The Linux Tier List

The devil tier is obviously because of the anti-user decisions these companies keep making. I agree Gentoo is not for tryhards. When I wasn’t a sysadmin yet, my colleagues were using Gentoo on all their servers.

They were compiling stuff only for security and bug fixes and making sure they get the best performance out of the servers (because they needed low latency audio processing for the asterisk pbx they were using).

I started using NixOS relatively recently and it just clicked with me on first try. Everything you do, you either as in configuration.nix or in hardware-configuration.nix if you want something specific for your system and if you want to have custom, different services on settings on a per-server basis, you make another .nix config file and add everything there, including systemd services. Just add that new config to the main cfg.nix.

I made 1-shot systemd unit files in the nix config, because I’m using a tmpfs root that gets wiped on reboot. The 1-shot makes symlinks to my shell rc profile, because I opted for immutable users and did not want a persistent /home. Everything wipes out of reboot as well.

Unfortunately, I’m not getting the benefits of a tmpfs /, because most of the stuff there is just symlinks and a few autogenerated config files that need to be accounted for. But I find it better than having a snapshot of an empty / and reverting to it on boot, best to just clean the ram.

NixOS is definitely great for business and a unique distro. Using NixOS is not as easy as using a normal distro, but it makes you learn some discipline on config files. And if you go the empty root way, it also makes you learn to minimize cruft and only backup the essentials, that being the data, persistent config files and NixOS .nix files.

Are you sure you were using the NixOS configuration.nix to install the programs? If you used the nix-env shell, you would only get ephemeral programs installed under your user’s profile. Just add the programs in the config and nix takes care of it a “nixos-rebuild switch” later (or test, or boot depending on what you want to do).

I’m no Guru or coder. My experience with Linux began when my first windows PC which I loved kept getting the blue screen of death. I wasn’t tech savvy didn’t know anyone that knew computers. I would hit the forums, BB & chat rooms. When I heard of linux I must of wiped my drive & reinstalled 100s of times. I got linux cds w/linux books and the only one I was able to install was slackware. Once I learned to dual boot I continued with windows & slackware till windowsXP, then I just stopped wasting my time w/ windows. Last yr my hardware was 15 yrs old & I was forced to build new boxes. I ran into a problem with UEFI, I don’t quite understand and started Linux distro hopping for the first time. I will be installing slackware base vm, arch base vm, debian base, and an ARCO base with a few WMs for a daily driver. Slackware never crashed on me other than my borking it. I don’t need apps that I have no use for or a bunch of apps that for the same thing.
Bottom line Linux Distros are only as good as its’ operators. So follow youtubers who sculpt their own distros with the tools that work for them. Your use will define the distro that fits you.

I am nIx curious and maybe you can sway me to invest the 1-3 days to learn it.?.

Here is my situation… The reproduce-able builds sound cool, but after getting over the initial excitement I realize that is scratching an itch I just don’t have. I don’t have a lot of packages installed, I don’t install weird things, and I don’t f-around with my system configs for fun. If I change things I know how to put it back. If I do anything interesting I use containers. At this point, I should say for my server setups my base OS is bare bones minimal. Everything is in containers. So I have reproducibility there without the need to learn something new. And ansible is always available too.

Which is the crux of it. Why learn all the linux tools plus the nix config language if you are going to have a bare bones host and containerize everything?

This is why I haven’t tried nix. That and I really do not have 1-3 days to dig into it. Arch is good enough for me.

I don’t like the idea of persuading people to use something else, but lately I’ve been telling people to choose whatever, but to stay away from anything RHEL-based (unless absolutely necessary) and for a long time, to absolutely stay away from manjaro.

I don’t just change my defaults either. I’ve had bad experiences with arch over the years myself, some were arch problems, some were hardware, but that other distros would’ve very likely handled better, but I haven’t given it another chance. My opinion could get changed, but I never made use of the AUR (most of the installs I ran were “pure” and kept up to date and still borked themselves - although all were desktops config, never tried it as a server), so why even use arch then? That’s just me, if it works for you, keep at it. Changing your config just for sake of change is silly, unless you have a goal in mind (like learning or getting a highly paid job that requires nixos knowledge - although by that point it won’t be "just for the sake of change).

