Almost every NixOS tutorial I encounter, be that blog or video, says to use Flakes and Home Manager. While that definitely speaks to the value of these tools, I find myself, instinctually, wanting to avoid them. I’ve attempted to get them working multiple times, and encountered more issues than they solved, for me. I interpret this to mean my knowledge and/or use case of NixOS is not ready for me to use these tools effectively. On top of that, something about a set of files that could all be put into a single unified config appeals to me (which flakes/hm can probably do too, but hopefully you get my vibe).

My reasoning aside, this has made me curious if there is some way for me to “backport” all these configs I encounter into my set of more default style configs. The primary goal I have that led me to this is rootless Podman and declaring my containers in the config. If anyone has any guidance or resources you could point me to it would be much appreciated.

  • Oinks@lemmy.blahaj.zone · 2 upvotes · 2 days ago (edited)

    I don’t see anything in your goals that would really require flakes or home manager. Maybe the podman containers, there seem to be some sharp edges around NixOS support for podman from what I can tell.

    You might not want to share your entire config but you could share snippets of what you’re trying to do and isn’t working.

    Moving on to more concrete suggestions:

    If you aren’t already doing so, you should be using the option search liberally. And you should also read the code of the modules and packages, at least sometimes. Sorry, I know nixpkgs Nix can be quite obtuse, but honestly without it I don’t think it’s possible to really grok how NixOS works.

    Secondly, a lot of people seem to think you need flakes to configure multiple systems in one repo, but you can actually also do that just fine with stable nix using the -I flag. It’s even possible to build an arbitrary Nix expression using the (unfortunately undocumented) -f and -A flags like flakes would.

    Edit: For secrets, I would recommend using agenix, mostly just because it uses SSH instead of GPG. Instead you can also put them in a separate Nix file and gitignore that, but your secrets will end up in /nix/store that way, which is a vulnerability if they’re important (Flakes also break this completely).

    • Arkhive@piefed.blahaj.zone (OP) · 3 upvotes · 1 day ago (edited)

      I already use Unix pass as my password manager and have a private git server for it. Is there a nice way to get that working with secrets in my config? I know that directly goes against the suggestion of SSH vs GPG, but I’ve already got lots of data saved within that system.

      • Oinks@lemmy.blahaj.zone · 3 upvotes · 1 day ago (edited)

        Unfortunately I don’t think there’s a nice way to do that. You can retrieve secrets from pass (albeit with quite a bit of working around the intended evaluation model), but I don’t see a good way to actually deploy the secrets without just putting the plain text into the Nix store (unless you also use a big server management thing like NixOps, as the author of that blog is, but in the time since the blog was written NixOps has decided people shouldn’t be using it anymore… so it’s a bit of a mess). You’d really want something like sops-nix or agenix for that.

        You can of course decide you don’t care about the secrets being in the Nix store. It “just” means that every local user on the system can read them, as can anyone booting a live USB if the disk isn’t encrypted. And, while this almost certainly isn’t relevant to you right now, if you use the system as a binary cache for other systems those can get the plaintext secrets too. But you might not actually care about any of these.
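As an added illustration of the store problem discussed above (not part of any comment in this thread), here is a container secret declared two ways in a plain, flake-free configuration.nix: first in a form that copies the plaintext into /nix/store, then via agenix so the decrypted file only exists at runtime under /run/agenix. The container name, the secret name and the `./secrets/` paths are assumed for the example; agenix is pulled in the way its README documents for non-flake setups.

```nix
{ config, ... }:
{
  imports = [
    # Non-flake install of the agenix NixOS module (pin the tarball in real use).
    "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/main.tar.gz"}/modules/age.nix"
  ];

  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  # Weak (do not use): both forms below end up in /nix/store, world-readable
  # to every local user and shipped to any binary cache built from this host.
  #   builtins.readFile ./secrets/db-password  -> inlined into the systemd unit file
  #   environmentFiles = [ ./secrets/db.env ]; -> path literal, file copied to the store
  #
  # virtualisation.oci-containers.containers.db = {
  #   image = "docker.io/library/postgres:16";
  #   environment.POSTGRES_PASSWORD = builtins.readFile ./secrets/db-password;
  #   environmentFiles = [ ./secrets/db.env ];
  # };

  # Hardened: only the age-encrypted file is in the store (and in git). agenix
  # decrypts it at activation with the host's SSH key into /run/agenix, mode 0400.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  age.secrets.db-env = {
    file = ./secrets/db.env.age;  # encrypted; safe to have in the store
    mode = "0400";
    owner = "root";
  };

  virtualisation.oci-containers.containers.db = {
    image = "docker.io/library/postgres:16";
    # config.age.secrets.db-env.path is the plain string "/run/agenix/db-env",
    # not a store path, so the plaintext never enters /nix/store.
    environmentFiles = [ config.age.secrets.db-env.path ];
  };
}
```

A quick way to confirm the fix is to grep the built system closure for the secret value (`grep -r 'thesecret' /nix/store/...-nixos-system-*`); with the agenix form it should find nothing.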