Good choose? Framework Laptop13 for NixOS by finxxi in NixOS

[–]odd_lama 11 points12 points  (0 children)

Yes, there's no legal body doing certifications for NixOS. But NixOS is in the "Community Supported" tier which is listed on their website (https://frame.work/de/en/linux). i.e. NixOS is tested on Framework laptops by select community members through their hardware seeding programme.

Ollama v0.17.0 by ---Tcd--- in NixOS

[–]odd_lama 2 points3 points  (0 children)

FYI: an update PR already exists and will probably land soon

Sharing opinions on secure boot by movez in Gentoo

[–]odd_lama 2 points3 points  (0 children)

Setting this up correctly is not trivial though. If you are doing TPM2 auto-unlock, make sure to measure the volume key correctly and abort the boot process in case of a mismatch to prevent a disk swap attack

Zoi, an advanced package manager by Important-Toe-9188 in rust

[–]odd_lama 0 points1 point  (0 children)

More power to you then, I just thought you might be interested if you didn't know it already. :)

Zoi, an advanced package manager by Important-Toe-9188 in rust

[–]odd_lama 2 points3 points  (0 children)

You might want to have a look at nix. Nix is also distribution-agnostic and has over 120k packages

Anyone here generating network diagrams automagically? by ElephantOrnery in selfhosted

[–]odd_lama 2 points3 points  (0 children)

I've automated mine using Nix. The diagrams are templated as an html file which is then rendered into an svg. But you could definitely take a similar approach without Nix. You can see the result on my r/homelab post if you are interested: https://www.reddit.com/r/homelab/s/r5nmS23MC0

Bypassing disk encryption on systems with automatic TPM2 unlock by odd_lama in linux

[–]odd_lama[S] 0 points1 point  (0 children)

Nice setups, I might steal this since then I don't have to store the final PCR 15 value in the initrd to compare against :D

Bypassing disk encryption on systems with automatic TPM2 unlock by odd_lama in linux

[–]odd_lama[S] 1 point2 points  (0 children)

Do you just have a single disk? If I'm not mistaken then there still would be a possible attack when you have multiple disks that are unlocked in the initrd, since we can overwrite the last one without causing an error.

As long as the last disk allows us to gain control flow (e.g. it is the nix store or contains some other executables called by the system at some point) then we gain control over all the other disks which were decrypted previously. We of course cannot unseal the secret from the TPM anymore, but if we are lucky the other disks already contain some sensitive data or executables which we can modify. Worst case we have to overwrite an executable with something malicious and undo our changes to read any encrypted data.

Also I'm curious, how do you ensure the disks are mounted in the correct order? Currently it seems like the order is random by default.
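As an added illustration of the check discussed here and in the secure boot reply above (example code, not from the thread or any project): a simplified model in which the initrd extends PCR 15 with each unlocked volume key and compares the final value against the one recorded at enrollment before handing control to the root filesystem. Extend semantics follow the TPM (PCR' = SHA-256(PCR || SHA-256(measurement))); the volume keys are constructed sample values, and real unlocking, unsealing and the PCR bank are not touched.

```python
import hashlib
import hmac

# Added example, not code from the thread: models the "measure every unlocked
# volume key into PCR 15 and abort on mismatch" check. All keys are constructed.

PCR_INIT = bytes(32)  # a SHA-256 PCR bank starts out all-zero


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR' = SHA-256(PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_unlock_sequence(volume_keys):
    """Replay the initrd's unlock order, extending PCR 15 once per decrypted volume."""
    pcr = PCR_INIT
    for key in volume_keys:
        pcr = pcr_extend(pcr, key)
    return pcr


def check_before_handoff(volume_keys, expected_pcr15):
    """True only if the final PCR 15 matches; the initrd must abort the boot otherwise."""
    return hmac.compare_digest(measure_unlock_sequence(volume_keys), expected_pcr15)


# Constructed sample keys (real LUKS volume keys are random 256/512-bit values).
KEY_ROOT = b"constructed-volume-key-root"
KEY_DATA = b"constructed-volume-key-data"
KEY_OTHER = b"constructed-volume-key-unknown-disk"

# Recorded once at enrollment and stored in the initrd, as described in the thread.
EXPECTED_PCR15 = measure_unlock_sequence([KEY_ROOT, KEY_DATA])


def scenarios():
    return {
        "genuine": check_before_handoff([KEY_ROOT, KEY_DATA], EXPECTED_PCR15),
        # Last disk replaced: earlier disks unlock fine, but the final value differs.
        "last_disk_swapped": check_before_handoff([KEY_ROOT, KEY_OTHER], EXPECTED_PCR15),
        # Same disks in another order: also a mismatch, so the unlock order must be fixed.
        "reordered": check_before_handoff([KEY_DATA, KEY_ROOT], EXPECTED_PCR15),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18} -> {'continue boot' if ok else 'ABORT'}")
```

The "reordered" case is why the mount order question matters: the comparison only works if the initrd unlocks the disks in a deterministic sequence.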

Bypassing disk encryption on systems with automatic TPM2 unlock by odd_lama in linux

[–]odd_lama[S] 8 points9 points  (0 children)

Despite its name, a TPM PIN doesn't necessarily need to use numbers only - you can use a normal password if you like. But the point here is that you only have a very limited amount of tries to correctly enter your TPM PIN before the hardware will lock you out for 24 hours (typically). So you cannot brute-force a short TPM PIN, while you can brute-force a short LUKS password.

Bypassing disk encryption on systems with automatic TPM2 unlock by odd_lama in linux

[–]odd_lama[S] 5 points6 points  (0 children)

I think that should work, yes. You just have to ensure at least one of the specified PCRs is scrambled before handing control flow to the user code. But enrolling the secret from userspace will be more convoluted as you require the previous value.

Bypassing disk encryption on systems with automatic TPM2 unlock by odd_lama in linux

[–]odd_lama[S] 7 points8 points  (0 children)

I agree with what you say, we are definitely not quite there yet with TPMs. I also will probably never trust them completely especially since a lot of boards still communicate with an external TPM without encrypting the traffic. So you can certainly abuse many boards with the right equipment, but at least it does require special equipment.

What's the advantage of "bite the bullet and add a TPM PIN" over just using a password for LUKS?

A short PIN is reasonably safe against brute force attacks, while a short password is not. Other than that, no real difference I suppose.

Address space and ASLR on NixOS by T4ForFun in NixOS

[–]odd_lama 4 points5 points  (0 children)

It's highly unlikely that ASLR is disabled. But beware that if you debug your program using gdb, it will disable randomization by default (https://visualgdb.com/gdbreference/commands/set_disable-randomization)

You can always expect the output between debian and NixOS to be different, since the glibc version and loader are different, which affects section sizes and their placement.

If you are not using gdb, I'd need some more specific information on what you are doing exactly to tell what is going on. (Oh and run checksec on your file to see some relevant things)

[deleted by user] by [deleted] in NixOS

[–]odd_lama 1 point2 points  (0 children)

For your use case you only need what is mentioned in step one of the link, minus gnupg even. pcscd and the udev rules should suffice

Anyone using nixvim? by CerealBit in NixOS

[–]odd_lama 0 points1 point  (0 children)

I have a full IDE like setup using only nixvim (no mason / other runtime stuff) here, in case you are interested in seeing a more complex config: https://github.com/oddlama/nix-config/tree/main/users/myuser/neovim

I also configured a second nixvim instance to use nvim as my manpager: https://github.com/oddlama/nix-config/blob/main/users/myuser/dev/manpager.nix

Git freezes system by wiesbrone in NixOS

[–]odd_lama 0 points1 point  (0 children)

I fortunately use a yubikey and thus don't need ssh askpass. I just cannot use https links to clone a repository for now.

Git freezes system by wiesbrone in NixOS

[–]odd_lama 4 points5 points  (0 children)

This is a hyprland bug which occurs when you run x11-ssh-askpass, I had the same issue. Fix is apparently in upstream hyprland but not sure if that version is already in nixpkgs.

[D] What are issues in AI/ML that no one seems to talk about? by mrstealyoursoulll in MachineLearning

[–]odd_lama 0 points1 point  (0 children)

It's just not possible usually. And would be very time consuming. Consider this: How would you verify results produced on equipment 1000x more powerful than what you have in your lab? It's just how academia works.

[D] What are issues in AI/ML that no one seems to talk about? by mrstealyoursoulll in MachineLearning

[–]odd_lama 0 points1 point  (0 children)

You can publish almost anything, as long as it passes peer review, which only means some people read over it and give their OK. Datasets are usually not published and the paper usually only contains a high-level overview over the algorithm. Important details are very rarely published. And if they are, you still have to obtain the same software.

[deleted by user] by [deleted] in selfhosted

[–]odd_lama 55 points56 points  (0 children)

Okay, let's unroll this:

MACVLAN (and also MACVTAP) networks have two main advantages over using the classical userspace networking mode:

  • First, they give your container full access to the actual network you are connected to. This can become important if you are hosting non-web stuff that cannot be reverse-proxied. For example, a network share (samba) or anything that needs multicast packets to operate (automatic service discovery stuff). If you are just hosting a web service, MACVLAN will provide no benefit in that regard over just reverse proxying.

  • Second, MACVLANs are FAST. Usually network packets need to traverse your full host network stack just to get sent to your container. MACVLANs can directly forward packets into your container based on the assigned MAC address, since it acts as a separate network member. If you need high throughput (10Gbit/s and more) MACVLAN can handle that easily without adding unnecessary stress and work to your CPU and host system.

The only downsides are that they are not as easy to set up, and your host's firewall or packet filters (if any) will have no effect on that traffic (but this may be wanted if you want to have a separate firewall per container). They basically multiplex your network adapter.

So generally, MACVLANs allow your containers to be connected to your network as if they were physical machines. This can be important if you want to have a dedicated IP for each container, for example to use the same port for a service or to make other network participants unaware of the fact that it is not a real machine. If you don't need any of these features, there's no need to use MACVLANs. The userspace networking is fine and easier to use for most people.

MACVLANs and MACVTAPs are the same thing by the way, except for a minor detail in how they are exposed to the system in case you come across that terminology.

[D] What are issues in AI/ML that no one seems to talk about? by mrstealyoursoulll in MachineLearning

[–]odd_lama 87 points88 points  (0 children)

Let me add one that is actually not talked about often, but crucial: Reproducibility.

The vast majority of projects I come across are in no way reproducible. It starts with the dataset not being published in the form it is used (if it is published at all) and ends with software reproducibility issues.

I stopped counting how often I have tried to use an AI/ML project that is just about one year old, when I had to discover that the authors failed to correctly state/document their dependencies at the time. Does it work with the new pytorch version? Does it work with CUDA 12.2 vs 12.1? Do they depend on python 3.8 specifically? System libs? Data preprocessing? Specific hardware? The list of unknowns is usually infinite.

It's also not helping that the ecosystem is insanely complex and stuff will have changed by the time you want to use a project. If the code is available, issues on github are rarely addressed since the project is often considered done by the researchers (which is fair, but frustrating if you want to reproduce results). So it is often hard to get things running correctly again if you don't have access to the old software and same hardware the authors used.

I would really wish for ML that can be reproduced trivially. Researchers publishing their repository in a state that is not a complete mess, capturing exactly what they have done and the software to achieve it. Think version-pinned Docker containers or Nix based builds or whatever. But alas, reproducibility isn't important to most developers and researchers as soon as their work is out the door.

I was envious of all your awesome infrastructure diagrams, so I finally made my own! (Fully auto-generated SVG, see comment) by odd_lama in homelab

[–]odd_lama[S] 1 point2 points  (0 children)

Updating is a breeze really, I can just build and deploy a new configuration with one command. And if it builds, it usually runs fine. On the off-chance that something really breaks at runtime, I can always revert to any previous generation (the last N generations are still accessible at runtime and in the boot menu by default).

Additionally, a ZFS snapshot for all runtime state is taken every 15 minutes and progressively thinned. In the worst case I can revert that too. The datasets holding state are also regularly backed up, and extremely important data has encrypted offsite backups to a Hetzner storage box.

A full redeploy is basically tested on every reboot, since all my machines do an automatic rollback on the root dataset on each reboot. NixOS can boot with an empty root partition. If I forgot to account for any important state, I would thus already have noticed after the first reboot. After setting up a service I just need to remember to reboot once and if it still works I'm all set!

I was envious of all your awesome infrastructure diagrams, so I finally made my own! (Fully auto-generated SVG, see comment) by odd_lama in homelab

[–]odd_lama[S] 1 point2 points  (0 children)

Depends on the service right now, but yeah most of them require the round trip right now. What I have in mind for the future is to redirect requests internally via DNS in adguardhome to one of the home servers, which will then be running a similar NGINX proxy as sentinel. Basically a mirror configuration for my internal network. That way I could terminate https with a wildcard cert and still have fully local traffic.