If you have many machines to manage and want to make sure everything is consistent (changing SSH keys and passwords often, maybe once every blue moon add a new software that you want deployed on all systems etc.), then nixos is the way to go. If you don’t care about that, maybe nix isn’t for you and that’s fine. Nix does have a lot more things up its sleeves and flakes are just one of them. I haven’t delved too deep into it, but lately I’ve been dealing with microvm.nix. This allows you to run a minimal nixos VM using technologies like firecracker, which saves a ton of resources, gives you the advantage of containers, but has a full kernel (so it’s a micro VM in the literal sense). You can define your VMs in a config file and even if the full system somehow gets screwed (all by itself I mean) and you have your user data (say a DB dump and a few documents), then all you need to do is reinstantiate the nix VM and everything will be rebuilt exactly the same, no need to recover from backups (so you don’t even need backups as large to get the whole OS recovered).

This is similar to how OCI containers work, but much more refined and applies to an entire OS, not just a container OS. But nix comes with yet another ace. Every installed program version is definable. Unlike OCI containers, which will not always recreate the same system, nix will. Nix goes way further for reproducible builds. When you run a docker build based on some program versions you define, like mysql 8 and nginx 1.25.1 today, your system (particularly the OS you choose, say alpine) will not build the same today as it will in 5 weeks from now. NixOS will. The best part about it? You can run nixos in an OCI or linux container (say, replacing alpine with nixos) and get the benefit of nix without dropping your currently preferred stack. You just need to add the stack definitions.

The above is a highly sought for enterprise feature. For example, I think the library of congress in the US were running older RHEL and trying to relaunch a broken mysql db, but compiling the precise mysql version and whatever else was difficult. So they just switched to nixos and recovered, managed to launch the db and get the data out of it. Probably there are more example like these.

What does it mean for the home user? Nothing really, since most home usage will have the systems running close-to or actual bleeding edge. Again, I’m not trying to convince you to switch.

As for ansible, I find it to be a worse version of nixos. Ansible doesn’t have generations like nix does. Let’s say you deploy ytop to 3 systems using ansible. And then after a while, you find out it’s deprecated, so you want to remove it. Let’s say 1 of these 3 systems is down.

How would you remove it in ansible? Just deleting the entry to install ytop from ansible is not enough. You have to specify “uninstall ytop” in your playbook. It goes to the 2 systems and uninstalls it. Then you remove the line “uninstall ytop” to keep your playbook clean. Then later on, you start your offline system, but didn’t realize it also had ytop installed, so now whenever ansible runs, it will not uninstall ytop, because you removed the definition from the playbook. You have to add it again. And you want to keep your playbook minimal to avoid redundant things like install ytop, then uninstall ytop on a fresh system.

How this can be achieved in nix? You just remove the package entry “nixos” and your whole system gets regenerated, without ytop. Think of a generation as a system snapshot, that’s always recreatable. You pushed your nixos config to the 2 systems, they generated a new generation without ytop and are running it. You power on your last system and you notice ytop is still there, meaning the configuration.nix (or whatever config you keep for just programs, there are good reasons for compartmentalizing) has not been changed. just push your latest configuration.nix to the last system and you’ve got the last system running the exact config as the other 2.

With ansible, you manage the state of the system. With nix, you define the state and nix recreates it entirely.

With nixos, you can get even more insane and make the system immutable.
https://grahamc.com/blog/erase-your-darlings
https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/

The first guide is what made me want to switch to nix. The second one is the one I’m actually running on the few systems I have that run nixos. I’ve got a /nix/persist folder in which I keep all my user data and persistent config files (like configuration.nix, hardware.nix and custom.nix) and I define the pointers to them in the nix config.

I had a similar config with diskless alpine install. You can just back up the lbu ovl file and slap it on another system, but it’s not as refined as nixos and you’re also backing up the things like binaries, which is just cruft.

I was thinking, later in the future if I keep digging into nix, to have a single “main system” with the nix-store sharing it via NFS to systems that are in read-only mode with the nix-store (well, nix-store by default is read-only, but what I mean is that the slave systems would not be able to install software in the store themselves).

This is inspired by the gentoo NFS wiki, but I’d have to manage multiple generations, one for each system I have and make sure I don’t nuke one of the running generations. I already have delved into tftp pxe booting and root-on-nfs systems, but adapting it to nix would certainly be difficult.
https://wiki.gentoo.org/wiki/Diskless_nodes

This was just to showcase what cool (and useful) things you could do with nixos.

