I'm having trouble getting PAM auth to work, so I'm temporarily disabling it.
TIL that I can use the following to verify that PAM is properly set up for a
program (e.g. `bitlbee`).
```shell
pamtester -v bitlbee $(whoami) authenticate
```
...but despite this succeeding, I still cannot use the `identify` command in
`bitlbee` to successfully authenticate. It just tells me "Incorrect password"
even though I'm providing it the same password that I type when doing the
`pamtester` command from above.
Computers!
I'm still not entirely sure what bitlbee does, but I know this: I want as many
messengers in the same place as possible: IRC, Slack, Telegram. @tazjin tells me
that Bitlbee will help me get to the promised land. This is hopefully one step
of many in that direction.
Thankfully @tazjin builds Gemma (an Elm project) with Nix, so I could reference
Gemma's default.nix to help me with mine. Elm problematically attempts to
HTTP-fetch a list of packages to verify my project's dependencies. Because Nix
builds derivations in a sandbox without network access, I need to use some
escape hatches (i.e. NIX_REDIRECTS, LD_PRELOAD,
SYSTEM_CERTIFICATE_PATH). Welp... it's packaged now...
I'm also pointing learnpianochords.app to this project's index.html. It will be
live soon! :)
TODO(wpcarro): Rename "Chord Drill Sergeant" -> "Learn Piano Chords" (KISS)
This value defaults to localhost:3000, which works, but then Gitea
renders "http://localhost:3000/wpcarro/briefcase" as the URL to clone my
briefcase repository.
Gitea's announcement notes explain some of the benefits of Gitea over
Gogs:
https://blog.gitea.io/2016/12/welcome-to-gitea/
Also, I never configured Gogs such that I could use it, so the cost of
switching from Gogs to Gitea was basically zero.
Lorri does not cleanly integrate with my corporate device, which cannot run
NixOS. To expose dependencies to Emacs buffers, I will use nix-buffer.el, which
reads its values from dir-locals.nix. To easily expose dependencies from my
existing shell.nix files into dir-locals.nix, I wrote a Nix utility function.
- Create ./website directory
- Add a sitemap to wpcarro.dev
- Move covid-uk directory to sandbox directory
TODO: Next sandbox, blog, and learn in the website directory
Right now my website is serving at sandbox.wpcarro.dev, but I would rather
people view it at sandbox.wpcarro.dev/covid-19.
I previously tried to accomplish this with the following Nginx configuration:
```nix
locations."/covid-19" = {
  root = briefcase.covid-uk;
};
```
I am now trying `alias = ...` instead of `root = ...`. I got the idea from this
SO question, https://stackoverflow.com/questions/10631933/nginx-static-file-serving-confusion-with-root-alias.
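The `alias` variant the commit mentions, as an added NixOS example (not the briefcase repository's own configuration), placed beside the `root` form to show why the latter maps requests to the wrong path. It assumes `briefcase.covid-uk` is the derivation whose output directory contains index.html.

```nix
# Added example (not from the briefcase repository). Assumes briefcase.covid-uk
# is a derivation whose output directory holds index.html and its assets.
{ briefcase, ... }:
{
  services.nginx.virtualHosts."sandbox.wpcarro.dev" = {
    locations = {
      # With `root`, nginx appends the full request URI to the root directory,
      # so GET /covid-19/index.html looks for
      #   ${briefcase.covid-uk}/covid-19/index.html
      # which the derivation output does not contain.
      #
      # "/covid-19" = {
      #   root = briefcase.covid-uk;
      # };

      # With `alias`, the matched prefix is replaced by the alias path, so
      # GET /covid-19/index.html is served from
      #   ${briefcase.covid-uk}/index.html
      # Keep the trailing slash on both sides so the substitution stays a
      # clean prefix swap (e.g. /covid-19/app.js -> <out>/app.js).
      "/covid-19/" = {
        alias = "${briefcase.covid-uk}/";
      };
    };
  };
}
```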
- Prefer hosting on sandbox.wpcarro.dev; I would prefer to host it at
sandbox.wpcarro.dev/covid-19, but I haven't figured out how to use Nginx to
serve locations like /covid-19 yet.
- Splice the src directory: When I develop locally and index.html exists within
./src, I cannot access ./node_modules because ./node_modules is in a parent
directory. I could fix this if I used a bundler like Parcel or Webpack, but I
do not want to set that up at this time.
- Introduce Tailwind for CSS. This complicates my build a bit as well. For now,
I'm including output.css even though ideally I should not version-control this
file. I haven't figured out how to `yarn install` and run commands like `npx
tailwindcss build styles.css -o output.css` in a Nix derivation yet. Hopefully
I will learn and refactor this.
- Add some content about why I made this chart
- Add some content about some of my covid-19 predictions
- Add a footer to the webpage
- Delete timeseries.json and prefer fetching the published data instead
I was having trouble tracking the growth of coronavirus cases in the UK.
Thankfully someone is publishing some daily COVID data as JSON. I downloaded
that data manually and plotted it using the chart.js library as a programming
exercise with Mimi.
Now I'm attempting to deploy to https://wpcarro.dev/covid-uk.
TODO(wpcarro): Prefer the live API data instead of my soon-to-be-stale downloaded data.
With this simple change, Nix should copy the static directory and all of its
contents to /nix/store and return the path to that directory.
See the TODO for more on what I would have liked to do ideally.
readTree uses the output attribute set of default.nix as the value for
nixos.socrates, which prevents me from resolving nixos.socrates.rebuild since
there is no rebuild attribute in the output attribute set from default.nix.
If I rename default.nix -> configuration.nix, I can resolve
nixos.socrates.{configuration,hardware,rebuild}.
Nix complains that `nixos.socrates` is not a function but a set. By adding
`{ ... }:` to the top of the file, I'm hoping to change it from a set to a
function.
When I build socrates using `sudo nixos-rebuild [...] switch`, my
`nixos-config` (i.e. <briefcase/nixos/socrates/default.nix>) is a simple Nix
anonymous function. Typically readTree populates my pkgs, briefcase, depot
function parameters with <nixpkgs>, <briefcase>, <depot>, but `nixos-rebuild` is
unaware of `readTree`.
For now I'm manually importing these dependencies, and I'm leaving a TODO to
reconsider switching to the `{ pkgs, briefcase, ... }` style when I better
understand NixOS.
At the moment, I don't think nixos-rebuild is reading $NIX_PATH, which
appropriately sets the paths for depot and briefcase. I'm going to explicitly
expose these values in the rebuild script for now.
After I considered the security implications of calling
`systemctl --user cat monzo-token-server`, I realized that monzo-token-server
should be a root service instead of a user service.
This service unit now also explicitly depends on briefcase.monzo_ynab.tokens,
which is a big improvement.
"oneshot", according to `man systemd.service`, "will consider the unit up after
the main process exits". Since I designed token-server to run continuously, it
will not intentionally exit; therefore, systemd awaits its exit, which never
comes. "simple", on the other hand, does what I want.
Here is my first attempt to manage secrets when I deploy onto a NixOS machine.
Background: When I develop, I use direnv, which reads an .envrc file in which I
define my secrets. My secrets are read from `pass` using a pattern like this...
```shell
secret_value="$(pass show path/to/secret)"
```
...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which
asks me for a password to authenticate. This means that when I cd into a
directory with an .envrc file using this pattern, I may be prompted by GPG for a
password. When I'm not, it's because gpg-agent is still caching my
password. This works for development, but I currently do not know how to use
direnv for deployments.
Here is what I'm using until I find a more convenient solution:
- Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets
directory and its contents are only readable by root.
- Use systemd's Environment and NixOS's builtins.readFile to read the files in
/etc/secrets when I can `sudo nixos-rebuild`.
Ideally I could call a function like `builtins.readFromPasswordStore` within
configuration.nix. This would allow me to skip the step where I run...
```shell
> ssh socrates
> pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id
> pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret
> # etc
```
...I don't know how to manage secrets using NixOS, but at least this is one
answer.
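The unit the two commits above describe, as an added NixOS example (not the briefcase repository's own code): a system-level service with `Type = "simple"`, with the weak way of handing it the /etc/secrets values beside the way that keeps them out of /nix/store. The package name `monzo-token-server`, its `bin/token-server` binary and the `.env` file name are assumptions.

```nix
# Added example, not the briefcase repository's own unit. Assumes a hypothetical
# briefcase.monzo-token-server package providing bin/token-server and that
# /etc/secrets/monzo-token-server.env is owned by root with mode 0400 and holds
# lines such as MONZO_CLIENT_ID=... and MONZO_CLIENT_SECRET=...
{ briefcase, ... }:
{
  # systemd.services (not systemd.user.services): a system unit owned by root,
  # so an unprivileged `systemctl --user cat` cannot read its definition.
  systemd.services.monzo-token-server = {
    description = "Monzo token server";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];

    serviceConfig = {
      # "simple": the unit counts as started once the process is forked.
      # "oneshot" would make systemd wait for an exit that never comes.
      Type = "simple";
      ExecStart = "${briefcase.monzo-token-server}/bin/token-server";

      # Weak: builtins.readFile runs at evaluation time, so the secret's text is
      # written into the generated unit file under /nix/store, which every
      # local user can read. That undoes the root-only permissions on
      # /etc/secrets.
      # Environment = [
      #   "MONZO_CLIENT_ID=${builtins.readFile /etc/secrets/monzo-client-id}"
      #   "MONZO_CLIENT_SECRET=${builtins.readFile /etc/secrets/monzo-client-secret}"
      # ];

      # Preferred: systemd reads the file as root at service start, so the unit
      # file in the store contains only a path and the secret never enters
      # /nix/store. The file is loaded before privileges are dropped, so the
      # service itself can still run as an unprivileged dynamic user.
      EnvironmentFile = "/etc/secrets/monzo-token-server.env";
      DynamicUser = true;
      NoNewPrivileges = true;
    };
  };
}
```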
TL;DR:
- Move /etc/nixos/configuration.nix -> //nixos/configuration.nix
- Move /etc/nixos/hardware-configuration.nix -> //nixos/hardware.nix
- Document installer.nix
- Create rebuild.nix wrapper around `sudo nixos-rebuild switch`
Previously I sketched ideas for the configuration.nix for socrates -- also known
as flattop -- the inexpensive Acer laptop residing in my flat and stored that
configuration.nix file in briefcase. Now, however, I have successfully installed
NixOS onto socrates. By default NixOS saves the configuration.nix and
hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files
into briefcase.
Because the command `nixos-rebuild` looks for the NixOS configuration
file in /etc/nixos, I wrote rebuild.nix, which creates a program to
call `nixos-rebuild` with the new location of my configuration.nix.
The command...
```shell
nix-build -A config.system.build.isoImage -I nixos-config=installer.nix nixos
```
...creates an .iso file in the ./result directory. You can then copy this onto a
USB and use it as a custom installer...
```shell
cp ./result/iso/*-linux.iso /dev/sda
```
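A wrapper in the spirit of the rebuild.nix the TL;DR describes, as an added example (not the repository's own file) that also covers the NIX_PATH problem noted in the socrates commits above: sudo resets the environment by default, so the search path is passed with `-I` instead of being inherited. The home-directory locations of briefcase and depot are assumptions.

```nix
# Added example of a rebuild wrapper (not the briefcase repository's own
# rebuild.nix). Assumes this file sits beside configuration.nix and that the
# briefcase and depot checkouts live at the paths given below.
{ pkgs, ... }:
let
  # Absolute paths on the machine, not store paths: toString on a path
  # literal yields its location on disk without copying it into /nix/store.
  config = toString ./configuration.nix;
  briefcase = "/home/wpcarro/briefcase";   # assumed location
  depot = "/home/wpcarro/depot";           # assumed location
in
pkgs.writeShellScriptBin "rebuild" ''
  set -euo pipefail
  # sudo's default env_reset drops NIX_PATH, so the value set in the user's
  # shell never reaches nixos-rebuild. Passing -I makes each search-path
  # entry explicit instead of relying on the inherited environment.
  exec sudo ${pkgs.nixos-rebuild}/bin/nixos-rebuild switch \
    -I nixos-config=${config} \
    -I briefcase=${briefcase} \
    -I depot=${depot} \
    "$@"
''
```

Any extra arguments (for example `--show-trace`) are forwarded to nixos-rebuild unchanged.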
I needed an installer that used a version of the Linux kernel higher than the
one distributed on NixOS's website: 4.19.? -> 5.4.20+. My Acer laptop needed a
version of the kernel that supported its network controller: Intel 3168NGW.
TODO(wpcarro): Pin the nixpkgs git commit SHA inside of installer.nix.
I'm attempting to configure an old Acer laptop that I bought at a used
electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install
NixOS on it. The configuration.nix herein defines a starting point for the
configuration for that machine. It isn't currently working.
Troubleshooting and solutions forthcoming...