hngopher.com

       [HN Gopher] Hard User Separation with NixOS
       ___________________________________________________________________
        
       Hard User Separation with NixOS
        
       Author : ingve
       Score  : 46 points
       Date   : 2022-11-01 09:21 UTC (1 days ago)
        
 (HTM) web link (www.tweag.io)
 (TXT) w3m dump (www.tweag.io)
        
       | matthews2 wrote:
       | You could also use systemd-homed with dm-crypt or cryptfs to have
       | two users with two different encrypted home partitions.
        
       | solatic wrote:
       | This seems really dangerous. Wouldn't running garbage collection
       | on the nix store while in the work partition clean out nix paths
       | required by the home partition's install, and vice versa?
        
         | Ambroisie wrote:
         | I think both specializations are in the same profile, which is
         | a GC root.
        
       | freedinosaur wrote:
       | TIL specialisations: https://nixos.wiki/wiki/Specialisation
       | 
       | I plan to use this for testing changes to my boot units.
       | 
       | In theory, plain old generations allow you to safely test changes
       | to boot units, by allowing you to jump to the previous
       | generation. In practice, this involves remembering which
       | generations have known-good boots.
       | 
       | Specialisations will allow me to run a stable and candy track, on
       | per generation.
       | 
       | What other usecases do specialisations improve?
        
         | freedinosaur wrote:
         | This makes testing changes easier in other ways too: when I
         | make experimental changes, I'm reluctant to commit them until I
         | know they're working, since I like being able to checkout an
         | old commit and know it boots. In practice this means I end up
         | with a dirty checkout, and uncertainty on which changes have
         | been tested.
         | 
         | In theory I could manage this with git rebasing and/or tagging,
         | but in practice I lose confidence in whether I've accurately
         | tracked.
         | 
         | With specialisations, I'd comfortably commit an experimental
         | change to my canary track, even though it might break, safe in
         | the knowledge that the stable track continues to boot.
        
         | freedinosaur wrote:
         | > Specialisations will allow me to run a stable and candy
         | track, on per generation.
         | 
         | Typos:
         | 
         | Specialisations will allow me to run a stable and canary track,
         | one per generation.
        
       ___________________________________________________________________
       (page generated 2022-11-02 23:00 UTC)