Fearless Tinkering: How NixOS Works
Formal metadata
Title |
Series title |
Number of parts | 19
Author |
License | CC Attribution 3.0 Unported: You may use, modify and copy, distribute and make publicly available the work or its content for any legal purpose, in unmodified or modified form, provided you credit the author/rights holder in the way they specify.
Identifiers | 10.5446/50684 (DOI)
Publisher |
Year of publication |
Language |
Content metadata
Subject area |
Genre |
Abstract |
Transcript: English (automatically generated)
03:14
All right, everybody. We're going to start talking about NixOS and why it's wonderful.
03:22
And I don't even remember what the title of this talk is, but I find NixOS gives real superpowers in understanding how Linux works, how operating systems are put together, and gives me extreme power to experiment and try stuff. I don't have any slides written for this at all,
03:41
and so I'm just going to show some stuff and I'm hoping you'll take it from there, and I'll just show you some cool stuff. I hope that's okay. It should be pretty interesting. So this, just for what it's worth, on my GitHub, which is G-R-A-H-A-M-C, I have just pushed a repository called Tox.
04:01
It has all the notes and junk un-curated from what I've put together for everything. I just did a git add everything and then pushed it. So if there's anything missing, I probably didn't make it. Okay, so, okay, here we are. So this one is going to have a lot more typing, so I've moved over here, and we'll just get started.
04:23
Let's see, so who here has used NixOS? All right, maybe it'll be easier if I ask the opposite question. Who here has not used NixOS? Okay, cool. Who here feels comfortable? What? Darwin. Darwin, oh, cool. So this will be a little weird for that,
04:40
it has the module system, so that's pretty good. Who here is not familiar with the module system? Cool, all right, so this will be fun. Great. So, every NixOS system is, let me back it up a little bit. NixOS is sort of like, it does configuration management,
05:02
but Puppet and Chef and Ansible and Salt, they log onto a system and just make some changes, and hopefully it gets you where you want it. NixOS starts in the opposite direction, it starts with a specification, it creates a brand new system every single time. That's a little weird, but it uses Nix,
05:20
and it uses the caching of Nix, so it's not a ton of work every single time. So let's take a look at what, I need to close windows here so I don't look there, what a NixOS configuration looks like. So at the top, we have i18n console keymap, we're at Dvorak.
05:41
Can you make it font-related? Yeah, you bet. How's that? That's good? Cool, okay. So console key map is set to Dvorak, I type Dvorak, and this is gonna involve a system that I'm actually typing into, so I don't wanna make a fool of myself.
06:01
So, we're gonna build a system, its console keymap is gonna be in Dvorak. We're gonna have Nginx enabled. Nginx is gonna serve a single domain for like any request it gets, it'll serve some files, which is in this directory called public, and this is the HTML of the file that we're gonna serve.
06:22
And yeah, moving on, we have some firewall configuration. By default, NixOS blocks all the ports, and this will allow port 80 and 443. We don't have Let's Encrypt enabled, but it's pretty trivial to turn it on, but I'm not gonna go there because this won't actually work because it's not on the internet. And it sets my host name to hello.
06:43
Under users, it's forced the root user to have an empty password because it's just a demo, so that's fine. Sets mutable users to false. This is pretty neat. With puppet and whatnot, if you add a user, you have to explicitly add a line later if you wanna get rid of it. You have to say, whatever that user was, remove.
07:02
With NixOS, mutable users set to false. The list of users defined here is the list of users, and if you make a change, remove somebody, and they're gone. Is it true usually, by default? I think so, yeah, yeah. So the problem with setting mutable users to true
07:22
is if you forgot to change your password, or you forgot to put yourself on the wheel for sudo, you've hurt yourself. So it's a little bit safer to start true, but yeah. It also sets this message of the day, which we'll display when we log in, and it has some nice messages there,
07:42
including describing what our system looks like. And then finally, it installs vim, which is fine, but I'm gonna change this to emacs25-nox, which I think is the name of the package, and we'll find out. Any questions about this so far? I guess the package is a version kind of thing?
