
kyle

Question for NixOS users — Do you put things in containers for isolation or not worry about it? Thinking mainly about services — stuff like mastodon, postgres, miniflux, etc.

@kyles There is an excellent blog post by @cadey I've been using as security guidance for the system I set up recently and just went with separate user accounts for each service xeiaso.net/blog/paranoid-nixos

Xe's Blog - Paranoid NixOS Setup

@easyas314159 @kyles pro mastodon tip! If you use the tag #nixos more people will see it! There's no algorithmic boosting, just people like me stalking the hashtag every so often.

@kyles I definitely do not

Containers are a fancy combination of multiple kernel namespaces features, e.g. process namespace, mount namespace, etc, etc.

systemd is able to do similar things, but focused on what I need: locking down the attack surface.

Type `systemd-analyze security`.
Not everything is perfect, but what I want is to reduce the scope of all these systemd units.

Containers do not really provide for this, ~not even rootless ones.

@kyles (assuming you trust systemd to not introduce *more bugs* than, e.g. your favorite containerization tooling, assuming that the syscall filter features do not introduce more bugs, etc, etc. as always)
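Putting the two suggestions in this thread side by side (a dedicated user per service, as in the linked blog post, and systemd's own sandboxing instead of a container): the following NixOS module is an added example, not code from any poster or from the linked blog. The service name `miniflux`, its `ExecStart` path and the state directory are placeholders to substitute for your own service; the `serviceConfig` directives are the real systemd options described in systemd.exec(5).

```nix
# Added example (not from the thread): one service, its own user, and
# systemd sandboxing instead of a container. "miniflux" and the ExecStart
# path are placeholders; replace them with your service.
{ config, pkgs, lib, ... }:

{
  # One dedicated account per service, as the linked blog post recommends.
  users.users.miniflux = {
    isSystemUser = true;
    group = "miniflux";
  };
  users.groups.miniflux = { };

  systemd.services.miniflux = {
    description = "miniflux (sandboxed with systemd, no container)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" "postgresql.service" ];

    serviceConfig = {
      User = "miniflux";
      Group = "miniflux";
      ExecStart = "${pkgs.miniflux}/bin/miniflux";  # placeholder binary

      # Persistent state lives in /var/lib/miniflux, created and owned by
      # systemd; the rest of the filesystem is read-only or invisible.
      StateDirectory = "miniflux";
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;

      # Shrink the kernel attack surface: no privilege escalation, no
      # capabilities, no new namespaces, only the socket families needed,
      # only the generic service syscall set, no writable+executable memory.
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      RestrictNamespaces = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      SystemCallArchitectures = "native";
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      ProtectClock = true;
      ProtectHostname = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      UMask = "0077";
    };
  };
}
```

After a rebuild, `systemd-analyze security miniflux.service` prints the per-directive exposure table that the reply above refers to; directives the service genuinely needs (for example a writable path outside `StateDirectory`) are loosened one at a time rather than by dropping the whole sandbox.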

@raito Interesting -- I was mainly thinking of containers as an easy way to keep installations isolated and easy to clean up. Delete the container; everything is gone. The file sprawl on a system seems less of an issue since most things are in the nix store, which initially got me rethinking containers.

Namespace isolation is a part that I have yet to consider. Since you are using systemd, what are your thoughts on NixOS containers which use systemd-nspawn (nixos.wiki/wiki/NixOS_Containe)?

NixOS Wiki - NixOS Containers

@kyles

NixOS is sufficiently mad about reproducibility and rigor that "file sprawling" is close to impossible for system services; state is neatly arranged in /var/{lib,run,log,etc.}.

I do not use NixOS containers in systemd-nspawn much, as they require computing a whole NixOS system closure versus a systemd unit on my host system, plus all the network configuration (NAT, etc.).

I much prefer to run IPv6 on host and isolate using systemd.

@kyles Nevertheless, I still use systemd-nspawn when I need to do quick one-off things, that sometimes NixOS cannot support because of its super rigor requirements.

@kyles I put them in containers and then do wireguard from the containers to a wg instance on my router and reverse proxy out to the net if needed.
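For the other architecture in the thread (the declarative NixOS container with its own network namespace, the host-side NAT mentioned a few replies up, and a WireGuard tunnel from the container to a router as described in the post just above), this is an added example, not configuration from any poster. Every address, key path, endpoint and the `system.stateVersion` value is a placeholder; the option names (`containers.<name>`, `networking.nat`, `networking.wireguard.interfaces`, `services.miniflux`) are the real NixOS module options.

```nix
# Added example (not from the thread): a NixOS container on a private
# network, NAT on the host, and WireGuard from inside the container to a
# router. All addresses, key paths and endpoints are placeholders.
{ config, pkgs, ... }:

{
  # Host side: NAT for the container's veth pair (interface ve-<name>).
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "eth0";   # placeholder: the host's uplink interface
  };

  containers.miniflux = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "10.233.1.1";    # placeholder, host side of the veth
    localAddress = "10.233.1.2";   # placeholder, container side

    # Keep the WireGuard private key out of the Nix store: bind-mount it
    # read-only from the host instead of embedding it in the config.
    bindMounts."/run/keys/wg-miniflux.key" = {
      hostPath = "/run/keys/wg-miniflux.key";   # placeholder path on host
      isReadOnly = true;
    };

    config = { config, pkgs, ... }: {
      system.stateVersion = "23.11";   # placeholder

      # Tunnel from the container to the router. The container initiates
      # (persistentKeepalive), so no inbound port needs to be opened.
      networking.wireguard.interfaces.wg0 = {
        ips = [ "10.100.0.2/24" ];                  # placeholder tunnel address
        privateKeyFile = "/run/keys/wg-miniflux.key";
        peers = [{
          publicKey = "<router public key placeholder>";
          endpoint = "router.example.invalid:51820";   # placeholder
          allowedIPs = [ "10.100.0.0/24" ];
          persistentKeepalive = 25;
        }];
      };

      # Bind the service to the tunnel address only, so it is reachable
      # through the router's reverse proxy and not via the veth.
      services.miniflux = {
        enable = true;
        config.LISTEN_ADDR = "10.100.0.2:8080";
        adminCredentialsFile = "/run/keys/miniflux-admin";   # placeholder
      };
    };
  };
}
```

Deleting the container (`containers.miniflux` removed from the config plus `nixos-container destroy miniflux`) drops its root filesystem under /var/lib/nixos-containers, which is the "delete the container; everything is gone" property the original question was after; the veth, NAT rule and tunnel disappear with it because they are all declared in the same module.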

@church@social.chatsubo.cafe Heading towards the same architecture, just rethinking the need for containers. 🤔

@kyles Nifty, it's pretty easy. Feel free to ask questions/I have config snippets.