@dunkelstern Why? At least on macs there is a wireguard client and an NFS client and that setup doesn't require anything more from the terminal.
> But I probably still need Samba for the machines of some users that prefer to use their own laptops.
Why? You can give them VPN creds, give them a fixed IP in the VPN, and tell the nfs server to assume (via anonuid option in exports) that all traffic from that IP corresponds to the UID of the laptop's owner.
Ah, you mean in nixos modules as opposed to in packages.
Yes, that part is very rarely well documented. My rule of thumb is that, unless extraRawTextConfig is the only way some service has of being configured, I should not use it without reading the implementation of the module :(
I'm confused.
If a terminal is owned and permanently assigned to a single user, there is no next and previous user. You can assume that all traffic coming from that machine (recognized by possession of a secret, e.g. of a wireguard private key) is on behalf of that user.
If you have a shared terminal, then:
- anyone using it would anyway trust it (if an attacker gets root on it, they can impersonate anyone who tries to log in on it later),
- you can treat it as a run of the mill multiuser Linux machine to get separation between users.
So, you can allow people to declare whether they want shared terminals to be able to mount their homedirs, and then trust the shared terminals to claim what user is logged in. You can recognize the shared terminals by possession of a secret, just like private ones (if someone gains root there, they can impersonate future users of that terminal anyway, so being able to exfiltrate the secret doesn't change things massively).
Re arguments to the package to modify it: fully agreed, they are documented something between badly and not at all.
I don't understand what configuration files you are referring to in the other two cases.
OK, but then the situation is somewhat simpler: each terminal has a fixed user. That could even be done by just having a wireguard network (with the list of peers managed manually) and IP-based NFS exports.
Do you mean documentation for packages or for nixos modules/config options, or both?
But also consider how you can realistically avoid trusting the terminals. If they are not assigned to individual users, how does a user verify that the terminal they intend to enter their password on/authenticate themselves in any other way is not running malicious software?
Would cross-linking to documentation of similar options/the docbook for the appropriate module from search.nixos.org be significantly helpful?
Ah, you don't trust the terminals. I see.
The only way to avoid using Kerberos that I know of is something that requires quite a bit of scripting: set up a VPN that clients connect to only when a user logs in (and that gives different internal IPs depending on which user authenticated themselves) and use IP-based restrictions in nfs exports. (Alternatively replace VPN with IPSec and dynamic, logged-in-user-dependent, additional IPs.)
I generally go to the source file and:
- look for other options defined in the same file and their description strings,
- look around for the xml file that contains the module's documentation,
- actually look at implementation if these two fail (which often doesn't really require much comprehension of the language, because often what you want to see is what gets interpolated into the same config file).
What does "does not with with NFS" mean? You can use LDAP as source of user information (using nsswitch.conf) and then UIDs will be consistent across all the machines so configured. What else does NFS require?
@tao I found it somewhat interesting that there's a very natural way to crochet a Mobius strip (not by sewing it together from a rectangle), where if you keep crocheting you will keep adding more width by going around its only edge. I wonder how many people have their first encounter with the concept by failing to correctly crochet a tube (i.e. side surface of a cylinder).
@TarkabarkaHolgy why is there sawdust on the floor?
TIL about unzip-http, a successor to something I was trying to do with the dead httpfs:
https://github.com/saulpw/unzip-http
It let me get a single text file of metadata out of an *11 GB* zip file of data
Thanks @saulpw!
Note that this transition is at the very least in a very different stage in at least parts of Europe (and in some ways fought against), so that might serve as a comparison.
@jess @Mike_Enos @MysticBearPaw
Now that I think of it, I wonder why there is no way to report a skimmer _via the onscreen UI_.
@isomer do you know if the problem is not an individual defect?
Do you know of search.nixos.org? My procedure for determining how to make some change to my configuration is to go there, find some related option, and look at the documentation of the module this option is in. In more complicated situations (e.g. audio configuration, where there are multiple things that expose the same interface towards applications) I have to go search the nixos wiki and until now that always sufficed.
microreview of a short story collection, spoilerfree
Where was the jab at Rogan? ^^*
I enjoy things around information theory (and data compression), complexity theory (and cryptography), read hard scifi, currently work on weird ML (we'll see how it goes), am somewhat literal minded and have approximate knowledge of random things. I like when statements have truth values, and when things can be described simply (which is not exactly the same as shortly) and yet have interesting properties.
I live in the largest city of Switzerland (and yet have cow and sheep pastures and a swimmable lake within a few hundred meters of my place :)). I speak Polish, English, German, and can understand simple Swiss German and French.
If in doubt, please err on the side of being direct with me. I very much appreciate when people tell me that I'm being inaccurate. I think that satisfying people's curiosity is the most important thing I could be doing (and usually enjoy doing it). I am normally terse in my writing and would appreciate requests to verbosify.
I appreciate it if my grammar or style is corrected (in any of the languages I use here).