There are so many new insights from this talk, that I need to pin them down.
sixos: a nix os without systemd by Adam Joseph (Fahrplan)
sixos is much like NixOS but uses s6 instead of systemd and an alternative configuration mechanism for services called “infusion” instead of nixos’ modules. s6 is a set of small tools that together provide the functionality of process supervision, service dependency mangagement and more.
The s6 site provides A LOT of insight about how to do all of this conforming to the UNIX philosophy. Especially new and interesting to me were the bits about “chain loading” and this rant about systemd. The latter finally convinced me, that systemd is a bad thing and that I should try to get rid of it. - Sorry for being a bit late to the party.
I’ve a dream of creating a replacement for kubernetes. I don’t need such a thing right now, but it would heal some post-traumatic syndroms after two years of kubernetes support. The small and simple tools from s6 together with nix would already cover a lot of ground.
More interesting bits discoverd:
This find quote I want to learn by heart:
“If the users don’t control the program, the program controls the users. With proprietary software, there is always some entity, the “owner” of the program, that controls the program and through it, exercises power over its users. A nonfree program is a yoke, an instrument of unjust power.” — Richard Stallman1
There is no hint to any communication channel for discussions about sixos. But Adam pointed to the tvl channel on hackint during his talk for people interested in improving Nix and he is actually operator of a channel #six on hackint. He is amjoseph on IRC.
Now I’m just curious whether there is a story behind the slogan “ca-bundle.crt is malware” that Adam had on his shirt during the talk.
Joachim Breitner wrote about a Convenient sandboxed development environment and thus reminded me to blog about MicroVM. I’ve toyed around with it a little but not yet seriously used it as I’m currently not coding.
MicroVM is a nix based project to configure and run minimal VMs. It can mount and thus reuse the hosts nix store inside the VM and thus has a very small disk footprint. I use MicroVM on a debian system using the nix package manager.
The MicroVM author uses the project to host production services. Otherwise I consider it also a nice way to learn about NixOS after having started with the nix package manager and before making the big step to NixOS as my main system.
The guests root filesystem is a tmpdir, so one must explicitly define folders that should be mounted from the host and thus be persistent across VM reboots.
I defined the VM as a nix flake since this is how I started from the MicroVM projects example:
{
description = "Haskell dev MicroVM";
inputs.impermanence.url = "github:nix-community/impermanence";
inputs.microvm.url = "github:astro/microvm.nix";
inputs.microvm.inputs.nixpkgs.follows = "nixpkgs";
outputs = { self, impermanence, microvm, nixpkgs }:
let
persistencePath = "/persistent";
system = "x86_64-linux";
user = "thk";
vmname = "haskell";
nixosConfiguration = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
microvm.nixosModules.microvm
impermanence.nixosModules.impermanence
({pkgs, ... }: {
environment.persistence.${persistencePath} = {
hideMounts = true;
users.${user} = {
directories = [
"git" ".stack"
];
};
};
environment.sessionVariables = {
TERM = "screen-256color";
};
environment.systemPackages = with pkgs; [
ghc
git
(haskell-language-server.override { supportedGhcVersions = [ "94" ]; })
htop
stack
tmux
tree
vcsh
zsh
];
fileSystems.${persistencePath}.neededForBoot = nixpkgs.lib.mkForce true;
microvm = {
forwardPorts = [
{ from = "host"; host.port = 2222; guest.port = 22; }
{ from = "guest"; host.port = 5432; guest.port = 5432; } # postgresql
];
hypervisor = "qemu";
interfaces = [
{ type = "user"; id = "usernet"; mac = "00:00:00:00:00:02"; }
];
mem = 4096;
shares = [ {
# use "virtiofs" for MicroVMs that are started by systemd
proto = "9p";
tag = "ro-store";