08:00
Sure, yeah. I'll get to that right away. Any other questions about this so far? How, like, the idea of having the attribute set used as an input to the function at the top? Yeah. Packages going from dot, dot, dot? Yeah. Can you, like, explain a little bit on, like...
08:21
What the dot, dot, dot is? Yeah, like... Okay, sure, yeah. Talk about that. So this is a NixOS module. NixOS modules have access to the package set, and the rest of the configuration of the system. And so this is gonna be imported, and then as the NixOS system's configuration is evaluated,
08:42
the different modules can look at each other's configuration to come up with a final configuration. Does that help? Yeah. So to put a sort of fine pin on it, so we refer to config there, and then down here refer to config.networking.hostName, right? And we refer to system.nixos.release. All of these are off of the config attribute set.
09:05
Yeah, but the dot, dot, dot is basically to say, well, there could be other arguments. Yeah. We don't care about them. Yeah. Like, who calls this module with other arguments? I don't understand, like, why that's convention. Sure, yeah. So there is a way with deep, dark trickery to add more parameters, which I don't do.
09:23
But there are some other parameters, like lib is passed in. So there's just a few more things. But I don't have a list or anything. Will this config work if you remove the dot, dot, dot? No. It doesn't work? Because more params are definitely passed in.
09:42
We could, like, find out an exhaustive list, but, like, 99% of the ones I've written start with that. Yeah. Actually, I think the module checks which arguments it needs to pass, and then just pass these. So maybe it will work even without the dots.
10:02
Interesting. I don't think it does, but I would defer to you. So, cool. The last thing is, like, system. Yeah. Where's system? The system? Yeah. So that is on, so config dot system. Oh, OK. It's with config, OK. All right.
10:20
Go ahead. Now, you said that by default, all ports are closed. So when you install an application that's using a port, the package of the application is opening the port? The only exception is OpenSSH. If you enable OpenSSH, it will open port 22. No other applications open ports. How do they work?
10:40
So you need a port? Sure. So that's up to you. So it's up to you to decide, is this, like, database supposed to be listening publicly, or is it just a local thing? And that's up to you to sort out. But by default, we try to keep the system minimal and secure. And so the other thing about this allowedTCPPorts
11:01
is it's opening up on all interfaces. And you might want to do some especially elaborate firewall config, which can be annoying to override later. OK. Sound good? Cool. Let's run this. Oops. Oh, boy. Typed in the wrong spot again. All right.
11:20
So in NixOS, you do this. Hm, it's quite long, isn't it?
11:52
Is that too confusing? If I type down here, let's actually
12:01
make that slightly longer. Cool. All right. One more. OK, perfect. Clear. Great. So we can use nixos-rebuild. This is a little bit of a misnomer, because it's used to build.
12:21
And we want to typically, nixos-rebuild looks at the configuration at /etc/nixos/configuration.nix. But we want to use a different one, so we will pass a different one. OK? So at this point, it is going to get
12:41
Nix packages from my channel. And that determines what version of Nix packages it needs. I could override that and specify specific Nix packages, but whatever my system currently has is fine. Oh boy. OK, I need to pass a subcommand. So let's do build.
13:02
OK, that's not right. That's fine. It is complaining, because I haven't told it where to write the bootloader. But it has a secret command called build-vm. It's not really a secret, but it is what it is.
13:20
Like a secret of your secrets. Yeah. OK, so here we go. It's built a system path. It's built all of what should be in the /etc directory. It's put all of these pieces into one. This system that I just created is very similar to my host, so it really didn't need to build very much. It just has less, frankly. So I have this result symlink, right?
13:41
Everybody's familiar with this result symlink? And if I do result/bin, I can run the VM. And here we go. All right. I don't know if I can make this bigger. Hmm.
14:06
Cool. We'll see what that does. All right. So we're working with root. It doesn't have a password, so it just drops it right in. There's that method of the day, or the message of the day. Is this readable, or is this terrible? What?
14:21
Made a little bit of both? Hmm, yikes. That's pretty tough. Is it made of both? Is that right? Is it open anymore? Yeah. Let's actually, let's do, let's move this to screen 2. And more screen.