Back to nix flakes. I mentioned the microvm.nix, but there are other flakes, like dns.nix (running bind using a defined nix config, a bit gimmicky, but I suppose I could see uses for it - and it does solve the insane DNS zones configs, with the nix language structure, which looks like json). There’s NixOps (which is a nixos deployment tool, similar to terraform, but from what I’m reading, not as good as terraform), containers.nix, qemu-vm.nix, virtualization.nix (this one is part of nixops I think). The list goes on. It’s basically like a way more advanced AUR, people come up with all kinds of new ways of running and deploying software.

I’ve been running nixos on 2x raspberry pi 3s. Initially I was testing pi-hole in lxc on another distro (which failed, because I couldn’t bridge a wifi connection), then I tried docker (because it was easier to NAT, it’s just the default - I failed to NAT the wifi to the lxc network). But at some point the SD on one of them got corrupted when I plugged something into the same multi-port USB brick and cut the power to one of the pis.

Then when I switched to nixos (as I already had it on other SBCs, like my HC4) and wanted to have the same easily replicable system, because I couldn’t be bothered to back up docker containers for something that doesn’t even keep traffic logs - I was running in anonymous mode and the /var/log was tmpfs). I found that adguard home and blocky were present in the nix.pkgs. How cool is that? I just switched to blocky running straight on the system and couldn’t be happier. I could’ve slapped armbian on the pis and run the pi-hole install script, but then I’d have to again configure the user, hostname, wifi connection and so on. A royal PITA for me. NixOS does things much better.

As I’m expanding my home lab again (I was forced to start from scratch a few years ago), I’m looking for ways to save time, as I can’t seem to find the time to work on my homelab as often (neither the energy).

NixOS saves me time. I don’t have to think about how I install my next project, I just edit my custom.nix config and send it to the live nix iso along with the generic configuration.nix (unless it’s a VM, I just generate a new hardware.nix file on the system, it’s just one command).

This got too ranty, I’m sorry.

Wow, great points! I’ll have to spend a little time digesting all that (which I will). Here’s my initial take away.

I should have asked my question another way. Don’t bother persuading me so much as show me why you do what you do. That is persuasive in an indirect way. And you did that in spades. Very compelling arguments. I will have to put nix somewhere around third on my list of things to learn. Which is a bump from… well, let’s be honest my list is not that long, time is short with family life so it was basically off the list for the time being. After your post, nix is on the list. I still have some things I feel I have to learn first (mostly for fun and resume padding), redoing my knowledge of the basic workings of my OS is just too much for me right now, I need to focus further up the stack.

I really like the declarative arguments you made. Makes sense but I did notice both situations required some recognition and some action. The nix action might be smaller and more straight forward, but you choose to make it with nix in your example. With that said, I get what you were aiming at and buy your argument.

The versioning setup for nix is cool. Cleaner than my btfs setup. I have a number of programs that require old java or are just a PITA to update. Honestly, I keep those containers stagnant for a long time. When I do mess with them I am not doing simple upgrades, I am rebuilding a new container with the same config and cutting over to it. Data is separated. With this I can test the new config and only roll to it when I know it is good. This is probably more labor intensive on one level, but conceptually simple for a monkey like me.

That last point ties into another point I thought about on my walk yesterday. Security. With nix I would still want to run my services in unprivileged containers for the sand boxing benefits, correct? Nix would be my bare bones host OS, which arguably should be a super simple config (but also less advantageous given it’s super simple nature, right??) and give my host OS all the benefits of nix. That is great, but I want some added security which I think necessitates containers, bubblewrap, or VMs. Which puts me right back into admin’ing with containers. I could run those guest os’es with nix and have all the benefits of nix, but I would be doing the same laborious rebuilding with those PITA systems.?. I have to think about that one. Maybe nix is easier to use old packages in the declarative syntax? Or maybe it is faster in large environments with lots of containers? The roll back would be faster for sure. Especially for the host os. But that os is so simple I don’t even need ansible to bring it back up in under a handful of minutes - assuming hardware failure that necessitates full hands on action.

