NixOS

cross-posted from: https://infosec.pub/post/15780978

Am I out of touch?

No, it's the forward-thinking generation of software engineers that want elegant, reliable, declarative systems that are wrong.

Had a lot of headaches the last week or two trying to optimize star citizen as well as fix a vulkan RHI bug which was affecting unreal engine games.

Apparently rolling release schedules (like NixOS23.05, 23.11, 24.05...) are better for servers since they're less prone to change, where as nightlies like for the unstable Branch are better for gaming since those latest drivers are likely the current ones for a newly released game

This idea is inspired by nixos-mailserver. It was so easy to spin up the mailserver after changing some DNS records and putting in some settings. I thought it might be a good idea to do the same for services that need public, decentralized infrastructure to support. Some ideas include

• Tor relay, or exit node
• Encrypted messaging nodes. It looks like SimpleX chat relies on SMP servers to relay communication
• Crypto miners (I know, I know, but you understand how it fits the "public contribution" usecase)
• Search engines like searxng (I currently use a public instance)
• Libredirect services, like proxy clients for social media

Maybe federated services, but those require more than just the software running on the public internet. Those require moderation and long term maintenance. Ideally, the services in this config would be ephemeral.

Does this sound like a good idea? Would you spin one of these up on a $10 VPS? I understand that this is the NixOS community, not necessarily the privacy community, but I figured thered be overlap.

What other services do you think would be applicable?

Went through the pain of packaging a python project on Nixos. Here's some issues I hit, and how I got lucky resolving them. I feel the most reliable way of doing this in the future is to use docker and just imperatively build.

Here's how I got web drivers, AI dependencies, gpu dependencies, and an api dependency bundled together into an ephemeral shell for python development, on NixOS 23.11

0. Enable Flakes

1. Start with setting up poetry2nix

2. Get the template flake by running nix flake init --template github:nix-community/poetry2nix

3. in the flake.nix, sometimes changing projectDir = self to projectDir = ./. fixed some issues

4. in your terminal, run nix develop . to build the poetry app with python packages described in pyproject.toml

5. By default, just poetry and python latest should be installed. the dependencies for the project (which gets reflected in the pyproject.toml) are updated with poetry add, such as poetry add numpy selenium scikit-learn

6. Exit out of the ephemeral shell from nix develop ., and rerun to have poetry2nix rebuild and link the newly declared packages

Poetry2nix has worked pretty well for the more obscure python packages, but failed in others. For example, sentence-transformers would depend on maturin, which would fail to link setuptools. If poetry doesn't work, you can try and get the package from nixpkgs, or specify sha256s from pypi.org

Here's an example of what I added to my flake.nix to get gpu acceleration, sentence-transfomers, firefox drivers for selenium, and other packages poetry failed to setup:

packages = [ pkgs.poetry pkgs.python311Packages.sentence-transformers pkgs.firefox 
            pkgs.python311Packages.openai pkgs.python311Packages.yt-dlp pkgs.python311Packages.pyopencl
];

was added to this flake.nix, as in,

{
  description = "Application packaged using poetry2nix";

  inputs = {
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    poetry2nix = {
      url = "github:nix-community/poetry2nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, flake-utils, poetry2nix }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        # see https://github.com/nix-community/poetry2nix/tree/master#api for more functions and examples.
        pkgs = nixpkgs.legacyPackages.${system};
        inherit (poetry2nix.lib.mkPoetry2Nix { inherit pkgs; }) mkPoetryApplication;
      in
      {
        packages = {
          myapp = mkPoetryApplication {
            projectDir = ./.;
          };
          default = self.packages.${system}.myapp;
        };
        devShells.default = pkgs.mkShell {
          inputsFrom = [ self.packages.${system}.myapp ];
          packages = [ pkgs.poetry pkgs.python311Packages.sentence-transformers pkgs.firefox 
            pkgs.python311Packages.openai pkgs.python311Packages.yt-dlp pkgs.python311Packages.pyopencl
          ];
          nativeBuildInputs = [(
            pkgs.python311Packages.buildPythonPackage rec {
              pname = "serpapi";
              version = "0.1.5";
              src = pkgs.python311Packages.fetchPypi {
                inherit pname version;
                sha256 = "b9707ed54750fdd2f62dc3a17c6a3fb7fa421dc37902fd65b2263c0ac765a1a5";
              };
            }
          )];
        };
      });
}

There was one package (serpapi), which was not in nixpkgs, and poetry failed as well. Adding this to native build inputs got serpapi installed

nativeBuildInputs = [(
            pkgs.python311Packages.buildPythonPackage rec {
              pname = "serpapi";
              version = "0.1.5";
              src = pkgs.python311Packages.fetchPypi {
                inherit pname version;
                sha256 = "b9707ed54750fdd2f62dc3a17c6a3fb7fa421dc37902fd65b2263c0ac765a1a5";
              };
            }
)];

All in all, it works, and I have no doubt I've made a reproducible environment. What attracts me is I've never had an easier time setting up cuda/cudnn/tensorrt/... system drivers have been near effortless, and much faster to setup than on debian. Tools like sentence-transformers and torch default to packages which leverage the GPU.