14:43
What's that? It's a little better? All right, I wish I could do better. I'm going to finish the stage. So this is actually a virtual machine, or? Yeah, so it's like a, OK, so it's not
15:01
like a live container, or Docker. It's an actual number. And you have a dedicated CPU, and all that, or what? Yeah. Yeah, it's not contained. Yeah. So it's a virtual machine running in QEMU. And it's on systemd. It has a certain number
15:20
of processors, RAM, and disk space allocated to it. And in fact, if we, OK, move that around, go over to 2 and 3. Let's see. What is the specific file for the host?
15:40
So there's a hello.qcow2. So that's the root file system of that VM. Yeah. Where do you specify all the configurations for hosting virtual machines? On your? So there's no configuration. So it just needs some defaults? So this configuration of Nix that we were looking at,
16:01
that's the complete configuration for the VM. And then it uses QEMU to run it as a VM as my user. So there's no host configuration. So for your user, you have to give you a QEMU as a virtualization technology, right? I mean, do you set up all the parameters? No. No, it's just, let's kill this.
16:23
So if we look at the result, then run-hello-vm. It's just a script that uses QEMU and sets up some paths. Is that answering your question? Yes, it got this copy as well. There's no previous script.
16:41
When testing, for example, I don't use this command. You test with the testing infrastructure. You can set how many gigs you want to give to the VM and so on. This is temporary. This isn't a thing you'd run in production.
17:00
Yeah? Does that help? Yes, a lot. Okay. Cool. Cool. Let's do, great. So the next question I think I'll try to answer is where are these options coming from and how do you find out about them? Does that sound cool? Do people want to know that?
17:21
All right. Let's go to three. And we'll move our browser over to three. And so typically what I'll do is I'll go to nixos.org/nixos/options.html and that's linked to from the homepage. So just the options and look options
17:40
and then like what's some software people run? All right. There's a service for Emacs. Probably runs Emacs daemon. And let's see, install. Install these user services if you want. You can specify the exact package you want. How about what's something cool?
18:02
What? Nginx. Nginx? Sure. So Nginx. Yeah. So here's like there's a ton of config for Nginx. Like virtual hosts add SSL. This like turns on Let's Encrypt automatically. Yes. You can force SSL, stuff like that.
18:22
Cool. Right? Question. Can you show the OpenSSH? And if there's a way to disable firewall ports, Yeah. that's open. Sure. Which probably leads me to my next question. Yeah. I love this question. Okay. So. I don't want port 22 to be open by default.
18:42
Right. So I think that is workable. Yeah. So I just typed in services.openssh. The openFirewall defaults to true. You said it's false. My next question was, if this wasn't set, how could I override the module?
19:02
What do you mean? I would like to override an existing module. Okay. Tell me more. In the same way that I override the package. Sure. In order to change some of the functionality of that particular module. So Diag tends to copy-paste the whole module. Okay. So like what do you want to do with Diag play?
19:21
For instance, I tend to, I'll use an example I used. And I set up a VPN and then I use multiple services that only bind to a particular IP address. So that they are never available anywhere else except VPN IP address. Okay. I do that with Kubernetes and a bunch of other stuff.
19:42
Okay. I'm going to make a note to cover overriding service, but I don't want to get to that just yet. Okay. When you get an open SSH, if you're not modifying the code, you can just modify the config. So if there's a kind of mix, kind of config option for open SSH, you can probably do
20:02
the binding from that. We'll cover that later. It gets a bit specific. All right. So any other questions so far? Cool. All right. Go ahead. Can you show how to see this from the command line? Yeah, yeah, absolutely. Do you want to see it in VM or where you can actually read it?
20:26
So there's two ways. First, there's a man page for configuration.nix. And it's large. It's very large. Quite large.
20:40
Almost 100,000 lines. And so this contains every single NixOS option that the entire operating system supports. So, like, services.openssh.openFirewall. There you are. Default is true. And there's that definition. Cool?
21:00
Cool. All right. What's something we should do? All right. Can you show nixos-option? Oh, sure. Yeah, nixos-option. This will show from my laptop, actually, which could be cool. So nixos-option lets you interrogate a configuration. So, like, programs.sway.
