nixos post

content/2023-10-27-nixos.md

@@ -0,0 +1,48 @@
++++
+title = "Bye bye Fedora - Hello NixOS"
+date = 2023-10-27
+[taxonomies]
+tags = [ "Fedora", "NixOS"]
++++
+
+After over twenty years of using Red Hat and Fedora, it's time to move on to explore other possibilities.
+Although my secure boot laptop still uses [VerityBook](https://github.com/haraldh/VerityBook), which is based
+on Fedora, my other machines are now running [NixOS](https://nixos.org/).
+
+<!-- more -->
+
+How come? Well, for the [Enarx Project](https://enarx.dev/) and generally for software running in a TEE,
+the desired state is to run reproducible binaries. And in this field NixOS really shines. Not only can it produce
+the binaries reproducibly, but also docker images, disk images and the like. This also comes handy in my current job
+at [MatterLabs](https://matter-labs.io/), where I am working on stuff TEE related
+(soon to be open sourced and blogged about).
+
+With NixOS I can keep my system configuration for several machines in just one file
+(although split with an include like mechanism) and have reusable parts across machines.
+
+Also, the configuration of one service affects the configuration of other services automatically,
+so you don't have to micromanage every configuration file. It's like having something like Ansible or 
+Terraform built into a kickstart file.
+
+With [`nixos-rebuild`](https://nixos.wiki/wiki/Nixos-rebuild) I can reconfigure remote machines via ssh and sudo
+and with [`nixos-anywhere`](https://github.com/nix-community/nixos-anywhere) I can even format the disks
+and deploy NixOS on nearly every existing Linux machine (replacing the old distro).
+
+In the future I want to explore the mantra of ["Erase your darlings"](https://grahamc.com/blog/erase-your-darlings/),
+where one attempts to extract the parts, which are not generated by the nix configuration (and are part of the backup).
+
+Another interesting feature of the nix configuration is the possibility to create VM images,
+which I might turn into a VerityBook like partition image with dmverity, which can then be signed
+and used for a secure boot setup. Build the image on a trusted machine, sign it and deploy the image
+to the machines, just like with VerityBook. But those plans have to wait until I have more time.
+
+To overcome the steep learning curve for the nix language these tutorials helped me a lot:
+* [Nix Pills](https://nixos.org/guides/nix-pills)
+* [Zero to Nix](https://zero-to-nix.com/)
+
+The only downside so far have been the slow response times to security issues due to the missing infrastructure for mass
+rebuilds. I hope a solution for this can be found in the future.
+
+Sorry Fedora community, you have served me well over 2 decades. It's time to move on and explore new possibilities.
+
+<!-- [<i class="fab fa-mastodon fa-normal"></i> Comments on Mastodon](https://floss.social/@backslash) -->

content/_index.md

@@ -1,4 +1,4 @@
 +++
-paginate_by = 5
+paginate_by = 10
 sort_by = "date"
 +++