Hacker News

Have you heard of any good projects for running isolated containers in NixOS that are cheaply derived from your own NixOS config? Because that is what I want. I want a computer where I can basically install every non stock app in its own little world, where it thinks "huh, that is interesting, I seem to be the only app installed on this system".

Basically, I want to be able to run completely unverified code off of the internet on my local machine, and know that the worst thing it can possibly due is trash its own container.

I feel like NixOS, is one path toward getting to that future.

Nix in CI seems like a really excellent match. I don’t care much about the ATproto space - but Tangled has built their CI system on Nix and I find that really compelling. CI Caching is just awful with GitHub actions - so it made me disappointed that Forgejo went that route.

It doesn't help that there are two NixOS wikis. nixos.wiki and wiki.nixos.org.

wiki.nixos.org claims that nixos.wiki is outdated and unofficial. But both appear to receive updates, and which one wins the SEO game is a coinflip whenever i google a nixos question.

A lot of us use NixOS/nix yet haven't read any documentation nor hand-written nix ourself. That's Claude Code's job.

ChatGPT is very good at pulling it together to give you working code. Not on the first try, but on the third try it usually works.

Hm. How it's different from home-manager?

I've never really understood how version pinning is meant to work with devenv.sh or Nix more generally. If I whack a .tool-versions file in my repo, everyone who works on it can use install the exact same versions of the relevant tools using asdf. That's low tech and imperfect (and certainly not a replacement for all of Nix's features), but it works as far as it goes. None of the examples on the devenv.sh page demonstrate pinning of tools/packages to specific versions.

As best I can tell, Nix enthusiasts think that this is an XY problem and that I shouldn't want to pin individual tools/packages to arbitrary versions. But the thing is that I am a rude barbarian who very much does want to do this, however philosophically misguided it might be.

Can you help me understand why devenv is needed instead of a shell like this/what is gained?

    { pkgs }:
    
    pkgs.mkShell {
      nativeBuildInputs = with pkgs; [
        # build tools
        cmake
        ninja
        gnumake
        pkg-config
      ];
    
      buildInputs = with pkgs; [
        # java
        jdk8
    
        # compilers
        gcc
        clang
        llvmPackages.libcxx
    
        # libraries
        capstone
        icu
        openssl_3
        libusb1
        libftdi
        zlib
    
        # scripting
        (python3.withPackages (ps: with ps; [
          requests
          pyelftools
        ]))
      ];
    
      # capstone headers are in include/capstone/ but blutter expects include/
      shellHook = ''
        export CPATH="${pkgs.capstone}/include/capstone:$CPATH"
        export CPLUS_INCLUDE_PATH="${pkgs.capstone}/include/capstone:$CPLUS_INCLUDE_PATH"
      '';
    }

So Discord, and quite a lot of software like this has actually two layers of updates. There's updates of the web page (which is basically writing a bunch of JS to the home directory) which NixOS does nothing to prevent, and then there's updates of the host program (i.e. Electron) which NixOS disables.

Jetbrains Toolbox is in a sort of different category with tools like Rustup, since it's a package manager of its own. If you manage your IDEs with Toolbox, then your IDE versions are "outside Nix" and not managed by Nix. It's just packaged into its own pretend FHS environment and then doesn't know anything about it being on Nix. That said, updates of Toolbox itself will need to happen through your package manager.

As a last comment, why run Docker Desktop on Linux at all? Like I understand on Windows and Mac - docker is inherently tied to Linux so the Windows/Mac apps abstract away the fact that it's running a VM and doing a bunch of port mapping and filesystem mounting under the hood so you can pretend it's not running on a VM, but on Linux I've always just installed docker straight onto the host.

No there’s a nerd who will obsessively submit the latest version of any popular software that does that to nixpkgs. Or suggest you use the flatpak.

That's not much different than other distros, because the way auto-update usually works, is it can't use root permissions or the system package manager (in any distro), so it has to install the newer version in $HOME. Once the update is installed, the system package becomes a trampoline to that.

I tried Discord, and this one seems to download some updates on first run, but the version sticks to the one from the system (0.0.127, latest is 0.0.129). So I assume it just doesn't update, or it tries to and fails.