21:21
I think I used that one. Okay. So programs.sway isn't the full one. So maybe enable. So there you are. Programs.sway. I set it to true. The default is false. Sample, you can set it to true.
21:40
And the description that's embedded in Nix packages. It's kind of poorly formatted, but for sure. And here's where it's declared. And this is where I specified the value I want. All right? So maybe let's take a look at that file, because it's pretty cool that it shows it like that.
22:01
Yeah? Oh, yeah. I think you're about to answer my question, which would have been, what's the thing with programs.sway.enable? And instead of just plugging, putting sway into the system packages. Like, what's it doing? Yeah, what is it doing? Yeah. I think we will see it.
22:21
Yeah, yeah. So this is where I feel like NixOS gives me superpowers. Because you install, like, on a WM system or something, or Ubuntu, you have to install KDE or Plasma. And it just installs a bunch of hooks, and then your system's doing what? I don't know. And all these programs have different hooks that are all interacting together.
22:40
And I don't feel like it is clear to me how to know what it's going to do. So let's take a look at what programs.sway.enable will do. And I'll do this in the browser, because I think that will be a bit nicer. So programs.sway.enable. Cool.
23:01
And I'll make this bigger. All right. So on the web interface, it takes you to GitHub, which is cool. Okay. So we'll skip across the top, because this is all just some background stuff. Remember, Nix is a lazy language, so let's read this a bit lazily.
23:24
So the first section in a module like this is where you define some options. These are just a description of the options that you want to be available. And so there's that config, the description that we saw in the man page. We have another option here, extra session commands, where you can just run some arbitrary commands when things start up.
23:48
Some extra packages. So this, for example, installs by default, swaylock, swayidle, swaybg, xwayland, rxvt, and dmenu. So what if you enable Sway?
24:01
These will be installed with it. If you disable Sway, those packages will no longer be installed. And an example there. We will move on. Okay. So here we go. So here's the actual implementation of the module, of where it's actually doing a thing.
24:20
If it's enabled, cfg just refers to packages.sway.enable. Or, yeah, programs.sway.enable. If that's enabled, it adds some environment items, so it adds Sway and the extra packages to your environment. It adds a /etc/sway/config file, which is a symlink to this default config.
24:50
It enables swaylock in PAM. It enables OpenGL. Enables some fonts, and enables dconf. And that's it. That's what happens when you do programs.sway.enable.
25:01
Equals true. Cool. Make sense? Yeah, man. And everything in here is... I need to move, man. I'm listening, I can see. And everything in here is undone. So if you enable Sway and then you turn back off, all of the stuff goes away. That file in etsy will no longer be there.
25:20
Let's take a look at another one. Why are those two lines long? Uh, yeah. I don't know. That's a great question. I'm sure you're good. Can you explain a bit, like, mkOptionDefault? Sure, yeah. So, okay, yes.
25:40
So this gets a little bit into the weeds, but so, uh, this just adds the default... So, like, the Sway package comes with a default config, so it can start. And maybe you want to specify your own Sway config. And so you can override that file in your own config, and then it will take precedence.
26:01
So mkOptionDefault makes a very low precedence. And if you, um, if you set it without mkOptionDefault, it's a higher precedence. Make sense? Cool. All right. Hmm, yeah. So, uh, NixOS modules are a delightful bit of programming tricks in order to make
26:29
all the modules merge together. And so one of the tricky things is Nix can't know if, like, so if in this block you could do programs.sway.enable equals false, right?
26:44
And the module system needs to know ahead of time the total sum of every configuration before it's merged so that it can merge together. And that makes it... It's a magic trick to get rid of recursion problems. All right?
27:04
Yeah, so every module can do that. Yeah, so, cool. Let's, um, let's take a look at another one. Maybe we could look at OpenSSH. And, uh, look, is that a complicated one? Yeah.
27:21
No, I don't want a complicated one. I just want to give them, like, the tools to go explore the complicated ones. Oh, yeah. Well, all right. So this one turned out to be complicated.
