New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos: nixos-generate-config: document all the common things #36274
Conversation
e146864
to
03498de
Compare
# To disable the firewall altogether use the following. | ||
# | ||
# Use only inside trusted networks behind IPv4 NAT and without IPv6 | ||
# support or else bad people across the galaxy will be able to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only because the network has ipv6, does not mean your router does not block incoming connections to you IP.
And also NAT is not a firewall.
Suggestion:
Disable your firewall only in trusted networks with inbound firewalls or if your services are supposed to public on the internet.
# (Actually, not enabling this doesn't disable ALSA because ALSA is | ||
# the Linux kernel default. But you won't get access to ALSA tools | ||
# like alsamixer and your ALSA settings like volume won't get saved | ||
# and restored between reboots without enabling the above.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be shortened:
This option will add alsatools to your system and make ALSA settings such as volumes persistent across reboots.
03498de
to
0cf210e
Compare
Both nitpicks fixed. |
this file is getting huge, but i do think several the tips you recommend are good / useful |
this file is getting huge
It is, but it now documents literally everything you commonly need to know about configuring your system after reading the first 12 items of the installation chapter of the manual. All of my `configuration.nix` files (except those that I use for tests) touch all of the mentioned variables. I assume that most people read first 12 items and then start editing `configuration.nix`, so it is the most appropriate place to put all of that.
The part about `nix-env` and `allowUnfree` should still be copied to the manual (actually, to both `nix` and `nixos` manuals), but that's out of scope of this PR.
|
0cf210e
to
99e8d07
Compare
Fixed a tiny typo/OCD thing. What's holding this? While this ferments some people encounter the problem described in #17126, say "f*ck it" and drop NixOS while others unwittingly enable the PA daemon. Unless there's a problem with this I would merge this ASAP and cherry-pick to 18.03 too. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like a good bit of it and would merge most of it.
# You might want to enable this if you run a minimalistic desktop | ||
# environment or work from bare linux ttys/framebuffers. | ||
|
||
# sound.mediaKeys.enable = true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think removing this section about mediakeys would make it easier to merge, since mediakeys being an option is a bit contentious.
# (You might need to merge this line with the above mention of | ||
# environment.systemPackages as you can't assign the same attribute | ||
# multiple times in a single nix attribute set.) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should probably drop this previous section, because the section about enabling sound explains it well enough I think.
# networking.hostName = "nixos"; | ||
|
||
# Enable wireless support via wpa_supplicant. | ||
# networking.wireless.enable = true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
|
||
# Select internationalisation properties. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these newlines confuse it, where without the newline it is clearly tied to the section.
# environment.systemPackages = with pkgs; [ | ||
# wget vim | ||
# ]; | ||
|
||
# To search by name, run: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"To search packages"
# | ||
# into your ~/.config/nixpkgs/config.nix file. | ||
# | ||
# Finally, note that if you don't use nixos channels, you can still use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the NixOS channels
# Finally, note that if you don't use nixos channels, you can still use | ||
# nix-env by running it directly from the nixpkgs tree like so | ||
# | ||
# \$ nix-env -f ./default.nix -qaP | grep wget |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-qaP '.*wget.*'
# Some programs need SUID wrappers, can be configured further or are | ||
# started in user sessions. | ||
# started in user sessions. Those usually can be configured with | ||
# options under programs.<name> subtree. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe add See man configuration.nix.
# Use only inside trusted networks behind another firewall or else | ||
# bad people across the galaxy will be able to access any ports you | ||
# leave open. | ||
# |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably a bit much :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't say it was completely worthless, just a bit much.
# Enable the X11 windowing system. | ||
|
||
# services.xserver.enable = true; | ||
# services.xserver.layout = "us"; | ||
# services.xserver.xkbOptions = "eurosign:e"; | ||
|
||
# Enable touchpad support. | ||
# services.xserver.libinput.enable = true; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think all of the changes following here should probably be in the wiki instead.
I think these newlines confuse it, where without the newline it is clearly tied to the section.
Ok, fixed everywhere. It now groups things with an empty comment line.
"To search packages"
Fixed.
List of packages for the system profile, by attribute name.
Fixed.
`-qaP '.*wget.*'`
Fixed everywhere.
the NixOS channels
Fixed.
