Rendered at 08:25:32 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
arikrahman 1 days ago [-]
What's most amazing is how easy it is to switch kernels on NixOS as this article touched on. This prompted me to switch to Cachy kernels, and after some caching delay (apparently need to switch once before caches set) I was able to take advantage of a completely different OS's core strength. Truly the one OS to rule them all.
bilkow 1 days ago [-]
Sorry, I am a bit confused about the caching delay, which seems to suggest you can switch kernels without rebooting? That's not what the wiki suggests[0], and what even happens to running programs?
Or do you mean just changing the "default" boot to a different kernel, which in other distros would require changing the boot loader config?
If memory serves the cachyos-nix flakes sets a cache for pre-built kernels, but that cache isn't available until you rebuild. So if you want to use the cache you need to do two steps, add cachyos to your inputs, rebuild, switch the kernel, rebuild.
Then reboot to use the new kernel.
arikrahman 9 hours ago [-]
Correct, I should've worded that better for more clarity.
cwel 7 hours ago [-]
The article does not mention switching kernels. It comments on the size of the kernel + modules; and trimming down unused modules.
Of all the things to get nixpilled over, this isn't one.
craftkiller 4 days ago [-]
That's how I manage all of my virtual machines: building an ISO from a NixOS config and booting it as a virtual machine. I'm going to take some time to see what bits of this I can copy to slim down my ISOs.
One additional benefit: I build all my software from source (by disabling the nix cache) so stripping out these extra programs will not only slim down my ISOs but it will also reduce the build time.
funcDropShadow 1 days ago [-]
You could manage those VMs with https://microvm-nix.github.io/microvm.nix/ that helps with mounting the nix store read only from the host into the vm. That should save more space than trying to reduce the dependencies of the system closure of the vm.
khuedoan 4 days ago [-]
Curious bout your use case for building all software from source, is it because you're worried about the supply chain since nixpkgs builds don't have reproducibility guarantee?
craftkiller 4 days ago [-]
I was already building the vast majority of it from source because I enable CPU optimizations for the specific microarchitecture in the machine (nixpkgs.hostPlatform.gcc.arch and nixpkgs.hostPlatform.gcc.tune), so once I learned about the risk of supply chain attack on the nix cache, disabling it entirely was a pretty small change.
So far, I'd say the biggest negative (aside from the build times that I was already experiencing due to the optimizations) is that GNU savannah will temporarily IP ban you when you download too much from them. For example, building the grub that is used for the ISOs downloads like 70+ patches from GNU Savannah which frequently triggers the IP ban.
chickensong 8 hours ago [-]
> the risk of supply chain attack on the nix cache
Do you not trust hydra, the infra hosts, the people, all of it? What could be done to improve the cache's posture?
BobbyTables2 1 days ago [-]
I assume you like it more than Gentoo?
Building from stage1 with customized CFLAGS was all the rage then…
xyzzy_plugh 1 days ago [-]
> we should be able to disable shipping Nix entirely, by setting nix.enable = false.
It was at this point I began to question the entire exercise. If you don't want nix to even be installed, do you really want NixOS at all?
It would probably be much simpler to just build an image from scratch with the packages you want, composed in the way you want them, rather than contort the NixOS "UX" to produce the image you want.
isityettime 1 days ago [-]
Nah this kind of thing is pretty common for servers or little embedded computers. If you're always building the image on some other machine, there's no compelling reason to include that binary or it's dependency closure on the system.
Typically someone who goes for this indeed likes and runs "full fat" NixOS on some systems. What they want is to get really small images for some special purpose, like containers or disk images for a puny old Raspberry Pi, and build them using their usual NixOS workstation or server or whatever.
Chu4eeno 7 hours ago [-]
Well, if someone wants a less painful method just install and run buildroot instead (and if you enjoy pain use yocto and bitbake).
isityettime 6 hours ago [-]
For Nixers, this isn't painful; it's magical! :'D
One of the great joys of NixOS is that configuration of existing features is continuous with development of new features. Both are just NixOS modules. In the same way, configuring your desktop is continuous with configuring a server is continuous with preparing a netboot image for an embedded device. If you know how to configure a NixOS desktop, you also know how to prepare your own custom NixOS install media. If you want it to, Nix can cure the stomach ache HCL gives you when you write Terraform.
Nixpkgs is also the largest collection of packages in existence.¹ Anything you could want to throw into an image is likely already there.
The author of the blog post is already a Nixpkgs/NixOS contributor, too, so they might also be thinking "some of the improvements I make in shrinking dependency closures or finding deeper ways to turn off certain features are potentially upstreamable".
And even if the experiment is a wash, in exploring this kind of (ab)use of NixOS for generating tiny images, a NixOS user is also learning more about the dependency relations and other structure of the NixOS systems they're already running, which might be interesting or rewarding.