27:41
So here we have services.openssh set as option. Enable, start when needed. Some other common flags that you have for OpenSSH. We'll get past... This is all, like, documentation and option setup. None of this is actually doing anything. Now at the end, we have that mkIf cfg.enable.
28:02
And, uh, so here we are. It creates its own user for isolation. It adds some SSH files to /etc. And sets up a systemd service. So this systemd service, let's see. Wanted by multi-user.
28:22
It needs network to start. stopIfChanged false so if you changed it, it doesn't kick you out of your server. That's pretty nice. And then some scripts that it will execute as it starts up. Like generating the host keys. This turned out to be a bit more complicated than I was expecting.
28:41
So maybe we'll take a look at a different one. Maybe the user one. Telnet. I'm not even sure we have telnet. Yeah, we don't have telnet, so thank goodness. Let's see. Let's just go play around with this VM a little bit. Does that sound good?
29:02
So we've got this configuration. It had nginx. It did demonstrate curl working in the VM. I'm not sure it did. All right.
29:24
curl 127.0.0.1. All right. So there's that website that we had defined earlier on. Let's see. All right. So let's change that.
29:44
Let's disable nginx. So just setting that to false. And this is obnoxious.
30:02
And then we'll rebuild. So this is a brand new system configuration. It's going to reuse the hard disk that we had before. So we can do...
30:22
So we'll hold that VM. It's going to boot all up again. And if we run curl, it's not running. So nginx is no longer running on the host. There's essentially no trace on it.
30:42
There should be logs. Nginx doesn't log very much. I hope I spelled it correctly. So there you are. We can see that it did run nginx at one point. Because this system has logs. Inside the VM, do you have access to the nix tools? Like nix-build? And could you build a VM in the VM?
31:03
And if you see the nginx configuration, would the nix file be present? Just like you had it in the whole system? Is it a full-fledged NixOS installation? No, it's a full thing.
31:21
Could you build a reduced version which would only have the services that you had previously specified and not the nix tools? Maybe for a constrained system, like an embedded system or so? Oh, so like to turn off nix, so you don't even have nix. Yes, so you don't have nix in the build directory.
31:41
Yeah, that's a cool idea. I don't think you can do that right now, but I think you should be able to do that. That's a great idea. That's a good idea. Just got to get rid of the nix. Cool.
32:09
Actually, I have a question. Yeah. So we just turned off the nginx, right? Yeah. Can we enable the nginx inside the virtual machine? Hmm.
32:23
So, let's see. So it's kind of unfortunate, because the font really sucks. So it's kind of hard to see. But what we could do is we could copy this config in and do a nixos-rebuild. Yeah. I'm interested if we would be able to enable it
32:41
inside the virtual machine, and then we would shut down the virtual machine and turn it off, would it still be enabled? Yeah. Yeah. Yeah, as long as you're inside the VM, if you did a nixos-rebuild switch, it would write to disk and have a new bootloader and bring up the new one. So then you have a nix config,
33:02
and then you have the virtual machine that's not the same. That's kind of dangerous. How do you avoid this situation? Yeah, sure. So when I deploy to real things, like with NixOps, which is sort of a similar idea to this, I do this thing where I taint it.
33:27
So inside, I add a custom configuration.nix which fails, saying you're on your server. I'll do that. Does that make sense?
33:41
Go ahead. So as you said, the configuration.nix is not in /nix, sorry, in /... That's the NixOS configuration. Yeah, it's not there in the VM by default, is it? Not in this one, no. Why not? Well, it doesn't need it.
34:00
Well, okay. So ideally for demo purposes, it would. Like this demo, it would, so I could be in there and just poke around and play with it and stuff. But it doesn't, unfortunately. So usually when I'm working on a NixOS module, I usually like... You want to iterate? Yeah. And then what I end up doing is
34:20
reboot the whole VM every time, which takes time. So this could be nice. So you should totally be able to have a config in there and nixos-rebuild switch and do updates to your system. Yeah. It got me when I first tried that. I wanted to rebuild my VM and there was no configuration.nix, so I just imported it and then rebuilt like that. I think, I don't know if it's...
