r2r-dev

chroot Environments on macOS

This is a draft.

macOS doesn’t have many of the advanced Linux or UNIX features that have come about in the past 20 years. So getting a proper chroot environment up and running takes a little more work.

Linux Desktop on Apple Silicon in Practice

I bought M1 MacBook Air. It is the fastest computer I have, and I have been a GNOME/GNU/Linux user for long time. It is obvious conclusion that I need practical Linux desktop environment on Apple Silicon.

Fortunately, Linux already works on Apple Silicon/M1. But how practical is it?

Two native ports exist.

Building a complete GNU toolchain

Things required:

Linux headers: https://cdn.kernel.org/pub/linux/kernel/
Binutils: https://www.gnu.org/software/binutils/
GCC: https://www.gnu.org/software/gcc/
glibc: https://www.gnu.org/software/libc/

Environment variables

Hardware Prerequisites

You'll need at least the following hardware:

At least 3 USB-A to USB-C converters or hub with enough ports for at least 3 USB devices if all your devices are USB-A then:
A USB drive
A USB keyboard
USB to Ethernet adapter, compatible USB dongle or USB tethering on a phone

tldr; try this: sudo iptables -D INPUT -j nixos-fw

Nix firewall chain drops connections from the kubedns Pod's attempt to contact api server.

This results in timeouts:

E0303 20:18:26.598781       1 reflector.go:199] pkg/dns/dns.go:145: Failed to list *api.Endpoints: Get https://10.0.0.1:443/api/v1/endpoints?resourceVersion=0: dial tcp 10.0.0.1:443: i/o timeout

I'm learning about SOPS and setting it up as my preferred mechanism for storing secrets. Here are my notes.

PGP

It’s security mechanism is that we (i.e. client) use a PUBLIC key from the receiver (i.e. server) and encode it with a random key (I’m saying nonce but it could be reused)

This varies from RSA and SSH because the server uses a PUBLIC key to identify the client.

Web of trust

Web of trust operates by still using PGP (i.e. encoding with recipient’s public key) but additionally, we can encrypt/sign the data as our own by signing it with the client’s private key.

This means the recipient will initially decrypt via our (i.e. client’s) public key (verifying the source) and then decrypting via their (i.e. server’s) private key to get the data.

After updating the configuration

nixos-rebuild switch

I had to restart the system for pulseaudio to load the bluetooth module.

pactl list should show the bluetooth module.

As I'm not using a desktop-manager I've configured the device from the command line following ArchLinux instructions

	with import ./. {};

	let

	extraSources = [];
	lib = pkgs.lib;

	optionsListVisible =
	lib.filter (opt: opt.visible && !opt.internal)
	(lib.optionAttrSetToDocList options);

	{ config, pkgs, ... }:

	{
	# Kubernetes configuration
	# Insecure, for local development only, totally unsuitable for production
	services.kubernetes = {
	roles = ["master" "node"];

	# Without explicitly defined keys things will break after reboot,
	# as by default keys will be generated in /var/run/kubernetes.

	{ config, lib, pkgs, ... }:

	with lib;

	{
	imports = [
	# ISO image
	<nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix>
	# Hardware support similar to installer Live CD
	<nixpkgs/nixos/modules/profiles/all-hardware.nix>