Maybe add `See man configuration.nix.`
Done.
Probably a bit much :)
It's not. See https://www.youtube.com/watch?v=yBA6u5IsXyc
I think removing this section about mediakeys would make it easier to merge, since mediakeys being an option is a bit contentious.
IIRC the contention was "I run X11, my WM does this, I don't want this, please remove it". Since it's not enabled by default I don't think it's a valid argument.
Anyway, I moved that doc to the mediaKeys docstring and made into a tiny note. This way it should make the thing much less contentious, I hope. If you think it's still too much, I'm ok with removing it, but I think it's useful to keep it.
Should probably drop this previous section, because the section about enabling sound explains it well enough I think.
I disagree, grepping the whole of nixpkgs for `apulse` gives no results that explain how and when to use it except this. Since Mozilla keeps pushing people to PA I think it's only fair to inform people that they can work around it with a single line of config.
Anyway, I rewrote that part to be shorter.
I think all of the changes following here should probably be in the wiki instead.
I disagree.
I think the default `configuration.nix` should include everything you need to set to reboot into the new configuration and see properly working X11 desktop (including acceleration) with your favorite apps. So allowUnfree, GPU and desktop stuff is essential.
The network user account thing is more contentious, I agree. Note, however, that NixOS already does exactly this for system (as opposed to user) services (hence, another reason to distrust PA, just sayin') and that is not considered contentious for some reason (I suppose, because it requires zero configuration). However, I think it's essential to inform as many users as possible of the easiness of doing things this way. Many security-oriented sites recommend installing software that manages your keys/wallets onto your Android phone (seriously, Android phone!) instead of your desktop because Android does separate users for different apps by default. This makes me mad (because they recommend keeping secrets on a device that almost never updates it's kernel), twice so since they are essentially correct that it still gives more security than your average Linux install (because of the above), trice so since it's super easy to fix on OSes with declarative configs like NixOS. Which is why I wrote this part in the first place.
Anyway, I moved the `stateVersion` thing to the top, and added "you can ignore all of this" note before the thing to make it less contentious. I think it should stay. (Actually, I hope to eventually add notes on QubesOS-like setups there too, when NixOS accepts patches required to do that.)
Also, I think the wiki is either dead or should be dead and everything should be greppable directly in the repo. Also, related, I hate that most code in nixpkgs refers to manual pages via nixos.org URLs instead of just pointing to the text files in the repo itself. This is crazy, but it is understandable, because those files are in unreadable docbook format. The only thing that prevents "you only need to clone nixpkgs and you get everything" utopia is docbook. But that's outside of the scope of this PR.
Anyway, see the new patch. Will squash if all is ok.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't speak to the docbook, but nixos.wiki is a happy and healthy source of pretty high quality information now, thanks to fadenb, lassalus, makefu, mic92, samueldr, and many many others. The risk of putting too much in this file is it is never updated again, making it drift further and further away from reality. I like the idea of putting more information here, but want it to lead to updatable sources.
# servers. You should change this only after NixOS release notes say you | ||
# should. | ||
system.stateVersion = "${\(qw(@release@))}"; # Did you read the comment? | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👎 it shouldn't be near the top if they shouldn't touch it.
# List packages installed in system profile. To search by name, run: | ||
# \$ nix-env -qaP | grep wget | ||
# List of packages installed in system profile (by attribute name). | ||
# |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
# still use nix-env by running it directly from the nixpkgs tree like so | ||
# | ||
# \$ nix-env -f . -qaP '.*wget.*' | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given that the whole point of not showing unfree software by default is to not promote the use of unfree software, adding detailed instructions to the default configuration.nix is questionable IMHO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@edolstra Well, it is half of the point — the other half is that we have too many different evaluation contexts to ever be sure that allowUnfree
is not silently true in one of them.
(I do personally agree with the point you make, although I value the fail-safe part more and I am not sure if people stopping opening issues like #17126 is worth documenting this in more places)
# started in user sessions. | ||
# started in user sessions. Those usually can be configured with | ||
# options under programs.<name> subtree. See configuration.nix(5) | ||
# man page. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
# Use only inside trusted networks behind another firewall or else | ||
# bad people across the galaxy will be able to access any ports you | ||
# leave open. | ||
# |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't say it was completely worthless, just a bit much.
# Note that you don't need to enable PulseAudio daemon to get either | ||
# of sound playback or software sound mixing. It will out of the box | ||
# over ALSA. If you do want to run PulseAudio daemon, however, you | ||
# may safely disable `sound.enable`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about "you may set `sound.enable` to `false`."
