Question for NixOS users — Do you put things in containers for isolation or not worry about it? Thinking mainly about services — stuff like mastodon, postgres, miniflux, etc.
@kyles There is an excellent blog post by @cadey I've been using as security guidance for the system I set up recently and just went with separate user accounts for each service https://xeiaso.net/blog/paranoid-nixos-2021-07-18
@easyas314159 @kyles pro mastodon tip! If you use the tag #nixos more people will see it! There's no algorithmic boosting, just people like me stalking the hashtag every so often.
@kyles I definitely do not
Containers are a fancy combination of multiple kernel namespaces features, e.g. process namespace, mount namespace, etc, etc.
systemd is able to do similar things, but focused on what I need: locking down the attack surface.
type `systemd-analyze security`
not everything is perfect, but what I want is to reduce the scope of all these systemd units
containers do not really provide for this, not even rootless ones
@kyles (assuming you trust systemd to not introduce *more bugs* than, e.g. your favorite containerization tooling, assuming that the syscall filter features do not introduce more bugs, etc, etc. as always)
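What "reducing the scope of a systemd unit" looks like on NixOS, as an added example that is not part of the thread and not @raito's configuration: a hypothetical service `feedreader` run as its own system user with the usual systemd sandboxing directives. The workload (`python3 -m http.server` serving the state directory) is a constructed stand-in; the user name, port and state directory are assumptions.

```nix
{ config, pkgs, ... }:

{
  # One unprivileged system user per service, as suggested earlier in the thread.
  users.users.feedreader = {
    isSystemUser = true;
    group = "feedreader";
  };
  users.groups.feedreader = { };

  systemd.services.feedreader = {
    description = "Example feed reader (hardened unit)";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      # Constructed stand-in workload; a real service would point at its own binary.
      ExecStart = "${pkgs.python3}/bin/python3 -m http.server 8080 --bind ::1 --directory /var/lib/feedreader";
      User = "feedreader";
      Group = "feedreader";

      # systemd creates /var/lib/feedreader owned by the service user; it is the
      # only writable path the service sees, so cleanup is "rm -rf" of one directory.
      StateDirectory = "feedreader";
      UMask = "0077";

      # Filesystem view: read-only system, no /home, private /tmp and /dev.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Kernel interfaces the service has no business touching.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;

      # Privilege: no capabilities, no setuid escalation, no new namespaces.
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      AmbientCapabilities = "";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RemoveIPC = true;

      # Network: only IPv4/IPv6 sockets, and only to/from loopback.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      IPAddressDeny = "any";
      IPAddressAllow = [ "localhost" ];

      # Syscall filter: the service-oriented allowlist minus privileged/resource calls.
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      SystemCallErrorNumber = "EPERM";
    };
  };
}
```

After a rebuild, `systemd-analyze security feedreader.service` reports which of these directives are in effect and scores the remaining exposure; the first run of a newly hardened unit is also where you find out which directive the real workload cannot live with (runtimes with a JIT typically fail under `MemoryDenyWriteExecute`, and anything that forks helpers may need more than `@system-service`), so relax one directive at a time rather than dropping the block.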
@raito Interesting -- I was mainly thinking of containers as an easy way to keep installations isolated and easy to clean up. Delete the container; everything is gone. The file sprawl on a #NixOS system seems less of an issue since most things are in the nix store, which initially got me rethinking containers.
Namespace isolation is a part that I have yet to consider. Since you are using systemd, what are your thoughts on NixOS containers which use systemd-nspawn (https://nixos.wiki/wiki/NixOS_Containers)?
NixOS is sufficiently mad about reproducibility and rigor that "file sprawling" is close to impossible for system services; state is neatly arranged in /var/{lib,run,log,etc.}.
I do not use NixOS containers in systemd-nspawn much, as they require computing a whole NixOS system closure versus a systemd unit on my host system, plus all the network configuration (NAT, etc.).
I much prefer to run IPv6 on host and isolate using systemd.
@kyles Nevertheless, I still use systemd-nspawn when I need to do quick one-off things, which sometimes NixOS cannot support because of its super rigor requirements.
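For comparison with the unit above, the declarative NixOS container (systemd-nspawn) route that the thread refers to, as an added example and not anyone's actual setup: the container gets its own network namespace, a full NixOS closure is evaluated for it, and the host has to provide NAT. The container name, addresses, uplink interface `eth0`, `stateVersion` and bind-mount path are assumptions.

```nix
{ config, pkgs, ... }:

{
  # Host side: NAT the container's veth (NixOS names them ve-<container>) to the uplink.
  # This is the extra network configuration a host-side systemd unit does not need.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "eth0";   # assumption: the host's upstream interface
  };

  containers.feedreader = {
    autoStart = true;
    privateNetwork = true;        # separate network namespace with a veth pair
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    # Keep persistent state on a host path of your choosing; everything else
    # inside the container is rebuilt from the closure and disposable.
    bindMounts."/var/lib/feedreader" = {
      hostPath = "/var/lib/container-state/feedreader";   # assumption
      isReadOnly = false;
    };

    # This is a complete NixOS configuration: a whole system closure gets built for it.
    config = { config, pkgs, ... }: {
      system.stateVersion = "23.11";   # assumption

      services.nginx = {
        enable = true;
        virtualHosts."feedreader" = {
          root = "/var/lib/feedreader";
          listen = [ { addr = "0.0.0.0"; port = 8080; } ];
        };
      };

      networking.firewall.allowedTCPPorts = [ 8080 ];
    };
  };
}
```

On the host, `machinectl list` shows the running container and `nixos-container root-login feedreader` drops you into it; `nixos-container destroy feedreader` removes the container, leaving only the bind-mounted state directory behind. Note that nspawn isolation is namespace-based and the container's own units still run with whatever sandboxing their NixOS modules set, so the per-unit directives from the host example remain relevant inside the container as well.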
@church@social.chatsubo.cafe Heading towards the same architecture, just rethinking the need for containers.