How to remove packages installed with some core module?

BoredSquirrel · April 15, 2025, 3:17pm

I have a minimal KDE Plasma system installed, and want to remove some “preinstalled” ones.

This works for packages installed with KDE Plasma:

environment.plasma6.excludePackages = with pkgs.kdePackages; [
    oxygen
    elisa
    xwaylandvideobridge
];

I want to remove the packages orca restic and sudo (using sudo-rs).

How can I do that? Do I need to find the module these packages are installed with, or is there a global option?

waffle8946 · April 15, 2025, 4:29pm

Yes, then figure out which options control it.

BoredSquirrel · April 23, 2025, 10:22pm

Update: I was still not able to find an option that installs it.

Another example, I want to remove the suid binaries sudo, su, pkexec, chsh.

How can I remove these packages?

Some might have options, but su, pkexec, chsh and more dont seem to do so.

rhendric · April 24, 2025, 2:01am

Security wrappers are controlled via security.wrappers. You could turn them all off with security.enableWrappers. Or you can use nixos-option security.wrappers to see which modules define wrappers and disable them individually.

BoredSquirrel · April 24, 2025, 9:21am

Cool, so disabling the wrappers automatically removes suid, but does not remove the binaries right?

I started setting suid to false yesterday, but this is even easier

But how could I remove packages?

It is pretty odd, imperative stuff like usermod and useradd exist, why?

rhendric · April 24, 2025, 9:55am

Because users.mutableUsers defaults to true. Set it to false if you don’t want mutable users.

Each of these commands has its own story. In general, if you don’t know why a binary is in your path, follow the symlinks until you find out what package it’s in, then find the module that adds that package to environment.systemPackages, then read the options for that module to find the way to disable it if you really want to (but some of these things you’d be disabling are pretty core; getting rid of absolutely everything you don’t personally use on a NixOS system is kind of a fool’s errand).

TLATER · April 24, 2025, 9:34pm

Especially since most won’t really be gotten “rid” of, but just live in /nix/store used by random systemd services that you also don’t know exist

sudo-rs at least makes sure sudo doesn’t also exist, so I wouldn’t worry about that. It’s a drop-in replacement.

envionment.systemPackages being a list is kind of a PITA though, since overriding its contents is pretty difficult. There have been proposals to replace it with an attrset that would make this much nicer (imagine e.g. environment.systemPackages.sudo.enable = lib.mkForce false;, or environment.systemPackages.sudo.overrideAttrs = ...). Maybe one day.

rhendric · April 24, 2025, 9:44pm

There are quite a few listy things in NixOS that would be nice to override in subtractive ways. I wonder if we should have a lib.mkFilter function for this, so you could do something like:

environment.systemPackages = lib.mkMerge [
  [
    ...
  ]
  (lib.mkFilter (p: p.pname or "" != "sudo"))
];

and collect and apply all of the filters at the end of the merge. I don’t think I’ve seen that concept proposed yet, but maybe it’s in one of the libraries people are using as layers on top of the module system?