Hey folks! After using Fedora Atomic for quite a while and really appreciating its approach, I’ve been eyeing one particular feature from NixOS: its congruent system management. Inspired from Graham Christensen’s “Erase your darlings” post, I’d like to explore implementing something similar to NixOS’ impermanence module on Fedora Atomic as one step towards better state management.

Why not just switch to NixOS? Well, while NixOS’s package management and declarative approach are incredible, I specifically value Fedora’s stringent package vetting and security practices. The nixpkgs repository, despite its impressive scope, operates more like a user repository in terms of security standards.

I’ve already made some progress with the following:

  • Fedora Atomic’s shift to bootable OCI containers has helped with base system reproducibility when one creates their own images. This process has thankfully been streamlined by templates offered by either uBlue or BlueBuild
  • Using chezmoi for dotfiles (would’ve loved home-manager if it played nicer with SELinux)

My current (most likely naive and perhaps even wrong) approach involves tmpfs mounts and bind mounts to /persist, along with systemd-tmpfiles. I’m well aware this won’t give me the declarative goodness of NixOS, nor will it make the system truly stateless - there’s surely plenty of state I’m missing - but I’m hoping it might be another step in the right direction.

Particularly interested in:

  • Best practices for managing persistent vs temporary state
  • Working with rpm-ostree’s (or bootc’) assumptions
  • Tools or scripts that might help
  • Alternative approaches that achieve similar goals

Thanks in advance!

  • jamesbunagna@discuss.onlineOP
    2·
    7 days ago

    That sounds a bit funny, when those technologies are just (despite me not liking to use this term) inferior

    Perhaps I should have worded that better 😅. It was meant as a textbook example of status quo bias; anything found by default on a ‘product’ that’s deliberately opinionated will see its audience gravitate towards said defaults. Even if those defaults are inferior to other options.

    So, in this case, uBlue initially had a script within ujust (or just) that installed the Nix package manager. It wasn’t necessarily the perfect fit, but it definitely had its use cases:

    • Installation of CLI software was better handled by Nix than the alternatives (read: either Toolbx/Distrobox or layering with rpm-ostree)
    • Flatpak was even more restricted than today. So Nix offered an additional avenue for installing GUI software without layering.
    • The nixpkgs repository supersedes even Fedora’s own repositories in terms of available packages, effectively making it their atomic AUR.

    But then, not long after the troubling conflicts between Nix and SELinux, brew was inaugurated as the de facto alternative for CLI and the rest is history.

    in terms of packaging, only flatpak really shines because of its embedded permission model

    Yup, can’t agree more.

    Yeah, I think you should at least give it a shot and see how you like it, it’s not as easy right out of the box as the other 2 you mentioned, of course, so you should find out for yourself what you feel more comfortable using.

    FWIW, I have actually used Nix sparingly in the past. IIRC, it broke on me at some point 😅. That could be on me, though. Unfortunately, I don’t recall the details. It could also be related to the hardening found on secureblue.

    • QuazarOmega@lemy.lol
      1·
      7 days ago

      That’s really insightful!

      Also didn’t know about secureblue, it looks really interesting, hopefully it can all work together

      • jamesbunagna@discuss.onlineOP
        2·
        1 day ago

        Sorry for late response.

        Also didn’t know about secureblue

        Yup. It’s a relatively new project and doesn’t try to be very newbie-friendly. Hence, will not be talked about commonly in threads. Rightfully so, as I’d argue exquisitely hardened systems simply have to prefer security over convenience.

        But it’s definitely neat and had its fair share of users. As the folks over at GrapheneOS and Privacy Guides seem to be enthusiastic on it, I wouldn’t be surprised if it receives a new influx/stream of users once community members of GOS have launched a dedicated website on it (which is already in the works) and the peeps responsible for PG’s recommendations have finally included secureblue as their de facto Linux recommendation.

        hopefully it can all work together

        So do I 😊!

        Thank you for the chitchat! I wish you the best!

        • QuazarOmega@lemy.lol
          2·
          1 day ago

          Neat, it’s all in the right places, I’ve Aldo recently moved over to Graphene so I’m excited for that!

          Thank you for the chitchat! I wish you the best!

          Ahh same to you, happy holidays!