Hard user separation with NixOS

For once, I’ve been able to write something innovative :partying_face:


This IS innovative! It is always such an astonishment for me when I find ideas like this.


I did something similar a few years ago: Multiple Linux Systems on One ZFS Pool

I used different grub entries but I did eventually switch to using specialisation as you did (it’s so much cleaner). I was also using my old method of encrypting /boot. Don’t use that; I now consider it a bad idea.

Nice! With ZFS you can share the same available disk space, which is more practical than set defined partitions.

Yea that’s one of the things I liked about it. Your use of LVM allows that to a reasonable extent though. If your FS supports shrinking, you can even dynamically reallocate on the fly; which is what RedHat’s stratis system does to do ZFS-like things using only traditional block and FS layers, though requiring a daemon.

And btw, anyone interested in this thread may also be interested that @lheckemann did something sorta similar but very different with switch-root to boot an entirely different distro. I postulated in my ZFS blog post that it could be applied to boot any ZFS-supporting distro in the same pool, but never got around to trying it. He actually did it, and in a very interesting way.


Hi @Solene!

In the Discord there is currently a user having problem following the tutorial. They encounter an impure error:

error: access to absolute path '/dev/pool/root' is forbidden in pure eval mode (use '--impure' to override)

From code like this:

boot.initrd.luks.devices.crypto = "/dev/pool/root";

Looking at the option search boot.initrd.luks.devices.crypto is a submodule, so my understanding is, that the string is coerced into a path, and then the module system tries to import from this path, which of course is not allowed in pure evaluation mode.

Has something changed since the tutorial was written (doesn’t look like it from the option search) or has someone removed some words from the examples?

1 Like

@NobbZ shouldn’t it be this?

boot.initrd.luks.devices.crypto.device = "/dev/pool/root";

I think the same from the option search, though the tutorial suggests something else

oh, it seems it’s missing the .device attribute :frowning:

It’s there in the GitHub repository with examples files https://github.com/tweag/nixos-specialisation-dual-boot/blob/21cc442157293101d26d3f8c48f2347131c324d6/configuration/private.nix#L25

I’ll fix it as soon as possible, thanks for having reporting it :pray:t3:

1 Like

The examples are fixed now :slight_smile: