1 Post · 38 Comments · Joined 1 year ago · Cake day: September 1st, 2023

  • So the certs end up in these files:

    • /etc/ssl/certs/ca-certificates.crt
    • /etc/ssl/certs/ca-bundle.crt
    • /etc/pki/tls/certs/ca-bundle.crt

    Only the first one is mentioned on stackoverflow as being used by Go on debian.

    Curl seems to have its default location compiled in by passing --with-ca-bundle , but after installing curlFull and running curl-config --ca, it doesn’t look like that was used and the “default” path is guessed.

    Looking further in the curl derivation there are these lines for darwin :

    lib.optionals stdenv.isDarwin [
      # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback to nss-cacert from the default profile.
      # Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE.
      "--without-ca-bundle"
      "--without-ca-path"
    ]
    

    So, check the value of NIX_SSL_CERT_FILE outside nix shell and within. The path might have to be set there. I dunno how to do that automatically with nix shell, so it might have to be done manually.

    Anti Commercial-AI license
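As an added example (not part of the comment above, and not nix's or curl's own code), this POSIX sh script mirrors the lookup order the comment describes so you can see which bundle a nix-shell curl would end up with: it honours `NIX_SSL_CERT_FILE`, then `SSL_CERT_FILE`, then falls back to the three distro paths listed above. The precedence of the two variables and the optional root-prefix argument (used so the lookup can be exercised against a temporary tree) are assumptions of this example; the failure mode it flags is the one from the comment, a variable pointing at a file that does not exist, which leaves TLS verification with no trust store at all.

```shell
#!/bin/sh
# Added example: resolve the CA bundle a TLS client would use in this
# environment. Order (an assumption of this example):
#   1. NIX_SSL_CERT_FILE   - honoured by nix-built curl per the derivation above
#   2. SSL_CERT_FILE       - honoured by most OpenSSL-based tools
#   3. distro default paths from the comment above
# resolve_ca_bundle [ROOT] prints the bundle path; ROOT is an optional prefix
# so the same logic can be checked against a constructed directory tree.
resolve_ca_bundle() {
    root="${1:-}"
    for var in NIX_SSL_CERT_FILE SSL_CERT_FILE; do
        eval "val=\${$var:-}"
        if [ -n "$val" ]; then
            if [ -r "$root$val" ]; then
                printf '%s\n' "$root$val"
                return 0
            fi
            # A set variable that points nowhere does not fall through:
            # the client simply has no trust store. Flag it loudly.
            printf 'warning: %s=%s is not readable\n' "$var" "$val" >&2
            return 2
        fi
    done
    for p in /etc/ssl/certs/ca-certificates.crt \
             /etc/ssl/certs/ca-bundle.crt \
             /etc/pki/tls/certs/ca-bundle.crt; do
        if [ -r "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# Count PEM certificates in a bundle: a quick sanity check that the file
# found is a populated bundle rather than an empty placeholder.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Stand-alone run: report what this shell would use. Run it once outside
# and once inside `nix shell` to compare, as the comment suggests.
bundle=$(resolve_ca_bundle) || echo "no CA bundle found"
[ -n "$bundle" ] && echo "CA bundle: $bundle ($(count_certs "$bundle") certificates)"
```

If the path printed inside `nix shell` differs from the one outside, or the warning fires, that is the mismatch between curl's guessed default and `NIX_SSL_CERT_FILE` that the comment is pointing at.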





  • /usr/share/nginx/html/nix-cache-info

    That indicates your nginx is probably still using the default config.

    This is the default config in nginx.conf

    user  nginx;
    worker_processes  auto;
    
    error_log  /var/log/nginx/error.log notice;
    pid        /var/run/nginx.pid;
    
    
    events {
        worker_connections  1024;
    }
    
    
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile        on;
        #tcp_nopush     on;
    
        keepalive_timeout  65;
    
        #gzip  on;
    
        include /etc/nginx/conf.d/*.conf;
    }
    

    Reading the dockerhub page for your image it states

    Customize configuration

    You can mount your configuration file, or build a new image with it.

    If you wish to adapt the default configuration, use something like the following to get it from a running nginx container:

    $ docker run --rm --entrypoint=cat nginx /etc/nginx/nginx.conf > /host/path/nginx.conf

    And then edit /host/path/nginx.conf in your host file system.

    Basically

    volumeMounts:
      - name: nix-cache-storage
        mountPath: /data
      - name: nix-cache-config
        mountPath: /etc/nginx/sites-available/default # this should be /etc/nginx/nginx.conf
    

    You might want to take some configuration options from the default config like the user, worker connections, etc.

    Good luck.

    Anti Commercial-AI license


  • onlinepersona@programming.dev to Nix / NixOS@programming.dev · My nixos experience
    2 months ago

    Quite the ride you had there. I rarely reinstall even if my system is borked and just fight through everything until it’s fixed. I can understand not having that kind of time though.

    > This is when I realised I can’t recommend nixos to normal people. If for any reason you need to install sth. that is not in the packages you are fucked.

    💯

    After thinking about installing it on a friend’s laptop, I too ran into the issue of not finding some software and realised it would be me playing packager and package maintainer. It’s simple to install Debian and call it a day.

    > However once I managed to get the update working I wasn’t able to login into x11 anymore and Wayland seems inperformant in gaming.

    This is definitely a reason I don’t want to use wayland yet. Maybe in a year or more it might become my main, but until then X11 it’ll have to be.

    However, why do you need to boot with NVIDIA? Does GPU passthrough not work if you don’t? What type of VM are you using? KVM?

    Anti Commercial-AI license


  • I don’t know why nix isn’t able to output a plan of stuff it has to do, but anyway, what I’ve done is just install the thing, then nix --query --referrers $storePath. You can do the same with every free-image-unstable you found in your store.

    Also, you should be able to grep the .drv files for the store paths of each free-image-unstable and find out what was passed in to build them. My hunch is that the package was an input to other packages that needed to activate or deactivate build options. Maybe one package needed a specific feature and another needed yet another --> multiple builds.

    Anti Commercial-AI license
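An added example of the second suggestion (grepping `.drv` files), not code from the comment or from nix itself: given the store path of one `free-image-unstable` build, it lists the derivations that reference it and extracts the `--enable`/`--disable` style flags from each, so two builds can be compared for the option that forced a rebuild. The `DRV_DIR` argument exists so the parsing can be run against constructed files; on a real system leave it at `/nix/store`. The live `nix-store --query --referrers` call is a real command but is only used in the optional helper.

```shell
#!/bin/sh
# Added example: find which .drv files reference a store path and compare
# the build flags recorded in them. Not part of nix; assumes /nix/store
# layout and the ATerm text format of .drv files.

# find_drv_referrers STORE_PATH [DRV_DIR]: .drv files mentioning STORE_PATH.
find_drv_referrers() {
    needle="$1"
    store="${2:-/nix/store}"
    grep -l -F -- "$needle" "$store"/*.drv 2>/dev/null | sort
}

# drv_flags DRV: unique --flag tokens found anywhere in the derivation text.
# Crude on purpose; `nix derivation show` gives structured output if available.
drv_flags() {
    grep -o -- '--[a-z][a-z-]*' "$1" | sort -u
}

# drv_flag_diff DRV_A DRV_B: flags present in only one of the two.
# Column 1 is unique to A, column 2 (tab-indented) unique to B.
drv_flag_diff() {
    t1=$(mktemp); t2=$(mktemp)
    drv_flags "$1" > "$t1"
    drv_flags "$2" > "$t2"
    comm -3 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Live counterpart (assumes nix-store is installed): ask the nix database
# directly which store paths depend on STORE_PATH.
query_referrers() {
    nix-store --query --referrers "$1"
}

# Stand-alone use: ./script.sh /nix/store/<hash>-free-image-unstable-<date>
if [ -n "${1:-}" ]; then
    echo "derivations referencing $1:"
    find_drv_referrers "$1"
fi
```

With two referring derivations in hand, `drv_flag_diff a.drv c.drv` shows only the flags that differ, which is usually enough to see which dependent asked for a different feature set.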



  • sequenceDiagram
        Computer->>+Nameserver: Where's wikipedia.org
        Nameserver-->>-Computer: 185.15.59.224
        Computer->>+Wikipedia: GET /
        Wikipedia-->>-Computer: return /
    

    Here is the simplified sequence diagram

    As you can see the request to wikipedia itself does not go through a nameserver, only the DNS request does. It’s the entire reason Firefox has the option to proxy DNS queries over the proxy: to avoid DNS leaks

    Right now, all that should be happening is DNS requests being proxied, not the rest of your traffic.

    There’s a huge difference when I enter https://one.one.one.one/help/ normally with "Use system proxy settings" in my browser and when I enter it with a "Manual proxy configuration" with the SOCKS Host set up and "Proxy DNS when using SOCKS v5" checked on.

    To me that indicates the DNS proxy through TOR isn’t actually working with your dnscrypt setup 🤔 However it’s difficult to debug from here. It’s possible the DNS query is slow, but because the actual HTTP request is going through your standard internet with no proxy it’s fast, and when you do turn on the proxy for HTTP/S requests, you observe actually using TOR for everything and thus the latency.

    Could you run these commands please

    # Find which process is running the local DNS server
    sudo ss -plant | grep ":53 " # alternatively sudo netstat -plant | grep ":53 "
    
    # Check your DNS resolver config
    # You can share it or not, but 127.0.0.1 MUST be in it, otherwise your DNS queries aren't being encrypted/proxied
    cat /etc/resolv.conf
    
    # Measure how long it takes to query a new domain name
    time dig techhub.hpe.com
    time dig bash.org
    time dig element.io
    

    If you feel comfortable with it, you could share the logs of dnscrypt (I don’t know what kind of information is in there, so you might have to clean it).

    journalctl -u dnscrypt-proxy2 or just systemctl status dnscrypt-proxy2. Either here or PMed. Here are encrypted pastebin alternatives.

    Anti Commercial-AI license


  • I don’t think that’s a correct assumption. DNS just resolves domain names to IPs. When you access a website, if the IP isn’t in your dns cache, it will look it up and that’s the only part that should be going through dnscrypt. The actual request to the site goes to the IP directly. To use TOR across your entire system, it should either be used as a VPN or as a system-wide proxy. Dunno how to set that up though…

    You should be able to at least activate logs for dnscrypt and see which DNS entries are being requested. To have a deeper look into your traffic, the only thing I know of is wireshark, which can sniff all your packets. You should be able to observe your DNS request going to dnscrypt, possibly through TOR (I doubt the packet tracing will work, sequence numbers or something should be disrupted by going through TOR), then a request going out to the IP it found over HTTP (port 80) or HTTPS (port 443).

    Anti Commercial-AI license
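The two comments above describe the same check from two sides: only the DNS lookup should be leaving through dnscrypt, and whether it actually does can be read from what listens on port 53, what `/etc/resolv.conf` points at, and how long a fresh lookup takes. This added script (not the commenter's, not dnscrypt-proxy's) turns those three manual commands into functions. The parsers take their input on stdin so they can be checked against constructed `ss` and `resolv.conf` text; the live `check_dns_path` run assumes `ss` and `dig` are installed and that `ss -p` is run with enough privilege to see other users' processes.

```shell
#!/bin/sh
# Added example: automate the DNS-leak checks from the comments above.

# resolv_uses_localhost: exit 0 if the resolv.conf text on stdin names the
# local stub resolver. Any other nameserver means lookups bypass dnscrypt.
resolv_uses_localhost() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+(127\.0\.0\.1|::1)([[:space:]]|$)'
}

# port53_listeners: from `ss -plant` output on stdin, print the names of
# processes listening on TCP port 53 (column 4 is Local Address:Port).
port53_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /:53$/ {
            if (match($0, /users:\(\("[^"]+"/)) {
                # strip the leading users:((" (9 chars) and trailing quote
                print substr($0, RSTART + 9, RLENGTH - 10)
            }
         }' | sort -u
}

# lookup_ms NAME: server-reported query time in ms for one lookup (needs dig).
lookup_ms() {
    dig +noall +stats "$1" | awk '/Query time:/ { print $4 }'
}

# check_dns_path: live run of all three checks on this host.
check_dns_path() {
    if resolv_uses_localhost < /etc/resolv.conf; then
        echo "resolv.conf: local resolver in use"
    else
        echo "resolv.conf: WARNING, no local resolver, DNS is NOT being proxied"
    fi
    echo "listening on :53 (run with sudo to see all processes):"
    ss -plant 2>/dev/null | port53_listeners | sed 's/^/  /'
    # Domains from the comment above; choose names unlikely to be cached.
    for d in techhub.hpe.com bash.org element.io; do
        echo "lookup $d: $(lookup_ms "$d") ms"
    done
}

# Only run against the live system when asked, e.g. RUN_LIVE=1 sh script.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_dns_path
fi
```

A resolv.conf without `127.0.0.1`, or no `dnscrypt-proxy` among the port-53 listeners, explains the behaviour the comments discuss better than any latency number: the slow part is then the browser-side SOCKS setup doing the resolution over Tor, and the "normal" case is fast because nothing is proxied at all.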



  • I love the idea! It has to be accessible to noobs. In my mind it needs a wizard that walks you through the basic steps:

    • what you would like to host (advanced wizard gives you more options e.g apache, nginx, …)
    • where you would like to host it
      • optimally it should help the user pick a service (registry of VPS, dedicated server hosts, private cloud, …)
      • connect via API token or walk user through purchasing a server/service
    • the domain name you would like to use
      • optimally this would integrate with domain name registrars
      • let you pick a domain name
      • purchase it
      • walk you through creating an API token or take you to a webpage explaining how to point it to an IP
    • connect to server/service to install services and possibly admin UI

    Basically, it should be possible for any old fart to go “geee, I would like to have a website/service”, download the tool, click through a few steps, and have everything up and running by the end without knowing a goddamn thing about the internet or even that nix/nixos is used in the background.

    Anti Commercial-AI license


  • To answer your question: no guideline (as is typical with nix).

    I always check https://search.nixos.org/options first. There’s a chance it’s a package which requires setup or even a service that has extra config. If it’s not there, then https://search.nixos.org/packages is next.

    When multiple come up, it depends which prefix or suffix they have. Prefixes like pythonPackages. either mean the package is written in a specific programming language with its own packaging intricacies and it’s easier to keep them under that prefix; other prefixes like neovimPackages. mean it’s a package for a program and something like a plugin or so. Probably more prefixes exist.

    There are some agreed upon but badly documented suffixes (the usual nix style). But if it’s a version suffix, then it’s up to you to decide which one to use. In a comment you mentioned julia, well that’s a programming language so you have to choose the version you want. Sometimes the manual has information on how to use the programming language or one of the wikis.

    Anti Commercial-AI license


  • Uff, I don’t have any links and haven’t been tuned in too much, but amid all the toxicity on the forums, the nixos foundation got funding from some defense contractor and that kicked off a shitstorm. The forums became even more toxic than before with pro and anti defense contractors, which led to an open letter attacking the creator of nix and threatening with a fork.

    Amongst all of that a nixos maintainer called jonringer became a polarising character and was banned (?) temporarily. He recently wanted to join again and that kicked up the dust again and it’s likely he won’t be able to contribute anymore.

    A bunch of stuff happened in between like the creator of nix stepping down from his position (Benevolent Dictator For Life or something? dunno), many maintainers quitting, the foundation kind of giving in to the anti defense contractor crowd but the crowd not being satisfied and the pro-camp neither. A fork called auxolotl was created, but they don’t want jonringer in it either, and probably other stuff.

    It feels like jonringer has a few people behind him but I don’t know if he would have enough support to fork nixos 🤷

    Anti Commercial-AI license