A review of Nix/NixOS after using it on all my machines for three years. I'll cover what works, what doesn't, and why it's the first OS that's stuck with me.
So, I’ve only played around with NixOS on a Raspberry Pi, but… Don’t people usually split their config up in multiple files, and then store than in a Git repository?
The process then still is: check out that Git repository, except there’s another step: copy over your private key so that you can decrypt your secrets.
Is that correct? Or did I make things needlessly complex for myself?
The process then still is: check out that Git repository, except there’s another step: copy over your private key so that you can decrypt your secrets.
The ssh key to access the private git repo is on the same yubikey as the decryption key (they are technically different GPG slots but I don’t need to care about that, just plug the key in, type in the pin, and it all works automagically)
Way over complex lol. I don’t copy anything to online source for better or worse. I auto script backups. The only backups you’ll ever need are nix config. Nothing else aside from your home folder obviously. With those two you can boot on any machine, anytime, as if you never left. I am not shilling. It’s been dead stable so far, aside from tweaks I done to break my own builds testing.
Hmm yeah, I guess the question is: is it overly complex if I do want to store my backup of my Nix config online, version-controlled, preferably publicly?
I don’t have any secrets in my config or a private key or anything and I’m currently running 4 servers from the same config (it used to be 8 or even more machines at some point even, including desktops).
But yes, it’s a multi-file config, it would be absolutely crazy to not split it up with how large it is.
Is that just because your four servers aren’t used for anything that need a secret? e.g. I wanted to put my wifi password in there, and the password for my user account.
So, I’ve only played around with NixOS on a Raspberry Pi, but… Don’t people usually split their config up in multiple files, and then store than in a Git repository?
The process then still is: check out that Git repository, except there’s another step: copy over your private key so that you can decrypt your secrets.
Is that correct? Or did I make things needlessly complex for myself?
I store my secrets in a separate private git repo and automatically decrypt them with my hardware key (https://github.com/balsoft/nixos-config/blob/master/modules/secrets.nix) so for me it’s literally just plug in my yubikey and
nixos-install github:balsoft/nixos-config#hostnameHow do you access the private Git repo then? Don’t you need a secret to access it?
The ssh key to access the private git repo is on the same yubikey as the decryption key (they are technically different GPG slots but I don’t need to care about that, just plug the key in, type in the pin, and it all works automagically)
That’s neat!
Way over complex lol. I don’t copy anything to online source for better or worse. I auto script backups. The only backups you’ll ever need are nix config. Nothing else aside from your home folder obviously. With those two you can boot on any machine, anytime, as if you never left. I am not shilling. It’s been dead stable so far, aside from tweaks I done to break my own builds testing.
Hmm yeah, I guess the question is: is it overly complex if I do want to store my backup of my Nix config online, version-controlled, preferably publicly?
If you do then your golden. That’s the way to go. I dislike online things. Personal preference. There’s advantages going the GIT method as well.
No. There are many of us that do that, I do, I found two random people online that did that and used their configs as a help when I was learning.
I don’t have any secrets in my config or a private key or anything and I’m currently running 4 servers from the same config (it used to be 8 or even more machines at some point even, including desktops).
But yes, it’s a multi-file config, it would be absolutely crazy to not split it up with how large it is.
Is that just because your four servers aren’t used for anything that need a secret? e.g. I wanted to put my wifi password in there, and the password for my user account.