For a personal desktop environment, I just install them normally when there's no up to date nixified option.

For some things I've vibe-coded a nix module on github that uses a scheduled github action to check for underlying app updates and then it generates a new hash and tags a release.

I've done that for claude code and cursor, which is also an opportunity to let me manage their config files from my nix config.

really good question.

right now I have bought into the Nix koolaid a bit.

I have NixOS Linux machines and then nix-darwin on my Mac.

I use Nix to install Brew and then Brew to manage casks for things like Chrome what I'm sure updates itself. So the "flake.lock" probably isn't super accurate for the apps you described.

Same. I have a full homelab and multiple macs, can’t say I’ve written a line of real Nix code by hand.

If you’re itching to try Nix, now is the time.

guix would like a word

Same but with kernel. What lead me to nixos: company gave me a laptop with iGPU that wasn't supported by any released linux kernel. There were patches waiting to be merged, with nixOS making an installer image that supports my machine was simple.

I'm not sure if I live in some kind of parallel world, because I never had any problems grokking Nix or NixOS. I started with this book[0] and haven't ever really been confused.

[0]: https://nixos-and-flakes.thiscute.world

>I haven’t given it a shot in the LLM age

I haven't tried it in almost a year, but using Claude Code for setting up my nix config back then worked amazingly well. I've only dabbled in NixOS, and I'm very tempted to it for my workstation when I reinstall it in the next month.

Given how much Claude Code + Opus have improved in the last year, I'd give it a fighting chance to make a nice Nix config. I'll probably start setting up a spare laptop to get the base configs dialed in before switching over to it.

LLMs are a real gamechanger for Nix, highly recommend giving it a go again.

Flakes are de facto standard at this point. Expressions are easy once you get used to them - in fact the Nix language grows on many of us, including myself, once you internalize it.

Using AI to generate Nix config is a superpower. Because the entire system is declared in a single set of config, you can basically spell cast any system you want. I one-shotted a Linux distro with custom branding for boot, installation screen, and login screen, and VPN and dev tools installed and configured by default, at a fortune 500 tech company.

Obligatory Guix plug. I've found it way easier to understand, but it has teething issues that NixOS doesn't (latest for me was a few problems with DMs). And according to an acquaintance of mine, it works reasonably well with an LLM.

What would the in between be?

Yep disk space and learning curve are the two major downsides to Nix. The former has never been a problem for me in practice, just run garbage collection once a month. The latter was a big problem, but is now mitigated for most people by LLMs.

Yes, however the space is not „used up” in a classic sense. It’s a cache, so you can give up some of it and reclaim your space. Fresh after a full cleanup it won’t take much more than a regular distro.

Yes. But disk space isn't exactly the most valuable resource you have as a developer/power user

actually once I garbage collect, nixos actually uses up less disk space for me than other distros

Use nix.optimise.automatic = true in the config and perform nix-collect-garbage if necessary. With this it doesn't take much.

For me, it's the difference between taking your medicine a bit at a time on your own schedule or taking it all at once as an unwelcome surprise. Sure, setting up file system mounts or adding udev entries is easier to do once in Ubuntu than in NixOS, but I only need to do it the one time with NixOS. Thereafter, the config serves as both documentation and backup. For a hobby self hoster like me who occasionally shoots himself in the foot and has to rebuild a system, it is ideal. I don't know if it really saves me time, but I do know it saves my sanity.

I am no nix whiz, but it's the only OS I run outside of containers. Anything I can't easily get with my nix config I shove into a container, run it as a quadlet, and call it good.

Imo it's the opposite. Since the system is defined in config files, an AI agent can look at live system state/errors vs. the config file and do all the work of figuring out the issue.

Also, using higher level modules like home manager makes things more declarative and less fiddly since someone else is maintaining the lower level.

Maybe nix is a downgrade for what you do. But I loved nix so much that I also migrated to nix on macOS (nix-darwin). No more homebrew.

nixos updates tend to be a lot less eventful than others distro, in fact the way it largely prevent system borking when updating, is spiritually freeing.