I will read the erase your darlings article later today. I like the concepts I think he is getting at, which I have heard expressed as pets vs cattle. I have never been big enough to have the need for dozens of “cattle” systems that are created and destroyed quickly. My containers are pets (or darlings) and are uniquely customized to a large degree. I buy the argument that nix would make this process better, I just am still wrestling with the cost/benefit of it.

At the end of the day I will eventually learn nix to some degree, maybe then I will fully understand the benefits. The same process happened to me with arch. I didn’t get it until after I used it for a while. Arch is just a blank slate with small updates. Simple. Nix is a lot more complicated and nuanced. A paradigm shift that is hard for a monkey like me to asses the costs & benefits. But you helped me a lot, I will eventually learn it but it might be a few years.

Thanks my friend!

EDIT: after thinking about this some more, I realized my thought process for a full hardware restore was off a little. With nix I could have one big config, or a bunch of them, that would restore not only my host OS but also all the containers in one shot. That does save time from my current setup of pulling containers from backups. I can see why guys who swap hardware a lot really dig nix. I am the opposite guy. I run my gear into the ground. So saving an hour or three every 7 years is nice and all, but the cost/benefit may just not be there for me. Correct me if I am wrong.

Short answer, probably yes. Running things straight on nix by itself, not exactly secure. All programs have access to anything on the system, depending on what you run them as. If root, then obvious… if you launch them as an unprivileged user (which you can via a systemd service file declared in the configuration.nix), then again, pretty much access everywhere (except not for edit, but in theory could be exploited to get root access).

You could even run it in systemd-nspawn on nix (probably either using the same nixos config, or maybe using containers.nix flake, haven’t tried either). You can run nixos under nspawn on any other OS (just like you can run nixos inside docker).

Which goes to the point about security. If you run your programs on nixos, using whatever version of things you want (including older java and multiple versions of java, nix doesn’t care about dependency hell, because everything has its own path in the nix-store), then no security, other than the user the program is being run as. With nix inside containers (lxc, nspawn, OCI) then you get the same security benefit as any other confined container. With microVMs it gets even better, as the whole OS is virtualized, but you need to manage the OS inside it (well, technically in containers you’d have to manage the OS too, unless you ripped out all the OS parts and keep the run dependencies only in your containers).

But microVMs are not nix specific (as mentioned, I’m playing with opennebula to try to get any microvm working), but with nix, it’s relatively easy to launch a nixos microvm (compared to deploying the ON stack, which requires that you have vlans configured on your NIC from what I’m reading).

Depends. You still get all the benefits of generations and with nixos as the host system, you can get into things like nixops and other flakes, like containers.nix and microvm.nix mentioned before. It would still be a minimal configuration. But the point of nixos as I see it is being able to get rid of all the system states (“cruft”) that builds up and having easily reproducible builds (because keeping things immutable helps with that, although immutability in nix is something you have to deal with yourself, it’s not the default - check the links I posted in my previous message about root of zfs and root on tmpfs). The immutability is mostly what I seek in nix, but because nixos is such an easily configurable system, I just stick with it, as opposed to trying to learn microOS or silverblue (which I couldn’t figure out).

Yes.

Or microvms, but the managing is still there. It just changes from docker build files to nix configs (be them nixos or just plain nix). By the way, you can run nix (the package manager and most of the flakes) within another OS, like arch, or even macOS. But I really like NixOS, since everything just goes in one place and don’t have to manage both nix and another OS and package manager.

Everything you do in nix is declarative. Otherwise, you’re doing it wrong (or you’re running something that hasn’t been added to the nix repo yet). It should be easier in nix, because you just pin the version. If you don’t know how nixos works, the next link will be confusing, but this is how the configuration.nix looks like (it’s not that hard to grasp though if you play with it for an hour).

The pinning has the sha256sum of the package homeAssistant. All nix packages are bundled under the nix-store under their sha256sum directory. Here’s an example of htop 3.2.2

$ ls -lh /run/current-system/sw/bin/htop
lrwxrwxrwx 1 root root 63 Jan  1  1970 /run/current-system/sw/bin/htop -> /nix/store/5gjwb2mw6a42zby5swl1wl7p3manjp7g-htop-3.2.2/bin/htop

$ ls -lh /nix/store/5gjwb2mw6a42zby5swl1wl7p3manjp7g-htop-3.2.2/ 
total 8.0K
dr-xr-xr-x 2 root root 4.0K Jan  1  1970 bin
dr-xr-xr-x 6 root root 4.0K Jan  1  1970 share

Because of the way the nix-store works, dependency hell is impossible, since everything is bundled under its own path. With larger programs you’d see the lib directories there too. Everything that gets built by nix got in a “pseudo-root” underneath the sha256sum dir.

