Nix / NixOS

1
 
 

Related HN thread discussing NixOS:

2
 
 

I've been trying to run native Linux games with Lutris but can't get it to work. As far as I know, I can either use steam-app in my terminal, which works, or I can use nix-ld, which I did set up and which also works when running the game's executable from the terminal.

I've set up nix-ld like so:

programs.nix-ld = {
  enable = true;

  libraries = [
    (pkgs.runCommand "steamrun-lib" { }
      "mkdir $out; ln -s ${pkgs.steam-run.fhsenv}/usr/lib64 $out/lib")
  ];
};

But for some reason, when running the game's executable in Lutris, it just fails instantly, and I'm kinda out of ideas. If anyone knows what to do, that'd be really helpful, please.

Edit: OK, well, apparently it just solved itself??? I realized I could install Lutris using programs.lutris.enable = true; instead of just putting it in home.packages, and apparently that fixed the issue. I don't know why or how, but I guess if you use Home Manager, install Lutris like so.

3
33
submitted 3 weeks ago* (last edited 2 weeks ago) by hallettj@leminal.space to c/nix@programming.dev
 
 

I learned how to do this recently, and I wanted to share. Once you know what to do VPN confinement is easy to set up on NixOS.

The scenario: you want selected processes to run through a VPN, but you want everything else to not run through the VPN. On Linux you can do this with a network namespace. That's a kernel feature that defines a network stack that is isolated from your default network stack. Processes can be configured to run in a new namespace, and when they do they cannot access the usual not-VPN-protected network interfaces. Network namespaces work along with other types of namespaces, like process namespaces, to allow Docker containers to function almost as though they are separate machines from the host system. Actually Docker containers are regular processes that are carefully isolated using namespaces, cgroups, and private filesystems. Because of that isolation Docker containers are a popular choice for VPN confinement. But since all you really need is network isolation you can skip the middleman, and use network namespaces directly.

There is a third-party NixOS module that automates this, VPN-Confinement. Here's an example that runs a Borg backup job through a VPN connection. (This example also uses the third-party sops-nix module to encrypt VPN credentials.)

{ config, ... }:

let
  vpnNamespace = "wg";
in
{
  # Define the network namespace for VPN confinement. Creates a VPN network
  # interface in the namespace; creates a bridge; sets up routing; creates
  # firewall rules to prevent DNS leaking. The VPN-Confinement module requires
  # using Wireguard as the VPN protocol.
  vpnNamespaces.${vpnNamespace} = {
    enable = true;
    wireguardConfigFile = config.sops.secrets.wireguard_config.path;
  };

  # Set up whatever service should run via VPN
  services.borgbackup.jobs.homelab = {
    paths = "/home/jesse";
    encryption.mode = "none";
    environment.BORG_RSH = "ssh -i /home/jesse/.ssh/id_ed25519";
    repo = "ssh://offsite.sitr.us/backups/homelab";
    compression = "auto,zstd";
    startAt = "daily";
  };

  # Modify the systemd unit for your service to run its processes in the VPN
  # namespace.
  #
  # - sets Service.NetworkNamespacePath in the systemd unit
  # - sets Service.InaccessiblePaths = [ "/run/nscd" "/run/resolvconf" ] to prevent DNS leaking
  # - adds a dependency to the unit that brings up the VPN network namespace
  #
  # I found the name of the systemd service that services.borgbackup.jobs
  # creates by looking at the Borg module source. You can find the source for
  # NixOS modules by searching for config options on https://search.nixos.org/options
  systemd.services.borgbackup-job-homelab = {
    vpnConfinement = {
      enable = true;
      inherit vpnNamespace;
      # `inherit vpnNamespace;` has the same effect as `vpnNamespace = vpnNamespace;`
      # I used a variable to be certain that the value here matches the name
      # I used to set up the namespace on line 11.
    };
  };

  # Load your wireguard config file however you want. Your VPN provider probably
  # supports wireguard, and will likely generate a config file for you.
  sops.secrets.wireguard_config = {
    sopsFile = ./secrets.yaml;
    owner = "root";
    group = "root";
  };
}

This setup assumes using the Wireguard VPN protocol, and assumes that programs you want to be VPNed are run by systemd. VPN providers mostly support Wireguard, including Tailscale. But my understanding is that Tailscale's mesh routing requires additional setup beyond creating a Wireguard interface. So you'd likely want a different setup for confinement with Tailscale. You can run the Tailscale client in a network namespace (there is a start on such a setup here); or you might use Tailscale's subnet router feature to blend VPN and local network traffic instead of selective confinement.

Normally when you turn on a VPN your VPN client software creates a network interface that transparently sends traffic through an encrypted tunnel, and configures a default route to send network traffic through that interface. So traffic from all programs is routed through the tunnel. VPN-Confinement creates that network interface in the isolated namespace, and sets that default route in the namespace, so that only programs running in the namespace are affected. There is much more detail in this blog post. The VPN-Confinement module differs from the setup in that post in a couple of ways: it has some extra setup to block DNS requests that aren't properly tunneled; it creates a network bridge instead of a simple virtual ethernet cable for port forwarding; and it provides more options for firewall and routing configuration.

VPN-Confinement has an option to forward ports from the default network stack into the VPN namespace. This is useful if you want all outbound traffic to go through the VPN, but you want to accept inbound traffic from programs on the host, or from other machines on your local network, or anywhere else. This is handy if, for example, you're running a program on a headless server that provides a web UI for remote administration. Here's an expanded VPN namespace example:

vpnNamespaces.${vpnNamespace} = {
  enable = true;
  wireguardConfigFile = config.sops.secrets.wireguard_config.path;

  # Forward traffic to specified ports from the default network namespace to
  # the VPN namespace.
  portMappings = [{ from = 8080; to = 8080; }];
  accessibleFrom = [
    # Accept traffic from machines on the local network, and route through the
    # mapped ports.
    "192.168.1.0/24"
  ];
};

Requests to mapped ports from the host machine need to be addressed to the network bridge that VPN-Confinement sets up. You can configure its addresses using the bridgeAddress and bridgeAddressIPv6 options. By default the addresses are 192.168.15.5 and fd93:9701:1d00::1. If you're configuring addresses elsewhere in your NixOS config you can use an expression like this:

url = "http://${config.vpnNamespaces.${vpnNamespace}.bridgeAddress}:8080/";

If you look at the source for VPN-Confinement you'll see that namespace configuration and routing require a lot of stateful ip commands. I think it would be nice if there were an alternative, declarative interface to iproute2. But VPN-Confinement is able to encapsulate the stateful stuff in systemd ExecStart and ExecStopPost scripts.

I ran into an issue where mDNS stopped working while the VPN network namespace was active. I fixed that problem by configuring Avahi to ignore VPN-Confinement's network bridge:

services.avahi.denyInterfaces = [ "${vpnNamespace}-br" ];

Edit 2025-11-23: I deleted a comment that implied that if the VPN namespace string doesn't match in the two places where it is used, traffic won't be tunneled. I tested again, and if the names don't match, the service that is supposed to be protected won't start. You'll see an error like "Failed to restart test-unit.service: Unit wrong-name.service not found." If you bypass VPN-Confinement by hand and set Service.NetworkNamespacePath to a path that doesn't exist, the unit will fail with an error like "test-unit.service: Failed to open network namespace path /run/netns/wrong-name: No such file or directory."
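After activating a configuration like the one above, the thing a practitioner wants is a quick way to confirm that the unit really is pinned to the namespace, that the DNS-leak guards are in place, and that the namespace's default route points at the WireGuard interface rather than at a host interface. The script below is an added example, not code from the post or from the VPN-Confinement module. It parses the output of two read-only commands, `systemctl show -p NetworkNamespacePath -p InaccessiblePaths <unit>` and `ip -n wg -j route`, and reports findings. The sample outputs embedded in it are constructed, and the WireGuard interface name `wg0` and the `veth-wg` device name are assumptions.

```python
import json
import subprocess
from typing import Dict, List

VPN_NAMESPACE = "wg"                 # matches vpnNamespace in the post's config
WG_INTERFACE = "wg0"                 # assumption: name of the WireGuard interface inside the namespace
DNS_LEAK_GUARDS = {"/run/nscd", "/run/resolvconf"}   # paths the module makes inaccessible

# Constructed sample output of:
#   systemctl show -p NetworkNamespacePath -p InaccessiblePaths borgbackup-job-homelab.service
SAMPLE_SYSTEMCTL_OK = """NetworkNamespacePath=/run/netns/wg
InaccessiblePaths=/run/nscd /run/resolvconf
"""
# Constructed: what the same command prints for a unit that was never confined.
SAMPLE_SYSTEMCTL_UNCONFINED = """NetworkNamespacePath=
InaccessiblePaths=
"""

# Constructed sample output of `ip -n wg -j route` (veth name and addressing made up).
SAMPLE_ROUTES_OK = json.dumps([
    {"dst": "default", "dev": "wg0", "flags": []},
    {"dst": "192.168.15.0/24", "dev": "veth-wg", "protocol": "kernel", "scope": "link",
     "prefsrc": "192.168.15.1", "flags": []},
])
# Constructed: a namespace whose default route bypasses the tunnel.
SAMPLE_ROUTES_LEAKY = json.dumps([
    {"dst": "default", "gateway": "192.168.1.1", "dev": "eth0", "flags": []},
])


def parse_systemctl_show(text: str) -> Dict[str, str]:
    """Parse `systemctl show -p ...` output, one KEY=VALUE per line."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def unit_confinement_issues(props: Dict[str, str], namespace: str = VPN_NAMESPACE) -> List[str]:
    """Findings about the unit's confinement; an empty list means it looks right."""
    issues: List[str] = []
    expected = f"/run/netns/{namespace}"
    actual = props.get("NetworkNamespacePath", "")
    if actual != expected:
        issues.append(f"NetworkNamespacePath is '{actual or '<unset>'}', expected '{expected}'")
    # systemd prints path lists space-separated; drop the optional "-"/"+" prefixes
    guarded = {p.lstrip("-+") for p in props.get("InaccessiblePaths", "").split()}
    missing = sorted(DNS_LEAK_GUARDS - guarded)
    if missing:
        issues.append("DNS leak guard missing, not in InaccessiblePaths: " + " ".join(missing))
    return issues


def route_issues(routes: List[dict], wg_interface: str = WG_INTERFACE) -> List[str]:
    """Findings about the namespace routing table as returned by `ip -j route`."""
    issues: List[str] = []
    defaults = [r for r in routes if r.get("dst") == "default"]
    if not defaults:
        # No default route means traffic is dropped rather than leaked, but the VPN is not up.
        issues.append("no default route inside the namespace; is the WireGuard interface up?")
    for r in defaults:
        if r.get("dev") != wg_interface:
            issues.append(f"default route leaves via {r.get('dev')} instead of {wg_interface}")
    return issues


def check_live(unit: str = "borgbackup-job-homelab.service",
               namespace: str = VPN_NAMESPACE) -> List[str]:
    """Run the two read-only commands on a real host and combine the findings."""
    show = subprocess.run(
        ["systemctl", "show", "-p", "NetworkNamespacePath", "-p", "InaccessiblePaths", unit],
        capture_output=True, text=True, check=True).stdout
    routes = subprocess.run(
        ["ip", "-n", namespace, "-j", "route"],
        capture_output=True, text=True, check=True).stdout
    return unit_confinement_issues(parse_systemctl_show(show), namespace) + \
        route_issues(json.loads(routes))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; call check_live() on a real host.
    for label, show, routes in [
        ("confined", SAMPLE_SYSTEMCTL_OK, SAMPLE_ROUTES_OK),
        ("unconfined", SAMPLE_SYSTEMCTL_UNCONFINED, SAMPLE_ROUTES_LEAKY),
    ]:
        findings = unit_confinement_issues(parse_systemctl_show(show)) + \
            route_issues(json.loads(routes))
        print(f"{label}: {'OK' if not findings else findings}")
```

The two checks are deliberately separate: an empty routing table or a missing default route is a "VPN is down" condition (traffic is dropped, which is the fail-closed behaviour you want), whereas a default route via a host interface or a unit with no `NetworkNamespacePath` is the leak condition that matters.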

4
43
Nix made me lose my wife (lemmy.dbzer0.com)
submitted 3 weeks ago* (last edited 2 weeks ago) by Kasane_Teto@lemmy.dbzer0.com to c/nix@programming.dev
 
 

I thought it was just installing a Linux distro. "Try NixOS," they said. "It’s not just an OS, it’s a way of life." Even my wife was supportive: "Didn't you say you wanted more control over your system?" That was the last time she looked at me with hope. I didn’t choose Ubuntu or Fedora like a sane person. No, I chose NixOS — as if I wanted to watch my marriage collapse in real-time. The first day, I spent 12 hours writing a configuration.nix just to get Wi-Fi working. When my wife brought dinner, I waved her off: "I’m just setting up a declarative Bluetooth module, it’ll only take a minute..." She asked if we could go hiking over the weekend. "Sure," I said, "right after I finish setting up home-manager and figuring out why my shell isn't reproducible." That was three weeks ago. She tried everything to pull me out. "Let’s go for a coffee," she said. "Sorry, I’m debugging why my system rebuild keeps pulling a different glibc version." "Maybe just watch a movie together?" "Good idea! First I need to package mpv myself, I don't trust the default derivation..." Then came the final blow: One night, she found me at 3 a.m., half-naked, whispering into the void: "If I can just get this flake to build... I can declare our entire marriage in a flake.nix..." She stared at me — a broken woman surrounded by YAML, JSON, and cryptic build errors. "I married a person, not a package manager." she said. She left a sticky note on the monitor: "I’m going to find someone who just uses Arch. They might be unstable, but at least they notice when I'm in the room." I still wonder... Can I nixos-rebuild switch into a timeline where she stayed? (I miss you Hatsune)

5
 
 

Related discussion thread:

6
 
 

cross-posted from: https://lemmy.ml/post/38988050

7
8
9
 
 

Almost every NixOS tutorial I encounter, be that blog or video, says to use Flakes and Home Manager. While that definitely speaks to the value of these tools, I find myself, instinctually, wanting to avoid them. I've attempted to get them working multiple times, and encountered more issues than they solved, for me. I interpret this to mean my knowledge and/or use case of NixOS is not ready for me to use these tools effectively. On top of that, something about a set of files that could all be put into a single unified config appeals to me (which flakes/hm can probably do too, but hopefully you get my vibe).

My reasoning aside, this has made me curious if there is some way for me to "backport" all these configs I encounter into my set of more default-style configs. The primary goal I have that led me to this is rootless Podman and declaring my containers in the config. If anyone has any guidance or resources you could point me to, it would be much appreciated.

10
 
 

I have installed NixOS on WSL behind Appgate, which runs a proxy and replaces the SSL certificates of the sites I am visiting.

When I try to execute sudo nix-channel --update, I get SSL errors, as I have not imported the root CA certificate of the proxy.

I have tried to manually download the file and add its path to configuration.nix, but it still fails and shows me the same SSL error.

11
12
13
 
 

I am pretty happy with my configs now, with home manager but no flakes so far. I am, however, annoyed by all the dotfiles that I didn't define, and I'm worried how many other files are laying around without getting imperatively defined.

I'm sort of picturing a kiosk mode, where every time I reboot everything is wiped and I only have what I defined. Any files I want to keep are on other partitions or network locations mapped in my config. If a new config file is created by changing a setting in an application, I want to be notified so I can add it to my Nix configs.

Is this possible? Is it a terrible idea?

The biggest challenge I see is in installing games, because it looks like they often leave bits all over the place.

14
15
 
 

In my previous post, I asked whether a certain subvolume layout would work well for NixOS, and if not, how it could be adapted.

Now that I know the layout does work as intended, I’m wondering what NixOS-specific subvolumes might be worth adding to it. The layout was originally designed for more traditional Linux distributions, so I’d like to tailor it a bit more to NixOS.

My goal is to achieve the same kind of clean, minimal system snapshots — ones that let me roll back safely without accidentally losing files or user data.

I’d really appreciate any advice or examples of good NixOS-oriented subvolume setups. Thanks in advance! 🙏

16
9
Nix CI Benchmarks (garnix-io.github.io)
submitted 1 month ago* (last edited 1 month ago) by ruffsl@programming.dev to c/nix@programming.dev
17
18
 
 

root → /
home → /home
opt → /opt
cache → /var/cache
gdm → /var/lib/gdm
libvirt → /var/lib/libvirt
log → /var/log
spool → /var/spool
tmp → /var/tmp
snapshots → /snapshots

I want to have similar kind of results for my next install of NixOS.

19
20
21
22
23
 
 

Not the most major step, but a good start. Mostly talks about caching and CUDA.

24
25
 
 

Nix-related discussion starts around the 0:14:00 mark.
