2023-07-30 18:27:25 +00:00
|
|
|
X-Date: 2023-07-30T19:00:00Z
|
|
|
|
X-Note-Id: 06edbf5a-f446-4b43-83aa-54615de8b103
|
|
|
|
Subject: How and why I use NixOS
|
|
|
|
X-Slug: how_and_why_i_use_nixos
|
|
|
|
|
|
|
|
It's not very easy to explain what [NixOS](https://nixos.org/) is, because there are very few similar systems to compare with.
|
|
|
|
I can only sort of compare it with the concept of [Terraform](https://www.terraform.io/), but applied to the operating system itself
|
|
|
|
and not to the "cloud".
|
|
|
|
|
|
|
|
NixOS, and [home-manager](https://github.com/nix-community/home-manager) in particular apply the concept of of a purely functional
|
|
|
|
programming language in order to configure all aspects of the operating system, and tie the configuration of individual apps
|
|
|
|
together.
|
|
|
|
|
|
|
|
What led me to finally try out NixOS is the constant struggle to maintain PGP and other security configurations. If you've ever
|
|
|
|
tried to set up git commit signing, together with a security key, you know that it's a pain. GnuPG is not exactly the most user-friendly
|
|
|
|
app out there: it looks like the approach for its development can be summarized as "don't fix it if it aint broken".
|
|
|
|
|
|
|
|
Some aspects of PGP complexities are of course due to PGP as a standard being "frozen" in time. There are proposed alternatives,
|
|
|
|
but we are very, very far away from it being replaced.
|
|
|
|
|
|
|
|
If you want a more specific example, here's how I set up a few encryption/signing-related configurations in NixOS:
|
|
|
|
|
|
|
|
```
|
|
|
|
programs.gpg = {
|
|
|
|
enable = true;
|
|
|
|
package = pkgs.gnupg;
|
|
|
|
publicKeys = [{source = ./gpg_public_key.asc; trust="ultimate"; }];
|
|
|
|
settings = {
|
|
|
|
default-key = "0x0560020C9C577C1B";
|
|
|
|
};
|
|
|
|
mutableKeys = false;
|
|
|
|
mutableTrust = false;
|
|
|
|
};
|
|
|
|
|
|
|
|
programs.git = {
|
|
|
|
enable = true;
|
|
|
|
userName = "Konstantin Nazarov";
|
|
|
|
userEmail = "mail@knazarov.com";
|
|
|
|
signing = {
|
|
|
|
gpgPath = "${pkgs.gnupg}/bin/gpg2";
|
|
|
|
key = "0x0560020C9C577C1B";
|
|
|
|
signByDefault = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
accounts.email = {
|
|
|
|
maildirBasePath = "${config.users.users.knazarov.home}/Maildir";
|
|
|
|
accounts = {
|
|
|
|
personal = let account = "mail@knazarov.com"; in {
|
|
|
|
primary = true;
|
|
|
|
flavor = "fastmail.com";
|
|
|
|
address = account;
|
|
|
|
userName = account;
|
|
|
|
realName = "Konstantin Nazarov";
|
|
|
|
passwordCommand = "cat /run/secrets/fastmail_password";
|
|
|
|
gpg = {
|
|
|
|
key = "0x0560020C9C577C1B";
|
|
|
|
signByDefault = true;
|
|
|
|
};
|
|
|
|
mu.enable = true;
|
|
|
|
msmtp.enable = true;
|
|
|
|
mbsync = {
|
|
|
|
enable = true;
|
|
|
|
# Folders existing on the server, but not locally, will be created.
|
|
|
|
create = "maildir";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
```
|
|
|
|
|
|
|
|
It reads almost plain English, doesn't it? This is due to most of the existing software in NixOS being wrapped into library
|
|
|
|
"modules" which you can pass parameters to.
|
|
|
|
|
|
|
|
And best of all, NixOS has good integration with [sops](https://github.com/getsops/sops) that allows you to store secrets
|
|
|
|
in an encrypted form in a git repository, and easily reference them in the configuration.
|
|
|
|
|
2024-09-11 23:12:15 +00:00
|
|
|
If you're interested, my NixOS configuration can be found [here](https://git.knazarov.com/knazarov/nixos).
|