Hey folks! After using Fedora Atomic for quite a while and really appreciating its approach, I’ve been eyeing one particular feature from NixOS: its congruent system management. Inspired from Graham Christensen’s “Erase your darlings” post, I’d like to explore implementing something similar to NixOS’ impermanence module on Fedora Atomic as one step towards better state management.

Why not just switch to NixOS? Well, while NixOS’s package management and declarative approach are incredible, I specifically value Fedora’s stringent package vetting and security practices. The nixpkgs repository, despite its impressive scope, operates more like a user repository in terms of security standards.

I’ve already made some progress with the following:

  • Fedora Atomic’s shift to bootable OCI containers has helped with base system reproducibility when one creates their own images. This process has thankfully been streamlined by templates offered by either uBlue or BlueBuild
  • Using chezmoi for dotfiles (would’ve loved home-manager if it played nicer with SELinux)

My current (most likely naive and perhaps even wrong) approach involves tmpfs mounts and bind mounts to /persist, along with systemd-tmpfiles. I’m well aware this won’t give me the declarative goodness of NixOS, nor will it make the system truly stateless - there’s surely plenty of state I’m missing - but I’m hoping it might be another step in the right direction.

Particularly interested in:

  • Best practices for managing persistent vs temporary state
  • Working with rpm-ostree’s (or bootc’) assumptions
  • Tools or scripts that might help
  • Alternative approaches that achieve similar goals

Thanks in advance!

  • jamesbunagna@discuss.onlineOP
    link
    fedilink
    arrow-up
    2
    ·
    1 day ago

    Sorry for late response.

    Also didn’t know about secureblue

    Yup. It’s a relatively new project and doesn’t try to be very newbie-friendly. Hence, will not be talked about commonly in threads. Rightfully so, as I’d argue exquisitely hardened systems simply have to prefer security over convenience.

    But it’s definitely neat and had its fair share of users. As the folks over at GrapheneOS and Privacy Guides seem to be enthusiastic on it, I wouldn’t be surprised if it receives a new influx/stream of users once community members of GOS have launched a dedicated website on it (which is already in the works) and the peeps responsible for PG’s recommendations have finally included secureblue as their de facto Linux recommendation.

    hopefully it can all work together

    So do I 😊!

    Thank you for the chitchat! I wish you the best!

    • QuazarOmega@lemy.lol
      link
      fedilink
      arrow-up
      2
      ·
      1 day ago

      Neat, it’s all in the right places, I’ve Aldo recently moved over to Graphene so I’m excited for that!

      Thank you for the chitchat! I wish you the best!

      Ahh same to you, happy holidays!