34:42
I don't know if it's a feature or... Some things in Nix don't make sense until you start doing it and then it goes, oh, I see why they are doing that. No. So let's take a look at my system config because I think there's some kind of interesting stuff in there. Let's see.
35:06
All right. Okay. So there was a question about overriding services and overriding options in services. One thing you can do is... So let's take a look. So I have this definition here of nix.gc
35:23
where it garbage-collects Nix automatically. Let's move the browser into the window and go to the NixOS options. So services.nix.gc, oops, nix.gc, nix.gc.
35:43
All right. So there's this option nix.gc.automatic. You turn that on. It'll periodically collect garbage out of the system. Garbage being Nix store paths that are not used by any other store paths on the system. So this is fairly familiar.
36:00
I think at this point we've defined a few options, specifically automatic, which is interesting. And let's see. So it always creates the nix-gc service, but only creates a reason to tell systemd to start it if you specify automatic.
36:23
And so that's all this is. Pretty simple. Any questions about this? I'm worried I lost a bunch of you. And I apologize if I have. But OK. So I'd like this. This is pretty good.
36:40
I have configured my laptop to run garbage collection every five minutes. Yeah, well, every 10 minutes. OK. So I've specified nix.gc. Oh, that's not good. It's an automatic tutorial.
37:00
And I told systemd, start this every 10 minutes. Collect all the garbage you can. It's super annoying. That's why I work on a project called lorri. And actually, I did this because I wanted to make lorri. Anyway, so this is pretty good. But what is really annoying is if I'm on an airplane or I am unplugged and can't plug in,
37:22
and it garbage-collects all this stuff, and I have to spend a bunch of battery power rebuilding all this stuff. And you can see that this module has specified systemd.services.nix-gc. And so we can go fiddle with it.
37:41
So here we are. We have systemd.services.nix-gc. And we can extend it. So I have added this unitConfig called ConditionACPower. And so only if I am plugged into the power will nix-gc start. Thank you. You're welcome. I have a few of these.
38:02
Do you have an existing kernel? Well, why? Usually. For instance, like the start command that was already defined in gc. Can you override it there?
38:20
Yes. Let me show just one more, and then I'll get back to it. So here's another one. I use ZFS for my file system. And zfs scrub means read everything on your disk and make sure it's good. And that's not nice to run while you're not on battery power either. And so it doesn't. It prevents it. Okay, let's look at that other one. You could upstream these things.
38:41
I can't believe you have this level of control over your services. I know. Normally you'd have to look around for ages to get that shit to work. That's really nice. That's why I like Nix. Yeah, me too. Because it works. It's a genius thing. Me too. All right, so the script. Can you talk about the script? Yeah, okay. Yeah, so we could totally do that.
39:02
We could, let's see. We'll break this up a little bit. So we'll make this a little more normal. So that's the same thing, right? And we can totally do script equals, right? So we could do that.
39:20
This would be fine. Actually, it gets merged together. Oh, it does? Oh, so it'll run this first and then? Yeah. Okay, so it will merge them. How about mkForce? All right, so in this case, it will just add some more script to run. But we could use lib.mkForce. And this will make it a higher priority
39:41
and say, ignore what is there by default. Just do this. I need to go back and look at the code now. Okay, good. Yeah, okay, so cool. So let's try that. Is that cool? Let's try nixos-rebuild switch.
40:01
Come on now. So this is my actual laptop. Oh, boy. All right, so I have a custom branch of nixpkgs, so I need to set that. Cool, so this is going to use just the checkout of nixpkgs that I have
40:21
and use that version of nixpkgs to build my system. Well, I can't believe you do live demos. What's that? You do live demos of this. It still works on stage. Oh, yeah, yeah. So let's try that. So we'll start nix-gc. And I'm doing a live demo on my actual laptop.
40:45
So there we go. Instead of running the garbage collector, I just print "not today". What's that? Yeah. So I actually don't want that, so I'm going to delete that and return it back to normal.