# a host's /nix/store will be picked up so that no
# squashfs/erofs will be built for it.
source = "/nix/store";
mountPoint = "/nix/.ro-store";
} {
proto = "virtiofs";
tag = "persistent";
source = "~/.local/share/microvm/vms/${vmname}/persistent";
mountPoint = persistencePath;
socket = "/run/user/1000/microvm-${vmname}-persistent";
}
];
socket = "/run/user/1000/microvm-control.socket";
vcpu = 3;
volumes = [];
writableStoreOverlay = "/nix/.rwstore";
};
networking.hostName = vmname;
nix.enable = true;
nix.nixPath = ["nixpkgs=${builtins.storePath <nixpkgs>}"];
nix.settings = {
extra-experimental-features = ["nix-command" "flakes"];
trusted-users = [user];
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
services.getty.autologinUser = user;
services.openssh = {
enable = true;
};
system.stateVersion = "24.11";
systemd.services.loadnixdb = {
description = "import hosts nix database";
path = [pkgs.nix];
wantedBy = ["multi-user.target"];
requires = ["nix-daemon.service"];
script = "cat ${persistencePath}/nix-store-db-dump|nix-store --load-db";
};
time.timeZone = nixpkgs.lib.mkDefault "Europe/Berlin";
users.users.${user} = {
extraGroups = [ "wheel" "video" ];
group = "user";
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa REDACTED"
];
password = "";
};
users.users.root.password = "";
users.groups.user = {};
})
];
};
in {
packages.${system}.default = nixosConfiguration.config.microvm.declaredRunner;
};
}
I start the microVM with a templated systemd user service:
[Unit]
Description=MicroVM for Haskell development
Requires=microvm-virtiofsd-persistent@.service
After=microvm-virtiofsd-persistent@.service
AssertFileNotEmpty=%h/.local/share/microvm/vms/%i/flake/flake.nix
[Service]
Type=forking
ExecStartPre=/usr/bin/sh -c "[ /nix/var/nix/db/db.sqlite -ot %h/.local/share/microvm/nix-store-db-dump ] || nix-store --dump-db >%h/.local/share/microvm/nix-store-db-dump"
ExecStartPre=ln -f -t %h/.local/share/microvm/vms/%i/persistent/ %h/.local/share/microvm/nix-store-db-dump
ExecStartPre=-%h/.local/state/nix/profile/bin/tmux new -s microvm -d
ExecStart=%h/.local/state/nix/profile/bin/tmux new-window -t microvm: -n "%i" "exec %h/.local/state/nix/profile/bin/nix run --impure %h/.local/share/microvm/vms/%i/flake"
The above service definition creates a dump of the hosts nix store db so that it can be imported in the guest. This is necessary so that the guest can actually use what is available in /nix/store. There is an effort for an overlayed nix store that would be preferable to this hack.
Finally the microvm is started inside a tmux session named “microvm”. This way I can use the VM with SSH or through the console and also access the qemu console.
And for completeness the virtiofsd service:
[Unit]
Description=serve host persistent folder for dev VM
AssertPathIsDirectory=%h/.local/share/microvm/vms/%i/persistent
[Service]
ExecStart=%h/.local/state/nix/profile/bin/virtiofsd \
--socket-path=${XDG_RUNTIME_DIR}/microvm-%i-persistent \
--shared-dir=%h/.local/share/microvm/vms/%i/persistent \
--gid-map :995:%G:1: \
--uid-map :1000:%U:1:
The nix package manager is available in Debian since May 2020. Why would one use it in Debian?
$HOME/.configEspecially the last point nagged me every time I set up a new Debian installation. My emacs configuration and my Desktop setup expects certain software to be installed.
Please be aware that I’m a beginner with nix and that my config might not follow best practice. Additionally many nix users are already using the new flakes feature of nix that I’m still learning about.
So I’ve got this file at .config/nixpkgs/config.nix1:
with (import <nixpkgs> {});
{
packageOverrides = pkgs: with pkgs; {
thk-emacsWithPackages = (pkgs.emacsPackagesFor emacs-gtk).emacsWithPackages (
epkgs:
(with epkgs.elpaPackages; [
ace-window
company
org
use-package
]) ++ (with epkgs.melpaPackages; [
editorconfig
flycheck
haskell-mode
magit
nix-mode
paredit
rainbow-delimiters
treemacs
visual-fill-column
yasnippet-snippets
]) ++ [ # From main packages set
]
);
userPackages = buildEnv {
extraOutputsToInstall = [ "doc" "info" "man" ];
name = "user-packages";
paths = [
ghc
git
(pkgs.haskell-language-server.override { supportedGhcVersions = [ "94" ]; })
nix
stack
thk-emacsWithPackages
tmux
vcsh
virtiofsd
];
};
};
}Every time I change the file or want to receive updates, I do:
nix-env --install --attr nixpkgs.userPackages --remove-allYou can see that I install nix with nix. This gives me a newer version than
the one available in Debian stable. However, the nix-daemon still runs as the
older binary from Debian. My dirty hack is to put this override in
/etc/systemd/system/nix-daemon.service.d/override.conf:
[Service]
ExecStart=
ExecStart=@/home/thk/.local/state/nix/profile/bin/nix-daemon nix-daemon --daemonI’m not too interested in a cleaner way since I hope to fully migrate to Nix anyways.
Note the nixpkgs in the path. This is not a config file
for nix the package manager but for the nix package collection. See the
nixpkgs manual.↩︎