nixos2105 1

Table of Contents

Introduction

Nix is a purely functional package manager. This means that it treats packages like values in purely functional programming languages such as Haskell — they are built by functions that don’t have side-effects, and they never change after they have been built. Nix stores packages in the Nix store, usually the directory /nix/store, where each package has its own unique subdirectory such as

 
/nix/store/b6gvzjyb2pg0kjfwrjmg1vfhh54ad73z-firefox-33.1/

where b6gvzjyb2pg0… is a unique identifier for the package that captures all its dependencies (it’s a cryptographic hash of the package’s build dependency graph). This enables many powerful features.

Multiple versions

You can have multiple versions or variants of a package installed at the same time. This is especially important when different applications have dependencies on different versions of the same package — it prevents the “DLL hell”. Because of the hashing scheme, different versions of a package end up in different paths in the Nix store, so they don’t interfere with each other.

An important consequence is that operations like upgrading or uninstalling an application cannot break other applications, since these operations never “destructively” update or delete files that are used by other packages.

Complete dependencies

Nix helps you make sure that package dependency specifications are complete. In general, when you’re making a package for a package management system like RPM, you have to specify for each package what its dependencies are, but there are no guarantees that this specification is complete. If you forget a dependency, then the package will build and work correctly on your machine if you have the dependency installed, but not on the end user’s machine if it’s not there.

Since Nix on the other hand doesn’t install packages in “global” locations like /usr/bin but in package-specific directories, the risk of incomplete dependencies is greatly reduced. This is because tools such as compilers don’t search in per-packages directories such as /nix/store/5lbfaxb722zp…-openssl-0.9.8d/include, so if a package builds correctly on your system, this is because you specified the dependency explicitly. This takes care of the build-time dependencies.

Once a package is built, runtime dependencies are found by scanning binaries for the hash parts of Nix store paths (such as r8vvq9kq…). This sounds risky, but it works extremely well.

Multi-user support

Nix has multi-user support. This means that non-privileged users can securely install software. Each user can have a different profile, a set of packages in the Nix store that appear in the user’s PATH. If a user installs a package that another user has already installed previously, the package won’t be built or downloaded a second time. At the same time, it is not possible for one user to inject a Trojan horse into a package that might be used by another user.

Atomic upgrades and rollbacks

Since package management operations never overwrite packages in the Nix store but just add new versions in different paths, they are atomic. So during a package upgrade, there is no time window in which the package has some files from the old version and some files from the new version — which would be bad because a program might well crash if it’s started during that period.

And since packages aren’t overwritten, the old versions are still there after an upgrade. This means that you can roll back to the old version:

 
$ nix-env --upgrade --attr nixpkgs.some-package
$ nix-env --rollback

Garbage collection

When you uninstall a package like this…

 
$ nix-env --uninstall firefox

the package isn’t deleted from the system right away (after all, you might want to do a rollback, or it might be in the profiles of other users). Instead, unused packages can be deleted safely by running the garbage collector:

 
$ nix-collect-garbage

This deletes all packages that aren’t in use by any user profile or by a currently running program.

Functional package language

Packages are built from Nix expressions, which is a simple functional language. A Nix expression describes everything that goes into a package build task (a “derivation”): other packages, sources, the build script, environment variables for the build script, etc. Nix tries very hard to ensure that Nix expressions are deterministic: building a Nix expression twice should yield the same result.

Because it’s a functional language, it’s easy to support building variants of a package: turn the Nix expression into a function and call it any number of times with the appropriate arguments. Due to the hashing scheme, variants don’t conflict with each other in the Nix store.

Transparent source/binary deployment

Nix expressions generally describe how to build a package from source, so an installation action like

 
$ nix-env --install --attr nixpkgs.firefox

could cause quite a bit of build activity, as not only Firefox but also all its dependencies (all the way up to the C library and the compiler) would have to be built, at least if they are not already in the Nix store. This is a source deployment model. For most users, building from source is not very pleasant as it takes far too long. However, Nix can automatically skip building from source and instead use a binary cache, a web server that provides pre-built binaries. For instance, when asked to build /nix/store/b6gvzjyb2pg0…-firefox-33.1 from source, Nix would first check if the file https://cache.nixos.org/b6gvzjyb2pg0….narinfo exists, and if so, fetch the pre-built binary referenced from there; otherwise, it would fall back to building from source.

Nix Packages collection

We provide a large set of Nix expressions containing hundreds of existing Unix packages, the Nix Packages collection (Nixpkgs).

Managing build environments

Nix is extremely useful for developers as it makes it easy to automatically set up the build environment for a package. Given a Nix expression that describes the dependencies of your package, the command nix-shell will build or download those dependencies if they’re not already in your Nix store, and then start a Bash shell in which all necessary environment variables (such as compiler search paths) are set.

