NixOS for shared community shell server?

Hello all,

I’m working on setting up a small tilde/shell server to share with friends and am struggling to find resources on what shared hosting related permissions management looks like in NixOS.

I’ve been using NixOS in my home environment for at most six months and while I’m reasonably comfortable as the only user (at least one with shell access), I’m not sure what to be aware of in a shared environment.

Is there anything beyond the Multi-User Installation document (Multi-User Mode - Nix Reference Manual) that I should read?

From the Multi-User Installation documentation I understand that even with nix-daemon running:

  • binary caches are not available to unprivileged users
  • packages compiled by unprivileged users have to be compiled per-user

While this results in maybe slower build-times than I’m used to when I use binary packages, this doesn’t seem like a massive problem for me. If nix compilations regularly take up too many resources I can limit simultaneous builds and presumably there’s a way to limit CPU usage on the nix-daemon-launched builders?

Is there anything else that is NixOS-specific and divergent from the other Linux security tightening requirements in Linux systems that I might expect?

Thank you for your time,
Newt

They cannot add new ones, but they can certainly use ones that were configured globally in /etc/nix/nix.conf.

How so? I don’t see anything mentioned as such in the docs. (And builds shouldn’t depend on who runs them, anyway.)

3 Likes

… isn’t all that relevant. It’s the default installation method, and how your user interacts with nix as well. Unless you’ve explicitly made your user trusted, any other users will be able to use nix exactly the way you do.

The only good reason I know of to make general purpose users trusted is so they can use the nixConf output of flakes they use, mostly to add binary caches for random flakes. Allowing this is almost certainly a bad idea on a shared host, but you may get users nagging you about it.

Other than that, just make sure not to put secrets anywhere close to where nix may touch them, as that can enable privilege escalation. This is always worth doing, but especially important on a shared host. Even just building a flake will add its repository with world-readable permissions to the nix store. If you use local path: URLs, those will place even untracked files you might not think of in there.

Remind your users of this too.

2 Likes
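
The point in the post above, that a local path: URL copies even untracked files into the world-readable store, can be turned into a pre-build check. This is an added example, not part of the original thread; the function names and the filename patterns are assumptions chosen for illustration and are not exhaustive.

```shell
#!/bin/sh
# Added example: list files in a flake directory that look like secrets
# before the directory is copied into the world-readable Nix store.
# Function names and patterns are hypothetical, chosen for illustration.

flake_secret_candidates() {
    dir=${1:-.}
    {
        # Pass 1: file names that commonly hold credentials.
        find "$dir" -type f \( \
            -name '.env' -o -name '.env.*' -o -name '.netrc' \
            -o -name '*.pem' -o -name '*.key' \
            -o -name 'id_rsa' -o -name 'id_ed25519' \
        \) -print
        # Pass 2: any file whose content carries a PEM private-key header,
        # whatever it is called. grep exits non-zero when nothing matches,
        # which is not an error here.
        find "$dir" -type f \
            -exec grep -lE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} + || true
    } | sort -u
}

# Gate: succeeds only when nothing suspicious was found, so it can guard
# a build, e.g.  check_flake_dir . && nix build path:.
check_flake_dir() {
    hits=$(flake_secret_candidates "${1:-.}")
    [ -z "$hits" ] && return 0
    printf 'would become world-readable in the store:\n%s\n' "$hits" >&2
    return 1
}
```

A clean result only means none of these patterns matched; secrets stored under other names or in other formats still need to be kept out of the directory by hand.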

That makes sense, I definitely misread the context of that section of the article. It’s not that binary caches are unavailable; it’s that new ones can’t be added without privilege. I also clearly misunderstood how built packages become available. Thank you!

I guess I was wrong to assume there were NixOS-specific considerations beyond nix-store secrets! That’s very good to know.

Thanks all!

1 Like