What do you like about ansible? I guess it abstracts away the need to check for OS/init system? How else does it help in place of shell scripts?

Also after using NixOS, it’s amazing what NixOS does and disappointing that ansible is not so great for deterministic config ^[1], its more or less a batch of commands executed together. The closest thing, to NixOS, I’ve been able to achieve is load a variables file in playbook.yml and enable/disable service or install/purge pkg based on variables declared. I might be nitpicking/wrong given I’ve not been using long enough but directory layout is kinda too verbose. I say that because it’ll get really messy very quickly when writing modules for more services. NixOS is great, you only have to have configuration.nix or flake.nix+flake.lock too (if using flakes) and rest you can import however you like.

I think you mean registers not buffers. buffers are file(s) loaded in memory while registers contain text yanked/deleted/last command/last search, etc.

You can see all registers in use with :registers, to paste from a register say "2 in insert mode use key combination <ctrl-r>2 or in normal mode "2p. You can check out more in :help registers. Unnamed register or "" is the system clipboard I think. To copy texts in a register you can prepend yank (/delete/cut, etc.) with that register "_ (for black hole register^[1]) This is for neovim. Have keybinds for them and there saved you a plugin :D

Secondly, the dotfiles. I hear there is the Home Manager for that, but it doesn’t have support for everything

In this case, you can use home.file option of home-manager similar to environment.etc of NixOS configuration.

For example, let’s configure dunst with home-manager ^[1]:

# installing the package
home.packages = [ pkgs.dunst ];

# configure dunst

## writing new config
home.file.".config/dunst/dunstrc" = {
    text = ''
        [urgency_critical]
            timeout = 15
    '';
};

## using existing config
home.file.".config/dunst/dunstrc".source = "/path/to/existing/dunst/config";

services.dunst = {
    enable = true;
    # using existing config
    configFile = "/path/to/existing/dunst/config";

    # new config
    settings = {
        urgency_critical = {
            timeout = 15;
        };
    };
};

Is there a way to manage everything at the same time?

Yes, create a git repo and keep your configuration there. Don’t keep secrets unencrypted in there as those will end up in world readable /nix/store. Any user where system or human can access those. You can use any scheme to manage secrets at wiki^[2].

Even better if everything is in configuration.nix

You can do everything in single file but I wouldn’t recommend it as configuration may grow quickly and be difficult to manage later. Instead you may split the configuration.nix into multiple files and import those in configuration.nix.

Flakes simply helps to manage the inputs easily (e.g. nixpkgs, home-manager), i.e., which version of input your config uses. Traditionally inputs is managed by nix-channel imperatively. It generates flake.lock to store the hash of inputs which won’t be updated unless you update it. If you copy the config between different machines (or reinstall), you’ll get exact same version of packages. It also helps avoid adding nix-channel, which you have to add manually during reinstall and you may not get the same version of packages. So, it’s not important as you can do all things with/without it.

I found this guide ^[3] quite helpful to start with flakes. You may use one of Misterio77’s starter configs^[4]. Also, a big surprise with flakes is that if you don’t use git, then your all files from config dir will end up in /nix/store (world-readable^[5]) ^{[6] [7]}. So, you should use git with flakes that way only commited files will end up in /nix/store(world-readable).

Then, what does a package maintainer rely on?

Edit: I’m so dumb. It’s obvious they’d check original developer’s repo or issue tracker. I’m sorry

I wouldn’t be so sure it doesn’t affect NixOS^[1].

I am not a security researcher, nor a reverse engineer. There’s lots of stuff I have not analyzed and most of what I observed is purely from observation rather than exhaustively analyzing the backdoor code.

Also, it may take 10 days to downgrade the package^[2].

You are right. I shouldn’t have used diff. I’ll fix that

Also, incremental changes from subvolume to its snapshot might be incorrect as that will be new data added to subvolume, rather that old data deleted from subvolume while still present in snapshot. I’ll have to check carefully.

just comparing the subvolume with its snapshot with btrfs send -p /example/subvol /snapshot/of/example/subvol >examplediff.btrfs.

From man btrfs-send

generate a stream of instructions that describe changes between two subvolume snapshots

Thanks for btdu, it seems useful as ‘btrfs fi du’ probably doesn’t account for compression, will check it out sometime.

Thanks that helped. I have one snapshot of home. Size of diff between btrfs subvolume and Additional space used by snapshot is 11GiB (probably) and btrfs fi du -s / is 72GiB, making 83GiB (closer to btrfs fi df /).