?
# quality to be connected to untrusted data sources like the browser | ||
# by default). | ||
# | ||
# environment.systemPackages = [ pkgs.apulse ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👎 but would accept For more information, see nixos.wiki/something-about-sound...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why refer to a wiki here? I agree with @oxij: this is unlikely to change for a long time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think "some people claim"-type information belongs here. I too would prefer a link to a deeper dive.
# }; | ||
|
||
# If you're in a hurry, you may stop editing your configuration.nix now | ||
# and completely ignore everything below. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👎 this file will be immediately out of date because nothing can update it. We shouldn't be talking about best practices or general techniques. This belongs in other documentation elsewhere. The parts about unfree software are universally true. The remainder of this should definitely not be in this config file, but instead in the documentation or wiki.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, this is the main problem with this PR. It's fine to install a small configuration.nix with some options to get people started, but it should not duplicate the manual or try to cover a gazillion use cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, experimental evidence shows that not enough people read the manual anyway…
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to removing the following. Using a separate user to run e.g. firefox sounds like a great idea, but the boilerplate in configuration.nix is not the soapbox from which to broadcast this position. People approaching this file for the first time just want to get NixOS running, which already has enough mind-blowing paradigm shifts to absorb.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree, 👎 on the somewhat niche and cumbersome desktop-only per-software user approach here. It would be better to a link to general information about running NixOS on the desktop with a section on per-software users.
# services.xserver.displayManager.sddm.enable = true; | ||
# services.xserver.desktopManager.plasma5.enable = true; | ||
|
||
# Or maybe you want to enable Xfce Desktop Environment and Slim |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👎 on the addition of xfce / slim and the following, they'll need to find the full list of options somehow, and this file isn't in the business of describing every use case. We should be teaching them to fish here.
# services.xserver.displayManager.sddm.enable = true; | ||
# services.xserver.desktopManager.plasma5.enable = true; | ||
# Enable graphical acceleration for NVIDIA GPUs (requires unfree | ||
# packages, see above). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👎 this information is too likely to get out of date, and really can't cover all the important cases. This should lead to external documentation.
I can't speak to the docbook, but nixos.wiki is a happy and healthy source of pretty high quality information now, thanks to fadenb, lassalus, makefu, mic92, samueldr, and many many others.
While I appreciate the work, I don't like the idea. I think we already had a wiki before and saw what that turned itself into. The problem with wikis tied to software projects is that after initial wave of enthusiasm they get out of sync with the code even faster than the documentation that ships with the code.
Ask yourself. Your last ten nixpkgs problems. How many solutions to them were on the wiki? Somewhere else on the web? In GitHub issues? In the `git log`? I usually start by grepping the repo, the git log, and GitHub issues (I archive and index all of them, so searching them is easy) (in parallel with a simple script), 99.9% of the time I find the solution before the web browser window appears on my screen.
My point is that we should point users to places developers update directly, because that's where all the fish is. Unless nixos.wiki becomes a submodule of nixpkgs I will not touch it. (But if it becomes a submodule then I would ask why can't we just rewrite all nixpkgs documentation in a saner format and just assimilate the wiki up.)
In short, I think documentation related to nixpkgs usage should be in the nixpkgs repo itself, updatable simultaneously with the code, and browsable with just `grep`, `cat` and `git log`.
Arch and Gentoo Linux wikis and StackOverflow are, IMHO, nice examples of how things get outdated fast. Every singe topic I know anything about usually has a bunch of outdated info in the most prominent places of the articles/answers.
Philosophically, what I think is needed here are not wikis, but proper upstream documentation that is compiled into a typechecked hypertext. Bear with me for a second.
Imagine a world where all the documentation is written in `org-mode` format. The beauty of it is that not only it's easy to read and write, but it's also easy to parse (line-based) and it can be compiled to all the common formats like HTML or texinfo (I once wrote `wiki->HTML` converter in three pages `sed`, just for fun, org-mode is even simpler), and it supports references by GUIDs and a set of org-mode files can be checked for broken links automagically.
