Re: [Nix-dev] How to add file to initrd?
2015-09-11 15:05 GMT+03:00 Tomasz Czyż:
>
> Mhm, that's definitely not cool. I thought it will appear only inside initrd
> image :[

A copy of the initrd is always kept in /nix/store, but also the .drv file and
potentially any generated scripts (for building the initrd) might contain the key.

> Do you think is there any other way to put this key in initrd?

GRUB supports loading multiple initrd images at once. For example,
on Arch Linux the generated grub.cfg contains this:

    menuentry 'Arch Linux' --class arch --class gnu-linux /* etc. */ {
        # ...
        initrd /boot/intel-ucode.img /boot/initramfs-linux.img
    }

So one approach would be to create an initrd with just the keyfile
(outside Nix), place it on the /boot partition, and then somehow
make the grub.cfg generator emit the proper initrd line(s).

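The approach described in the message above, as an added example (not code from the thread or from NixOS): pack only the keyfile into its own newc cpio archive with owner-only permissions, to be listed after the main image on GRUB's initrd line. The function names, the in-archive name `key` and the paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example: build a key-only initrd outside Nix, so the key never enters
# /nix/store. Names and paths are assumptions, not NixOS or thread code.

# build_key_initrd KEYFILE OUT
# Packs KEYFILE as "key" (mode 0400) into an uncompressed newc cpio archive at
# OUT (mode 0600). Unpacked by the kernel, it appears as /key in the initramfs.
# The body runs in a subshell so the umask change does not leak to the caller.
build_key_initrd() (
    keyfile=$1 out=$2
    command -v cpio >/dev/null 2>&1 || { echo "cpio not found" >&2; exit 3; }
    [ -s "$keyfile" ] || { echo "empty or missing keyfile" >&2; exit 2; }
    umask 077                 # staging dir and image are never group/world readable
    stage=$(mktemp -d) || exit 1
    rm -f -- "$out"           # do not inherit the mode of an older, wider file
    if cp -- "$keyfile" "$stage/key" && chmod 400 "$stage/key" &&
       (cd "$stage" && printf 'key\n' | cpio -o -H newc 2>/dev/null) >"$out"
    then rc=0
    else rc=1
    fi
    rm -rf -- "$stage"
    exit "$rc"
)

# list_initrd IMAGE: print the member names of an uncompressed cpio image.
list_initrd() {
    cpio -it <"$1" 2>/dev/null
}

# Typical use (as root, so the archived file is owned by root; hypothetical paths):
#   build_key_initrd /root/luks.key /boot/key-initrd.img
# The generated grub.cfg entry would then need a line such as:
#   initrd /boot/initramfs-linux.img /boot/key-initrd.img
```

The image only stays private if the directory it is placed in is itself not readable by other users.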
Re: [Nix-dev] How to add file to initrd?
2015-09-11 19:03 GMT+01:00 Tuomas Tynkkynen:

> 2015-09-11 15:05 GMT+03:00 Tomasz Czyż:
> >
> > Mhm, that's definitely not cool. I thought it will appear only inside
> > initrd image :[
>
> A copy of the initrd is always kept in /nix/store, but also the .drv file
> and potentially any generated scripts (for building the initrd) might
> contain the key.
>
> > Do you think is there any other way to put this key in initrd?
>
> GRUB supports loading multiple initrd images at once. For example,
> on Arch Linux the generated grub.cfg contains this:
>
>     menuentry 'Arch Linux' --class arch --class gnu-linux /* etc. */ {
>         # ...
>         initrd /boot/intel-ucode.img /boot/initramfs-linux.img
>     }
>
> So one approach would be to create an initrd with just the keyfile
> (outside Nix), place it on the /boot partition, and then somehow
> make the grub.cfg generator emit the proper initrd line(s).

wow, I was not aware that stuff is even possible. I have to read more about
how to access stuff from the other initrd.

Btw, I search through /nix/store and the key copied with "echo ${key} > /key"
is not there, so probably it's only inside a script, which is still bad.

Thanks a lot.
Tom

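A check for the leak discussed in this thread, as an added example (not from the thread): list world-readable files under a store directory that contain the keyfile's contents, either verbatim or inside a gzip-compressed file such as an initrd image. It assumes a single-line text key and GNU-style grep and gzip; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory tree (for instance /nix/store) for
# world-readable files that embed the contents of a keyfile.

# find_key_leaks KEYFILE DIR
# Prints the path of every file under DIR that is readable by "other" and
# contains the key, either as plain bytes (generated scripts, .drv files) or
# inside a gzip stream (an initrd is commonly a gzip-compressed cpio archive,
# and cpio stores member data verbatim).
find_key_leaks() {
    keyfile=$1
    dir=$2
    # grep -f with an empty pattern file matches every line; refuse that case.
    [ -s "$keyfile" ] || { echo "empty or missing keyfile" >&2; return 2; }
    # -perm -004: the "other" read bit is set, i.e. any local user can read it.
    find "$dir" -type f -perm -004 | while IFS= read -r f; do
        # -a: treat binary files as text, -F: fixed string, -q: status only.
        # The key is passed via -f so it never shows up in a process listing.
        if grep -aqF -f "$keyfile" -- "$f" 2>/dev/null ||
           gzip -dc -- "$f" 2>/dev/null | grep -aqF -f "$keyfile"
        then
            printf '%s\n' "$f"
        fi
    done
}

# Typical use (as root, hypothetical key path):
#   find_key_leaks /root/luks.key /nix/store
```

A hit proves the key is exposed; an empty result does not prove the opposite, since a key containing quotes or backslashes can be stored in escaped form and an image may use a compressor other than gzip.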
Re: [Nix-dev] How to add file to initrd?
2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen:

> (Argh, replying to the list this time...)
>
> 2015-09-09 9:03 GMT+03:00 Bryan Gardiner:
> > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> [...]
> >
> > How about doing something like:
> >
> >     preLVMCommands =
> >       let key = builtins.readFile ./keyfile; in
> >       "echo '${key}' >/key"
> >
>
> Do note that by doing this, the key will get embedded somewhere in
> /nix/store, with world-readable unix permissions.

Mhm, that's definitely not cool. I thought it will appear only inside initrd
image :[
Do you think is there any other way to put this key in initrd?

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
(Argh, replying to the list this time...)

2015-09-09 9:03 GMT+03:00 Bryan Gardiner:
> On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
[...]
>
> How about doing something like:
>
>     preLVMCommands =
>       let key = builtins.readFile ./keyfile; in
>       "echo '${key}' >/key"
>

Do note that by doing this, the key will get embedded somewhere in
/nix/store, with world-readable unix permissions.

Re: [Nix-dev] How to add file to initrd?
On Fri, Sep 11, 2015 at 03:39:34PM +0100, Tomasz Czyż wrote:
> 2015-09-11 15:31 GMT+01:00 Bryan Gardiner:
>
> > On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen:
> > >
> > > > (Argh, replying to the list this time...)
> > > >
> > > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner:
> > > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > > [...]
> > > > >
> > > > > How about doing something like:
> > > > >
> > > > >     preLVMCommands =
> > > > >       let key = builtins.readFile ./keyfile; in
> > > > >       "echo '${key}' >/key"
> > > > >
> > > >
> > > > Do note that by doing this, the key will get embedded somewhere in
> > > > /nix/store, with world-readable unix permissions.
> > >
> > > Mhm, that's definitely not cool. I thought it will appear only inside
> > > initrd image :[
> > > Do you think is there any other way to put this key in initrd?
> >
> > If you don't want it in plain text, you could compress or obfuscate it
> > by any means, then reverse that in the initrd... The
> > extraUtilsCommands method will certainly result in "not simply plain
> > text." Though this is security by obscurity, and I don't know a quick
> > way to truly secure it without having to enter your password an extra
> > time. Nix doesn't support non-world-readable data in the store.
>
> Thanks for explanation.
>
> > Can Grub pass its unlock password to the initrd? If so, you could
> > decrypt the keyfile with that, and only put an encrypted keyfile in
> > the store.
>
> Not really, that's why I want to put key inside initrd. Otherwise I could
> decrypt partitions with the pass from grub.
>
> > Or maybe you could restrict non-root users from accessing the initrds
> > in the store via grsec or apparmor.
>
> Mhm, I see.
> What about putting something into initrd but not adding it to nixstore?
> Do you think is there any initrd hook I can use to add stuff?

That could work, if you find how the initrd is copied over. Grub
manages to make /boot/grub have 700 permissions, so if you extract +
insert + rebuild the initrd during its installation, and make
/boot/kernels 700 as well? In my readings of nixpkgs/nixos, I haven't
gotten to the bottom of the rabbit hole and found out how nixos
modules *actually* have an effect on the world yet :).

Cheers,
Bryan

Re: [Nix-dev] How to add file to initrd?
2015-09-11 15:31 GMT+01:00 Bryan Gardiner:

> On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen:
> >
> > > (Argh, replying to the list this time...)
> > >
> > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner:
> > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > [...]
> > > >
> > > > How about doing something like:
> > > >
> > > >     preLVMCommands =
> > > >       let key = builtins.readFile ./keyfile; in
> > > >       "echo '${key}' >/key"
> > > >
> > >
> > > Do note that by doing this, the key will get embedded somewhere in
> > > /nix/store, with world-readable unix permissions.
> >
> > Mhm, that's definitely not cool. I thought it will appear only inside
> > initrd image :[
> > Do you think is there any other way to put this key in initrd?
>
> If you don't want it in plain text, you could compress or obfuscate it
> by any means, then reverse that in the initrd... The
> extraUtilsCommands method will certainly result in "not simply plain
> text." Though this is security by obscurity, and I don't know a quick
> way to truly secure it without having to enter your password an extra
> time. Nix doesn't support non-world-readable data in the store.

Thanks for explanation.

> Can Grub pass its unlock password to the initrd? If so, you could
> decrypt the keyfile with that, and only put an encrypted keyfile in
> the store.

Not really, that's why I want to put key inside initrd. Otherwise I could
decrypt partitions with the pass from grub.

> Or maybe you could restrict non-root users from accessing the initrds
> in the store via grsec or apparmor.

Mhm, I see.
What about putting something into initrd but not adding it to nixstore?
Do you think is there any initrd hook I can use to add stuff?

Tom

> Cheers,
> Bryan

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen:
>
> > (Argh, replying to the list this time...)
> >
> > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner:
> > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > [...]
> > >
> > > How about doing something like:
> > >
> > >     preLVMCommands =
> > >       let key = builtins.readFile ./keyfile; in
> > >       "echo '${key}' >/key"
> > >
> >
> > Do note that by doing this, the key will get embedded somewhere in
> > /nix/store, with world-readable unix permissions.
>
> Mhm, that's definitely not cool. I thought it will appear only inside
> initrd image :[
> Do you think is there any other way to put this key in initrd?

If you don't want it in plain text, you could compress or obfuscate it
by any means, then reverse that in the initrd... The
extraUtilsCommands method will certainly result in "not simply plain
text." Though this is security by obscurity, and I don't know a quick
way to truly secure it without having to enter your password an extra
time. Nix doesn't support non-world-readable data in the store.

Can Grub pass its unlock password to the initrd? If so, you could
decrypt the keyfile with that, and only put an encrypted keyfile in
the store.

Or maybe you could restrict non-root users from accessing the initrds
in the store via grsec or apparmor.

Cheers,
Bryan

Re: [Nix-dev] How to add file to initrd?
Thanks for all the tips Bryan.

2015-09-11 16:02 GMT+01:00 Bryan Gardiner:

> On Fri, Sep 11, 2015 at 03:39:34PM +0100, Tomasz Czyż wrote:
> > 2015-09-11 15:31 GMT+01:00 Bryan Gardiner:
> >
> > > On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > > > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen:
> > > >
> > > > > (Argh, replying to the list this time...)
> > > > >
> > > > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner:
> > > > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > > > [...]
> > > > > >
> > > > > > How about doing something like:
> > > > > >
> > > > > >     preLVMCommands =
> > > > > >       let key = builtins.readFile ./keyfile; in
> > > > > >       "echo '${key}' >/key"
> > > > > >
> > > > >
> > > > > Do note that by doing this, the key will get embedded somewhere in
> > > > > /nix/store, with world-readable unix permissions.
> > > >
> > > > Mhm, that's definitely not cool. I thought it will appear only inside
> > > > initrd image :[
> > > > Do you think is there any other way to put this key in initrd?
> > >
> > > If you don't want it in plain text, you could compress or obfuscate it
> > > by any means, then reverse that in the initrd... The
> > > extraUtilsCommands method will certainly result in "not simply plain
> > > text." Though this is security by obscurity, and I don't know a quick
> > > way to truly secure it without having to enter your password an extra
> > > time. Nix doesn't support non-world-readable data in the store.
> >
> > Thanks for explanation.
> >
> > > Can Grub pass its unlock password to the initrd? If so, you could
> > > decrypt the keyfile with that, and only put an encrypted keyfile in
> > > the store.
> >
> > Not really, that's why I want to put key inside initrd. Otherwise I could
> > decrypt partitions with the pass from grub.
> >
> > > Or maybe you could restrict non-root users from accessing the initrds
> > > in the store via grsec or apparmor.
> >
> > Mhm, I see.
> > What about putting something into initrd but not adding it to nixstore?
> > Do you think is there any initrd hook I can use to add stuff?
>
> That could work, if you find how the initrd is copied over. Grub
> manages to make /boot/grub have 700 permissions, so if you extract +
> insert + rebuild the initrd during its installation, and make
> /boot/kernels 700 as well? In my readings of nixpkgs/nixos, I haven't
> gotten to the bottom of the rabbit hole and found out how nixos
> modules *actually* have an effect on the world yet :).
>
> Cheers,
> Bryan

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
2015-09-09 7:03 GMT+01:00 Bryan Gardiner:

> On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > Hi,
> >
> > Continuation of this thread:
> > http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880
> >
> > I already successfully set up crypted partitions for mdadm and for zfs. The
> > system is mounting them properly with standard nixos configuration using
> > ``boot.initrd.luks`` configs.
> >
> > But for each mount I have to pass password/key. I thought I can put keys
> > for all partitions to initrd as initrd is on encrypted boot partition
> > (boot). The process would be like:
> > * enter password for grub
> > * grub loads initrd
> > * initrd unlocks all other partitions
> >
> > Currently it works for me in very strange way.
> > I am using preLVMCommands option with "echo 'mykey' > /key".
> > I don't like it because I cannot keep my configuration on git somewhere
> > cause it expose my passwords.
>
> How about doing something like:
>
>     preLVMCommands =
>       let key = builtins.readFile ./keyfile; in
>       "echo '${key}' >/key"
>
> then putting keyfile in gitignore?

Thanks Bryan,

looks like good trick :-) I'm new to nix, I didn't even thought about that
stuff, cheers!

Tom

> - Bryan
>
> > Is there any way to add key files to initrd? (I found some "extra" options
> > for boot partition but not for initrd, maybe there are some hooks I'm not
> > aware of)

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
Thank you, I'll try.
I couldn't find this in docs, it's kind of undocumented feature or I just
was not looking carefully?

Tom

2015-09-09 5:59 GMT+01:00:

> On Tuesday, September 08, 2015 20:09:16 Tomasz Czyż wrote:
> > Is there any way to add key files to initrd? (I found some "extra" options
> > for boot partition but not for initrd, maybe there are some hooks I'm not
> > aware of)
>
> boot.initrd.extraUtilsCommands looks like a good match.
>
> --
> Evgeny

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
On Thu, Sep 10, 2015 at 09:18:38AM +0100, Tomasz Czyż wrote:
> Thank you, I'll try.
> I couldn't find this in docs, it's kind of undocumented feature or I just
> was not looking carefully?

It has internal = true; set on the declaration in
nixpkgs/nixos/modules/system/boot/stage-1.nix, probably why it doesn't
show up in the manual.

- Bryan

Re: [Nix-dev] How to add file to initrd?
2015-09-10 16:27 GMT+01:00 Bryan Gardiner:

> On Thu, Sep 10, 2015 at 09:18:38AM +0100, Tomasz Czyż wrote:
> > Thank you, I'll try.
> > I couldn't find this in docs, it's kind of undocumented feature or I just
> > was not looking carefully?
>
> It has internal = true; set on the declaration in
> nixpkgs/nixos/modules/system/boot/stage-1.nix, probably why it doesn't
> show up in the manual.

Thanks for clarification.

Tom

> - Bryan

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
Permission denied – if I try use /key.

2015-09-10 21:58 GMT+01:00 Bryan Gardiner:

> On Thu, Sep 10, 2015 at 09:22:13PM +0100, Tomasz Czyż wrote:
> > I have a problem with this method as you cannot copy the file outside
> > extras tree.
> >
> > I used:
> >
> >    "cp /my.key $out/key" - the final file is in /nix/store/X/here
> > (hard to access, if hash will change this stuff stop work.
> >
> >    "cp /my.key $out/../../key" or "cp /my.key /key" doesn't work,
> > permission error, so I cannot put key in the root of initrd.
>
> I don't have encrypted boot going myself... I'm passing on a reply I
> got off-list from Leroy (bcc'ed, thanks, hope you don't mind), whose
> config works using boot.initrd.extraUtilsCommands:
>
> On Wed, Sep 09, 2015 at 07:40:21PM +1200, Leroy Hopson wrote:
> > Hi Bryan,
> >
> > I have a similar setup. I'm using `boot.initrd.extraUtilsCommands` as
> > Evygeny suggested.
> >
> > Here is a link to the relevant section of my configuration:
> > https://github.com/lihop/nixos/blob/7b1b0a7fd4396713573c35368791e32843feb957/devices/desktop.nix#L59-L72
> >
> > Regards,
> > Leroy
>
> He's putting the keyfile in the initrd's /bin, then I suspect that
> $PATH is only "/bin" in his keyFile = ...; arguments. If that's the
> case, then with your first cp command above, your keyfile should
> simply be at "/key" in your initrd, no need to know the hash.
>
> Cheers,
> Bryan

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
I have a problem with this method as you cannot copy the file outside
extras tree.

I used:

   "cp /my.key $out/key" - the final file is in /nix/store/X/here
(hard to access, if hash will change this stuff stop work.

   "cp /my.key $out/../../key" or "cp /my.key /key" doesn't work,
permission error, so I cannot put key in the root of initrd.

Tom

2015-09-09 5:59 GMT+01:00:

> On Tuesday, September 08, 2015 20:09:16 Tomasz Czyż wrote:
> > Is there any way to add key files to initrd? (I found some "extra" options
> > for boot partition but not for initrd, maybe there are some hooks I'm not
> > aware of)
>
> boot.initrd.extraUtilsCommands looks like a good match.
>
> --
> Evgeny

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
2015-09-10 9:19 GMT+01:00 Tomasz Czyż:

> 2015-09-09 7:03 GMT+01:00 Bryan Gardiner:
>
> > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > Hi,
> > >
> > > Continuation of this thread:
> > > http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880
> > >
> > > I already successfully set up crypted partitions for mdadm and for zfs. The
> > > system is mounting them properly with standard nixos configuration using
> > > ``boot.initrd.luks`` configs.
> > >
> > > But for each mount I have to pass password/key. I thought I can put keys
> > > for all partitions to initrd as initrd is on encrypted boot partition
> > > (boot). The process would be like:
> > > * enter password for grub
> > > * grub loads initrd
> > > * initrd unlocks all other partitions
> > >
> > > Currently it works for me in very strange way.
> > > I am using preLVMCommands option with "echo 'mykey' > /key".
> > > I don't like it because I cannot keep my configuration on git somewhere
> > > cause it expose my passwords.
> >
> > How about doing something like:
> >
> >     preLVMCommands =
> >       let key = builtins.readFile ./keyfile; in
> >       "echo '${key}' >/key"
> >
> > then putting keyfile in gitignore?
>
> Thanks Bryan,
>
> looks like good trick :-) I'm new to nix, I didn't even thought about that
> stuff, cheers!
>
> Tom

To sum up.

This method works pretty well as long as you do "echo -n" so it won't add
new line at the end of your key.
But the method is not the best as if there any problem inside the script,
the content of the file is printed on the screen (during the boot process).
Not problem for me as I'm using boot partition encryption, but it's kind of
concern.

Anyway thanks for sharing this tip!

> > - Bryan
> >
> > > Is there any way to add key files to initrd? (I found some "extra" options
> > > for boot partition but not for initrd, maybe there are some hooks I'm not
> > > aware of)
>
> --
> Tomasz Czyż

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> Hi,
>
> Continuation of this thread:
> http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880
>
> I already successfully set up crypted partitions for mdadm and for zfs. The
> system is mounting them properly with standard nixos configuration using
> ``boot.initrd.luks`` configs.
>
> But for each mount I have to pass password/key. I thought I can put keys
> for all partitions to initrd as initrd is on encrypted boot partition
> (boot). The process would be like:
> * enter password for grub
> * grub loads initrd
> * initrd unlocks all other partitions
>
> Currently it works for me in very strange way.
> I am using preLVMCommands option with "echo 'mykey' > /key".
> I don't like it because I cannot keep my configuration on git somewhere
> cause it expose my passwords.

How about doing something like:

    preLVMCommands =
      let key = builtins.readFile ./keyfile; in
      "echo '${key}' >/key"

then putting keyfile in gitignore?

- Bryan

> Is there any way to add key files to initrd? (I found some "extra" options
> for boot partition but not for initrd, maybe there are some hooks I'm not
> aware of)

[Nix-dev] How to add file to initrd?
Hi,

Continuation of this thread:
http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880

I already successfully set up crypted partitions for mdadm and for zfs. The
system is mounting them properly with standard nixos configuration using
``boot.initrd.luks`` configs.

But for each mount I have to pass password/key. I thought I can put keys
for all partitions to initrd as initrd is on encrypted boot partition
(boot). The process would be like:
* enter password for grub
* grub loads initrd
* initrd unlocks all other partitions

Currently it works for me in very strange way.
I am using preLVMCommands option with "echo 'mykey' > /key".
I don't like it because I cannot keep my configuration on git somewhere
cause it expose my passwords.

Is there any way to add key files to initrd? (I found some "extra" options
for boot partition but not for initrd, maybe there are some hooks I'm not
aware of)

-- 
Tomasz Czyż

Re: [Nix-dev] How to add file to initrd?
On Tuesday, September 08, 2015 20:09:16 Tomasz Czyż wrote:
> Is there any way to add key files to initrd? (I found some "extra" options
> for boot partition but not for initrd, maybe there are some hooks I'm not
> aware of)

boot.initrd.extraUtilsCommands looks like a good match.

-- 
Evgeny