From d2b1e214e0e5053e7cf9d2d676acb2969ab338d8 Mon Sep 17 00:00:00 2001
From: Konstantin Nazarov
Date: Sun, 30 Jul 2023 19:27:25 +0100
Subject: [PATCH] Add a post on NixOS

---
 content/posts/how_and_why_i_use_nixos/note.md | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 content/posts/how_and_why_i_use_nixos/note.md

diff --git a/content/posts/how_and_why_i_use_nixos/note.md b/content/posts/how_and_why_i_use_nixos/note.md
new file mode 100644
index 0000000..c37b152
--- /dev/null
+++ b/content/posts/how_and_why_i_use_nixos/note.md
@@ -0,0 +1,78 @@
+X-Date: 2023-07-30T19:00:00Z
+X-Note-Id: 06edbf5a-f446-4b43-83aa-54615de8b103
+Subject: How and why I use NixOS
+X-Slug: how_and_why_i_use_nixos
+
+It's not very easy to explain what [NixOS](https://nixos.org/) is, because there are very few similar systems to compare with.
+I can only sort of compare it with the concept of [Terraform](https://www.terraform.io/), but applied to the operating system itself
+and not to the "cloud".
+
+NixOS, and [home-manager](https://github.com/nix-community/home-manager) in particular apply the concept of of a purely functional
+programming language in order to configure all aspects of the operating system, and tie the configuration of individual apps
+together.
+
+What led me to finally try out NixOS is the constant struggle to maintain PGP and other security configurations. If you've ever
+tried to set up git commit signing, together with a security key, you know that it's a pain. GnuPG is not exactly the most user-friendly
+app out there: it looks like the approach for its development can be summarized as "don't fix it if it aint broken".
+
+Some aspects of PGP complexities are of course due to PGP as a standard being "frozen" in time. There are proposed alternatives,
+but we are very, very far away from it being replaced.
+
+If you want a more specific example, here's how I set up a few encryption/signing-related configurations in NixOS:
+
+```
+programs.gpg = {
+ enable = true;
+ package = pkgs.gnupg;
+ publicKeys = [{source = ./gpg_public_key.asc; trust="ultimate"; }];
+ settings = {
+ default-key = "0x0560020C9C577C1B";
+ };
+ mutableKeys = false;
+ mutableTrust = false;
+};
+
+programs.git = {
+ enable = true;
+ userName = "Konstantin Nazarov";
+ userEmail = "mail@knazarov.com";
+ signing = {
+ gpgPath = "${pkgs.gnupg}/bin/gpg2";
+ key = "0x0560020C9C577C1B";
+ signByDefault = true;
+ };
+};
+
+accounts.email = {
+ maildirBasePath = "${config.users.users.knazarov.home}/Maildir";
+ accounts = {
+ personal = let account = "mail@knazarov.com"; in {
+ primary = true;
+ flavor = "fastmail.com";
+ address = account;
+ userName = account;
+ realName = "Konstantin Nazarov";
+ passwordCommand = "cat /run/secrets/fastmail_password";
+ gpg = {
+ key = "0x0560020C9C577C1B";
+ signByDefault = true;
+ };
+ mu.enable = true;
+ msmtp.enable = true;
+ mbsync = {
+ enable = true;
+ # Folders existing on the server, but not locally, will be created.
+ create = "maildir";
+ };
+ };
+ };
+};
+```
+
+It reads almost plain English, doesn't it? This is due to most of the existing software in NixOS being wrapped into library
+"modules" which you can pass parameters to.
+
+And best of all, NixOS has good integration with [sops](https://github.com/getsops/sops) that allows you to store secrets
+in an encrypted form in a git repository, and easily reference them in the configuration.
+
+If you're interested, my NixOS configuration can be found [here](https://git.sr.ht/~knazarov/nixos).