{"id":1661,"date":"2025-07-11T00:07:46","date_gmt":"2025-07-11T00:07:46","guid":{"rendered":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/?p=1661"},"modified":"2025-07-11T00:22:37","modified_gmt":"2025-07-11T00:22:37","slug":"nixos-configuration-and-management","status":"publish","type":"post","link":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/?p=1661","title":{"rendered":"NixOS Configuration and Management"},"content":{"rendered":"\n<figure class=\"wp-block-audio\"><audio controls src=\"http:\/\/172-234-197-23.ip.linodeusercontent.com\/wp-content\/uploads\/2025\/07\/NixOS-Configuration-and-Management.mp3\"><\/audio><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>PODCAST: This extensive documentation outlines the <strong>NixOS operating system<\/strong>, providing a comprehensive guide for <strong>installation<\/strong>, including both graphical and manual methods, as well as instructions for <strong>virtualized environments<\/strong>. It details how to manage <strong>system services<\/strong>, covering aspects like <strong>networking configuration<\/strong>, <strong>user and group management<\/strong>, and <strong>file system setup<\/strong>, with specific instructions for various applications like <strong>PostgreSQL<\/strong>, <strong>Nextcloud<\/strong>, and <strong>GitLab<\/strong>. 
Furthermore, the text explains <strong>developer tools<\/strong> and the <strong>testing framework<\/strong>, emphasizing the <strong>declarative nature<\/strong> of NixOS for building and upgrading systems, while also offering guidance on <strong>troubleshooting<\/strong> and <strong>contributing<\/strong> to the manual itself.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-opt-id=530937318  fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"https:\/\/ml6vmqguit1n.i.optimole.com\/w:1024\/h:585\/q:mauto\/f:best\/https:\/\/172-234-197-23.ip.linodeusercontent.com\/wp-content\/uploads\/2025\/07\/image-267.png\" alt=\"\" class=\"wp-image-1663\" srcset=\"https:\/\/ml6vmqguit1n.i.optimole.com\/w:1024\/h:585\/q:mauto\/f:best\/https:\/\/172-234-197-23.ip.linodeusercontent.com\/wp-content\/uploads\/2025\/07\/image-267.png 1024w, https:\/\/ml6vmqguit1n.i.optimole.com\/w:300\/h:171\/q:mauto\/f:best\/https:\/\/172-234-197-23.ip.linodeusercontent.com\/wp-content\/uploads\/2025\/07\/image-267.png 300w, https:\/\/ml6vmqguit1n.i.optimole.com\/w:768\/h:438\/q:mauto\/f:best\/https:\/\/172-234-197-23.ip.linodeusercontent.com\/wp-content\/uploads\/2025\/07\/image-267.png 768w, https:\/\/ml6vmqguit1n.i.optimole.com\/w:1135\/h:648\/q:mauto\/f:best\/https:\/\/172-234-197-23.ip.linodeusercontent.com\/wp-content\/uploads\/2025\/07\/image-267.png 1135w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>NixOS offers two distinct approaches for managing containers: <strong>declarative container management<\/strong> and <strong>imperative container management<\/strong>. These methods differ primarily in how containers are defined, updated, and integrated with the host system.<\/p>\n\n\n\n<p>Here&#8217;s a breakdown of each approach and their differences:<\/p>\n\n\n\n<p><strong>1. 
Imperative Container Management<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Method:<\/strong> This approach uses the <code>nixos-container<\/code> command-line utility on the host.<\/li>\n\n\n\n<li><strong>Creation and Management:<\/strong> Containers are created with <code>nixos-container create &lt;name><\/code> and can be started, stopped, updated, and destroyed using commands like <code>nixos-container start &lt;name><\/code>, <code>nixos-container update &lt;name><\/code>, and <code>nixos-container destroy &lt;name><\/code>.<\/li>\n\n\n\n<li><strong>Configuration:<\/strong>\n<ul class=\"wp-block-list\">\n<li>When created, an imperative container gets its root directory in <code>\/var\/lib\/nixos-containers\/&lt;name><\/code> and a configuration file in <code>\/etc\/nixos-containers\/&lt;name>.conf<\/code>.<\/li>\n\n\n\n<li>Its initial system configuration is stored at <code>\/nix\/var\/nix\/profiles\/per-container\/&lt;name>\/system<\/code>.<\/li>\n\n\n\n<li>Configuration changes can be made by editing <code>\/var\/lib\/nixos-containers\/&lt;name>\/etc\/nixos\/configuration.nix<\/code> on the host and then running <code>nixos-container update &lt;name><\/code>.<\/li>\n\n\n\n<li>Alternatively, a new configuration can be passed on the command line with the <code>--config<\/code> flag of <code>nixos-container create<\/code> or <code>nixos-container update<\/code>; this overwrites the container&#8217;s <code>configuration.nix<\/code>.<\/li>\n\n\n\n<li>Configuration changes can also be made <em>from within the container<\/em> using <code>nixos-rebuild switch<\/code>. The container does not have a copy of the NixOS channel by default, so run <code>nix-channel --update<\/code> inside it first.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Networking:<\/strong> Imperative containers by default get their own <strong>private IPv4 address in the range 10.233.0.0\/16<\/strong>. They operate within their own network namespace and possess the <code>CAP_NET_ADMIN<\/code> capability, allowing them to configure network settings (like firewall rules) without affecting the host&#8217;s network. 
To enable outside network access, <strong>Network Address Translation (NAT) rules<\/strong> must be set up on the host.<\/li>\n\n\n\n<li><strong>Login and Execution:<\/strong> You can log in as root using <code>nixos-container root-login &lt;name><\/code> (host root access required) or get a regular login prompt with <code>nixos-container login &lt;name><\/code>. Arbitrary commands can be executed inside the container using <code>nixos-container run &lt;name> -- &lt;command><\/code>.<\/li>\n<\/ul>\n\n\n\n<p><strong>2. Declarative Container Management<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Method:<\/strong> Containers are defined directly within the <strong>host&#8217;s <code>configuration.nix<\/code> file<\/strong>.<\/li>\n\n\n\n<li><strong>Creation and Management:<\/strong> When <code>nixos-rebuild switch<\/code> is run on the host, the container is built. If it&#8217;s already running, it&#8217;s updated in place without a reboot. Containers can be configured to <strong>start automatically<\/strong> by setting <code>containers.&lt;name>.autoStart = true<\/code>. They are started and stopped via their corresponding systemd service, e.g., <code>systemctl start container@&lt;name><\/code>.<\/li>\n\n\n\n<li><strong>Configuration:<\/strong> The container&#8217;s configuration is specified as a Nix expression directly within the host&#8217;s <code>configuration.nix<\/code>.<\/li>\n\n\n\n<li><strong>Networking:<\/strong> By default, declarative containers <strong>share the network namespace of the host<\/strong>, allowing them to listen on (privileged) ports, but they <strong>cannot change the network configuration<\/strong>. 
They can be given their own private network by setting <code>privateNetwork = true<\/code>, along with <code>hostAddress<\/code> and <code>localAddress<\/code>.<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Differences Summarized:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Configuration Location:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>Imperative:<\/strong> Managed by individual configuration files (<code>\/etc\/nixos-containers\/&lt;name>.conf<\/code>) and directories (<code>\/var\/lib\/nixos-containers\/&lt;name><\/code>) on the host.<\/li>\n\n\n\n<li><strong>Declarative:<\/strong> Defined directly within the <strong>host&#8217;s central <code>configuration.nix<\/code> file<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Update Mechanism:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>Imperative:<\/strong> Containers are configured and <strong>updated independently<\/strong> from the host system using <code>nixos-container update<\/code> or <code>nixos-rebuild switch<\/code> from within the container.<\/li>\n\n\n\n<li><strong>Declarative:<\/strong> Containers are <strong>upgraded along with the host system<\/strong> when <code>nixos-rebuild<\/code> is run.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Network Isolation (Default):<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>Imperative:<\/strong> By default, imperative containers receive a <strong>private IPv4 address<\/strong> and have their own network namespace, allowing them to perform arbitrary network configurations.<\/li>\n\n\n\n<li><strong>Declarative:<\/strong> By default, declarative containers <strong>share the host&#8217;s network namespace<\/strong>, meaning they don&#8217;t have independent network configuration capabilities.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Important Note:<\/strong> NixOS containers are <strong>not perfectly isolated<\/strong> from the host system. 
NixOS containers are built on <code>systemd-nspawn<\/code> and share the host&#8217;s kernel and Nix store, so a user with root access inside a container can do things that affect the host. Treat container root as host-level trust when deciding who gets it: <strong>do not grant container root access to untrusted users<\/strong>.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PODCAST: This extensive documentation outlines the NixOS operating system, providing a comprehensive guide for installation, including both graphical and manual methods, as well as instructions for virtualized environments. It details how to manage system services, covering aspects like networking configuration, user and group management, and file system setup, with specific instructions for various applications like&hellip;&nbsp;<a href=\"https:\/\/172-234-197-23.ip.linodeusercontent.com\/?p=1661\" rel=\"bookmark\"><span class=\"screen-reader-text\">NixOS Configuration and Management<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1664,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[14,7],"tags":[],"class_list":["post-1661","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-podcast","category-the-truben-show"],"_links":{"self":[{"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/posts\/1661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],
"replies":[{"embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1661"}],"version-history":[{"count":5,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/posts\/1661\/revisions"}],"predecessor-version":[{"id":1672,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/posts\/1661\/revisions\/1672"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/media\/1664"}],"wp:attachment":[{"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
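Host-side configuration for the two networking cases the post describes (NAT on the host so imperative containers in 10.233.0.0/16 can reach the outside, and a declarative container with `privateNetwork = true`, `hostAddress` and `localAddress`), written out as one added example that is not part of the original post or of the NixOS manual. The container name `db`, the uplink interface name `eth0`, the 192.168.100.0/24 addresses, the bind-mount paths and the `stateVersion` value are assumptions; PostgreSQL is used as the service because the post mentions it.

```nix
# Added example: a fragment of the host's /etc/nixos/configuration.nix.
# Assumed: container name "db", uplink "eth0", 192.168.100.0/24 addresses,
# bind-mount paths and stateVersion. Not code from the original post.
{ config, pkgs, ... }:

{
  # NAT on the host. This is what the post calls the "NAT rules" needed for
  # imperative containers (their veth interfaces are named ve-<name>), and it
  # serves declarative containers with privateNetwork = true in the same way.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "eth0";   # assumed uplink name
  };

  containers.db = {
    # Start with the host instead of waiting for `systemctl start container@db`.
    autoStart = true;

    # Own network namespace: the container cannot see or reconfigure host
    # interfaces, and the host talks to it only over this veth pair.
    privateNetwork = true;
    hostAddress  = "192.168.100.10";
    localAddress = "192.168.100.11";

    # Least privilege for host data: a read-only bind mount instead of a
    # writable path on the host. Paths are assumed.
    bindMounts."/var/lib/db-backups" = {
      hostPath   = "/srv/db-backups";
      mountPoint = "/var/lib/db-backups";
      isReadOnly = true;
    };

    # The container's own NixOS configuration, evaluated as part of the host's
    # `nixos-rebuild switch` (declarative containers upgrade with the host).
    config = { config, pkgs, ... }: {
      services.postgresql = {
        enable = true;
        enableTCPIP = true;
        # pg_hba.conf line: only accept the host side of the veth pair.
        authentication = ''
          host all all 192.168.100.10/32 scram-sha-256
        '';
      };

      # The container's firewall is independent of the host's. Only the
      # database port is opened; nothing else on localAddress is reachable.
      networking.firewall = {
        enable = true;
        allowedTCPPorts = [ 5432 ];
      };

      system.stateVersion = "25.05";   # assumed; pin to the release you deploy
    };
  };
}
```

Apply it with `nixos-rebuild switch` on the host; `autoStart = true` brings the container up as `container@db`, and `nixos-container run db -- ip addr` shows only the loopback and the veth address. The host reaches the database directly at 192.168.100.11:5432 over the veth pair, while the NAT block gives the container outbound access. Isolation is still what the post's warning says it is: the container shares the host kernel and Nix store, so root inside `db` remains host-level trust regardless of the private network and read-only mount.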