@dunkelstern Why? At least on macs there is a wireguard client and an NFS client and that setup doesn't require anything more from the terminal.

@dunkelstern

> But I probably still need Samba for the machines of some users that prefer to use their own laptops.

Why? You can give them VPN creds, give them a fixed IP in the VPN, and tell the NFS server to assume (via the anonuid option in exports) that all traffic from that IP corresponds to the UID of the laptop's owner.

@dunkelstern

Ah, you mean in nixos modules as opposed to in packages.

Yes, that part is very rarely well documented. My rule of thumb is that, unless extraRawTextConfig is the only way some service has of being configured, I should not use it without reading the implementation of the module :(

@dunkelstern

I'm confused.

If a terminal is owned and permanently assigned to a single user, there is no next and previous user. You can assume that all traffic coming from that machine (recognized by possession of a secret, e.g. of a WireGuard private key) is on behalf of that user.

If you have a shared terminal, then:
- anyone using it would anyway trust it (if an attacker gets root on it, they can impersonate anyone who tries to log in on it later),
- you can treat it as a run of the mill multiuser Linux machine to get separation between users.

So, you can allow people to declare whether they want shared terminals to be able to mount their homedirs, and then trust the shared terminals to claim what user is logged in. You can recognize the shared terminals by possession of a secret, just like private ones (if someone gains root there, they can impersonate future users of that terminal anyway, so being able to exfiltrate the secret doesn't change things massively).

@dunkelstern

Re arguments to the package to modify it: fully agreed, they are documented something between badly and not at all.

I don't understand what configuration files you are referring to in the other two cases.

@dunkelstern

OK, but then the situation is somewhat simpler: each terminal has a fixed user. That could even be done by just having a wireguard network (with the list of peers managed manually) and IP-based NFS exports.
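A concrete server-side form of the setup sketched here and in the earlier reply about anonuid (an added example, not a configuration from the thread): a NixOS fragment where each laptop is one WireGuard peer pinned to a single /32, and the exports squash everything from that address to the owner's UID. Interface names, paths, keys, addresses and UIDs are constructed placeholders.

```nix
# Added example (not from the thread). Server-side NixOS fragment:
# one WireGuard peer per laptop, each allowed exactly one /32, and
# /etc/exports lines that squash everything from that address to the
# owner's UID. All keys, paths, addresses and UIDs are placeholders.
{ config, ... }:
{
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.1/24" ];
    listenPort = 51820;
    privateKeyFile = "/var/lib/wireguard/wg0.key";   # placeholder path
    peers = [
      {
        # alice's laptop. WireGuard's cryptokey routing drops any packet
        # from this key whose source is not in allowedIPs, so 10.100.0.11
        # is bound to possession of alice's private key.
        publicKey = "ALICE_PUBLIC_KEY_PLACEHOLDER";
        allowedIPs = [ "10.100.0.11/32" ];
      }
      {
        # bob's laptop, same idea with its own /32.
        publicKey = "BOB_PUBLIC_KEY_PLACEHOLDER";
        allowedIPs = [ "10.100.0.12/32" ];
      }
    ];
  };

  # Accept NFS only on the tunnel interface, never on the LAN, so the
  # IP-based export restrictions cannot be reached by spoofed LAN traffic.
  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 2049 ];

  services.nfs.server = {
    enable = true;
    # all_squash + anonuid/anongid: whatever UID the laptop presents,
    # the server treats the request as the export's owner. Each export is
    # restricted to the single /32 that WireGuard ties to that peer.
    exports = ''
      /export/home/alice 10.100.0.11/32(rw,sync,all_squash,anonuid=1001,anongid=1001,no_subtree_check)
      /export/home/bob   10.100.0.12/32(rw,sync,all_squash,anonuid=1002,anongid=1002,no_subtree_check)
    '';
  };
}
```

The IP-to-user binding holds only because WireGuard rejects packets whose source address lies outside the sending peer's allowedIPs; the same exports on a plain LAN would be defeated by source-address spoofing, which is why NFS is exposed on wg0 alone.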

@dunkelstern

Do you mean documentation for packages or for nixos modules/config options, or both?

@dunkelstern

But also consider how you can realistically avoid trusting the terminals. If they are not assigned to individual users, how does a user verify that the terminal they intend to enter their password on/authenticate themselves in any other way is not running malicious software?

@dunkelstern

Would cross-linking to documentation of similar options/the docbook for the appropriate module from search.nixos.org be significantly helpful?

@dunkelstern

Ah, you don't trust the terminals. I see.

The only way to avoid using Kerberos that I know of is something that requires quite a bit of scripting: set up a VPN that clients connect to only when a user logs in (and that gives different internal IPs depending on which user authenticated themselves) and use IP-based restrictions in nfs exports. (Alternatively replace VPN with IPSec and dynamic, logged-in-user-dependent, additional IPs.)

@dunkelstern

I generally go to the source file and:

- look for other options defined in the same file and their description strings,
- look around for the xml file that contains the module's documentation,
- actually look at implementation if these two fail (which often doesn't really require much comprehension of the language, because often what you want to see is what gets interpolated into the same config file).

@dunkelstern

What does "does not with with NFS" mean? You can use LDAP as a source of user information (using nsswitch.conf) and then UIDs will be consistent across all the machines so configured. What else does NFS require?

@tao I found it somewhat interesting that there's a very natural way to crochet a Möbius strip (not by sewing it together from a rectangle), where if you keep crocheting you will keep adding more width by going around its only edge. I wonder how many people have their first encounter with the concept by failing to correctly crochet a tube (i.e. the side surface of a cylinder).

robryk boosted

TIL about unzip-http, a successor to something I was trying to do with the dead httpfs:

github.com/saulpw/unzip-http

It let me get a single text file of metadata out of an *11 GB* zip file of data

Thanks @saulpw!

@ReneHenrich @TechConnectify

Note that this transition is at the very least in a very different stage in at least parts of Europe (and in some ways fought against), so that might serve as a comparison.

@jess @Mike_Enos @MysticBearPaw

Now that I think of it, I wonder why there is no way to report a skimmer _via the onscreen UI_.

@isomer do you know if the problem is not an individual defect?

@dunkelstern

Do you know of search.nixos.org? My procedure for determining how to make some change to my configuration is to go there, find some related option, and look at the documentation of the module this option is in. In more complicated situations (e.g. audio configuration, where there are multiple things that expose the same interface towards applications) I have to go search the nixos wiki and until now that always sufficed.

microreview of a short story collection, spoilerfree 

@timorl @gregeganSF

Where was the jab at Rogan? ^^*