41:05
Sometimes I like to do things that feel a little scary. In an earlier demo, I did a nix-build which deleted everything in my system, but it did work because it was in a nix-build. But if I'm being honest with you, I actually do erase a lot of my system on every boot.
41:22
So every time my system boots, I run zfs rollback on the root file system, and everything on my root file system gets erased. That does not impact my /nix directory or my home directory, but everything else is gone. And this is fine. NixOS can boot without anything in your root. It doesn't need anything in /etc.
41:41
It doesn't need anything in /usr, or in /var, or /lib, or anything like that. It's just fine. It's fine booting just from the Nix store. Why do you do it? Just for security? Just for fun. It's like always having a clean installation.
42:00
Yeah, yeah. So one thing that really was annoying about this. So one thing I do is my network configurations, like my joined Wi-Fi networks, that's not erased. But my Bluetooth configs are erased, and my very nice headphones stopped pairing, so I had to buy new headphones, which is not so nice.
42:21
What's your uptime? What's your uptime? Up, up, sorry? Uptime? Oh, uptime. All right. Oops. Yeah, so a few hours. A few hours, yes. Yeah. All right. Is this important to you? Uptime? No, no. Okay.
42:42
I've got loads of machines, and one goes down, and the other ones take over. Let's see. Let's do, what else is kind of cool in here?
43:02
Graham, can I ask you about this merging, that I don't understand, or is that too complicated? We can talk about merging. A mere mortal, I need them then. Yeah, let's talk about merging. Configuration merging? Yeah, I don't understand the concept. Yeah, sure. That's totally reasonable. So, and here I have this environment, like, to take this example, I have environment, and inside environment is variables,
43:22
and then some variables that I've specified. And other places set environment.variables too. So, what's that? I'll get to understand that. These things are vying for the same variables, perhaps. That's not floating.
43:40
Oh, there we go. All right. So, we'll ignore that one. Here's a place in XDG portals, where it sets some more environment variables, and some input method variables are set, and all of this comes down to the mkOption.
44:02
So, NixOS options, many of them have merge behavior. So, if two or more places define the same value, they'll merge in some way. In this case, the value is an attribute set, so the merge behavior is to take the two attribute sets and get the sum of the two.
44:24
With lists, the default behavior is to take all the lists and just append them in order. And what order, I couldn't tell you exactly. So, here is a kind of complicated one, profileRelativeEnvVars, and this is an attribute set of lists.
44:41
And so, in this case, the attribute sets would merge, and the lists inside of them would merge. Does that explain merging? Yeah. One thing is like, if these services were like Nixified, and they knew about the store and the derivations, and stuff, could they? Because there's a lot of fudging to get traditional generic UNIX services
45:02
to work in this framework. So, if say OpenSSH went, well, Nix is great. Here's a module. Yeah, I mean, would that make things simpler to maintain and make a better system hang together, or? It's a bit tricky. So, part of the superpowers I think Nix gives me,
45:22
and nixpkgs gives me, is everything's in one place. Yeah. But if I have to go to the OpenSSH package to look at it, I feel like that's a lot more complicated. You have a question? Yeah. Are you going to show how basically modules, like the modules infrastructure, as in not the modules themselves, but like the code?
45:41
No. No, it's too much. Yeah. How do you know if the options are set for mergeable or not mergeable? Yeah, so it's by type. Almost all of them are mergeable. Some don't have sensible merges. You can't merge a true and a false, right? So, if you declare a type as a Boolean, and one place declares it as enabled and another disabled,
46:01
it'll be an error, and it won't create a system. Does that answer it? Yeah. Okay. Pretty much all are mergeable. Yeah, pretty much all are mergeable, and I think in a way that is intuitive. Yeah. How do you match your secrets? My secrets?
46:21
Like the GPG piece? Yeah, sure. So, SSH keys, I copy them in, or I use a hardware dongle. I don't put those in my NixOS config. I have some, like, Wi-Fi secrets. Those are, I mean, so a typical system, and in fact...
