I mean, it’s like a fucking drug. The learning curve is steep AF but past some point, when it starts making sense, it’s just incredible. I’m currently moving my whole setup to NixOS and I’m in love.
Even when using it in a basic way, I think it has one very tangible advantage: the fact that you can “compartmentalize” different aspects of your configuration.
Let’s say I set up a specific web service that I want to put behind a reverse proxy, and it uses a specific folder that doesn’t exist yet, like Navidrome which is a web-based audio player. It requires a set of adjustments of different system parts. My nix file for it looks like this:
```nix
{ config, ... }:
let
  domain = "music." + toString config.networking.domain;
in
{
  services.navidrome = {
    enable = true;
    settings = {
      # Listen on loopback only; nginx is the public entry point
      Address = "127.0.0.1";
      Port = 4533;
      MusicFolder = "/srv/music";
      BaseUrl = "https://" + domain;
      EnableSharing = true;
      Prometheus.Enabled = true;
      LogLevel = "debug";
      # Accept reverse-proxy authentication only from localhost
      ReverseProxyWhitelist = "127.0.0.1/32";
    };
  };

  # The upstream follows the Port setting above
  services.nginx = {
    upstreams = {
      navidrome = {
        servers = {
          "127.0.0.1:${toString config.services.navidrome.settings.Port}" = {};
        };
      };
    };
  };

  services.nginx.virtualHosts."${domain}" = {
    onlySSL = true;
    useACMEHost = config.networking.domain;
    extraConfig = ''
      include ${./authelia/server.conf};
    '';
    locations."/" = {
      proxyPass = "http://navidrome";
      recommendedProxySettings = false;
      extraConfig = ''
        include ${./authelia/proxy.conf};
        include ${./authelia/location.conf};
      '';
    };
  };

  # Create the music folder if it does not exist yet
  systemd.tmpfiles.settings."navidrome-music-dir"."${toString config.services.navidrome.settings.MusicFolder}" = {
    d = {
      user = "laser";
      mode = "0755";
    };
  };

  systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/run/systemd/resolve/stub-resolv.conf"];

  # Add this subdomain to the existing certificate
  security.acme.certs."${config.networking.domain}".extraDomainNames = [ "${domain}" ];
}
```
All settings related to the service are contained in a single file. Don’t want it anymore? Comment it out from my main configuration (or wherever it’s imported from) and most traces of it are gone, the exception being the folder that was created using systemd.tmpfiles. No manually deleting the link from sites-available or editing the list of domains for my certificate. The next generation will look like the service never existed.

And in my configuration, at least the port could be changed and everything would still work – I guess there is room for improvement, but this does what I want pretty well.
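
Added example, not part of the original comment and not the commenter's code: the same one-file approach can also carry the security invariants the setup relies on, so the build fails if a later edit would let clients reach Navidrome without passing through nginx and Authelia. It assumes the vhost name is built as in the module above and that the whitelist should stay exactly the loopback CIDR shown there; the `cfg`, `s`, `addr`, `vhost` and `loopback` names are illustrative.

```nix
{ config, lib, ... }:
let
  cfg = config.services.navidrome;
  s = cfg.settings;
  # Assumption: same domain construction as in the comment's module.
  domain = "music." + toString config.networking.domain;
  vhost = config.services.nginx.virtualHosts.${domain} or null;
  addr = s.Address or "";
  loopback = [ "127.0.0.1" "::1" "localhost" ];
in
{
  # lib.optionals: nothing is checked once the service is disabled or removed.
  assertions = lib.optionals cfg.enable [
    {
      # A non-loopback listener can be reached without going through the proxy.
      assertion = builtins.elem addr loopback;
      message = "navidrome: settings.Address is '${addr}'; keep it on loopback so nginx is the only way in.";
    }
    {
      # Reverse-proxy authentication must only be accepted from the local nginx.
      assertion = (s.ReverseProxyWhitelist or "") == "127.0.0.1/32";
      message = "navidrome: ReverseProxyWhitelist must stay 127.0.0.1/32.";
    }
    {
      # The public vhost has to exist and must not serve plain HTTP.
      assertion = vhost != null && (vhost.onlySSL || vhost.forceSSL);
      message = "navidrome: no TLS-only nginx virtualHost found for ${domain}.";
    }
  ];
}
```

Imported next to the service module, a failed assertion aborts `nixos-rebuild` during evaluation with the message shown, before any new generation is built.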