For example, the following command gets all dependencies of the Pan newsreader, as described by its Nix expression:

 
$ nix-shell '<nixpkgs>' --attr pan

You’re then dropped into a shell where you can edit, build and test the package:

 
[nix-shell]$ unpackPhase
[nix-shell]$ cd pan-*
[nix-shell]$ configurePhase
[nix-shell]$ buildPhase
[nix-shell]$ ./pan/gui/pan

Portability

Nix runs on Linux and macOS.

NixOS

NixOS is a Linux distribution based on Nix. It uses Nix not just for package management but also to manage the system configuration (e.g., to build configuration files in /etc). This means, among other things, that it is easy to roll back the entire configuration of the system to an earlier state. Also, users can install software without root privileges. For more information and downloads, see the NixOS homepage.

License

Nix is released under the terms of the GNU LGPLv2.1 or (at your option) any later version.

Supported Platforms

Nix is currently supported on the following platforms:

  • Linux (i686, x86_64, aarch64).

  • macOS (x86_64, aarch64).

Installing a Binary Distribution

To install the latest version Nix, run the following command:

 
$ curl -L https://nixos.org/nix/install | sh

This performs the default type of installation for your platform:

  • Multi-user:
    • Linux with systemd and without SELinux
    • macOS
  • Single-user:
    • Linux without systemd
    • Linux with SELinux

We recommend the multi-user installation if it supports your platform and you can authenticate with sudo.

The installer can configured with various command line arguments and environment variables. To show available command line flags:

 
$ curl -L https://nixos.org/nix/install | sh -s -- --help

To check what it does and how it can be customised further, download and edit the second-stage installation script.

Installing a pinned Nix version from a URL

Version-specific installation URLs for all Nix versions since 1.11.16 can be found at releases.nixos.org. The directory for each version contains the corresponding SHA-256 hash.

All installation scripts are invoked the same way:

 
$ export VERSION=2.19.2 
$ curl -L https://releases.nixos.org/nix/nix-$VERSION/install | sh

Multi User Installation

The multi-user Nix installation creates system users and a system service for the Nix daemon.

Supported systems:

  • Linux running systemd, with SELinux disabled
  • macOS

To explicitly instruct the installer to perform a multi-user installation on your system:

 
$ curl -L https://nixos.org/nix/install | sh -s -- --daemon

You can run this under your usual user account or root. The script will invoke sudo as needed.

Single User Installation

To explicitly select a single-user installation on your system:

 
$ curl -L https://nixos.org/nix/install | sh -s -- --no-daemon

In a single-user installation, /nix is owned by the invoking user. The script will invoke sudo to create /nix if it doesn’t already exist. If you don’t have sudo, manually create /nix as root:

 
$ su root
# mkdir /nix
# chown alice /nix

Installing from a binary tarball

You can also download a binary tarball that contains Nix and all its dependencies:

Example

 
$ pushd $(mktemp -d)
$ export VERSION=2.19.2
$ export SYSTEM=x86_64-linux
$ curl -LO https://releases.nixos.org/nix/nix-$VERSION/nix-$VERSION-$SYSTEM.tar.xz
$ tar xfj nix-$VERSION-$SYSTEM.tar.xz
$ cd nix-$VERSION-$SYSTEM
$ ./install
$ popd

The installer can be customised with the environment variables declared in the file named install-multi-user.

Native packages for Linux distributions

The Nix community maintains installers for some Linux distributions in their native packaging format(https://nix-community.github.io/nix-installers/).

macOS Installation

We believe we have ironed out how to cleanly support the read-only root file system on modern macOS. New installs will do this automatically.

This section previously detailed the situation, options, and trade-offs, but it now only outlines what the installer does. You don’t need to know this to run the installer, but it may help if you run into trouble:

  • create a new APFS volume for your Nix store
  • update /etc/synthetic.conf to direct macOS to create a “synthetic” empty root directory to mount your volume
  • specify mount options for the volume in /etc/fstab
    • rw: read-write
    • noauto: prevent the system from auto-mounting the volume (so the LaunchDaemon mentioned below can control mounting it, and to avoid masking problems with that mounting service).
    • nobrowse: prevent the Nix Store volume from showing up on your desktop; also keeps Spotlight from spending resources to index this volume
  • if you have FileVault enabled
    • generate an encryption password
    • put it in your system Keychain
    • use it to encrypt the volume
  • create a system LaunchDaemon to mount this volume early enough in the boot process to avoid problems loading or restoring any programs that need access to your Nix store

Installing Nix from Source

If no binary package is available or if you want to hack on Nix, you can build Nix from its Git repository.

Prerequisites

  • GNU Autoconf (https://www.gnu.org/software/autoconf/) and the autoconf-archive macro collection (https://www.gnu.org/software/autoconf-archive/). These are needed to run the bootstrap script.

