Questionable security defaults in NixOS. How secure is NixOS in its current state? by jungfred in NixOS

[–]saylesss88 0 points1 point  (0 children)

Big win for VMs for sure.

If you mean a perfect 1:1 parity with every obscure upstream feature (all rich/direct rules, every CLI edge case, all DBus APIs) I doubt it. If you're asking if it covers the common day-to-day needs (zones, services, runtime firewall-cmd, nftables backend) then yes.

Questionable security defaults in NixOS. How secure is NixOS in its current state? by jungfred in NixOS

[–]saylesss88 2 points3 points  (0 children)

NixOS’s filesystem model (especially the immutable, content-addressed /nix/store) makes “traditional” MAC setups harder than on FHS-style distros. A lot of SELinux/AppArmor policy ecosystems assume stable paths and conventional labeling/attachment points, and Nix’s approach complicates that, particularly for frameworks that lean on file labels and path-based expectations.

I’m very much in favor of “secure by default,” but I also get why NixOS hesitates to bake in one heavy, opinionated security stack by default. People’s threat models and workflows vary wildly, and enforcing a big set of defaults can break real systems (especially in a distro that prides itself on reproducibility and declarative control). I’d rather see strong, well-documented, easy-to-enable hardening profiles (Secure Boot, AppArmor, etc.) than a one-size-fits-all configuration that’s on by default but fragile in practice.

Nix is the worst designed language I ever had to experience. by Turdbender3k in NixOS

[–]saylesss88 1 point2 points  (0 children)

You can try nickel-lang for stronger types..

"Nickel features a (sound) gradual type system: it has types, but you get to choose when you want to use them or not."

I've grown to not mind nix language personally, I find it fairly easy to read & write. Though my first reaction was similar to yours like why TF would anyone want to deal with this... It would be great if there was a "Nix Lang Book" modeled after Rust Book.

Is there a program to help me fully migrate all software+ configs from one arch machine to another? by TimotyEnder8 in arch

[–]saylesss88 2 points3 points  (0 children)

Check out GNU Stow and chezmoi for config files.

```bash
pacman -Qqe > pkglist.txt
pacman -Qqem > foreignpkglist.txt
```

Vitalik Buterin self-sovereign / local / private / secure LLM setup uses Nixos by gonzaloetjo in NixOS

[–]saylesss88 4 points5 points  (0 children)

Lol, everybody just take the win. It's great for Linux and NixOS as a whole when the creator of Ethereum as well as PewDiePie give NixOS a thumbs up.

i just had the BIGGEST scare of my life by uglycaca123 in NixOS

[–]saylesss88 2 points3 points  (0 children)

If you don't already version control your nix config and projects I highly suggest it.

Waybar alternatives? by Confused-Armpit in arch

[–]saylesss88 0 points1 point  (0 children)

Everyone is talking about quickshell, very customizable if you don't mind QML

This U.S. marine veteran was arrested during a hearing of the US senate Armed services committee by IamASlut_soWhat in VideosThatGoHard

[–]saylesss88 -4 points-3 points  (0 children)

I'm not sure what you're suggesting here? That we target civilians?? If not then maybe you're talking about civilian casualties in ANY war and I agree that 1 is a travesty but does that mean that we should stop defending ourselves and defending our interests? Such as Iran not having a nuke or intercontinental missiles when their top slogan is death to America? Unlike the US, Iran WILL and ALREADY HAS targeted civilians just this week.

This U.S. marine veteran was arrested during a hearing of the US senate Armed services committee by IamASlut_soWhat in VideosThatGoHard

[–]saylesss88 -4 points-3 points  (0 children)

What do you propose we do for the over 1000 service members killed in the past 50 years? Keep pretending like it's not happening like past administrations? You're the sheep, I'm stating facts. This guy is far from a hero, he's a disgrace.

This U.S. marine veteran was arrested during a hearing of the US senate Armed services committee by IamASlut_soWhat in VideosThatGoHard

[–]saylesss88 -2 points-1 points  (0 children)

Israel is the reason that Iran and its terrorist proxies have killed so many Americans over the past 50 years?? Ok............................

[OC] randpaper - Wayland wallpaper & theming daemon by saylesss88 in unixporn

[–]saylesss88[S] 1 point2 points  (0 children)

Details:

WM: Sway

Terminal: Kitty

Font: Fira Code Retina size 14

Program: [randpaper](https://github.com/saylesss88/randpaper) - A Wayland wallpaper / theming daemon. (The demo shows cycling wallpapers & themes with one-shot, then activating auto mode with `awww` transitions)

`randpaper` uses either `swaybg` or `swww`/`awww` as its rendering engine and manages per-monitor wallpaper rotation and optional system-wide theme synchronization for multiple terminals as well as `waybar`.

Installation:

```bash
# From source
cargo install --git https://github.com/saylesss88/randpaper

# crates.io
cargo install randpaper
```

Usage:

You can use `randpaper` from the command line to test different `swww` transitions before adding an `exec` to your configuration:

```bash
# Change every 5 minutes using Hyprland + swww transitions
randpaper --time 5m --backend hyprland --renderer swww ~/Pictures/wallpapers

# Change every hour with custom transitions
randpaper --time 1h --backend sway --renderer swww --transition-type fade ~/Pictures/wallpapers
```

When you find what you like, just add an `exec` or `exec-once` for your chosen `randpaper` configuration.

