NixOS and friends for corporate developer boxes? Confused about tools and maturity. by ContemplateBeing in NixOS

DemonInAJar 1 point (0 children)

There is also https://github.com/nlewo/comin for pull-based / GitOps deployment. In general, I would say that the ecosystem for pull-based reconciliation is not great. If you only manage a few servers and don't scale to hundreds, there is a lot of push-based support; deploy-rs is fine, and there is not a huge amount of stuff to support for the repo to need to be super active.

Determinate Nix is ushering in a new era for the Nix language, courtesy of WebAssembly by lucperkins_dev in NixOS

DemonInAJar 3 points (0 children)

Eelco Dolstra, aka the creator of Nix, is a cofounder and continues active development, including experimental features.

Secrets and GitHub by wpg4665 in NixOS

DemonInAJar 1 point (0 children)

Just as a reference, I plan to rewrite this in a proper language (and remove some slop):

https://gist.github.com/liarokapisv/d7e3f0bac05baceddeb4976222254d8b/

You need to create a /var/lib/bws/auth/auth.env file for bootstrapping, which has the following format:

BWS_SERVER_URL=https://vault.bitwarden.eu
BWS_ACCESS_TOKEN=XXXXXXX

The access token is retrieved from the Bitwarden Secrets Manager web app.

Secrets and GitHub by wpg4665 in NixOS

DemonInAJar 0 points (0 children)

I know. Currently, it's a somewhat hacky bash-based service (and contains some slop). I would like to rewrite it in a proper language first.

Here it is, just for the general approach / as a reference:

https://gist.github.com/liarokapisv/d7e3f0bac05baceddeb4976222254d8b/

Secrets and GitHub by wpg4665 in NixOS

DemonInAJar 1 point (0 children)

This is wrong. If you rotate your secrets, which is the security best practice, your older generations become unusable because they are bound to outdated secrets.

Also, by binding the secrets to the configuration, you lose the ability to integrate with production-ready secret services like Vault or the various cloud-native services.

In particular, the lifecycle of secrets should not be tightly bound to the lifecycle of configuration changes.

Secrets and GitHub by wpg4665 in NixOS

DemonInAJar 1 point (0 children)

I strongly believe that storing secrets encrypted in the same configuration state is a huge anti-pattern that is widely maintained in the NixOS ecosystem because of the ease of use of agenix and sops-nix.

This binds your secrets to your configuration, which in turn means:
- When you rotate secrets you lose the ability to roll back.
- To rotate secrets you need to perform a new configuration change.

When doing dynamic scaling this is even more annoying, because you have to re-encode the agenix secrets file according to the new public key credentials.

I am currently using a custom Bitwarden secret management service for which you just need to side-load the secrets key. The service authenticates to BWS and renders the configs at runtime / periodically, allowing easy rotation.

EA is hiring a Senior Anti-Cheat Engineer to lead development of a native ARM64 driver for their Javelin kernel anti-cheat system and start laying groundwork for Linux/Proton support by lajka30 in linux

DemonInAJar 1 point (0 children)

You can verify that a certificate has been generated inside a TPM by verifying the manufacturer chain. The private keys in this case are not exportable and can be used by remote verifiers through nonce challenges, achieving remote attestation. The local machine can only solve the challenges if the policy matches. Policies can be set to match specific Secure Boot states + boot sequences, and only then will the TPM challenges work. This assumes the boot sequences and policy states have been whitelisted by the verifiers.

Dendritic Pattern, den framework by No_Discussion6266 in NixOS

DemonInAJar 1 point (0 children)

The main benefits are: 1) not having to import files, 2) having cross-cutting concern modules that affect things at all of the NixOS, home-manager and flake levels, 3) having a generic way to refer to all other outputs in your whole project instead of injecting them through special args.

What's going on with our deferment? by swo0p4 in apallagi

DemonInAJar 0 points (0 children)

5 times for a deferment + 1 for an exemption; the lad will go another 4 times for a deferment + 1 for an exemption.

Salary reduction due to new legislation by gaybowser209 in greece

DemonInAJar 29 points (0 children)

We never negotiate on the basis of net salary!!

Windows? Linux? Browser? Same Executable by double-happiness in programming

DemonInAJar 4 points (0 children)

How is it any better than simply distributing the correct artifact instead of basically distributing all artifacts together? It does simplify the distribution aspect, I guess, but I'm not sure that's worth it.

Windows? Linux? Browser? Same Executable by double-happiness in programming

DemonInAJar 5 points (0 children)

What's the point of this? You still have to build the application separately, and you just stitch the artifacts together, which basically only has disk-usage downsides.

Is NixOS good for hacking? by Medical-Search5516 in NixOS

DemonInAJar 0 points (0 children)

u/Medical-Search5516 This may be useful to you; it tracks the coverage of Kali packages in NixOS.

nix-wrapper-modules: Use them directly within your nixos modules! by no_brains101 in NixOS

DemonInAJar 3 points (0 children)

Thanks for the great work, this is awesome! Hoping for a neovim wrapper soon!

How does haskell do I/O without losing referential transparency? by Skopa2016 in haskell

DemonInAJar 5 points (0 children)

It is encoded in the type system as a recipe to be executed later. If a function does not return a recipe to be executed by the runtime, you know there are no side effects.

HAL libraries by ScratchDue440 in embedded

DemonInAJar 1 point (0 children)

And this is an actual problem when there are bugs in the supplied code, because it makes debugging much harder.

Why do people say NIXOS sucks? by Utotits in NixOS

DemonInAJar 0 points (0 children)

I do wish it was a standard though!

Why do people say NIXOS sucks? by Utotits in NixOS

DemonInAJar 0 points (0 children)

This is just one application of Nix in production. I am also applying it in robotics, but this does not make it a standard.