  • GNU Make.

  • Bash Shell. The ./configure script relies on bashisms, so Bash is required.

  • A version of GCC or Clang that supports C++20.

  • pkg-config to locate dependencies. If your distribution does not provide it, you can get it from http://www.freedesktop.org/wiki/Software/pkg-config.

  • The OpenSSL library to calculate cryptographic hashes. If your distribution does not provide it, you can get it from https://www.openssl.org.

  • The libbrotlienc and libbrotlidec libraries to provide implementation of the Brotli compression algorithm. They are available for download from the official repository https://github.com/google/brotli.

  • cURL and its library. If your distribution does not provide it, you can get it from https://curl.haxx.se/.

  • The SQLite embedded database library, version 3.6.19 or higher. If your distribution does not provide it, please install it from http://www.sqlite.org/.

  • The Boehm garbage collector (bdw-gc) to reduce the evaluator’s memory consumption (optional).

    To enable it, install pkgconfig and the Boehm garbage collector, and pass the flag --enable-gc to configure.

    For bdw-gc <= 8.2.4 Nix needs a small patch to be applied.

  • The boost library of version 1.66.0 or higher. It can be obtained from the official web site https://www.boost.org/.

  • The editline library of version 1.14.0 or higher. It can be obtained from the its repository https://github.com/troglobit/editline.

  • The libsodium library for verifying cryptographic signatures of contents fetched from binary caches. It can be obtained from the official web site https://libsodium.org.

  • Recent versions of Bison and Flex to build the parser. (This is because Nix needs GLR support in Bison and reentrancy support in Flex.) For Bison, you need version 2.6, which can be obtained from the GNU FTP server. For Flex, you need version 2.5.35, which is available on SourceForge. Slightly older versions may also work, but ancient versions like the ubiquitous 2.5.4a won’t.

  • The libseccomp is used to provide syscall filtering on Linux. This is an optional dependency and can be disabled passing a --disable-seccomp-sandboxing option to the configure script (Not recommended unless your system doesn’t support libseccomp). To get the library, visit https://github.com/seccomp/libseccomp.

  • On 64-bit x86 machines only, libcpuid library is used to determine which microarchitecture levels are supported (e.g., as whether to have x86_64-v2-linux among additional system types). The library is available from its homepage http://libcpuid.sourceforge.net. This is an optional dependency and can be disabled by providing a --disable-cpuid to the configure script.

  • Unless ./configure --disable-unit-tests is specified, GoogleTest (GTest) and RapidCheck are required, which are available at https://google.github.io/googletest/ and https://github.com/emil-e/rapidcheck respectively.

Obtaining the Source

The most recent sources of Nix can be obtained from its Git repository. For example, the following command will check out the latest revision into a directory called nix:

 
$ git clone https://github.com/NixOS/nix

Likewise, specific releases can be obtained from the tags of the repository.

 

Building Nix from Source

After cloning Nix’s Git repository, issue the following commands:

 
$ autoreconf -vfi
$ ./configure options...
$ make
$ make install

Nix requires GNU Make so you may need to invoke gmake instead.

The installation path can be specified by passing the --prefix=prefix to configure. The default installation directory is /usr/local. You can change this to any location you like. You must have write permission to the prefix path.

Nix keeps its store (the place where packages are stored) in /nix/store by default. This can be changed using --with-store-dir=path.

Warning

It is best not to change the Nix store from its default, since doing so makes it impossible to use pre-built binaries from the standard Nixpkgs channels — that is, all packages will need to be built from source.

Nix keeps state (such as its database and log files) in /nix/var by default. This can be changed using --localstatedir=path.

 

Security

Nix has two basic security models. First, it can be used in “single-user mode”, which is similar to what most other package management tools do: there is a single user (typically root) who performs all package management operations. All other users can then use the installed packages, but they cannot perform package management operations themselves.

Alternatively, you can configure Nix in “multi-user mode”. In this model, all users can perform package management operations — for instance, every user can install software without requiring root privileges. Nix ensures that this is secure. For instance, it’s not possible for one user to overwrite a package used by another user with a Trojan horse.

 

Single-User Mode

In single-user mode, all Nix operations that access the database in prefix/var/nix/db or modify the Nix store in prefix/store must be performed under the user ID that owns those directories. This is typically root. (If you install from RPM packages, that’s in fact the default ownership.) However, on single-user machines, it is often convenient to chown those directories to your normal user account so that you don’t have to su to root all the time.

 

Multi-User Mode

To allow a Nix store to be shared safely among multiple users, it is important that users are not able to run builders that modify the Nix store or database in arbitrary ways, or that interfere with builds started by other users. If they could do so, they could install a Trojan horse in some package and compromise the accounts of other users.

