[Nix-dev] 5 somewhat related questions

Matt McHenry matt at mchenryfamily.org
Sat Jun 24 21:07:27 CEST 2017


I had some of the same thoughts as Klass about nix-env vs.
/etc/nixos/configuration.nix when I started using NixOS about a year
ago.  Since all the machines I run it on are single-user, I've found
it simplest to never run nix-env, and just 'sudo emacs
/etc/nixos/pkgs-configuration.nix && sudo nixos-rebuild switch' to
install new packages.  (I've modularized my
/etc/nixos/configuration.nix.)

I keep /etc/nixos under git version control, so that I can move
between versions of the machine config independently of versions of
nixpkgs.  This also has the benefit of making it very easy to keep
configuration changes in sync between my different NixOS machines
(they all push/pull to/from each other as remote repos).

Rather than using nix-channel to manage my channels, I've instead just
relied on a clone of the nixpkgs repo.  If you do 'git remote add
channels git://github.com/NixOS/nixpkgs-channels.git', then 'git fetch
--all' will pull down channels/nixos-unstable etc. branch pointers,
and you can track them locally very easily.  'nixos-version
--revision' will report the commit hash that your currently-running
system was built from -- very handy for bisects etc.  It's also part
of the system derivation name.

Having a local nixpkgs repo lowers the barrier to contributing fixes
back into it, too.  :)

I also use the 'nox' tool to preview nixpkgs updates before applying
them.  Following is a short script that I wrote to handle it.  It
fetches the latest nixos-unstable, checks whether there's anything new
in it, and if so, uses 'nixos-rebuild build' to build (but not switch
to) it.  Then if that succeeds, it uses 'nox-update' to generate a
summary report of the differences between the current system and the
newly-built system.  This lets me know what to keep an eye on WRT
possible breakages.

The only major downside of this approach is that I have to always
remember to give '-I nixpkgs=...' arguments to all the usual nix
commands.  But that's become pretty second nature to me by now.  :)


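#!/usr/bin/env bash

# Run from the root of the local nixpkgs clone (the one with the
# 'channels' remote); the git commands and $(pwd) below rely on it.

set -o errexit
set -o nounset

git fetch --all

# Commit hash the currently running system was built from.
current=$(nixos-version --revision)

# Nothing to do if the running revision already contains the channel head.
if git merge-base --is-ancestor channels/nixos-unstable "$current"; then
    echo "current version ($current) already contains latest nixos-unstable"
    exit 0
fi

d=$(date +%Y-%m-%d-%H-%M)

wt=/home/matt/git/nixos/nixpkgs-update-$d

# Do the merge in a throwaway worktree on a new branch, starting from
# the running revision.
git worktree add -b "update-$d" "$wt" "$current"

pushd "$wt"

git merge channels/nixos-unstable -m "Merge remote-tracking branch 'channels/nixos-unstable'"

# Build the new system (./result) without switching to it.
nixos-rebuild build -I nixpkgs="$wt"

echo
echo "rebuild complete, computing changes"
echo

# Summarize the differences between the running and the newly built
# system, dropping .drv lines and the store-path hash prefixes.
nox-update --quiet /run/current-system result | \
    grep -v '\.drv : $' | \
    sed 's|^ */nix/store/[a-z0-9]*-||' | \
    sort -u > \
         "update-${d}.txt"

popd

# Keep the report, discard the worktree (the update-$d branch remains).
mv "$wt/update-$d.txt" .

rm -rf "$wt"
git worktree prune

echo
echo "to review changes:"
echo
echo "less update-$d.txt"
echo
echo "to switch to new system:"
echo
echo "git merge --ff-only update-$d"
echo "sudo nixos-rebuild boot -I nixpkgs=$(pwd)"
echo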