What pushes me away, is I've had failures in each of the three methods for specifying package dependencies, even though one of the three eventually was the fix for integrating the dependencies into my shell. For now, I'll stick with it, but it's hard for me to suggest to a team we use this in development

My server is currently running fedora and it has a encrypted raid attatched. Now i wanna move my server to nixos but i cant find anything on how to automount it. Any advice ? Thanks for your time and have a nice day!

I've been spending a couple weeks unable to modify my system, because using my window manager was ungodly slow (like 1fps.) Luckily NixOS lets you pick a previous generation to load so I could make changes, build a new generation, and try again.

It took me too long to find, but I realized I had both the x session managed by both nixos and home manager. Removing this fixed the problem. I assume this had 2 xsessions open and they were competing for resources or something. Be cautious! :)

Every now and then I see a program that doesn't have a default.nix or flake.nix in the source, doesn't have an entry in nixpkgs, and otherwise can't find a derivation for. So I write them myself.

What's the best way to share these? Should I contribute to nixpkgs? (does this count if I'm making flakes?) Do I maintain a single repo for each program? Or do I create a repo with a collection of flakes? Something else?

Used nix last year but dropped it after home-manager decided to unlink the apps from the Applications directory.

How is the current situation on usability of nix-Darwin + home-manager + brew?

Packages still fails to get indexed correctly in spotlight? I really like a fully repro environment but the fact that the usu ability was low bothered me a lot.

I recently wanted to try out (aider)[https://aider.chat], and ran into a problem that I continually run into: how do I install one-off, experimental software into my environment, without being a nix master, or spending an extreme amount of time on every new package.

In this case, it is a new python package available in pip. It isn't available in nixpkgs, and isn't nixified. pip2nix doesn't work on arm64 Macs (bug here)[https://github.com/nix-community/pip2nix/issues/88], so I can't use that to try and create a flake that works with this package. It isn't using poetry, so poetry2nix is out.

How are you dealing with this problem? Are you all experts in nix, and writing flakes for every piece of software that you want to play around with? Do you have a "dirty" part of your environment that you install this kind of stuff into? (I looked into using pipx to install this, however that (also has a bug)[https://github.com/NixOS/nixpkgs/issues/171429] in nixpkgs.)

Thoughts?

Hi there! I'm trying to make php and composer work. I have this in environment.systemPackages:

    (pkgs.php82.buildEnv {
      extensions = ({ enabled, all }: enabled ++ (with all; [
        xdebug
        redis
      ]));
      extraConfig = ''
        memory_limit=2G
        xdebug.mode=debug
      '';
    })
    php82Extensions.redis

The problem is that while running php -m correctly prints that redis extension is installed, composer does not, because it uses a different php:

• file $(which php) prints the path /nix/store/igx8j4qjxy9jyj8kjyccwarnzqq5vsml-php-with-extensions-8.2.9/bin/php
• cat $(which composer) shows that it's a wrapper for '/nix/store/lv4prxa52zifr54ws56iz3b9kdhs1b5w-php-with-extensions-8.2.9/bin/php' --add-flags '/nix/store/avqj0662f4gg2s875zlbbjajx6fm6bl0-php-composer-2.5.5/libexec/composer/composer.phar'

Note that the path to php is different. Is there any way to correct it on my side? I'd like to avoid having to install composer manually

Hi all, I've been getting into nix lately (I've been posting here frequently) and wanted to know what projects everyone is working on. Are you trying to integrate nix into an existing project? Contribute to nixpkgs? Experiment with your configs?

Short video from Vimjoyer on how to setup a firefox install using home manager and flakes. In particular, the focus of this video was how to use an external flake as a source for firefox extensions, since they aren't available in nixpkgs.

I came across this article when wondering how to integrate the "building" aspect of nix (that is, not just a devshell) with static websites or other projects that involve some output that is not an executable.