For nixos, the update process is just nixos-rebuild switch and the rollback is nixos-rebuild --rollback switch. You can also reboot and pick the generation in your bootloader (grub, systemd-boot, zfs-boot-menu, many are supported) and then manually remove the newer generation.

If you just scp your previous config file, you’ll be up and running with nixos in a minute (given fast download speeds). You could do a shell script for arch to configure the disk as minimal as possible, configure your user accounts and other preferences, but that would take more time than writing a configuration.nix file. Still, both systems could be revived in less than 5 minutes if you have everything prepared beforehand (when I changed my 2nd pi to nixos, all I had to do was copy the nixos config file and edit the hostname and IP address and everything came up just like the 1st one, took me like 10 minutes, because I had to write the SD card with nix, which was painfully slow).

I disagree about being more complicated. It’s just a different paradigm. It is slightly difficult to remove your muscle memory you build with something like arch or gentoo (or other minimal systems), but it isn’t particularly hard, takes like a day or two once you start editing your first configuration.nix file.

Yes.

This would only apply if you run an OS that never gets updated, like say RHEL 6.10 or CentOS 7.9, until the hardware kicks the bucket. If you update your system and something goes wrong, then you have to go through the painful process of reinstalling and reconfiguring, or to reimage a large backup (like say a clonezilla .img file), or running ReaR to recover your previous system state.

With NixOS, besides OS updates borking the system being impossible, assuming that your storage disk dies, all you have to do is boot a NixOS live boot (like any other distro), format the disk and mount the partitions (like any other distro), but then only have to run nixos-generate-config --root /mnt, transfer the configuration.nix (or more configs.nix if you split the main config) and overwrite everything but the hardware.nix generated file, run the nixos-install, reboot and you’re done.

Just that easy. With any OS, if you get new hardware, reimaging doesn’t always work, so it’s better to just install fresh anyway and then recover everything from backup. With nix, you don’t have to worry about your OS kicking the bucket and you don’t have to spend countless hours again configuring your programs, because everything you have backed up is all you need to get the system back up and running in minutes.

NixOS by design is more stable than Debian and almost as bleeding edge as Arch. If you use the unstable branch (which is just the latest packages versions, like debian unstable) you just get everything at the latest. And there is no dependency hell or anything that can cause trouble.

I mentioned before I had trouble with arch in the past borking itself without even using the AUR and updating and rebooting frequently. I am glad that may not be an issue you encountered, but I personally don’t want to go through something like that again. Thankfully all the distros I’ve used were rock solid (despite some being actually rolling release).

For your container managing hell, there might be this project which might serve you better.

I haven’t tried it myself just yet, but it’s on my radar. It’s based on nixos and not-os and it’s specialized in running lxc. But then you also get back into learning how to manage things with osctld instead of docker, so the pain points are still there. Probably NixOS with docker as a first, then NixOS inside docker / lxc / nspawn later would be what you’re looking for, to avoid having to painstakingly rebuild old containers.

Personally, I found LXD to be the least hard to learn (I eventually delved into docker and podman, but not that far in and I still preferred LXD), but I don’t like the takeover of the project. Waiting for Incus to show up and hoping it can save the day for me (and it’s also being made to be easily portable to other distros too).

Anyway, good luck and feel free to ask me more.

The problem with people like Chris Titus is they have quit their job and rely fully on Youtube. This means they have to make a lot videos to make a living. Since you can’t continue making videos about just 1 distro, the best according to you, you make videos about a lot of them. For him this also means Windows.
This means one day distro A is the best and now my daily driver, tomorrow it is distro B, then Windows again then C where he bashes Windows. He jumps all over the place.
Just read the website of a distro, enter the forum, the wiki if they have one, and if it looks good then download a live version and try it out, see what works, what not, is it easy to get the programs you need/want. Don’t let looks get the better of you, this can all be changed. If it still looks good, backup the data on your harddisk and go for it, install the distro and have fun. No matter what people like Titus say, if it works for you it is a good distro.