiles/opencv_test_dnn.dir/test/test_main.cpp.o
during RTL pass: dse1
In file included from /build/source/modules/ts/include/opencv2/ts.hpp:126,
                 from /build/source/modules/features2d/test/test_precomp.hpp:7,
                 from /build/source/modules/features2d/test/test_drawing.cpp:7:
/build/source/modules/ts/include/opencv2/ts/ts_gtest.h: In member function 'void testing::internal::ParameterizedTestCaseInfo<TestCase>::RegisterTests() [with TestCase = testing::TestWithParam<std::tuple<perf::Mat>
/build/source/modules/ts/include/opencv2/ts/ts_gtest.h:12117:3: internal compiler error: Segmentation fault
12117 |   }  // RegisterTests
      |   ^
0x17b29be diagnostic_impl(rich_location*, diagnostic_metadata const*, int, char const*, __va_list_tag (*) [1], diagnostic_t)
        ???:0
0x17b2d97 internal_error(char const*, ...)
        ???:0
0xd20acf crash_signal(int)
        ???:0
0x96adcd df_note_compute(bitmap_head*)
        ???:0
0x965831 df_analyze_problem(dataflow*, bitmap_head*, int*, int)
        ???:0
0x965929 df_analyze_1()
        ???:0
0x161f432 (anonymous namespace)::pass_rtl_dse1::execute(function*)
        ???:0
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
make[2]: *** [modules/features2d/CMakeFiles/opencv_test_features2d.dir/build.make:230: modules/features2d/CMakeFiles/opencv_test_features2d.dir/test/test_drawing.cpp.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:4866: modules/features2d/CMakeFiles/opencv_test_features2d.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....

I noticed that oomd is running. I’ve turned it off and am trying again. Furthermore, I have forced this to be off for future generations of lithium.

After that:

nvcc error   : 'cudafe++' died due to signal 11 (Invalid memory reference)
nvcc error   : 'cudafe++' core dumped
CMake Error at cuda_compile_1_generated_reduce.cu.o.Release.cmake:280 (message):
  Error generating file
  /build/source/build/modules/cudaarithm/CMakeFiles/cuda_compile_1.dir/src/cuda/./cuda_compile_1_generated_reduce.cu.o

I confirmed oomd is disabled.

This is exhausting. Can I just use torch-bin?

Another attempt:

[  9%] Building CXX object modules/imgproc/CMakeFiles/opencv_imgproc.dir/src/emd.cpp.o
[  9%] Building CXX object modules/imgproc/CMakeFiles/opencv_imgproc.dir/src/featureselect.cpp.o
[  9%] Building NVCC (Device) object modules/cudaarithm/CMakeFiles/cuda_compile_1.dir/src/cuda/cuda_compile_1_generated_div_mat.cu.o
[  9%] Building NVCC (Device) object modules/cudaarithm/CMakeFiles/cuda_compile_1.dir/src/cuda/cuda_compile_1_generated_div_scalar.cu.o
during GIMPLE pass: dom
/build/source/modules/imgproc/src/drawing.cpp: In function 'void cv::polylines(cv::InputOutputArray, cv::InputArrayOfArrays, bool, const Scalar&, int, int, int)':
/build/source/modules/imgproc/src/drawing.cpp:2409:6: internal compiler error: Segmentation fault
 2409 | void cv::polylines(InputOutputArray img, InputArrayOfArrays pts,
      |      ^~
0x17b29be diagnostic_impl(rich_location*, diagnostic_metadata const*, int, char const*, __va_list_tag (*) [1], diagnostic_t)
        ???:0
0x17b2d97 internal_error(char const*, ...)
        ???:0
0xd20acf crash_signal(int)
        ???:0
0xeb3110 expr_hash_elt::~expr_hash_elt()
        ???:0
0xe13271 (anonymous namespace)::pass_dominator::execute(function*)
        ???:0
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.