This article also talks about adding inputs from GitHub that aren't necessarily flakes. I've used this myself to pull some example configurations for certain programs that I haven't felt like tinkering with myself yet.

I'm been wanting to move over my main desktop for almost a year now. But from 3+ years of tinkering, installing applications, and configurations Ive been super hesitant. The jump from Ubuntu to NixOS would be a big one. I have a laptop running nixos thats given me some exposure to the nix language, but when it comes to my main rig, I still have the worry of "what if something I need wont be available?" and "what if I forget something?"

Well I finally tried home manager and wow, its the absolute perfect way to slowly transition to nixos. I'm slowly going through my package managers (cargo, npm, pip, apt, snap) and checking for applications that I can just drop into my home.nix. And every now and then I see an app I cant install (say, vtracer from cargo, very cool app). Well, I just make a mark and eventually I'll build my own derivation around it.

Home manager has been easing my worries as I make the transition. For those of you also unsure, I recommend integrating with home manager. You can do such small jumps at a time, no need to go full blown nix all at once.

Interesting idea.

tl;dr image buildable with some patches

South California Linux Expo is looking for papers.

I have a config that I share on github. I share the whole thing and there are keys in it but they are obviously not the complete key (as is standard throughout the community). Just enough to point to the real key with Nix.

Anyway, I have finally gotten around to learning the power of git-crypt. Today, I went through my whole config and took everything out that could even remotely be used by a hacker to find out security holes in my config (permitted insecure packages, specific hardware ID's, github username and email address, for example all went into nix files into the secrets folder with imports where they used to reside) and put those files into a folder at top level called secrets. Then, I encrypted all of the files in that folder and pointed the rest of the config to them so they remain encrypted on my github but perfectly usable in evaluation and build of my config derivation.

My question is: Have I done something clever that will significantly decrease the chances of exploit or do you recommend that everyone does this and I'm just late to the security party?

If this technique is just standard, what else could one do to harden their system without causing difficult to solve issues on deployment of their config? For example, I now need to decrypt that folder when I use that config on a new system and anyone else building it wouldn't be able to get through the evaluation.

I've heard of Sops-Nix and other such security handlers. How can I use sops-nix to aid in that initial git-crypt setup when I spin up a new system, for example?

What do you as a fail safe when there isnt a flake or nix package for what you need, and you don't have the time or ability to create it?

Here's my particular example. I need the beta version of OpenSCAD, which is only delivered as a flatpak in the beta flatpak channel, which I have tried but have been unsuccessful in doing. I havent even attempted building from source. Only the stable version is in nixpkgs. In this case, what would you do?

And in general, what do you do? Install things using a different package manager, like pip, npm, cargo, etc and manage at the user level? Do you run a VM? Docker? Let me know what your backup plan is on NixOS.

I recently followed https://www.arthurkoziel.com/installing-nixos-on-a-macbookpro/ to install NixOS on a macbookpro5,1 (from 2008). OSX hasn't supported that hardware since El Capitan and it was incredibly slow even then.

With Nix it works, but I'm frequently running into issues similar to https://askubuntu.com/questions/1114612/rcu-sched-self-detected-stall-on-cpu-watchdog-bug-soft-lockup-cpu3-stuck. The first 3 times I tried logging in after the install it hung after accepting the password. It was just logging the rcu stall error every few seconds, not responding to any keys. I was able to create a user account on the 4th boot, but still haven't installed anything extra on it.

It's also really slow to boot. A few minutes in stage 1 before it asks me for the decryption password and then another few minutes to get to the login prompt.

All of this is without any graphical environment. I was planning to go with a low resource desktop like xfce or cinnamon (are they still maintained?), but any tips on what to look at before I possibly introduce more instability?

gvolpe, the person I forked my NixOS config from wrote this excellent article. I feel like the least I could do is share this amazing blog post.

Remote builds enable interesting use cases and experiments. Besides building for different architectures, another use case that comes to mind would be having a low-resource machine building a derivation that would require heavy CPU usage (e.g. a Rust application) on the fly, without having to rely on CI builds or binary caches, effectively used as a development environment.

My understanding is like this. For multi-user computers, you'd manage packages with home manager. If you're developing a project or need some kind of specific built tool or dependency, define in it in a flake.nix or shell.nix or build.nix in the project folder. And for single user computers, or maybe admin accounts install at NixOS configuration.

Whats the intent for each location? The current question Im asking myself is "why install home manager when Im on a single user instance and can just update configuration.nix?"