Now imagine that all upstream packages have proper documentation in said org-mode format. Now, not only can you refer directly to any piece of their documentation, but you can also build your own documentation by linking and including pieces of documentation from upstream projects and that could be compile-time checked.
I.e. imagine NixOS manual having something like
```org
* Setting up sound
** ALSA {{INCLUDESUBTREE|${pkgs.alsaLib}/share/doc/alsa/index.org}}
** JACK {{INCLUDESUBTREE|${pkgs.jackd}/share/doc/jack/index.org}}
** PulseAudio {{INCLUDESUBTREE|${pkgs.pulseaudio}/share/doc/pulseaudio/index.org}}
```
or
```org
* Setting up sound
** ALSA {{INCLUDESUBTREEBYID|ca45533c-1e07-413c-8a87-8b4d1e4cade3}}
** JACK {{INCLUDESUBTREEBYID|...}}
** PulseAudio {{INCLUDESUBTREEBYID|...}}
```
(`{{}}` are macros, nice names for them are up to debate) and the documentation build would then just check those links and fail if something gets out of sync.
But since the human race is not yet ready for this alien technology I prefer to put everything into a single repo and generate all kinds of usable documentation formats from it (not just HTML, see #11499).
(Also note that I didn't mention SLNOS even once in the above :])
The risk of putting too much in this file is it is never updated again, making it drift further and further away from reality. I like the idea of putting _more_ information here, but want it to lead to updatable sources.
Then how about adding "review `nixos-generate-config`" to the release checklist. You do have release checklist, right?
I didn't say it was completely worthless, just a bit much.
Please elaborate what exactly is your problem here. The "galaxy"? How would you write it?
+ # Note that you don't need to enable PulseAudio daemon to get either
+ # of sound playback or software sound mixing. It will out of the box
+ # over ALSA. If you do want to run PulseAudio daemon, however, you
+ # may safely disable `sound.enable`.
+
+ # Also note that you can emulate PulseAudio API over ALSA for apps
+ # that refuse to work over ALSA themselves by running them under
+ # apulse. This way you can run one daemon less which benefits your
+ # security (some people claim that PulseAudio codebase lacks in
+ # quality to be connected to untrusted data sources like the browser
+ # by default).
+ #
+ # environment.systemPackages = [ pkgs.apulse ];
👎 but would accept `For more information, see nixos.wiki/something-about-sound...`
I don't understand which part you disagree with. Do you want me to stop mentioning `apulse`? Do you want me to stop informing users that, contrary to a common misconception, they probably don't even need to run PulseAudio daemon to get all the features they want. Both? (I'm not trolling, I honestly don't understand the argument.)
See above about the wiki.
👎 it shouldn't be near the top if they shouldn't touch it.
Ok, will fix.
👎 this file will be immediately out of date because nothing can update it.
Eh? "nothing can update it"? What?
If you mean keeping it in sync, then we can add some more markup to the file and the add some nixos tests that would check that different combinations of uncommented options evaluate or whatever.
We shouldn't be talking about best practices or general techniques. This belongs in other documentation elsewhere. The parts about unfree software are universally true. The remainder of this should definitely not be in this config file, but instead in the documentation or wiki.
See above about the wiki.
However, on this and the rest of your 👎s, I do see you point. I now see that, indeed, this is not the best place to present a bunch of stuff that gets updated frequently, GPU and DE stuff should be moved to the `configuration.nix(5)` manual and only pointers should be left here.
However, I feel that this argument does not apply to PA stuff above. Because that piece tries to resolve a common misconception born out of suckiness of ALSA documentation. Until ALSA gets a proper documentation we can refer to directly I would like the above piece about PA to stay there.
