Hi, I’m still exploring stuff and I was thinking about Nix, with all its stuff. What do you guys think? Maybe someone with experience can tell me if I should stay away from it or if it could be a good choice for privacy, anonymity and security.

  • alt@lemmy.ml · ↑14 · edited · 8 months ago

    Most distros are somewhat equal when it comes to privacy, anonymity and security; with the likes of Fedora and openSUSE known for taking it more seriously out of the box than the other ‘big bois’, while some smaller distros like Kicksecure are known for their best-in-class[1] hardening that they offer by default.

    As for NixOS, it’s really its own thing (together with Guix), and thus very different from any other distros. If you conquer it, you would be delightfully met by a system that enables you to do things unheard of in other distros. However, the learning curve is very steep. And perhaps even hardening it to the level that Fedora or openSUSE provide by default might not be trivial.


    1. Qubes OS is technically not a Linux distro. But it’s worth mentioning as one generally tends to run Linux within a qube (read: VM), and in regards to security and privacy; Qubes OS is simply unmatched, period.
  • Euphoma@lemmy.ml · ↑10 ↓1 · 8 months ago

    If you don’t have much experience with Linux you should not use NixOS. I don’t think NixOS is any different from Debian or Fedora in privacy, anonymity, or security. Many people even reduce their privacy by putting their config on GitHub.

    • toastal@lemmy.ml · ↑7 · 8 months ago

      I mean yes you reduce your privacy by interacting with Microsoft GitHub in general, but posting your Nix config to the public isn’t much of a privacy concern since you shouldn’t have any plaintext secrets anyhow as a best practice since it would be compiled into the Nix store. There are a couple of different ways to encrypt secrets, as well as just not committing private *.nix to a public repository.
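
A pre-publish check in the spirit of the comment above, as an added example that is not part of the thread: a heuristic scan of Nix source for string literals assigned to credential-like attributes, which would end up both in the public repository and in the world-readable Nix store. The attribute-name patterns, `services.example` and all sample values are constructed assumptions.

```python
import re

# Heuristic attribute names that usually hold credentials (an assumption of this
# example; extend the list for the modules you actually use).
SECRET_ATTR = re.compile(
    r'\b(\w*(?:password|passwd|secret|token|apikey|psk)\w*)\s*=\s*"([^"]*)"',
    re.IGNORECASE,
)
# Attributes ending in File/Path name a file holding the secret, not the secret.
PATH_SUFFIX = re.compile(r"(?:file|path)$", re.IGNORECASE)
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def scan_nix(text):
    """Return (line_number, kind, attribute) for each suspected inline secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line Nix comment
        if PRIVATE_KEY.search(line):
            findings.append((lineno, "private-key", ""))
            continue
        for match in SECRET_ATTR.finditer(line):
            attr, value = match.group(1), match.group(2)
            if not value or PATH_SUFFIX.search(attr):
                continue  # empty literal, or a path to a secret kept elsewhere
            # A password hash is not plaintext, but publishing it still allows
            # offline guessing, so it is reported with its own label.
            kind = "hash" if attr.lower().startswith("hashed") else "plaintext"
            findings.append((lineno, kind, attr))
    return findings


# Constructed sample config; services.example is a hypothetical module.
SAMPLE = '''\
{ config, ... }:
{
  users.users.alice.initialPassword = "hunter2";
  users.users.bob.hashedPasswordFile = "/run/secrets/bob-hash";
  # services.example.password = "old";
  services.example.apiToken = "constructed-token-123";
  users.users.carol.hashedPassword = "$6$constructedsalt$constructedhash";
}
'''

if __name__ == "__main__":
    for lineno, kind, attr in scan_nix(SAMPLE):
        print(f"line {lineno}: {kind} {attr or 'key material'}")
```
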

      • Euphoma@lemmy.ml · ↑4 ↓1 · 8 months ago

        Other people will know what bootloader you use, what apps you use, etc. Yeah, I guess it’s not a huge concern, but it’s something.

        • Gooey0210@sh.itjust.works · ↑1 · 8 months ago

          It’s like giving a map of your infrastructure to a hacker, but it depends on your threat model. Most of the attacks on home servers are automated, so it shouldn’t be a concern.

          Another thing: if your threat model is different, then the situation is not that good, but you can encrypt a lot of stuff, especially when you’re making your config reproducible.

    • Gooey0210@sh.itjust.works · ↑2 · 8 months ago

      NixOS can be more secure than classic distros. First of all, you have atomic states of your system, so nothing can be added without rebuilding the whole system and giving it a new name.

      Also you can do impermanence to ensure nothing can slip in for sure, because the system will be recreated every boot

  • Chais@sh.itjust.works · ↑5 · edited · 8 months ago

    I don’t know what gave you the idea that a particular distro would be an especially good/bad choice for privacy, etc. They’re all GNU/Linux with only minor differences in compile-time options in the kernel and different defaults in user-space. But they’re just that, defaults. You can reconfigure them to your preference.

    With that out of the way, the issue NixOS attempts to address is reproducibility. You get a central configuration infrastructure that defines everything, from partition layout, through user creation and package installation to software configuration. The central idea being that migrating to a new machine or setting up a new development environment should only take a few commands.
    What you do with that is up to you. You can barricade the whole system if you like. The defaults are sane, but not overly focused on privacy, etc.
    Also it’s quite a learning curve as the documentation/wiki is incomplete and/or outdated.

    • doomkernel@sopuli.xyz · ↑3 · 8 months ago

      Yeah, Nix documentation kind of sucks right now. There are like 10 different ways to set up flakes.

            • Atemu@lemmy.ml · ↑5 · 8 months ago

              No, not obviously.

              People new to Nix/NixOS always seem to think that flakes are some kind of fundamental shift or something and if you don’t use flakes, you’re not going to be ready for the future or whatever.
              No, they’re not. They’re “just” a standardised method of composing separate Nix projects.

              In the most common NixOS case (and especially when starting out) you have exactly one external Nix project you depend on and that’s Nixpkgs. Flakes provide very little (if any) benefit in this specific case.

              If you’re starting out, you don’t need to care one bit about flakes, experimental features and the documentation of features that are not intended to be commonly used yet (especially not for beginners).

    • Gooey0210@sh.itjust.works · ↑1 · 8 months ago

      The wiki is not even recommended, since some time already nobody has access to the wiki, even to put a banner “stay away, everything is not working and outdated”

      • Chais@sh.itjust.works · ↑1 · 8 months ago

        So we have to piece information together from the manual and random blogs? Like cavemen? Or worse, like Windows users??

        • Gooey0210@sh.itjust.works · ↑1 · 8 months ago

          The Matrix room is the recommended channel of support

          I personally think it’s a bit of a waste of somebody’s time to always sit there and reply.

          Also, when you start understanding how this stuff works, you can start using GitHub’s code search so you can find snippets of code and make your own (or just look at the packages’ code, it’s very basic inside).

          Ah, and forgot to mention because it’s too obvious, nixpkgs search, this is basically all you need for free movement inside “nixverse”

  • LWD@lemm.ee · ↑5 · 8 months ago

    In cases like this, if you have to ask, you should probably avoid the OS. There’s nothing wrong with experimenting, but Linux’s extremely open nature allows you to make a lot of blunders that a more seasoned security expert would advise against.

    And by “you,” I mean “me.” I have made a lot of security blunders.

  • random65837@lemmy.world · ↑3 · 8 months ago

    Nix is awesome for experienced Linux users, AND that want to constantly play with their config file. If you do things and install things at the user level (which way too many do) then you’ve removed the benefit. That said, do it right, and recovering, moving, or duplicating your system could possibly be any faster/smoother.

    Not saying it’s hard to learn, but if you’re not used to the CLI and editing config files, I’d start with it in a VM. If you decide you like it after you’ve totally set it up there, then the magic of Nix comes when you install it for real and just redeploy an exact clone thanks to the config file.

    • Gooey0210@sh.itjust.works · ↑1 · 8 months ago

      “If you do things and install things at the user level (which way too many do) then you’ve removed the benefit.”

      ? 😅 nix-shell, nix-env? also home-manager? I’m running some machines user only, no root

  • jlow (he/him)@beehaw.org · ↑3 · 8 months ago

    One of my admin friends said it’s not really made with desktop users in mind but more for people who need to set up (lots of) computers / servers quite often (= admins). If you’re not planning on distro hopping or reinstalling your system all the time it doesn’t really do anything for you that any other distro plus a good backup strategy already does. Plus you can use the Nix package manager without installing NixOS on the distro you’re on right now, if you wanna check it out.

    How do people here feel about this evaluation?

    • Unmapped@lemmy.ml · ↑1 · 8 months ago

      I switched from Arch to NixOS about three weeks ago. I can’t imagine ever using another distro again.

      While it definitely seems like it would be made for admins because of how easy it is to set up more computers from your config, I think it’s actually made for software devs.

      I don’t plan on distro hopping or reinstalling a lot. But it’s nice knowing that if I break NixOS with an update, all I have to do is reboot back to the last good build. Or worst case, I just clone my git repo to a new install and rebuild my whole setup in one command.

      While, as you said, this is possible with other distros and good backups, NixOS makes it so much simpler. Well, once you learn how to config with Nix. Which brings me to my favorite part about NixOS. Everything is configured in one place. Well, two, including home manager. Everything. My zsh, starship, tmux, neovim, zerotier, docker, syncthing, steam, desktop environment. All configured in just those 2 files. Along with a list of every package you install. Which means if you remove a package or switch to a different DE, everything you’re not using is just removed from your system entirely. When I’m using gnome I have all the gnome programs. Then when I switch back to hyprland they are all gone again.

      I said that was my favorite part but I think my actual favorite part is how dependencies work. As I understand it, say two packages both need python. They each get their own python package instead of sharing. That way every program has the exact versions of the dependencies that it needs. But as you said, you can install the Nix package manager on any distro for that part. I just love having all these features plus more all in one.

      I’m not sure if all this rambling gets across what I was trying to say. I’ve just been blown away and so excited about NixOS since I tried it. It feels like I’m using a system from the future.

      Tldr: Your friend is mostly correct. It can all be done on other distros. But the NixOS way of doing it is amazing. Once you learn it.

  • coolboole@infosec.pub · ↑1 ↓1 · 8 months ago

    NixOS can be a real pain when it comes to pre boot encryption and secure boot. If you’re intending on going deep into hardware security I’d avoid it.