Between btrfs filesystem usage / and btrfs filesystem du -s / there’s nearly 11GiB difference for used space. I have checked btrfs du -hs <path/to/subvolume> for all subvolume in the filesystem, and total seems to be 72 GiB, hence the confusion. Still I don’t know if I’m using the tools properly or something else is at fault here.

To correct myself, 11GiB is additional space used by snapshot probably used space difference between btrfs fi usage and btrfs fi du -s / is because of diff between snapshot and parent volume (didn’t consider that while adding all used GiB of subvolumes). So btrfs filesystem usage works well to check used/free space.

edit: fix incorrect args; additional space is not diff

I remember seeing a post on lemmy blocking posts with certain words on firefox (and its derivatives) with ublock origin.

1. Open My filters tab in ublock origin extension settings.
2. To block posts with word random on lemmy.ml, add this to text field lemmy.ml##div.post-listing:has(span:has-text("/random/i"))'. i after random/ matches case insensitively.

user’s password can be totally different from luks password if you’re using autologin. You can keep it same but that’s totally optional. You can login without entering any password at all if not using luks (or using autodecrypt), you can see that in live isos.

oh, I forgot. Thanks for mentioning that :)

grep -i fried menu

I have no idea what TPM is

Read Skull giver’s reply or look it up.

Re-reading your post, I take you want to avoid typing long and tedious password? And that’s why you want to auto-decrypt?

1. (Recommended) You could use strong memorable passwords that are not difficult to type and enable autologin. Related xfcd comic:

2. systemd-cryptenroll: For TPM usage, I highly recommend using secure boot. Though not sure if you can easily do that. A less secure alternative using systemd-cryptenroll would be use tpm2-pin and bind key to no pcrs (discouraged). But then you’ll have to use luks2 for encryption. Notice from man systemd-cryptenroll regarding tpm2-pin:

Note that incorrect PIN entry when unlocking increments the TPM dictionary attack lockout mechanism, and may lock out users for a prolonged time, depending on its configuration. The lockout mechanism is a global property of the TPM, systemd-cryptenroll does not control or configure the lockout mechanism. You may use tpm2-tss tools to inspect or configure the dictionary attack lockout, with tpm2_getcap(1) and tpm2_dictionarylockout(1) commands, respectively Also tpm2-pin is not disk encryption password and short alphanumeric password needed so tpm decrypts the device; so encryption password should be secured in a safe place. Also check if your distro supports systemd-cryptenroll.

3. usb drive: read previous comment

4. clevis: It probably isn’t as simple as systemd-cryptenroll but I guess you can use zfs and combine that with tpm2-pin if not using secure boot (discouraged).

You’ll have to make a compromise somewhere between security and convenience. Even if you use pam mount, you’ll have to enter the password, biometrics won’t do.

Edit: remove unnecessary user tag and add img uri

Assuming you want:

1. Single password prompt instead of auto-decrypt with tpm
2. User’s files to be encrypted

There are several ways to achieve this:

1. autologin (recommended for single user system): / is encrypted using luks or zfs native encryption and user’s home needs to be unencrypted. User’s password may be same as encryption password for convenience, though they still are two passwords used for different purposes.

2. pam mount: / is unencrypted or auto-decrypted and user’s home is encrypted independently from / using zfs,luks,fscrypt,etc. In this case, user’s login password must be same as user’s home encryption password. It’s suitable for multi-user system. NOTE: It cannot be used with autologin since user’s home needs to be decrypted to log in.

WARNING: For tpm usage, using secure boot is highly recommended to prevent unauthorized user from accessing key stored in tpm.

To prevent auto-decrypt with tpm, tpm-pin can be used (with autologin for requirement #1).

3. systemd-cryptenroll with/without tpm: As far as I know it can be only used to unlock disk encrypted with luks2. It can be used without tpm with pkcs11-token (e.g. YubiKey) or fido2-device. It also uses parameter encryption while key is unsealed, so safe from key sniffing via communication bus. This is easy if secure boot is enabled and luks2 is used for encryption.

4. clevis with tpm: It can be used in place of systemd-cryptenroll. May be used with zfs native encryption. Though I’m not sure if it uses parameter encryption (correct me).

5. unencrypted keyfile on usb: Not sure about zfs, but you can use keyfile on a usb drive to decrypt luks containers.

NOTE: I’m not a forensic/security expert. I listed a brief overview of methods I could think of to keep user’s files encrypted while providing single password till login.

deleted by creator

Meanwhile kde scattering everything in .config/

if you happen to find the comparison, could you link it here

afaik openzfs provides authenticated encryption while luks integrity is marked experimental (as of now in man page).

openzfs also doesn’t reencrypt dedup blocks if dedup is enabled Tom Caputi’s talk, but dedup can just be disabled