nixos post
parent
dc432fc70b
commit
d5524dee6d
48
content/2023-10-27-nixos.md
Normal file
@ -0,0 +1,48 @@
+++
title = "Bye bye Fedora - Hello NixOS"
date = 2023-10-27
[taxonomies]
tags = [ "Fedora", "NixOS"]
+++

After over twenty years of using Red Hat and Fedora, it's time to move on to explore other possibilities.
Although my secure boot laptop still uses [VerityBook](https://github.com/haraldh/VerityBook), which is based
on Fedora, my other machines are now running [NixOS](https://nixos.org/).

<!-- more -->

How come? Well, for the [Enarx Project](https://enarx.dev/) and generally for software running in a TEE,
the desired state is to run reproducible binaries. And in this field NixOS really shines. Not only can it produce
the binaries reproducibly, but also docker images, disk images and the like. This also comes handy in my current job
at [MatterLabs](https://matter-labs.io/), where I am working on stuff TEE related
(soon to be open sourced and blogged about).

With NixOS I can keep my system configuration for several machines in just one file
(although split with an include like mechanism) and have reusable parts across machines.

Also, the configuration of one service affects the configuration of other services automatically,
so you don't have to micromanage every configuration file. It's like having something like Ansible or
Terraform built into a kickstart file.

With [`nixos-rebuild`](https://nixos.wiki/wiki/Nixos-rebuild) I can reconfigure remote machines via ssh and sudo
and with [`nixos-anywhere`](https://github.com/nix-community/nixos-anywhere) I can even format the disks
and deploy NixOS on nearly every existing Linux machine (replacing the old distro).

In the future I want to explore the mantra of ["Erase your darlings"](https://grahamc.com/blog/erase-your-darlings/),
where one attempts to extract the parts, which are not generated by the nix configuration (and are part of the backup).

Another interesting feature of the nix configuration is the possibility to create VM images,
which I might turn into a VerityBook like partition image with dmverity, which can then be signed
and used for a secure boot setup. Build the image on a trusted machine, sign it and deploy the image
to the machines, just like with VerityBook. But those plans have to wait until I have more time.

To overcome the steep learning curve for the nix language these tutorials helped me a lot:
* [Nix Pills](https://nixos.org/guides/nix-pills)
* [Zero to Nix](https://zero-to-nix.com/)

The only downside so far have been the slow response times to security issues due to the missing infrastructure for mass
rebuilds. I hope a solution for this can be found in the future.

Sorry Fedora community, you have served me well over 2 decades. It's time to move on and explore new possibilities.

<!-- [<i class="fab fa-mastodon fa-normal"></i> Comments on Mastodon](https://floss.social/@backslash) -->
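Review bot: a few wording fixes before this post goes live: "This also comes handy" should read "comes in handy", "The only downside so far have been" should read "has been", and "dmverity" is normally written "dm-verity". The "Erase your darlings" sentence is hard to parse with the comma before "which"; something like "extract the parts which are not generated by the nix configuration (and which therefore belong in the backup)" reads more clearly. Also, the Mastodon comments link on the last line is wrapped in an HTML comment, so it will not render; either remove it or un-comment it if comments are wanted on this post.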
@ -1,4 +1,4 @@
+++
+++
paginate_by = 5
paginate_by = 10
sort_by = "date"
sort_by = "date"
+++
+++
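Review bot: the `paginate_by` change from 5 to 10 is unrelated to adding the new post, and the commit message "nixos post" does not mention it; either split it into its own commit or extend the message so the pagination change is discoverable later. The path of the file edited in this hunk is not shown here, so please also confirm it is the intended section index.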