NixOS Adventure Guide From a Beginner

The installation mostly works, but I had to twiddle with things a bit. Note that there’s the Nix package manager and then there’s NixOS. Both manage things quite differently with different files and commands.

• Download page
• Quick Start

Nix takes a lot more space than a standard distribution. I made an LVM volume for nix and mounted it on nix . Note that a symlink doesn’t work, so if you are not using LVM and just put it in your home directory, you’ll have to mount it:

mount -o bind /path/to/nix /nix

So obviously, what versions you install depend on what channel that you are using. What’s not obvious is where the channels are. I combed through several wiki pages and then finally went to IRC to figure out why firefox was stuck at version 78 instead of 81 like it listed. Turns out I was using nixpkgs unstable which was stuck for some reason instead of nixos unstable. Easy fix - once you know what you’re looking for.

So some important resources:

• Nix channels
• Channel URLs
• Channel status

Useful commands:

$ nix-channel add https://nixos.org/channels/nixos-unstable nixos

$ nix-channel --list
nixos https://nixos.org/channels/nixos-unstable
nixos-19.03 https://nixos.org/channels/nixos-19.03
nixos-20.09 https://channels.nixos.org/nixos-20.09
nixpkgs https://nixos.org/channels/nixpkgs-unstable

$ nix-channel --update

$ nix-env -f channel:nixos-19.09 -i package_name

Note that the version that you download on the update is not pinned in your configuration, so it’s not fully reproducible. There’s something called Nix Flakes that are supposed to solve that problem which I haven’t investigated.

So after establishing that NixOS works reasonably enough for regular packages, it was time for Emacs. And despite having the instructions in a gist, it was pretty difficult.

Some links regarding gcc Emacs

• Wiki
• Official Development Log
• Nix installation

And our guide:

• GccEmacs on Nix Guide

So the first step in the gist is to install an overlay (which is great if you know what an overlay is and where to install it).

• Overlays

Now despite reading the first line, I didn’t quite get it because I had no idea what packageOverride and overridePackages are. After using Nix for 2 weeks, well, the documentation is quite clear. What’s missing from the picture is what contained in “main” and what can be overridden.

I ended up using option 2 despite not understanding a damn thing:

echo "import (builtins.fetchTarball {
      url = https://github.com/nix-community/emacs-overlay/archive/master.tar.gz;
    })" >> $HOME/.config/nixpkgs/overlays/emacs.nix

Vterm compiliation as a binary inside emacs inside Nix really does deserve a separate section. You can’t install libvterm outside of emacs because emacs won’t be able to find it. Luckily, the gist had an incomprensible section to me at the time which I added to /etc/nixos/configuration.nix and hoped for the best.

{
emacsWithPackages = (pkgs.emacsPackagesGen pkgs.emacsGcc).emacsWithPackages (epkgs: ([epkgs.vterm]));
}

A specific note was to use the overlay from the nixos-unstable channel, not the nixpkgs-unstable channel. In hindsight, everything is simple.

$ nix-channel --list
nixos https://nixos.org/channels/nixos-unstable
nixos-19.03 https://nixos.org/channels/nixos-19.03
nixos-20.09 https://channels.nixos.org/nixos-20.09
nixpkgs https://nixos.org/channels/nixpkgs-unstable

nix-env -iA nixpkgs.emacsGcc                    # what is in the gist and installed 27.1
nix-env -iA nixos.emacsGcc                      # what I should have used based on my channels
nix build -f channel:nixos-unstable emacsGcc    # what I ended up using

Since this is a post about Nix and not the wonders of Emacs with native-comp, let’s just say it worked and Emacs is incredibly faster visually. Anecdotally, it was using from 25-50% cpu on a 43 inch screen at 4k resolution doing close to nothing with a typing lag of 100-200ms. Now it’s using less than 10% and the typing lag is not noticable.

If you install enough versions of packages with different versions of different channels, you may have a lot of the same packages installed with different versions of glibc, etc. Also, hidden in the nix-build man page, nix-build creates a symlink called “result”. If this symlink is not removed, all those packages will not be garbage collected.

Useful commands:

nix-env --list-generations
nix-env --delete-generations +1d    # deletes all the generations older than 1 day.
nix-collect-garbage

I never installed home-manager, but according to the cheatsheet, it might be possible to put everything in: ~/.nixpkgs/config.nix

For NixOS, everything goes into /etc/nixos/configuration.nix

I have a bunch of machines I manage with ansible. I do some config generation that’s delegated to the localhost, so ansible needs to find various python libraries which are now no longer being installed at the system level. Installing ansible as a standalone package didn’t give it access to setuptools, which was needed to setup the virtual environment for the sub-commands to run. Yes, nix-shell could also be used instead of setting up the virtual env, but no reason for a playbook to suddenly be dependent on nix.

Again, not on the nix+ubuntu install, but on NixOS in /etc/nixos/configuration.nix

  environment.systemPackages = with pkgs; [
    # ansible installs its own python, which then is missing setuptools
    (python38.withPackages(ps: with ps; [ setuptools ansible]))
  ];

The ansible playbook also needed a bit of a change since it was upgraded and using python3 to use a {{ venv }}/exec as the precursor to the shell command.