To prevent this, the Nix store and database are owned by some privileged user (usually root) and builders are executed under special user accounts (usually named nixbld1nixbld2, etc.). When a unprivileged user runs a Nix command, actions that operate on the Nix store (such as builds) are forwarded to a Nix daemon running under the owner of the Nix store/database that performs the operation.

Note

Multi-user mode has one important limitation: only root and a set of trusted users specified in nix.conf can specify arbitrary binary caches. So while unprivileged users may install packages from arbitrary Nix expressions, they may not get pre-built binaries.

Setting up the build users

The build users are the special UIDs under which builds are performed. They should all be members of the build users group nixbld. This group should have no other members. The build users should not be members of any other group. On Linux, you can create the group and users as follows:

 
$ groupadd -r nixbld
$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
    -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
    nixbld$n; done

This creates 10 build users. There can never be more concurrent builds than the number of build users, so you may want to increase this if you expect to do many builds at the same time.

Running the daemon

The Nix daemon should be started as follows (as root):

 
$ nix-daemon

You’ll want to put that line somewhere in your system’s boot scripts.

To let unprivileged users use the daemon, they should set the NIX_REMOTE environment variable to daemon. So you should put a line like

 
export NIX_REMOTE=daemon

into the users’ login scripts.

Restricting access

To limit which users can perform Nix operations, you can use the permissions on the directory /nix/var/nix/daemon-socket. For instance, if you want to restrict the use of Nix to the members of a group called nix-users, do

 
$ chgrp nix-users /nix/var/nix/daemon-socket
$ chmod ug=rwx,o= /nix/var/nix/daemon-socket

This way, users who are not in the nix-users group cannot connect to the Unix domain socket /nix/var/nix/daemon-socket/socket, so they cannot perform Nix operations.

Environment Variables

To use Nix, some environment variables should be set. In particular, PATH should contain the directories prefix/bin and ~/.nix-profile/bin. The first directory contains the Nix tools themselves, while ~/.nix-profile is a symbolic link to the current user environment (an automatically generated package consisting of symlinks to installed packages). The simplest way to set the required environment variables is to include the file prefix/etc/profile.d/nix.sh in your ~/.profile (or similar), like this:

 
source prefix/etc/profile.d/nix.sh

NIX_SSL_CERT_FILE

If you need to specify a custom certificate bundle to account for an HTTPS-intercepting man in the middle proxy, you must specify the path to the certificate bundle in the environment variable NIX_SSL_CERT_FILE.

If you don’t specify a NIX_SSL_CERT_FILE manually, Nix will install and use its own certificate bundle.

Set the environment variable and install Nix

 
$ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
$ curl -L https://nixos.org/nix/install | sh

In the shell profile and rc files (for example, /etc/bashrc/etc/zshrc), add the following line:

 
export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt

Note

You must not add the export and then do the install, as the Nix installer will detect the presence of Nix configuration, and abort.

If you use the Nix daemon, you should also add the following to /etc/nix/nix.conf:

 
ssl-cert-file = /etc/ssl/my-certificate-bundle.crt

Proxy Environment Variables

The Nix installer has special handling for these proxy-related environment variables: http_proxyhttps_proxyftp_proxyno_proxyHTTP_PROXYHTTPS_PROXYFTP_PROXYNO_PROXY.

If any of these variables are set when running the Nix installer, then the installer will create an override file at /etc/systemd/system/nix-daemon.service.d/override.conf so nix-daemon will use them.

 

Upgrading Nix

Note

These upgrade instructions apply where Nix was installed following the installation instructions in this manual.

Check which Nix version will be installed, for example from one of the release channels such as nixpkgs-unstable:

 
$ nix-shell -p nix -I nixpkgs=channel:nixpkgs-unstable --run "nix --version"
nix (Nix) 2.18.1

Warning

Writing to the local store with a newer version of Nix, for example by building derivations with nix-build or nix-store --realise, may change the database schema! Reverting to an older version of Nix may therefore require purging the store database before it can be used.

Linux multi-user

 
$ sudo su
# nix-env --install --file '<nixpkgs>' --attr nix cacert -I nixpkgs=channel:nixpkgs-unstable
# systemctl daemon-reload
# systemctl restart nix-daemon

macOS multi-user

 
$ sudo nix-env --install --file '<nixpkgs>' --attr nix -I nixpkgs=channel:nixpkgs-unstable
$ sudo launchctl remove org.nixos.nix-daemon
$ sudo launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist

Single-user all platforms

 
$ nix-env --install --file '<nixpkgs>' --attr nix cacert -I nixpkgs=channel:nixpkgs-unstable

 

Leave a Comment

Your email address will not be published. Required fields are marked *

Treyzz
Services
Courses
Shopping
Scroll to Top