NixOS
Show Patches contained in a NixOS Build
Example: OpenSSH
First obtain the path of the .drv file by passing the path to the current OpenSSH version to nix-store --deriver. Then use it to show the patches.
$ nix-store -q --deriver /nix/store/ik1hrivpiw5lkmarlzmpk8armfgpxwcf-openssh-9.7p1
$ nix-store -q --binding patches /nix/store/9n6abwsahsgzp4kwhv9z2jqq5lzfsfyn-openssh-9.7p1.drv | tr ' ' '\n' | cat
/nix/store/isik6ifcjxpw22sfh3kz37galficc78c-locale_archive.patch
/nix/store/6id7rg81nbkx9r9pxvax7nssr11xdaas-gss-serv.c.patch?id=a7509603971ce2f3282486a43bb773b1b522af83
/nix/store/ybb4xs45dkngdf3x1xnxqgzn5zmv5alf-dont_create_privsep_path.patch
/nix/store/7jbzj9s2wkbznn93ga3aqka6vfx06gjg-ssh-keysign-8.5.patch
/nix/store/19h9868xxidcxz9jal6rzchn1kf6ayb1-openssh-9.6_p1-CVE-2024-6387.patch
/nix/store/bzcv443j20xn17fm8vgwgcf9rasbbnzn-openssh-9.6_p1-chaff-logic.patch
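An added example, not part of the original notes: a small script that automates the two commands above and reports which CVE identifiers appear in the patch file names. The function names (patch_names, patch_cves, has_cve_patch, store_path_patches) are hypothetical helpers, and the sample list is a constructed subset of the output shown above.

```sh
#!/bin/sh
# Audit which patches (and CVE-named fixes) a Nix store path was built with.

# Constructed sample: part of the space-separated "patches" binding shown above.
SAMPLE_PATCHES='/nix/store/isik6ifcjxpw22sfh3kz37galficc78c-locale_archive.patch /nix/store/6id7rg81nbkx9r9pxvax7nssr11xdaas-gss-serv.c.patch?id=a7509603971ce2f3282486a43bb773b1b522af83 /nix/store/19h9868xxidcxz9jal6rzchn1kf6ayb1-openssh-9.6_p1-CVE-2024-6387.patch /nix/store/bzcv443j20xn17fm8vgwgcf9rasbbnzn-openssh-9.6_p1-chaff-logic.patch'

# Strip the /nix/store/<32-char hash>- prefix and any ?query suffix,
# printing one patch name per line.
patch_names() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -e '/^$/d' \
        -e 's|^/nix/store/[0-9a-z]\{32\}-||' -e 's|?.*$||'
}

# List the distinct CVE identifiers that appear in patch file names.
patch_cves() {
    patch_names "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if a patch named after the given CVE is in the list.
has_cve_patch() {
    patch_cves "$1" | grep -qxF "$2"
}

# Resolve a store path to its patches binding (needs nix-store and a local .drv).
store_path_patches() {
    drv=$(nix-store -q --deriver "$1") || return 1
    # nix-store prints "unknown-deriver" when no deriver is recorded;
    # the .drv file may also have been garbage-collected.
    if [ "$drv" = "unknown-deriver" ] || [ ! -e "$drv" ]; then
        echo "no usable deriver for $1" >&2
        return 1
    fi
    nix-store -q --binding patches "$drv"
}

# With an argument, audit that store path; without one, use the sample above.
if [ -n "${1:-}" ]; then
    patches=$(store_path_patches "$1") || exit 1
else
    patches=$SAMPLE_PATCHES
fi
patch_names "$patches"
echo "CVE-named patches: $(patch_cves "$patches" | tr '\n' ' ')"
```

A CVE in a patch file name is only a naming convention: fixes that arrive through a version bump never show up in patches, so an empty result does not mean the build is unpatched.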
Installing NixOS with UTM on MacOS
Download the AArch64 image. More ARM-specific information can be found on the same page.
Official installation instructions
After creating the VM in UTM and plugging the ISO in as boot image, NixOS can be installed.
Installation
Execute as root.
sudo -i
Create partitions.
parted /dev/vda -- mklabel gpt
parted /dev/vda -- mkpart primary 512MiB -1GiB
parted /dev/vda -- mkpart primary linux-swap -1GiB 100%
parted /dev/vda -- mkpart ESP fat32 1MiB 512MiB
parted /dev/vda -- set 3 esp on
Format the partitions.
mkfs.ext4 -L nixos /dev/vda1
mkswap -L swap /dev/vda2
mkfs.fat -F 32 -n boot /dev/vda3
Mount partitions and activate swap.
mount /dev/disk/by-label/nixos /mnt
mkdir -p /mnt/boot
mount /dev/disk/by-label/boot /mnt/boot
swapon /dev/vda2
Generate initial configuration file.
nixos-generate-config --root /mnt
Configuration file in /mnt/etc/nixos/configuration.nix.
{ config, pkgs, ... }:
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "nixos";
  # Pick only one of the below networking options.
  # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
  # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
  # only enable DHCP for interface enp0s8
  networking.useDHCP = false;
  networking.interfaces.enp0s8.useDHCP = true;
  time.timeZone = "Europe/Berlin";
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkbOptions in tty.
  # };
  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # Configure keymap in X11
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = {
  #   "eurosign:e";
  #   "caps:escape" # map caps to escape.
  # };
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;
  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.jane = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  #   packages = with pkgs; [
  #     firefox
  #     thunderbird
  #   ];
  # };
  users.users.mk = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # add "docker" for docker.
  };
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  # environment.systemPackages = with pkgs; [
  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
  #   wget
  # ];
  environment.systemPackages = with pkgs; [
    git
    neovim
    htop
  ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 22 ];
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.11"; # Did you read the comment?
  # settings of the blog guide dude
  # services.vscode-server.enable = true;
  # virtualisation.docker.enable = true;
  # services.openvpn.servers = {
  #   vpn = {
  #     config = "config /home/user/client.ovpn";
  #     authUserPass = {
  #       username = "REDACTED";
  #       password = "REDACTED";
  #     };
  #     autoStart = false;
  #   };
  # };
}
Then install it:
nixos-install
After configuration changes:
Build, switch to the new configuration, and make it the boot default:
nixos-rebuild switch
Apply the changes to the currently running system but don't change the boot default:
nixos-rebuild test
Only build:
nixos-rebuild build
Set profile name (shows up in boot menu)
nixos-rebuild switch -p test-name
Upgrade NixOS
Check the documentation to upgrade NixOS.
nixos-rebuild switch --upgrade
Switch channels with nix-channel. Show the current channel with
nix-channel --list
Note that channels are set per user, so you probably want to run this as root.
Garbage collection: delete all packages that are not in use.
nix-collect-garbage
Locating Binaries in Packages
nix-shell -p nix-index
# create the index
nix-index
# search for a binary
nix-locate --top-level mkfs.fat
Generating a Password with mkpasswd
The generated hashed password can be put into the file used with passwordFile = ./passwd-user.enc.
nix-shell -p mkpasswd
mkpasswd -m sha-512