At the very least I want it to mention that you don't need PA for most sane things and refer to apulse for insane things. I'm ok with moving the snarky comments into the docstring for `apulse` package and halving the space it takes. Will that be agreeable?
|
Once this file is generated, it is installed as |
For the record: it turned out that a MediaWiki with an open registration requires either too much skill or too much effort to prevent from becoming a spam dump (with spam even overwriting content). Nixos.Wiki seems to hope that a unique CAPTCHA will delay this problem, and in the worst case GitHub login can be made the only option. |
@7c6f434c you are only partly right. The first step to fight spam obviously is a technical measure (captchas), however the new wiki is watched over closely by by a number of volunteers. There is a wiki-update bot in Some time ago someone asked how the archlinux wiki can stay such a wealthy resource and the answer was simple, there were people who cared. Now that the wiki is lead by a number of people and not a single person i think we can do something similar for the nixos community. If you would like to help the effort you can join |
@makefu well, you still need technical foundation to match — I mean, at some point I tried to roll back a spam attack on the old NixOS MediaWiki and suddenly understood that I just cannot understand how to untangle this sequence of history-masking-redirection-tricks. Some people did try to care, it just turned out that the people who cared at any given moment didn't have a combination of skill (and maybe MediaWiki access level?) to maintain defense efficiently. Of course I do not deny the main effort of the team — creating and maintaining high-quality content. I just say that you have enough technical options to guarantee avoidance of the despair event horizon that the old wiki had. (As for me, I am a person who can entertain people by describing how non-trivially my system is configured, and how it is not fully NixOS — so I can help people debug via IRC, but writing useful Wiki content without immediate feedback would be hard) |
# or | ||
# services.xserver.videoDrivers = [ "nvidiaLegacy304" ]; | ||
# or | ||
# services.xserver.videoDrivers = [ "nvidiaLegacy173" ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All of this should be detected automatically and emitted in hardware-configuration.nix
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right. As discussed above.
# # but you probably don't want to give it direct DRI access | ||
# # since OpenGL video drivers are pretty buggy and giving DRI | ||
# # access to WebGL might not be the best of ideas. | ||
# # ++ [ "video" ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This instruction should be absolutely unnecessary: logged-in users should automatically have access to sound and video devices via loginctl / udev rules. If not, that's a bug that should be fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And how not to give DRI access to a user even when logged in?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should automatically have access to sound and video devices via loginctl / udev rules
So you have a machine with a bunch of ssh accounts shared by a whole organization. Everyone should have access to sound and video devices by default? What about the "input" group that allows you to emulate key presses on evdev devices? I absolutely disagree.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@oxij in that case the loginctl/udev rules would definitely need adjusting. Only logging in on the console should give you these permissions.
# umask 077 | ||
# | ||
# into your ~/.xsession file. You should probably put the above | ||
# xhost line there too. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This absolutely does not belong in configuration.nix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As noted above (#36274 (comment)), I disagree, but fine, if we leave the user setup and then point to the manual for the rest, I would be ok with that.
882be98
to
16ea319
Compare
16ea319
to
d69db85
Compare
Updated. Most frequently changing things are now gone to the configuration.nix(5). I left some of the DE setup in because xfce and slim are the most stable pieces of DE software ever, they are not going to change frequently (unlike Gnome and KDE). If you want to remove those lines I suggest we remove all DE setup then starting with KDE, since it's the most frequently changing thing in this config. Unfree examples use "hello-unfree" package and so they are very un-corporate now. I think I answered to all other nitpicks, feel free to reiterate if you disagree with the current state of the file. |
No attempt on aarch64-linux (full log) The following builds were skipped because they don't evaluate on aarch64-linux: hello-unfree Partial log (click to expand)
|
No attempt on x86_64-linux (full log) The following builds were skipped because they don't evaluate on x86_64-linux: hello-unfree Partial log (click to expand)
|
58993f8
to
3c61c27
Compare
No attempt on x86_64-linux (full log) The following builds were skipped because they don't evaluate on x86_64-linux: hello-unfree Partial log (click to expand)
|
No attempt on aarch64-linux (full log) The following builds were skipped because they don't evaluate on aarch64-linux: hello-unfree Partial log (click to expand)
|
3c61c27
to
ec4dad8
Compare
No attempt on aarch64-linux (full log) The following builds were skipped because they don't evaluate on aarch64-linux: hello-unfree Partial log (click to expand)
|
No attempt on x86_64-linux (full log) The following builds were skipped because they don't evaluate on x86_64-linux: hello-unfree Partial log (click to expand)
|
ec4dad8
to
9841f05
Compare
9841f05
to
8f3724a
Compare
# \$ sudo -Hiu network firefox &disown | ||
# \$ sudo -Hiu network qtox &disown | ||
# | ||
# from the account logged in into X11. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Honestly this feels like it should be a whole new option,which will add the required wrappers and sudo configurations.