- pip:
    name: ['package1', 'package2', 'package3']
    virtualenv: "{{ venv }}"
    virtualenv_command: "python -m venv"
  delegate_to: localhost
  become: false
  run_once: true

- copy:
    dest: "{{ venv }}/exec"
    mode: 0755
    content: |
      #!/bin/sh
      source {{ venv }}/bin/activate
      $@
  delegate_to: localhost
  become: false
  run_once: true

I use wine for an ancient windows program that I used to run on Win98. Still works and the fonts look nicer, too.

Wireless setup from the default configuration file.

  networking.hostName = "x230a"; # Define your hostname.
  networking.networkmanager.enable = true;
  networking.useDHCP = false;
  networking.interfaces.enp0s25.useDHCP = true;
  networking.interfaces.wlp3s0.useDHCP = true;

Important commands:

sudo nmcli dev wifi connect theSSID password thePassword

This is definitely a highlight. Firstly, you absolutely need to know about option search:

• Window manager options

You can actually try/rollback between 34 different window managers by just adding a single line. The following is my desktop configuration and X configuration. I wanted to use the emacs that I compiled, so I didn’t enable the default exwm.

  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio.enable = true;
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;

  # Enable the X11 windowing system.
  services.xserver = {
    enable = true;
    layout = "us";
    xkbOptions = "ctrl:swapcaps";
    displayManager.sessionCommands = "${pkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";
  };

  services.xserver.windowManager.session = lib.singleton {
    name = "none+exwm";
    start = ''
      emacs
    '';
  };
  services.xserver.deviceSection = lib.mkDefault ''
    Option "TearFree" "true"
  '';

  #services.xserver.windowManager.icewm.enable = true;
  #services.xserver.windowManager.exwm.enable = true;

  # Enable touchpad support.
  services.xserver.libinput.enable = true;

For instance, to start some services, you can:

  # For thinkpad
  services.tlp.enable = true;

  # Battery power management
  services.upower.enable = true;

  # User services
  systemd.user.services."xcape" = {
    enable = true;
    description = "xcape to use CTRL as ESC when pressed alone";
    wantedBy = [ "default.target" ];
    serviceConfig.Type = "forking";
    serviceConfig.Restart = "always";
    serviceConfig.RestartSec = 2;
    serviceConfig.ExecStart = "${pkgs.xcape}/bin/xcape";
  };

Now, I didn’t find any secrets management, so I ended up using gpg to encrypt the secret. I like routing all my traffic through the tunnel, and as usual, there is just enough documentation to figure it out between github, discourse, and the wiki.

• Wireguard wiki
• Discourse
• Nixpkgs src for wireguard and wg-quick

There are two interfaces that are listed - wireguard and wg-quick. So which is the one we’re supposed to use - the one on the top of the page or the one on the bottom? Well, if we’re keeping count, it’s the one on the bottom.

Also, just because it’s setup, doesn’t mean that you want it on all the time or on startup. There’s some special flags to create symlinks and force systemd service to be there instead of purged via lib.mkForce. I’m copying and pasting for posterity.

{ config, lib, pkgs, ... }:
{
  environment.etc = {
    "wireguard/wgdmz.key".source = "/etc/nixos/secrets_unlocked/wgdmz.key";
  };

  systemd.services."wg-quick-wgdmz" = {
    enable = true;
    #unitConfig.StopWhenUnneeded = true;
    wantedBy = lib.mkForce [];
  };

  networking.wg-quick.interfaces = {
    wgdmz = {
      # Determines the IP address and subnet of the client's end of the tunnel interface.
      address = [ "10.0.10.3/32" ];
      #dns = ["10.0.10.1"];
      privateKeyFile = "/etc/wireguard/wgdmz.key";

      peers = [
        {
          # Public key of the server (not a file path).
          publicKey = "Taa4kZJvUzT27UG2UZWsDRMadf9DwwzJb1j+nJEzEwk=";
          allowedIPs = [ "0.0.0.0/0" ];
          endpoint = "1.2.3.4:50000";
          persistentKeepalive = 25;
        }
      ];
    };
  };
}

Another extremely cool thing is that every time that you rebuild, a new entry shows up in your GRUB configuration. I mostly used nixos-rebuild switch. So it’s extremely tough to have a broken configuration. Of course, I’m using emacs with native compilation, so that makes things a bit more complicated.

I got everything I tried working after a bit of searching.

1. Sound/video on firefox and vlc through pulseaudio
2. Emacs gcc with various custom compilation
3. Python packages were a bit trickier to figure out than I would have liked.
4. 3rd party FHS binaries like zoom and redream are workable.
5. Declarative management works and cleans up the system nicely. My full laptop nix configuration is 350 lines with tons of comments. This post is nearing 450 lines.
6. Desktop environment switching is incredible.
7. Managing services declaratively is slick.
8. Having the option to boot into a working config from grub is very nice.
9. Wireless, bluetooth, xkbOptions, ssh-agent, gpg-agent, locales, timezone, networking, different services, power management are all functional on the desktop environment on the X230 installation.
10. Helpful community.
    • Discourse
    • IRC Logs
    • Wiki
    • Other contacts

The documentation only makes sense after you already know how everything works in the first place. Very difficult to find the options you need unless you search discourse or github issues. Few easily found examples. And having no default secret management for a configuration engine is strange.

Searching for random repos on Github for examples on how to do things. Either you get lucky or you don’t.

NixOps and MobileNix. If you’re a power user with a PinePhone, well, it might be worth getting into the Nix world.

• Mobile Nix
• Nix Ops
• Another deployment tool

A lot more immature, but perhaps worth trying.

• Guix Advanced Operating System
• Guix Manual