<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link
rel="stylesheet"
href="/styles.1b8b925727a47aa0b397d2326344c60a14f98d348ccd63b9047f3a72456552ad.css"
type="text/css"
/>
<link
rel="icon"
href="/favicon.1d9d66e8e0f6f92db8c49e54f947c1f74da9a1a71ab0a0749fb43679df437515.svg"
type="image/svg+xml"
/>
<title>NixOS review: 8 important pros and cons - anthesis</title>
<meta name="description" content=
"Curious about the benefits and drawbacks of NixOS? Read my review to
decide whether NixOS is a good daily driver for you."
/>
<meta name="color-scheme" content="light dark"/>
<link rel="canonical" href="https://www.anthes.is/nixos-pros-cons.html"/>
<link rel="alternate" type="application/atom+xml" href="/rss.xml"/>
</head>
<body>
<header>
<nav class="navbar">
<ul>
<li><a href="/" hreflang="en">Home</a></li>
<li><a href="/contact.html" hreflang="en">Contact</a></li>
<li><a href="/src.html" hreflang="en">Source code</a></li>
</ul>
</nav>
</header>
<main>
<h1>NixOS review: 8 important pros and cons</h1>
<article>
<p>
Last updated: <time datetime="2023-06-19">June 19th, 2023</time>
</p>
<p>
Before you continue on with my review of NixOS,
here’s a short list of the advantages and
disadvantages I talk about for reference.
</p>
<dl>
<dt>Strengths</dt>
<dd>Abstraction</dd>
<dd>Reproducible builds</dd>
<dd>Atomic upgrades</dd>
<dd>Rollbacks</dd>
<dd>Immutability</dd>
<dt>Weaknesses</dt>
<dd>The learning curve</dd>
<dd>Some security concerns</dd>
<dd>Requires systemd</dd>
</dl>
<section>
<h2 id="what-is-nixos">What is NixOS and why might you use it?</h2>
<p>
<a href="https://nixos.org/" hreflang="en">NixOS</a>
is a unique Linux distribution. The main thing that
makes NixOS special is the ability to describe your
desired system layout with the Nix language. To do
this, you edit a file named
<code>/etc/nixos/configuration.nix</code> and then
rebuild the system.
</p>
<p>
Declarative package management and system
configuration have some benefits over the imperative
approach used by more traditional operating systems.
But to meaningfully review the pros and cons of
NixOS, we must first understand these terms and how
they relate to one another.
</p>
<p>
If you already know the differences between them,
<a href="#nixos-advantages">feel free to skip ahead</a>.
</p>
</section>
<section>
<h2 id="imperative-vs-declarative">What do imperative and declarative mean?</h2>
<p>
The easiest way for me to explain these two concepts
is to talk about them in the context of software
development.
</p>
<p>
<em>Imperative</em> programming languages are things
like Python and C. To make languages like this
useful, you provide step-by-step instructions that
lead to your end goal. In other words,
<strong>imperative means you write out how to do something</strong>.
</p>
<p>
Meanwhile, Haskell and Nix are examples of
<em>declarative</em> programming languages. Their
design allows them to perform the necessary steps on
their own when given a proper description. In other
words,
<strong>declarative means you describe what the end result should be</strong>.
</p>
<p>
Let’s compare the process of activating an SSH
service on Arch Linux and NixOS to demonstrate the
differences between these two paradigms.
</p>
</section>
<section>
<h3 id="enable-ssh-arch">Enable SSH imperatively</h3>
<ol>
<li>
<p>
Install the <code>openssh</code> package.
</p>
<pre># <kbd>pacman -S openssh</kbd></pre>
</li>
<li>
<p>
Enable and start the service. Arch ships the unit as
<code>sshd.service</code> (<code>ssh.service</code> is the
Debian name), and <code>enable</code> on its own only takes
effect at the next boot, hence <code>--now</code>.
</p>
<pre># <kbd>systemctl enable --now sshd</kbd></pre>
</li>
</ol>
<h3 id="enable-ssh-nixos">Enable SSH declaratively</h3>
<ol>
<li>
<p>
Edit the <code>/etc/nixos/configuration.nix</code> file and
enable the service. (<code>services.sshd.enable</code> is an
alias for the same option and works too.)
</p>
<pre><kbd>services.openssh.enable = true;</kbd></pre>
</li>
<li>
<p>
Rebuild and switch to the new configuration. During the build,
the <code>openssh</code> module pulls the <code>openssh</code>
package into the new system, generates
<code>sshd_config</code> and the systemd unit, and the switch
starts that unit. There is no separate install or enable step.
</p>
<pre># <kbd>nixos-rebuild switch</kbd></pre>
</li>
</ol>
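<p>
The declarative form carries more than the on/off switch: the
hardening that you would otherwise apply by hand-editing
<code>sshd_config</code> lives in the same file and is rebuilt with
the system. The fragment below is an added example, not code from the
article; the user name <code>alice</code> and the key are placeholders,
and the <code>services.openssh.settings</code> options exist from NixOS
23.05 onwards.
</p>

```nix
# /etc/nixos/configuration.nix (fragment). Added example, not from the article.
# 'alice' and her key are placeholders.
{ config, pkgs, ... }:
{
  services.openssh = {
    enable = true;                          # same effect as services.sshd.enable = true
    settings = {
      PasswordAuthentication = false;       # keys only: password guessing becomes pointless
      KbdInteractiveAuthentication = false; # closes the PAM "keyboard-interactive" side door
      PermitRootLogin = "no";               # log in as a user, escalate with sudo
    };
    # openFirewall defaults to true, so port 22 is opened for you. Set it to
    # false if SSH should only be reachable over a VPN or a specific interface.
  };

  # Only this key can log in as 'alice'. The key below is not a real key.
  users.users.alice = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];              # sudo via the wheel group
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDER alice@laptop"
    ];
  };
}
```

<p>
After <code>nixos-rebuild switch</code>, <code>sshd -T</code> prints the
server’s effective configuration, so
<code>sshd -T | grep -i -e passwordauthentication -e permitrootlogin</code>
confirms that the settings actually reached the generated
<code>/etc/ssh/sshd_config</code> rather than trusting the Nix file.
</p>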
</section>
<section>
<h2 id="nixos-advantages">NixOS advantages</h2>
<section>
<h3 id="abstraction">Pro #1: Abstraction</h3>
<p>
The nice thing about NixOS is that a lot of
different software can be configured using the
same syntax. Compare the way that default fonts
are set in the Extensible Markup Language (XML)
to the Nix expression.
</p>
<p>
You may notice that the XML sample only defines
serif. Yet right below it, Nix is able to
declare default serif, sans-serif, and monospace
fonts in less space.
</p>
<pre><code>&lt;?xml version='1.0'?&gt;
&lt;!DOCTYPE fontconfig SYSTEM 'fonts.dtd'&gt;
&lt;fontconfig&gt;
&lt;alias&gt;
&lt;family&gt;serif&lt;/family&gt;
&lt;prefer&gt;
&lt;family&gt;Liberation Serif&lt;/family&gt;
&lt;/prefer&gt;
&lt;/alias&gt;
&lt;/fontconfig&gt;</code></pre>
<pre><code>fonts.fontconfig.defaultFonts = {
serif = [ "Liberation Serif" ];
sansSerif = [ "Liberation Sans" ];
monospace = [ "Victor Mono" ];
};</code></pre>
<p>
Note that this will <em>not</em> install font packages for
you. There is a separate option where you list each package
out: <code>fonts.fonts</code> on the release this review was
written against (23.05), renamed to
<code>fonts.packages</code> from NixOS 23.11 onwards.
</p>
</section>
<section>
<h3 id="reproducible-builds">Pro #2: Reproducible builds</h3>
<p>
Reproducibility and deterministic behavior are dense topics.
When it comes to NixOS, the idea is that it’s easy to
recreate a given system configuration. You can copy
<code>/etc/nixos/configuration.nix</code> over to a different
machine and build from it. Two caveats apply. First, the file
only describes <em>what</em> to build; <em>which</em> nixpkgs
revision it is built against comes from the machine’s
channel, so two hosts on different channel updates will get
different package versions from the same file. Pin the nixpkgs
input (a flake with its <code>flake.lock</code>, or a tool
like <code>niv</code>) if you need the same closure on every
host. Second, the generated
<code>hardware-configuration.nix</code> that
<code>configuration.nix</code> normally imports is specific to
the machine it was generated on.
</p>
<p>
This is reproducibility of the <em>configuration</em>, not a
promise that every package is bit-for-bit reproducible. Nix
identifies each build by the hash of its inputs, which is what
makes the result repeatable; whether the output bytes are
identical across builders is a separate, ongoing effort in
nixpkgs.
</p>
<p>
This means that NixOS is a good Linux distribution for cloud
servers, as reliable system deployment is straightforward and
built into the OS itself. Additionally, Nix itself is a
powerful collaborative tool, because creating a development
environment with the same version of important libraries is
relatively easy to do.
</p>
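<p>
Pinning is what turns “copy the file to another machine” into
the same closure on both machines. The flake below is an added example
and not part of the article; the host name <code>example</code>, the
system type and the branch are assumptions.
</p>

```nix
# /etc/nixos/flake.nix, next to configuration.nix. Added example, not from
# the article; 'example', x86_64-linux and the nixos-23.05 branch are assumptions.
{
  description = "Pinned NixOS configuration";

  # The branch name is only the starting point. The first build writes
  # flake.lock with the exact nixpkgs commit and its content hash, and every
  # later build, on any machine, uses that commit until you run `nix flake update`.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";

  outputs = { self, nixpkgs }: {
    nixosConfigurations.example = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
        # Generated per machine by nixos-generate-config: the one part of the
        # configuration that legitimately differs between hosts.
        ./hardware-configuration.nix
      ];
    };
  };
}
```

<p>
Build it with <code>nixos-rebuild switch --flake /etc/nixos#example</code>
after setting
<code>nix.settings.experimental-features = [ "nix-command" "flakes" ];</code>
(flakes are still marked experimental), and commit
<code>flake.lock</code> together with the configuration; the lock file
is the reproducibility. One caveat that matters for the security
section below: evaluating a flake copies its whole directory into the
Nix store, so a secret kept next to <code>flake.nix</code> becomes
world-readable.
</p>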
</section>
<section>
<h3 id="atomic-rollbacks">Pro #3: Atomic upgrades</h3>
<p>
Another really helpful feature Nix
developers included is the avoidance of
partial states. When software is designed
around this principle, either everything
takes effect or nothing does. This is also
known as <em>atomicity</em>.
</p>
<p>
Upgrading NixOS is an atomic transaction. The new system is
first built in full into the Nix store, alongside the old one;
the switch itself is a single replacement of the symlink that
names the current system generation, so there is no moment at
which the system is half old and half new. Here’s a
practical example of how that can be useful: if a power outage
happens during a rebuild, the packages are still in a
consistent state. The system will either use the entire working
set of packages from before or after.
</p>
<p>
The guarantee covers what is on disk and what you will boot
into. The live activation that
<code>nixos-rebuild switch</code> performs still restarts
changed services one by one; if that matters, use
<code>nixos-rebuild boot</code>, which only makes the new
generation the default for the next boot.
</p>
</section>
<section>
<h3 id="rollbacks">Pro #4: Rollbacks</h3>
<p>
“Generations” are a key feature of NixOS. Every
successful rebuild creates a new generation of the system
profile; if you mess something up, you can roll back to a
previous working configuration with
<code>nixos-rebuild switch --rollback</code>. The boot loader
includes a list of generations to select from as well, which is
what saves you when the broken change is in the kernel or the
boot process itself.
</p>
<p>
The security flip side is that a rollback also rolls back
patches. Old generations keep the pre-update binaries in the
store and selectable from the boot menu, so anyone at the
console can boot an unpatched system until you garbage-collect
the old generations
(<code>nix-collect-garbage --delete-older-than 7d</code>, or a
<code>boot.loader.systemd-boot.configurationLimit</code> to cap
how many appear in the menu).
</p>
</section>
<section>
<h3 id="immutability">Pro #5: Immutability</h3>
<p>
Packages are installed in unique locations within the Nix
store (<code>/nix/store</code>), and always remain the same
once built. The subdirectory for each package is named after a
cryptographic hash of everything that went into building it:
the sources, the build script, the flags, and the store paths
of all of its dependencies. On NixOS the store is additionally
mounted read-only, so even root has to remount it before
editing a file in place.
</p>
<p>
Setting the jargon aside, this means you can easily use
multiple versions of the same software. It also applies to
identical versions with different build dependencies or flags:
change any input and the hash changes, so the two builds land
in different directories and coexist instead of overwriting
each other. The same property gives you an integrity check for
free: <code>nix-store --verify --check-contents</code> rehashes
every store path and reports any that no longer match what the
Nix database recorded. Keep in mind that the store is also
world-readable by design, which is why secrets must never be
built into it (see the security concerns below).
</p>
</section>
</section>
<section>
<h2 id="nixos-disadvantages">NixOS disadvantages</h2>
<section>
<h3 id="learning-curve">Con #1: The learning curve</h3>
<p>
To manage your system effectively, you’ll
need to invest some time and effort into
learning Nix and related tools. After all, most
of the system configuration you would perform by
hand with another Linux distro is instead handled
with a programming language.
</p>
<p>
Here’s my recommendation: experiment with
Nix and see how you feel about it before
installing NixOS on bare metal. You’ll
want to check the
<a
href="https://nixos.org/guides/nix-language.html"
hreflang="en"
rel="nofollow"
>Nix language guide</a>
and follow along to get a sense of how the
language works.
</p>
</section>
<section>
<h3 id="security-concerns">Con #2: Some security concerns</h3>
<p>
It’s always a good idea to see what open
issues a software project has before using
it—especially those pertaining to
security. Here are a few issues in the
<a
href="https://github.com/NixOS/nixpkgs"
hreflang="en"
>nixpkgs repository</a>
to consider before using NixOS.
</p>
<ul>
<li>
<a
href="https://github.com/NixOS/nixpkgs/issues/24288"
hreflang="en"
rel="nofollow"
>World-readable secrets inside the Nix store</a>
</li>
<li>
<a
href="https://github.com/NixOS/nixpkgs/issues/11908"
hreflang="en"
rel="nofollow"
>Many NixOS services needlessly run as root</a>
</li>
<li>
<a
href="https://github.com/NixOS/nixpkgs/issues/121293"
hreflang="en"
rel="nofollow"
>chmod leaves opportunity to leak secrets</a>
</li>
<li>
<a
href="https://github.com/NixOS/nixpkgs/issues/156400"
hreflang="en"
rel="nofollow"
>Secrets provided in arguments are exposed to unprivileged users</a>
</li>
<li>
<a
href="https://github.com/NixOS/nixpkgs/issues/55370"
hreflang="en"
rel="nofollow"
>nobody/nogroup shouldn't be used</a>
</li>
</ul>
<p>
Of course, every software project of notable size and scope
has <em>some</em> security issues. Decide for yourself what an
acceptable threshold is. The issues above share two root
causes worth keeping in mind whatever you decide: the Nix
store is world-readable by design, so anything a module writes
into it, including a password you typed into
<code>configuration.nix</code> or a file you referenced with a
path literal, is readable by every local user; and the modules
for a number of services run them as root or as the shared
<code>nobody</code> account rather than under a dedicated,
sandboxed user. Both are things you can address in your own
configuration rather than wait on upstream for. You might also
consult the
<a
href="https://nixos.org/community/teams/security.html"
hreflang="en"
rel="nofollow"
>NixOS security page</a>.
</p>
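<p>
What that looks like in practice: keep secrets out of the store by
passing their <em>location</em> rather than their contents, and give
your own services a dedicated user and a sandbox. The fragment below is
an added example, not code from the article or from nixpkgs; the
service <code>myapp</code>, the <code>/run/secrets</code> paths and the
user <code>alice</code> are assumptions, and the leaking lines are left
commented out on purpose.
</p>

```nix
# /etc/nixos/configuration.nix (fragment). Added example, not from the article.
# 'myapp', the /run/secrets paths and 'alice' are assumptions.
{ config, pkgs, lib, ... }:
{
  # What NOT to do. Each of these puts secret material into /nix/store, which
  # is world-readable by design (the first issue in the list above):
  #   users.users.alice.password = "hunter2";
  #   environment.etc."myapp/api.key".text = builtins.readFile ./api.key;
  #   systemd.services.myapp.serviceConfig.ExecStart = "... --api-key hunter2";
  # A path literal such as ./api.key is copied into the store the moment it is
  # interpolated into a string; builtins.readFile inlines the contents into
  # whatever store file the module generates; and a secret passed as a
  # command-line argument is visible to every local user in /proc/PID/cmdline
  # (the fourth issue above).

  # Instead, hand the location around as a plain string. "/run/secrets/..." is
  # not a store path, so the file stays outside the store with whatever owner
  # and mode you give it (here assumed root:root 0400, provisioned out of band).
  users.users.alice = {
    isNormalUser = true;
    # file contents produced with: mkpasswd -m sha-512
    hashedPasswordFile = "/run/secrets/alice.hash";  # named passwordFile before NixOS 23.11
  };

  systemd.services.myapp = {
    description = "example service: secret via systemd credentials, no root";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.hello}/bin/hello";   # placeholder for the real binary
      # The service manager (root) reads the file and exposes it to the process
      # as $CREDENTIALS_DIRECTORY/api.key; the unit file in the store holds only the path.
      LoadCredential = [ "api.key:/run/secrets/api.key" ];
      # A per-service transient user instead of root or the shared 'nobody'
      # account (second and fifth issues above).
      DynamicUser = true;
      # Sandboxing that costs nothing for most daemons.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
    };
  };
}
```

<p>
Two checks close the loop after <code>nixos-rebuild switch</code>:
<code>systemd-analyze security myapp.service</code> scores the unit’s
exposure and names every sandboxing directive it is missing, and
<code>grep -rl hunter2 $(nix-store -qR /run/current-system)</code> is a
blunt but honest way to confirm that a known secret did not end up
anywhere in the system closure. Getting the files into
<code>/run/secrets</code> with the right mode is the job of a
secrets tool such as <code>sops-nix</code> or <code>agenix</code>,
which decrypt at activation time rather than at build time, precisely
so that nothing secret is ever an input to a derivation.
</p>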
</section>
<section>
<h3 id="requires-systemd">Con #3: Requires systemd</h3>
<p>
<a
href="https://github.com/NixOS/nixpkgs/issues/126797"
hreflang="en"
rel="nofollow"
>NixOS depends on systemd</a>. There’s no
option to use something different like OpenRC or
runit. This will probably remain the case for
the foreseeable future.
</p>
<p>
If you’re fine with using a Linux
distribution that has systemd, then perhaps this
isn’t a concern for you. All the same, one
drawback of NixOS is that it doesn’t enjoy
the level of freedom that something like Gentoo
has in this regard.
</p>
</section>
</section>
<section>
<h2 id="conclusion">Concluding my NixOS review</h2>
<p>
Every system has its strengths and weaknesses,
whether it’s a Linux distro or otherwise.
Software is a tool: to select the right tool for the
job, you need to first understand the problem
you’re looking to solve.
</p>
<p>
I hope that my NixOS review has given you some
reasons to explore the Nix ecosystem, as well as
some knowledge to arm yourself with when you do so.
Assuming the benefits were compelling to you and the
drawbacks seem like things you can live with, you
may as well give it a try. Experience is one of the
best ways to learn.
</p>
</section>
</article>
</main>
</body>
</html>