Hey folks! After using Fedora Atomic for quite a while and really appreciating its approach, I’ve been eyeing one particular feature from NixOS: its congruent system management. Inspired from Graham Christensen’s “Erase your darlings” post, I’d like to explore implementing something similar to NixOS’ impermanence module on Fedora Atomic as one step towards better state management.

Why not just switch to NixOS? Well, while NixOS’s package management and declarative approach are incredible, I specifically value Fedora’s stringent package vetting and security practices. The nixpkgs repository, despite its impressive scope, operates more like a user repository in terms of security standards.

I’ve already made some progress with the following:

  • Fedora Atomic’s shift to bootable OCI containers has helped with base system reproducibility when one creates their own images. This process has thankfully been streamlined by templates offered by either uBlue or BlueBuild
  • Using chezmoi for dotfiles (would’ve loved home-manager if it played nicer with SELinux)

My current (most likely naive and perhaps even wrong) approach involves tmpfs mounts and bind mounts to /persist, along with systemd-tmpfiles. I’m well aware this won’t give me the declarative goodness of NixOS, nor will it make the system truly stateless - there’s surely plenty of state I’m missing - but I’m hoping it might be another step in the right direction.

Particularly interested in:

  • Best practices for managing persistent vs temporary state
  • Working with rpm-ostree’s (or bootc’) assumptions
  • Tools or scripts that might help
  • Alternative approaches that achieve similar goals

Thanks in advance!

  • jamesbunagna@discuss.onlineOP
    link
    fedilink
    arrow-up
    2
    ·
    2 days ago

    That sounds a bit funny, when those technologies are just (despite me not liking to use this term) inferior

    Perhaps I should have worded that better 😅. It was meant as a textbook example of status quo bias; anything found by default on a ‘product’ that’s deliberately opinionated will see its audience gravitate towards said defaults. Even if those defaults are inferior to other options.

    So, in this case, uBlue initially had a script within ujust (or just) that installed the Nix package manager. It wasn’t necessarily the perfect fit, but it definitely had its use cases:

    • Installation of CLI software was better handled by Nix than the alternatives (read: either Toolbx/Distrobox or layering with rpm-ostree)
    • Flatpak was even more restricted than today. So Nix offered an additional avenue for installing GUI software without layering.
    • The nixpkgs repository supersedes even Fedora’s own repositories in terms of available packages, effectively making it their atomic AUR.

    But then, not long after the troubling conflicts between Nix and SELinux, brew was inaugurated as the de facto alternative for CLI and the rest is history.

    in terms of packaging, only flatpak really shines because of its embedded permission model

    Yup, can’t agree more.

    Yeah, I think you should at least give it a shot and see how you like it, it’s not as easy right out of the box as the other 2 you mentioned, of course, so you should find out for yourself what you feel more comfortable using.

    FWIW, I have actually used Nix sparingly in the past. IIRC, it broke on me at some point 😅. That could be on me, though. Unfortunately, I don’t recall the details. It could also be related to the hardening found on secureblue.

    • QuazarOmegaA
      link
      fedilink
      arrow-up
      1
      ·
      2 days ago

      That’s really insightful!

      Also didn’t know about secureblue, it looks really interesting, hopefully it can all work together