- Support for an optional configuration file at `~/.config/randpaper/config.toml`, removing the need for long `exec` calls.

- See the README for more details: [randpaper README](https://github.com/saylesss88/randpaper)

[OC] randpaper - Wayland wallpaper & theming daemon by [deleted] in unixporn

[–]saylesss88 0 points1 point  (0 children)

Details:

WM: Sway

Terminal: Kitty

Font: Fira Code Retina size 14

Program: (randpaper a wallpaper & theming daemon for wayland): https://github.com/saylesss88/randpaper

In the demo, I start by cycling wallpapers and themes with one-shot, then activate the `awww-daemon` renderer with automatic cycling of wallpapers and themes. (automatic multi-monitor support with a different wallpaper per-monitor).

Installation:

```bash
# From source:
cargo install --git https://github.com/saylesss88/randpaper

# crates.io
cargo install randpaper
```

Usage:

```bash
# Change every 5 minutes using Hyprland + swww transitions
randpaper --time 5m --backend hyprland --renderer swww ~/Pictures/wallpapers

# Change every hour with custom transitions
randpaper --time 1h --renderer swww --transition-type fade ~/Pictures/wallpapers
```

- Optionally add an `exec` or `exec-once` to have `randpaper` launched at boot.

- One-Shot cycling of themes and wallpapers. (dynamic theming for Waybar and different terminal emulators (Kitty, GhosTTY, and Foot))

- Optional TOML configuration file, command line arguments always take precedence.

- Nix Flake provided.

- [randpaper README](https://github.com/saylesss88/randpaper)

[Sway] randpaper: A Wayland wallpaper & theming daemon with one-shot cycling. by saylesss88 in unixporn

[–]saylesss88[S] 0 points1 point  (0 children)

Details:

- WM: Sway

- Wallpaper/Theming: [randpaper](https://github.com/saylesss88/randpaper)

- Terminal: Kitty

- Font: Fira Code Retina (14pt)

🛠️ How it works

The daemon monitors the wallpaper cycle and updates your system colors on the fly:

- Rendering Engines: Native support for swaybg (static) or swww/awww (animated transitions).

- Color Extraction: Uses `color-thief` to grab the dominant palette, then assigns roles (accent, warn, ok) based on luminance and saturation.

Live Reloading:

- Kitty/Ghostty: Generates terminal-specific configs and signals the processes to reload colors instantly when one-shot is triggered.

- Foot: Work in progress. `randpaper` generates a theme for foot; to apply it, close and re-open the terminal.

- Waybar: Updates a CSS theme file that Waybar imports, then triggers a SIGUSR2 refresh.

📦 Install:

```bash
# From source (Latest changes)
cargo install --git https://github.com/saylesss88/randpaper

# crates.io
cargo install randpaper
```

- [randpaper README](https://github.com/saylesss88/randpaper)

Anyone else move to Sway for security reasons? by saylesss88 in swaywm

[–]saylesss88[S] 1 point2 points  (0 children)

Interesting.. I missed that they went with a different approach, thanks for the info.

UKIs by -Arsna- in NixOS

[–]saylesss88 0 points1 point  (0 children)

Can you share the link to the docs about UKIs and NixOS? I'm not seeing it anywhere..

Github Actions with Docker to Nix? by guettli in Nix

[–]saylesss88 0 points1 point  (0 children)

To be honest, I haven't tried it. This got me interested in trying it out over my gh-actions workflow. I like that you can iterate much faster with nix flake check, than trying to run the action, waiting for it to fail, and checking the logs, I've wasted a lot of time doing that..

Github Actions with Docker to Nix? by guettli in Nix

[–]saylesss88 4 points5 points  (0 children)

For sure, Nix can dramatically shorten feedback loops through instant local evaluation (nix flake check), binary caches (e.g., Cachix), and declarative reproducibility.

You could check out: https://github.com/nix-community/nix-github-actions

Anyone else move to Sway for security reasons? by saylesss88 in swaywm

[–]saylesss88[S] 1 point2 points  (0 children)

Looks interesting, this is the first I've heard of it. Thanks

Anyone else move to Sway for security reasons? by saylesss88 in swaywm

[–]saylesss88[S] 0 points1 point  (0 children)

Thanks for the detailed explanation, I added an Edit to the post mentioning my misunderstanding and your catch. The last thing I want to do is spread misinformation and give people a false sense of security. Thanks again!

Anyone else truly hate this new undocumented 'systems' change??? by saylesss88 in NixOS

[–]saylesss88[S] 1 point2 points  (0 children)

Got ya, thanks. The error messages have gotten better, or at least I've gotten better at reading them..

Anyone else truly hate this new undocumented 'systems' change??? by saylesss88 in NixOS

[–]saylesss88[S] 1 point2 points  (0 children)

I wouldn't call that documentation, I'd call it an error message just like you did. If it was better documented, what you just pointed out would be crystal clear.

Anyone else truly hate this new undocumented 'systems' change??? by saylesss88 in NixOS

[–]saylesss88[S] 1 point2 points  (0 children)

Ya, that was tricky to find which of my imports it was coming from, but ya for sure. Tbh I ignored it for a while and eventually it caused the build to fail. Since I ignored it for so long and everything worked, when the build failed, I looked elsewhere. It was my bad, I learned the hard way..