Nix / NixOS


Colmena is a simple, stateless NixOS deployment tool modeled after NixOps and morph, written in Rust. It's a thin wrapper over Nix commands like nix-instantiate and nix-copy-closure, and supports parallel deployment.

submitted 2 months ago* (last edited 2 months ago) by ruffsl@programming.dev to c/nix@programming.dev
 
 

Related discussion:

Related blog posts:


Fair criticism, although the larger discussion thread this garnered earlier this year was an interesting read. Over +300 comments:


This is a quick and painless tutorial on how to install and configure NixOS from scratch. It involves starting off with Home Manager and Flakes before even rebuilding your system.

I thought the example using builtins.mapAttrs with create_symlink for xdg.configFile was cleverly simple.


As a developer I often need to run code I cannot trust, especially dependencies from NodeJS and Python projects, on my dev machine. In order to protect my system from potentially malicious code, I built NixWrap, an ad hoc sandboxing tool for NixOS.

NixWrap wraps bubblewrap (oh dear), running it with convenient defaults and offering easy-to-use command line flags to toggle custom options. An invocation of NixWrap is typically way shorter than the bubblewrap equivalent.

E.g. npm install can be wrapped with wrap -n npm install to gain network access and write access to the current working directory.


Any suggested changes since this was published a year prior?


Any notable advance in this regard as compared to when the original article was published in 2015?


I recently reinstalled my NixOS (long story), but for some reason, tailscale refuses to install. When I reinstalled, I just copied over my configuration.nix to replace the default one from the install (not sure if that is part of the problem?). Or maybe it's just broken right now, and I need to wait it out?

...

ok tailscale.com/net/tstun 0.034s

ok tailscale.com/packages/deb 0.028s

--- FAIL: TestGetList (0.00s)

portlist_test.go:19: seek /proc/net/tcp: illegal seek

--- FAIL: TestIgnoreLocallyBoundPorts (0.00s)

portlist_test.go:40: seek /proc/net/tcp: illegal seek

--- FAIL: TestPoller (0.00s)

portlist_test.go:61: seek /proc/net/tcp: illegal seek

FAIL

FAIL tailscale.com/portlist 0.016s

FAIL

error: builder for '/nix/store/18r5bq5bx8n79mgpv69mnfjq8w7z05b0-tailscale-1.82.5.drv' failed with exit code 1

error: 1 dependencies of derivation '/nix/store/pd0225japsibj036hgfzj48q960wx8k4-system-generators.drv' failed to build

error: 1 dependencies of derivation '/nix/store/572pg1xc24wdd01v7cyvvrdijn7qb20y-system-path.drv' failed to build

error: 1 dependencies of derivation '/nix/store/hln81111gkd51fzm7napkb40wd3rx9ig-nixos-system-wwt-25.05.809261.7c815e513adb.drv' failed to build


It does not require root, user namespaces support or disabling SELinux, but it relies on proot and other hacks instead. It uses a fork of Termux-the-terminal-emulator app, but has no relation to Termux-the-distro.

submitted 3 months ago* (last edited 3 months ago) by Novocirab@feddit.org to c/nix@programming.dev
 
 

I'm on a fresh installation with KDE. Kate is available, but what's the best way to get (n)vim up and running, or better yet, Helix? (I'm new to Nix. I do have a good amount of Linux experience though.)


Hi, I'm currently using a script to update my various NixOS hosts from a central machine, using the nh utility (https://github.com/nix-community/nh). By default, the command nh os switch . -H "..." --target-host "..." outputs the dependency graph of the build, as well as all the build logs. I like the dependency graph, however the build logs tend to push the diff result of the previous builds off of the terminal screen, so I have to watch the whole time in case I miss it. I've tried using the --no-nom flag, however this removed the dependency graph also. Is there a way in bash of selectively suppressing the build logs but not the dependency graph? Or is this an issue to raise with the project itself? The full bash script I'm using is shown below:

#!/usr/bin/env bash
# From: https://discourse.nixos.org/t/deploy-nixos-configurations-on-other-machines/22940/8

# Collect the names of all nixosConfigurations in the flake as a bash array.
# --raw prints the space-separated string without surrounding quotes.
read -r -a hosts <<< "$(nix eval --raw .#nixosConfigurations --apply 'pkgs: builtins.concatStringsSep " " (builtins.attrNames pkgs)')"

# Hosts to leave out of the deployment
skip=(
    "..."
)

# SSH key used for the deploy connection
rsa_key="$HOME/.config/sops-nix/secrets/keys/nixos-deploy-key"
export NIX_SSHOPTS="-t -i $rsa_key"

for host in "${hosts[@]}"
do
    # Check if the host is in the skip list
    if [[ " ${skip[*]} " =~ " ${host} " ]]; then
        continue
    fi

    fqdn="$host"
    echo " ### $fqdn ### "
    echo

    # Record the system generation that is active before the switch
    initDir=$(ssh -i "$rsa_key" "$host" "readlink /run/current-system")

    # Build config and list changes
    nh os switch . -H "$host" --target-host "deploy@$fqdn"

    # Diff the previous generation against the newly activated one
    ssh -i "$rsa_key" "$host" "nvd diff $initDir /run/current-system"
    echo
done

Any help is greatly appreciated, thanks!


For those who prefer to have a reference or need assistance troubleshooting, the accompanying GitHub repository, nix-intro-examples, includes the full project and all intermediate steps, captured through commits.