I'm not saying that as a Nix enthusiast I'd never use Buildroot or Yocto, but I understand the appeal of exploring how far NixOS can be pushed for this and how easy or hard it is to do.
While we're here we should also note that NixOS isn't really the Nix tool for this job anyway. There's a cool project called not-os² where minimization is one of the goals that has already succeeded in getting the image size down to < 50 MB.
There's also a project targeting commodity wifi routers called Liminix, which likewise takes some NixOS ideas and uses them to produce teeny-tiny images, (presumably even smaller than not-os, given many of the target devices don't include so much as 50 MB of flash).
> build an image from scratch with the packages you want
Using what? Using NixOS to configure a system is orthogonal to the system actually running the Nix binary. Nix/Nixpkgs provide well maintained package derivations and module configuration for the largest amount of software of any ecosystem. IMO it's far simpler than Yocto or Buildroot or the dozen OCI container builder ecosystems that go in and out of favor.
xyzzy_plugh 18 hours ago [-]
Using Nix of course.
My point is that if you care deeply about what is being installed in the image, size, dependencies, bloat, etc. then perhaps using the NixOS abstraction is the wrong approach. Instead of building "down" by taking things away, build "up"
bow_ 11 hours ago [-]
> My point is that if you care deeply about what is being installed in the image, size, dependencies, bloat, etc. then perhaps using the NixOS abstraction is the wrong approach. Instead of building "down" by taking things away, build "up"
Those aren't necessarily oppposing points.
NixOS is a declarative distro. It also happens to come with some defaults that, I assume, caters to the commonly expected use case (and maybe has some historical roots as well).
NixOS is not a minimal, build-from-scratch distro. It's more opinionated than e.g. Arch. For example, it ships with firewall turned on by default (https://nixos.wiki/wiki/Firewall). Another example: the default list of packages is somehow Perl, rsync, and strace (https://search.nixos.org/options?channel=26.05&query=default...). Blanking this default to an empty list is IME harmless.
The declarative nature is probably the subtext the author is trying to convey: what are the things one can do to disable these defaults, to reach a very minimal system (ISO really) that one can then build as one wishes.
nh2 11 hours ago [-]
Seems to me that such boolean flags do not force you to think about "building up" or "building down". You just declare what _is_. Who cares what the default is? When you're building a minimal thing, changing some defaults is fine.
xyzzy_plugh 4 hours ago [-]
As your sibling points out, it's not just about boolean flags: it's about the abstraction, which is opinionated.
I posit that it is perhaps more laborious to untangle those abstractions than to just write your own.
It's like improving the lighting in your house by going to the breaker panel and flipping breakers and splicing extension cables that you run up your stairs and down your halls.
whateveracct 5 hours ago [-]
Yes? Because NixOS is configured by Nix code. But the user of the image itself doesn't need to run `nix`
brianjlogan 9 hours ago [-]
Pretty common method these days to build something just for the task at hand and consider deployment immutable requiring a new build of the ISO.
It's unfortunate that Perl and Python are core deps, as well as Bash
nh2 11 hours ago [-]
Note that's somewhat out of date:
> `bin/switch-to-configuration` is a Perl script from the beginning
Since NixOS 24.11 the default is `switch-to-configuration-ng`, in Rust. That is a 2.8 MB binary, compared to NixOS's 55 MB Perl distribution. Thus such Perl-less systems shrunk that dependency by 20x regarding activation switching.
Hey, thanks, nice adventure! I will have a look. I'm trying to ditch Arch for NixOS and I'm starting from Distrobox probably. Super useful!
HardwareLust 10 hours ago [-]
Why ditch Arch?
lordkrandel 2 hours ago [-]
Mainly because I favor NixOS's idea of control over the system, and because Arch is getting too popular (steamos, omarchy), making it a target. The recent AUR plague is actually a symptom, to me.
whazor 3 hours ago [-]
I wonder if it makes sense to create distroless containers like this.
siraben 10 hours ago [-]
I got a bootable NixOS iso down to 91 MB. Pointed Claude at the Nixpkgs repo and asked it to strip things aggressively and inspect the build closure iteratively.
I miss tomsrtbt and all the other single floppy distros, it was surprisingly complete for 1.44MB (including networking, with more protocols than the average browser, and text editors): https://web.archive.org/web/19990506100919/http://www.toms.n... (mulinux iirc boasted about having 100 commands or something like that)
overtone1000 10 hours ago [-]
It's always fun to see an interrobang in the wild.
Or do you mean just changing the "default" boot to a different kernel, which in other distros would require changing the boot loader config?
[0] https://nixos.wiki/wiki/Linux_kernel
Then reboot to use the new kernel.
Of all the things to get nixpilled over, this isn't one.