Also for desktop users you should probably point to programs.firejail
# Note that you don't need to enable PulseAudio daemon to get either | ||
# of sound playback or software sound mixing. It will out of the box | ||
# over ALSA. If you do want to run PulseAudio daemon, however, you | ||
# may safely disable `sound.enable`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about "you may set `sound.enable` to `false`."
?
# quality to be connected to untrusted data sources like the browser | ||
# by default). | ||
# | ||
# environment.systemPackages = [ pkgs.apulse ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think "some people claim"-type information belongs here. I too would prefer a link to a deeper dive.
# Enable the X11 windowing system. | ||
# | ||
# services.xserver.enable = true; | ||
# services.xserver.layout = "us"; | ||
# services.xserver.xkbOptions = "eurosign:e"; | ||
|
||
# | ||
# Enable touchpad support. | ||
# services.xserver.libinput.enable = true; | ||
|
||
# Enable graphical acceleration in X11. See configuration.nix(5) man | ||
# page for possible options. | ||
# | ||
# services.xserver.videoDrivers = [ "<name-of-the-driver>" ]; | ||
|
||
# Enable support for 32-bit OpenGL libraries on x86_64 which is | ||
# useful if you want to run 32-bit OpenGL applications | ||
# | ||
# hardware.opengl.driSupport32Bit = true; | ||
# | ||
# E.g., games under Wine | ||
# | ||
# environment.systemPackages = with pkgs; [ wine winetricks ]; | ||
|
||
# Some of the X11 drivers above might not work with the current Linux | ||
# kernel, so you might end up overriding that too. | ||
# | ||
# boot.kernelPackages = pkgs.linuxPackages_4_9; | ||
|
||
# Define a user account. Don't forget to set a password with ‘passwd’. | ||
# | ||
# users.users.me = { | ||
# isNormalUser = true; | ||
# uid = 1000; | ||
# extraGroups = [ "input" "audio" "video" "cdrom" ] | ||
# ++ [ "wheel" ]; # for sudo | ||
# openssh.authorizedKeys.keyFiles = [ /etc/nixos/id_rsa.pub ]; | ||
# }; | ||
|
||
# Enable the KDE Desktop Environment. | ||
# | ||
# services.xserver.displayManager.sddm.enable = true; | ||
# services.xserver.desktopManager.plasma5.enable = true; | ||
|
||
# Define a user account. Don't forget to set a password with ‘passwd’. | ||
# users.users.guest = { | ||
# Or maybe you want to enable Xfce Desktop Environment and Slim | ||
# display manager? | ||
# | ||
# services.xserver.displayManager.slim.enable = true; | ||
# services.xserver.desktopManager.xfce.enable = true; | ||
|
||
# Or maybe you just want to automatically login into your .xsession | ||
# script? Then don't enable any desktopManagers and uncomment the | ||
# following. | ||
# | ||
# services.xserver.displayManager.auto = { | ||
# enable = true; | ||
# user = "me"; | ||
# }; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this whole section could be marked as "for desktop use only"? Move the user stuff below it though.
# # but you probably don't want to give it direct DRI access | ||
# # since OpenGL video drivers are pretty buggy and giving DRI | ||
# # access to WebGL might not be the best of ideas. | ||
# # ++ [ "video" ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@oxij in that case the loginctl/udev rules would definitely need adjusting. Only logging in on the console should give you these permissions.
# }; | ||
|
||
# If you're in a hurry, you may stop editing your configuration.nix now | ||
# and completely ignore everything below. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree, 👎 on the somewhat niche and cumbersome desktop-only per-software user approach here. It would be better to a link to general information about running NixOS on the desktop with a section on per-software users.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
There some useful bits in here that could be cherry-picked into our configuration. However given that the author is no longer working on this pull request, I will close this one. |
Motivation for this change
Combination of #17126 (comment) and #35292 (comment) got me over the edge.
Things done
Feel free to point to typos I probably missed.