Hard user separation with NixOS

Solene · November 1, 2022, 8:57am

For once, I’ve been able to write something innovative

kfiad · November 1, 2022, 6:22pm

This IS innovative! It is always such an astonishment for me when I find ideas like this.
Congratulations!

ElvishJerricco · November 1, 2022, 8:40pm

I did something similar a few years ago: Multiple Linux Systems on One ZFS Pool

I used different grub entries but I did eventually switch to using specialisation as you did (it’s so much cleaner). I was also using my old method of encrypting /boot. Don’t use that; I now consider it a bad idea.

Solene · November 1, 2022, 9:25pm

Nice! With ZFS you can share the same available disk space, which is more practical than set defined partitions.

ElvishJerricco · November 1, 2022, 10:15pm

Yea that’s one of the things I liked about it. Your use of LVM allows that to a reasonable extent though. If your FS supports shrinking, you can even dynamically reallocate on the fly; which is what RedHat’s stratis system does to do ZFS-like things using only traditional block and FS layers, though requiring a daemon.

And btw, anyone interested in this thread may also be interested that @lheckemann did something sorta similar but very different with switch-root to boot an entirely different distro. I postulated in my ZFS blog post that it could be applied to boot any ZFS-supporting distro in the same pool, but never got around to trying it. He actually did it, and in a very interesting way.

NobbZ · December 13, 2022, 10:32pm

Hi @Solene!

In the Discord there is currently a user having problem following the tutorial. They encounter an impure error:

error: access to absolute path '/dev/pool/root' is forbidden in pure eval mode (use '--impure' to override)

From code like this:

boot.initrd.luks.devices.crypto = "/dev/pool/root";

Looking at the option search boot.initrd.luks.devices.crypto is a submodule, so my understanding is, that the string is coerced into a path, and then the module system tries to import from this path, which of course is not allowed in pure evaluation mode.

Has something changed since the tutorial was written (doesn’t look like it from the option search) or has someone removed some words from the examples?

ElvishJerricco · December 13, 2022, 10:39pm

@NobbZ shouldn’t it be this?

boot.initrd.luks.devices.crypto.device = "/dev/pool/root";

NobbZ · December 13, 2022, 10:41pm

I think the same from the option search, though the tutorial suggests something else

Solene · December 14, 2022, 8:07am

oh, it seems it’s missing the .device attribute

It’s there in the GitHub repository with examples files https://github.com/tweag/nixos-specialisation-dual-boot/blob/21cc442157293101d26d3f8c48f2347131c324d6/configuration/private.nix#L25

I’ll fix it as soon as possible, thanks for having reporting it

Solene · December 14, 2022, 8:59am

The examples are fixed now