Automatic updates for nix packages on ubuntu (or other)


I’m using nix on Ubuntu and I’m planning to use it on a multi-user Ubuntu server. What would you recommend to keep all the nix packages updated? My primary concern is getting security updates.

On Ubuntu, there is unattended-upgrades that can automatically install security updates (or all updates depending on configuration).

I was thinking about a systemd service that does nix-channel --update && nix-env -u.

Just don’t use nix-env, but use home-manager and a lot of project specific shell.nix/.envrc.

Also don’t do automatic updates.

home-manager does not really work for most multi-user systems for non-technical reasons. E.g., we have Nix on some of our compute machines because I use it and colleagues find it practical that I can share software with them by sending them the right nix-env invocation. Some of them may do an occasional nix run to use something that is not available on Ubuntu or will not be installed system-wide. But for most colleagues it’s very unlikely that they will want to learn Nix, let alone home-manager. So, you end up with a lot of old stuff in the Nix store, because things get installed once and are never updated.

So they’ll end up with an exploding hard disk anyway, because there is no one collecting their garbage…

Maybe I’m a bit strict in my opinion, but if people don’t want to learn the tools, don’t hand them over.

Use centralised management to install software on the computer.

If they don’t want to learn how to properly do package management in their respective system, just give them snap and allow it for non-root. (I never actually did this, but heard it was possible.)

I have to agree with @NobbZ: if you’re already diving into NixOS, you may as well use the tooling, which works exceptionally well.

To the user’s original question about automatic updates on Ubuntu: I’m not aware of anything.

Updating for nix-env:

nix-channel --update
sudo nix-channel --update  # sometimes nix-env will traverse and install from the nixos channel
nix-env -u

Updating for home-manager:

nix-channel --update
home-manager switch

There is a system.autoUpgrade.enable option for NixOS, but that wouldn’t be available for Ubuntu.

If this runs as your user, it will most likely work.

One argument against doing automatic updates is that a package you care about might fail to build, and then you would want to control what profiles are being created.

Note that I was talking about Ubuntu too. And I was under the impression that the topic starter wanted to automatically update profiles of all users, since it is a multi-user system.

I think this is a missed opportunity, they may not (want to) be Nix users now, but could be in the future because what they have seen. It would be nice to have the tooling to do system-wide updates of user profiles (whatever they have installed with nix-env).


To be honest, I consider it a big plus of nix, to not force everyone to be on the same version.

But if OP really wants to, I’m pretty sure it will just work when they provide a systemd timer + service, that does run the exact two commands from the OP.

I’d still never suggest doing unsupervised updates. If stuff breaks, it’s hard to find out why and when that happened.

Besides that, nix-env -i doesn’t really work for a lot of things, as further tweaking of configuration is required through nix, or by hand, where other package managers might do more “magic” behind the curtains when installing stuff.

nix-env -i won’t set up systemd units, it won’t add users necessary to run services, it won’t configure anything. To achieve those installations properly one needs to describe them declaratively in a nix file at a central place or per project in a shell.nix, and this still doesn’t work for all programs (postgres database in a shell.nix? Not sure how that should work…)

apt, snap, or even brew might be at an advantage here, as they take care of such stuff in their imperative forms.

snap even does automatic updates, no need to ask for it… It will break totally on its own… Without user interaction, isn’t that progress?

Agreed. Probably a system-wide unit to run nix-channel --update and a user unit to run nix-env -u. With a user unit, users could even decide themselves whether they want to run automatic updates and how often.
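The split just described (a root-level unit that refreshes the channels, plus a per-user unit that each user can enable or not) written out as a small POSIX shell script. This is an added example, not code from the thread or from the Nix project. It assumes a multi-user Nix install whose environment script lives at /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh (override with NIX_SH if yours differs), systemd with user sessions, and the unit names nix-channel-update and nix-profile-update, which are made up here. Because nix-env -u only switches the profile to a new generation after a successful build, a failed update leaves the previous generation in place and shows up in journalctl rather than as a half-applied profile; nix-env --rollback is still there if a successful update turns out to be unwanted.

```shell
#!/bin/sh
# Added example: generate and install systemd units for unattended Nix updates
# on a non-NixOS host (e.g. Ubuntu). Root scope: "nix-channel --update" only.
# User scope: "nix-channel --update && nix-env -u" for that user's profile.
# Assumption: this is where the multi-user Nix installer puts its env script.
NIX_SH="${NIX_SH:-/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh}"

# Root-level oneshot service: refresh the root channels (the "sudo nix-channel
# --update" step from earlier in the thread). Nothing is installed here.
root_service_unit() {
  cat <<EOF
[Unit]
Description=Update root Nix channels
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c '. $NIX_SH && nix-channel --update'
EOF
}

# Per-user oneshot service: update the user's channels, then upgrade the
# user's nix-env profile. If a package fails to build, nix-env -u does not
# create a new generation, so the profile stays on the last working one.
user_service_unit() {
  cat <<EOF
[Unit]
Description=Update Nix channels and upgrade the nix-env profile
After=network-online.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c '. $NIX_SH && nix-channel --update && nix-env -u'
EOF
}

# Timer for either service; $1 is an OnCalendar expression (default: daily).
# RandomizedDelaySec spreads many users' runs out; Persistent catches up
# after the machine was off. The timer activates the service of the same name.
timer_unit() {
  cal="${1:-daily}"
  cat <<EOF
[Unit]
Description=Schedule Nix updates

[Timer]
OnCalendar=$cal
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Write the unit pair for one scope into a directory.
#   $1 = root | user      $2 = target unit directory      $3 = OnCalendar (optional)
install_units() {
  scope="$1"; dir="$2"; cal="${3:-daily}"
  mkdir -p "$dir" || return 1
  if [ "$scope" = root ]; then
    root_service_unit > "$dir/nix-channel-update.service"
    timer_unit "$cal"  > "$dir/nix-channel-update.timer"
  else
    user_service_unit > "$dir/nix-profile-update.service"
    timer_unit "$cal"  > "$dir/nix-profile-update.timer"
  fi
}

# Usage (each user decides for themselves, matching the suggestion above):
#   sh nix-autoupdate.sh install-user      # as the user
#   sudo sh nix-autoupdate.sh install-root # once, for the channels root reads
case "${1:-}" in
  install-user)
    install_units user "$HOME/.config/systemd/user" daily
    systemctl --user daemon-reload
    systemctl --user enable --now nix-profile-update.timer
    ;;
  install-root)
    install_units root /etc/systemd/system daily
    systemctl daemon-reload
    systemctl enable --now nix-channel-update.timer
    ;;
esac
```

Running the script with no argument only defines the functions, so it can be sourced and inspected; `systemctl --user status nix-profile-update.timer` and `journalctl --user -u nix-profile-update` show when the last run happened and whether nix-env reported a failed build.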

I think this argumentation is centered around specific use cases. There is a very large number of packages in nixpkgs that do not require that kind of setup. To take an example from our field, say that someone needs fastText. There is no package in Ubuntu for fastText. They could hand compile it, or they could just do nix-env -i fastText and be done with it, the same is true for probably 90% of the software in nixpkgs.

I don’t see the need to be cynical about this. Apparently, (sometimes containerized) user installs are something that people need and want. Despite their faults, snap and flatpak have been trying to address this use case. Coming back to nixpkgs, I don’t see why one should expect updates on a stable branch to break.

(Note: personally I don’t even use nix-env, but I think that it’s a ‘gateway drug’ for new people to Nix.)