One additional benefit: I build all my software from source (by disabling the nix cache) so stripping out these extra programs will not only slim down my ISOs but it will also reduce the build time.
So far, I'd say the biggest negative (aside from the build times that I was already experiencing due to the optimizations) is that GNU savannah will temporarily IP ban you when you download too much from them. For example, building the grub that is used for the ISOs downloads like 70+ patches from GNU Savannah which frequently triggers the IP ban.
Do you not trust hydra, the infra hosts, the people, all of it? What could be done to improve the cache's posture?
Building from stage1 with customized CFLAGS was all the rage then…
It was at this point I began to question the entire exercise. If you don't want nix to even be installed, do you really want NixOS at all?
It would probably be much simpler to just build an image from scratch with the packages you want, composed in the way you want them, rather than contort the NixOS "UX" to produce the image you want.
Typically someone who goes for this indeed likes and runs "full fat" NixOS on some systems. What they want is to get really small images for some special purpose, like containers or disk images for a puny old Raspberry Pi, and build them using their usual NixOS workstation or server or whatever.
One of the great joys of NixOS is that configuration of existing features is continuous with development of new features. Both are just NixOS modules. In the same way, configuring your desktop is continuous with configuring a server is continuous with preparing a netboot image for an embedded device. If you know how to configure a NixOS desktop, you also know how to prepare your own custom NixOS install media. If you want it to, Nix can cure the stomach ache HCL gives you when you write Terraform.
Nixpkgs is also the largest collection of packages in existence.¹ Anything you could want to throw into an image is likely already there.
The author of the blog post is already a Nixpkgs/NixOS contributor, too, so they might also be thinking "some of the improvements I make in shrinking dependency closures or finding deeper ways to turn off certain features are potentially upstreamable".
And even if the experiment is a wash, in exploring this kind of (ab)use of NixOS for generating tiny images, a NixOS user is also learning more about the dependency relations and other structure of the NixOS systems they're already running, which might be interesting or rewarding.
I'm not saying that as a Nix enthusiast I'd never use Buildroot or Yocto, but I understand the appeal of exploring how far NixOS can be pushed for this and how easy or hard it is to do.
While we're here we should also note that NixOS isn't really the Nix tool for this job anyway. There's a cool project called not-os² where minimization is one of the goals that has already succeeded in getting the image size down to < 50 MB.
There's also a project targeting commodity wifi routers called Liminix, which likewise takes some NixOS ideas and uses them to produce teeny-tiny images, (presumably even smaller than not-os, given many of the target devices don't include so much as 50 MB of flash).
--
1: https://repology.org/repositories/statistics/nonunique
2: https://github.com/cleverca22/not-os
3: https://www.liminix.org/
Using what? Using NixOS to configure a system is orthogonal to the system actually running the Nix binary. Nix/Nixpkgs provide well maintained package derivations and module configuration for the largest amount of software of any ecosystem. IMO it's far simpler than Yocto or Buildroot or the dozen OCI container builder ecosystems that go in and out of favor.
My point is that if you care deeply about what is being installed in the image, size, dependencies, bloat, etc. then perhaps using the NixOS abstraction is the wrong approach. Instead of building "down" by taking things away, build "up"
Those aren't necessarily oppposing points.
NixOS is a declarative distro. It also happens to come with some defaults that, I assume, caters to the commonly expected use case (and maybe has some historical roots as well).
NixOS is not a minimal, build-from-scratch distro. It's more opinionated than e.g. Arch. For example, it ships with firewall turned on by default (https://nixos.wiki/wiki/Firewall). Another example: the default list of packages is somehow Perl, rsync, and strace (https://search.nixos.org/options?channel=26.05&query=default...). Blanking this default to an empty list is IME harmless.
The declarative nature is probably the subtext the author is trying to convey: what are the things one can do to disable these defaults, to reach a very minimal system (ISO really) that one can then build as one wishes.
I posit that it is perhaps more laborious to untangle those abstractions than to just write your own.
It's like improving the lighting in your house by going to the breaker panel and flipping breakers and splicing extension cables that you run up your stairs and down your halls.
Here's another good article on the topic
It's unfortunate that Perl and Python are core deps, as well as Bash
> `bin/switch-to-configuration` is a Perl script from the beginning
Since NixOS 24.11 the default is `switch-to-configuration-ng`, in Rust. That is a 2.8 MB binary, compared to NixOS's 55 MB Perl distribution. Thus such Perl-less systems shrunk that dependency by 20x regarding activation switching.
And since NixOS 25.11, `nixos-rebuild-ng` in Python replaces its former Perl counterpart, see https://wiki.nixos.org/wiki/Nixos-rebuild
But the resulting ISO:
- has no network
- can't switch configurations
- doesn't have a text editor
https://gist.github.com/siraben/a8fce9912891d85e1ec3cf74081b...