Nixos
NixOS is a GNU/Linux distribution that aims to improve the state of the art in system configuration management. One of its many innovative features is its declarative system configuration model. The entire operating system — the kernel, applications, system packages, configuration files, and so on — is built by the Nix package manager from a description in a purely functional build language like `.json` or `.yaml`.
Below is a minimal configuration of a machine running an SSH daemon:

```nix
{
  boot.loader.grub.device = "/dev/sda";
  fileSystems."/".device = "/dev/sda1";
  services.sshd.enable = true;
}
```
- Running the command `$ nixos-rebuild switch` does everything necessary to make the configuration happen, including downloading and compiling OpenSSH, generating the configuration files for the SSH server, and so on.
- Upgrades are atomic. This means that if the upgrade to a new configuration is interrupted, the system will still be in a consistent state: it will boot either the old or the new configuration.
- Because the files of a new configuration don’t overwrite old ones, you can (atomically) roll back to a previous configuration with `$ nixos-rebuild switch --rollback`.
- NixOS’ declarative configuration model makes it easy to reproduce a system configuration on another machine.
- NixOS makes it safe to test potentially dangerous changes to the system, because you can always roll back.
- The Nix package manager ensures that the running system is ‘consistent’ with the logical specification of the system, meaning that it will rebuild all packages that need to be rebuilt.
- On NixOS, you do not need to be root to install software. In addition to the system-wide ‘profile’ (set of installed packages), all users have their own profile in which they can install packages. Nix allows multiple versions of a package to coexist, so different users can have different versions of the same package installed in their respective profiles.
We will install NixOS from our Archlinux desktop. There are of course the classic methods with a net installer, USB key or DVD.
NOTE: once you can boot NixOS, you can remove everything that was set up on the Linux host (in our case, Arch).
1- let's install the nix package manager and archlinux-nix. The Nix package manager is installed by default in the /nix folder.
2- run:
# archlinux-nix setup-build-group
The above command will:
- create a group called nixbld, and a set of ten system users, nixbld{1..10};
- add a build-users-group line to nix.conf;
- kill the nix-daemon if it's running (so that it can pick up the new settings); and
- fix the ownership on the nix store to be writable by the build users.
3- run:
# archlinux-nix bootstrap
# archlinux-nix status
Nix installed via package manager (/usr/bin/nix)
Configured build group: nixbld
Group exists: yes
Users exist: yes
Using sandbox (recommended): yes
Sandbox installed: yes
Sandbox paths:
....
4- To run Nix with an unprivileged account, run as normal user:
$ sudo chown -R $USER. /nix/var/nix/{gcroots,profiles}
5- To add channel:
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
$ nix-channel --update
$ nix-env -u
That's all for the Archlinux part.

Before installing, we wipe the target SSD with an ATA Secure Erase through hdparm. It resets the SSD's cells to the same virgin state they were in when manufactured. Write performance is known to degrade over time even on SSDs with native TRIM support, so this restores the drive to its factory default write performance. Double-check that /dev/sdb really is the target drive (for example with `lsblk`): the erase is irreversible and destroys every byte on it.
# hdparm -I /dev/sdb
.....................
Security:
supported
not enabled
not locked
frozen
If the command output shows "frozen" as above, the drive will reject the security commands and one cannot continue. In this case, we must suspend the machine first; the drive leaves the frozen state on resume.
# systemctl suspend
On resume, the `hdparm -I /dev/sdb` command will show the device as `not frozen`.
Choose any password as it is only temporary: a successful erase sets it back to NULL and disables the security feature again.
# hdparm --user-master u --security-set-pass Trollolo /dev/sdb
When issuing the `# hdparm -I /dev/sdb` command again, the output shall now display `enabled`:
Security:
supported
enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
Security level high
400min for SECURITY ERASE UNIT. 400min for ENHANCED SECURITY ERASE UNIT.
# hdparm --user-master u --security-erase Trollolo /dev/sdb
The drive shall now be erased. Afterwards the output of the `# hdparm -I /dev/sdb` command will look like this:
Security:
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
400min for SECURITY ERASE UNIT. 400min for ENHANCED SECURITY ERASE UNIT.
Once Nix has been installed and our drive ready, let's do the install itself.
1- Switch to the NixOS channel:
$ nix-channel --list
nixpkgs https://nixos.org/channels/nixpkgs-unstable
As that channel gets released without running the NixOS tests, it will be safer to use the nixos-* channels instead:
$ nix-channel --add https://releases.nixos.org/nixos/19.09/nixos-19.09.1208.ef8c34c472
$ nix-channel --update
2- install some packages
$ nix-env -iE "_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]"
3- generate the NixOS configuration file
$ sudo nixos-generate-config --root /mnt/nixos
NOTE: you may get some errors with Perl complaining about the locale:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "en_US.UTF-8"
To solve this issue, set the locale variables in your terminal's environment:
% export LANGUAGE=en_US.UTF-8
% export LC_ALL=en_US.UTF-8
% cat /mnt/nixos/etc/nixos/hardware-configuration.nix

```nix
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:

{
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];

  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/03effb15-e472-4737-8f5e-cb531debc1b4";
      fsType = "xfs";
    };

  swapDevices = [ ];

  nix.maxJobs = lib.mkDefault 8;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}
```
Edit the /etc/nixos/configuration.nix to specify the intended configuration of the system.
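A possible `configuration.nix` for this machine, as an added example that is not part of the original page: it imports the generated `hardware-configuration.nix` shown above, keeps the GRUB device and the SSH daemon from the minimal example at the top of the page (`services.openssh.enable` is the option that `services.sshd.enable` aliases), and restricts the daemon to key-only, non-root logins so the freshly installed host is never reachable with a password. The host name, the account name `alice` and the public key are placeholders to replace; option names are those of the 19.09 channel used on this page (later releases moved `passwordAuthentication` and `permitRootLogin` under `services.openssh.settings`).

```nix
# configuration.nix -- added example, not generated by nixos-generate-config
{ config, pkgs, ... }:

{
  imports = [
    # Hardware facts detected by nixos-generate-config; never edited by hand.
    ./hardware-configuration.nix
  ];

  # Same bootloader target as the minimal example at the top of the page; the
  # root filesystem itself is already declared in hardware-configuration.nix.
  boot.loader.grub.device = "/dev/sda";

  networking.hostName = "nixos-example";   # placeholder

  # One unprivileged account that may escalate through sudo (wheel group).
  users.users.alice = {                    # placeholder account name
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      # placeholder: paste the contents of your own ~/.ssh/id_ed25519.pub
      "ssh-ed25519 AAAA...REPLACE_WITH_YOUR_PUBLIC_KEY alice@laptop"
    ];
  };

  # The SSH daemon from the minimal example, limited to public-key logins;
  # root stays a local-console-only account.
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    permitRootLogin = "no";
  };

  # Release this system was first installed with; leave unchanged on upgrades.
  system.stateVersion = "19.09";
}
```

No password is declared for the account, so run `passwd alice` after the first boot (or set `users.users.alice.hashedPassword`) before relying on sudo; SSH logins already work with the declared key. `nixos-rebuild switch` on the installed system, or `nixos-install` now, applies the whole file atomically, and a mistake in it can be undone with the rollback shown earlier.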