Add a post on NixOS
This commit is contained in:
parent
3ef359eeb6
commit
d2b1e214e0
1 changed files with 78 additions and 0 deletions
78
content/posts/how_and_why_i_use_nixos/note.md
Normal file
@ -0,0 +1,78 @@
X-Date: 2023-07-30T19:00:00Z
X-Note-Id: 06edbf5a-f446-4b43-83aa-54615de8b103
Subject: How and why I use NixOS
X-Slug: how_and_why_i_use_nixos

It's not very easy to explain what [NixOS](https://nixos.org/) is, because there are very few similar systems to compare with.
I can only sort of compare it with the concept of [Terraform](https://www.terraform.io/), but applied to the operating system itself
and not to the "cloud".

NixOS, and [home-manager](https://github.com/nix-community/home-manager) in particular apply the concept of of a purely functional
programming language in order to configure all aspects of the operating system, and tie the configuration of individual apps
together.

What led me to finally try out NixOS is the constant struggle to maintain PGP and other security configurations. If you've ever
tried to set up git commit signing, together with a security key, you know that it's a pain. GnuPG is not exactly the most user-friendly
app out there: it looks like the approach for its development can be summarized as "don't fix it if it aint broken".

Some aspects of PGP complexities are of course due to PGP as a standard being "frozen" in time. There are proposed alternatives,
but we are very, very far away from it being replaced.

If you want a more specific example, here's how I set up a few encryption/signing-related configurations in NixOS:

```
programs.gpg = {
enable = true;
package = pkgs.gnupg;
publicKeys = [{source = ./gpg_public_key.asc; trust="ultimate"; }];
settings = {
default-key = "0x0560020C9C577C1B";
};
mutableKeys = false;
mutableTrust = false;
};

programs.git = {
enable = true;
userName = "Konstantin Nazarov";
userEmail = "mail@knazarov.com";
signing = {
gpgPath = "${pkgs.gnupg}/bin/gpg2";
key = "0x0560020C9C577C1B";
signByDefault = true;
};
};

accounts.email = {
maildirBasePath = "${config.users.users.knazarov.home}/Maildir";
accounts = {
personal = let account = "mail@knazarov.com"; in {
primary = true;
flavor = "fastmail.com";
address = account;
userName = account;
realName = "Konstantin Nazarov";
passwordCommand = "cat /run/secrets/fastmail_password";
gpg = {
key = "0x0560020C9C577C1B";
signByDefault = true;
};
mu.enable = true;
msmtp.enable = true;
mbsync = {
enable = true;
# Folders existing on the server, but not locally, will be created.
create = "maildir";
};
};
};
};
```

It reads almost plain English, doesn't it? This is due to most of the existing software in NixOS being wrapped into library
"modules" which you can pass parameters to.

And best of all, NixOS has good integration with [sops](https://github.com/getsops/sops) that allows you to store secrets
in an encrypted form in a git repository, and easily reference them in the configuration.

If you're interested, my NixOS configuration can be found [here](https://git.sr.ht/~knazarov/nixos).
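Review bot: the `passwordCommand = "cat /run/secrets/fastmail_password";` line in the `accounts.email` block is the only place the example touches secrets, and nothing in the hunk shows how that file ends up under `/run/secrets`; the closing paragraph mentions sops but never ties it to this line, so a reader cannot reproduce the setup from the post alone. Consider adding the matching secret declaration to the example, or one sentence stating that this path is provisioned from the sops-encrypted repository. Two typos in the prose: "the concept of of a purely functional" doubles "of", and "aint" should be "ain't"; "It reads almost plain English" wants a "like". Style: the key id "0x0560020C9C577C1B" is repeated in three places (gpg `settings`, git `signing`, email `gpg`), so binding it once with `let` would keep them from drifting apart, and `trust="ultimate"` lacks the spaces around `=` used everywhere else in the block.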