46:42
Wait, so for SSH, you use hardware dongle because you don't remove your user data, so you don't have... So, I mean, I do that just like anybody else. So, I have, like, an SSH directory,
47:01
and I have a config, and I have some keys in there, and Nix doesn't touch that. For other secrets, I try to put them elsewhere. Secrets in Nix OS is a bit of an unsolved problem, and the only real concrete advice is don't put your secrets in Nix, because you don't want them in your Nix store.
47:22
NixOps has a way to avoid you putting them in. Yeah, yeah, but that's way too far. So, basically, you configure your own software, your mail client would ever point it to your USB, your USB dongle, touch the credentials, or copy...
47:41
No, just, like, SSH keys and GPG keys, like, that's on a UPG. No, no, no, no, no. The credentials are not going to be made by the Java client ever. Yeah, I mean, I use tools like other people use, too, so, like, pass, or even just, like, a locked-down file in my .config directory.
48:01
Nothing special, is what I'm saying. Do you have database backups or something? Yeah. Is it like state that you have in a database? Yeah, yeah, good point. So, he's saying secrets are like state, and I agree with that. So, typically, secrets have a different life cycle
48:22
than your system. If I were to reboot, and, like, I rolled over a bunch of my SSH keys, I wouldn't want to roll back and have the old SSH keys again. So, I treat them as completely separate. Thank you. Yeah. How are you doing in backups? Sure.
48:41
Okay, so, I... So, I use ZFS, so I feel like this is cheating a little bit, but the only thing I back up is my home directory. I trust my system, and it wasn't NixOS's fault, it was our fault, because we had too much beer, and we managed to restore the whole system with its .config,
49:01
without any backups, with the old rip-off system, and it was fantastic. So, I rescued the system, I got the data off, but I got the system back to the state it was before we drank too much. What was this with? With our machine at home, so...
49:21
Oh, yeah. It was just like, well, it does some important stuff, so... Gotcha. Yeah, I can't remember how we fucked it up, but we did. Okay. So, we couldn't boot it, it panicked, it could have panicked the boot. So, we did a NixOS, I think we actually installed NixOS from a USB drive,
49:40
and then made a new partition, and then did a nixos-rebuild switch, and got all the new config in, and it kind of all worked. It's like, holy crap. Right on. So, we're way over time. Wow, I'm sorry, I didn't mean to do that. Can you just show me one more thing, which is a really cool thing,
50:01
that when you're changing, say, the configs of nginx and stuff like that, all the changes you've ever done go into the store, and that got me out of some trouble, because I've got like a hashed revision versioning as a side effect of how Nix works. So, I'd knackered up my nginx config, so I was able to, it wasn't in git,
50:21
but it was in the Nix store, so I was able to do a diff back and find out what the problem was. Yep, yep. So, okay, so every NixOS system has this thing called a profile, and so my current system is this, whatever that is, and my booted system is probably the same. Actually, no, it's different, because I played with the gc tuning options.
50:47
And also, I can do nixos-rebuild rollback, right? And, nope. Yep, switch. And so what this will do, oops, gotta be root.
51:04
So, I'm on version 252, and it's going back to 251, and in fact, I could do that again, and I'm back at 250, and eventually this is gonna break, because of my networking configuration, maybe this time even, and that is all in the Nix system profile.
51:25
Oops, too many. So, these are all the systems I've had. Almost, it starts at number 100, and those are all, let's see, oh, no, it doesn't start at 100. It starts at number maybe four, three.
51:43
That's pretty good. Is there a two? I see a two. You see a two? Oh, there's a two. I don't think I have a one. So, there's my config from January of 2019, and if I wanted to, I could roll back to that. I wish I had a different desktop setup,
52:01
because I could also do it at the bootloader. If I reboot, it will show me a list of all the configuration versions I've ever had, and I can pick one and boot to it. There is a file at /run/current-system/sw, and it's actually a link to the output path in the store of the system,
52:26
and I was wondering why it's not a link to the profile of the system. So, current-system itself is like a symlink.
52:42
So, it's all self-contained in there, and so linking to a profile would be variable, whereas this is fixed. Anyway, we're super over time, so I feel bad keeping you all here. We should take a minute, let people leave, and then if people have more questions, keep asking questions.