diff --git a/content/console.md b/content/2020-05-19-console.md similarity index 100% rename from content/console.md rename to content/2020-05-19-console.md diff --git a/content/2023-10-27-nixos.md b/content/2023-10-27-nixos.md new file mode 100644 index 0000000..73aa041 --- /dev/null +++ b/content/2023-10-27-nixos.md 
@@ -0,0 +1,48 @@ ++++ +title = "Bye bye Fedora - Hello NixOS" +date = 2023-10-27 +[taxonomies] +tags = [ "Fedora", "NixOS"] ++++ + +After over twenty years of using Red Hat and Fedora, it's time to move on to explore other possibilities. +Although my secure boot laptop still uses [VerityBook](https://github.com/haraldh/VerityBook), which is based +on Fedora, my other machines are now running [NixOS](https://nixos.org/). + + + +How come? Well, for the [Enarx Project](https://enarx.dev/) and generally for software running in a TEE, +the desired state is to run reproducible binaries. And in this field NixOS really shines. Not only can it produce +the binaries reproducibly, but also docker images, disk images and the like. This also comes handy in my current job +at [MatterLabs](https://matter-labs.io/), where I am working on stuff TEE related +(soon to be open sourced and blogged about). + +With NixOS I can keep my system configuration for several machines in just one file +(although split with an include like mechanism) and have reusable parts across machines. + +Also, the configuration of one service affects the configuration of other services automatically, +so you don't have to micromanage every configuration file. It's like having something like Ansible or +Terraform built into a kickstart file. + +With [`nixos-rebuild`](https://nixos.wiki/wiki/Nixos-rebuild) I can reconfigure remote machines via ssh and sudo +and with [`nixos-anywhere`](https://github.com/nix-community/nixos-anywhere) I can even format the disks +and deploy NixOS on nearly every existing Linux machine (replacing the old distro). + +In the future I want to explore the mantra of ["Erase your darlings"](https://grahamc.com/blog/erase-your-darlings/), +where one attempts to extract the parts, which are not generated by the nix configuration (and are part of the backup). 
+ +Another interesting feature of the nix configuration is the possibility to create VM images, +which I might turn into a VerityBook like partition image with dmverity, which can then be signed +and used for a secure boot setup. Build the image on a trusted machine, sign it and deploy the image +to the machines, just like with VerityBook. But those plans have to wait until I have more time. + +To overcome the steep learning curve for the nix language these tutorials helped me a lot: +* [Nix Pills](https://nixos.org/guides/nix-pills) +* [Zero to Nix](https://zero-to-nix.com/) + +The only downside so far have been the slow response times to security issues due to the missing infrastructure for mass +rebuilds. I hope a solution for this can be found in the future. + +Sorry Fedora community, you have served me well over 2 decades. It's time to move on and explore new possibilities. + + diff --git a/content/_index.md b/content/_index.md index cbca776..fc33cfa 100644 --- a/content/_index.md +++ b/content/_index.md @@ -1,4 +1,4 @@ +++ -paginate_by = 5 +paginate_by = 10 sort_by = "date" +++
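Review bot: Near the end of the new content/2023-10-27-nixos.md, the sentence "The only downside so far have been the slow response times to security issues due to the missing infrastructure for mass rebuilds" has a subject/verb mismatch (it should read "has been") and states a security-relevant claim without any reference. Consider linking an issue or discussion that documents the delay, so readers can judge how long a fix takes to reach them. Smaller wording points in the same hunk: "comes handy" should read "comes in handy", "include like" and "VerityBook like" want hyphens, and "dmverity" is normally written "dm-verity".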
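Review bot: The change from "paginate_by = 5" to "paginate_by = 10" in content/_index.md is unrelated to the new NixOS post that the rest of this diff adds. Move it to its own commit, or at least name it in the commit message, so that a site-wide listing change is not hidden inside a content commit. The same applies to the rename of content/console.md to content/2020-05-19-console.md at the top of the diff.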