Bye bye Fedora - Hello NixOS

Harald Hoyer October 27, 2023 #Fedora #NixOS

After over twenty years of using Red Hat and Fedora, it’s time to move on to explore other possibilities. Although my secure boot laptop still uses VerityBook, which is based on Fedora, my other machines are now running NixOS.

How come? Well, for the Enarx Project and generally for software running in a TEE, the desired state is to run reproducible binaries, and in this field NixOS really shines. Not only can it produce the binaries reproducibly, but also Docker images, disk images and the like. This also comes in handy in my current job at MatterLabs, where I am working on TEE-related things (soon to be open sourced and blogged about).

With NixOS I can keep my system configuration for several machines in just one file (although split up with an include-like mechanism) and have reusable parts shared across machines.

Also, the configuration of one service affects the configuration of other services automatically, so you don’t have to micromanage every configuration file. It’s like having something like Ansible or Terraform built into a Kickstart file.

With nixos-rebuild I can reconfigure remote machines via ssh and sudo and with nixos-anywhere I can even format the disks and deploy NixOS on nearly every existing Linux machine (replacing the old distro).
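As an added illustration of the layout described above (not the author's own configuration), here is a flake in which two hosts share one common module and each is deployed over ssh with nixos-rebuild. The host names, the admin user, the key placeholder and the file layout are assumptions.

```nix
# ---- flake.nix ---- (added example, not the author's configuration)
# Two hypothetical hosts; each one pulls in ./common.nix plus its own file.
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";

  outputs = { self, nixpkgs }: {
    nixosConfigurations = {
      workstation = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [ ./common.nix ./hosts/workstation.nix ];
      };
      server = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [ ./common.nix ./hosts/server.nix ];
      };
    };
  };
}

# ---- common.nix ---- the reusable part shared by every machine
{ config, pkgs, ... }: {
  # Enabling sshd here is enough: the firewall rule for port 22 is
  # derived from it (services.openssh.openFirewall defaults to true),
  # so no second file has to be touched.
  services.openssh.enable = true;
  services.openssh.settings.PasswordAuthentication = false;

  # Hypothetical admin user; key-only login, member of wheel for sudo.
  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA<placeholder> admin" ];
  };

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
}

# ---- hosts/server.nix ---- only what differs for this machine
{ ... }: {
  networking.hostName = "server";
}

# Deploy from the build machine: evaluation and build happen locally,
# the closure is copied over ssh and activated with sudo on the target.
#   nixos-rebuild switch --flake .#server \
#     --target-host admin@server.example --use-remote-sudo
```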

In the future I want to explore the mantra of “Erase your darlings”, where one tries to isolate the parts of the system that are not generated by the Nix configuration (and therefore are the parts that go into the backup).

Another interesting feature of the Nix configuration is the possibility to create VM images, which I might turn into a VerityBook-like partition image with dm-verity, which can then be signed and used for a secure boot setup. Build the image on a trusted machine, sign it and deploy the image to the machines, just like with VerityBook. But those plans have to wait until I have more time.

To overcome the steep learning curve of the Nix language, these tutorials helped me a lot:

The only downside so far has been the slow response times to security issues, due to the missing infrastructure for mass rebuilds. I hope a solution for this can be found in the future.

Sorry Fedora community, you have served me well for over two decades. It’s time to move on and explore new possibilities.
