Nix is by far the best way (so far) of package and dev environment managers compared to anything else out there. Especially from the security perspective.
Assuming that you know what Nix is and what problems it solves, I will skip the what and why parts – plenty of posts written on it already.
Nix is complex and once in a while people ask me if they should start using it for their personal environments and how much effort it would require.
The Nix learning curve varies from person to person and potential productivity gains depend on many factors. This post is my take on how you should approach this decision.
Just because you can...
Does it mean you should just migrate your workstation to NixOS / nix-darwin?
Not right away. If you are a programmer, try adopting devshell and flakes for a project you are working on. You won't need to learn the Nix language in the beginning to rip the benefits and progressively expand your knowledge. This low-barrier experiment would allow you to form an opinion and would be a good signal to invest more time into it or not.
If you have worked with any functional language before and if you have a reasonable knowledge of Linux the odds are high that Nix would be a very good fit for you. Regardless, my advice does not change – experiment with an isolated project first to learn and get familiar with Nix.
If you want to go an extra mile with this experiment, you can try packaging your software using Nix as well and even possibly integrating it into a CI/CD pipeline. If it was too easy, you can also try using dockerTools to build container images.
If you decide to continue
Then you can create a Nix repository for declarative configuration of your workstation(s).
If you are using macOS, you can start progressively replacing most of the Homebrew dependencies and OS settings with a combination of
nix-darwin and project-local flakes.
If you are using Linux, you might consider switching to NixOS as well, but you'd need more time on the reinstall. NixOS these days has a graphical installer based on https://calamares.io which supports disk encryption out of the box. I personally use nix-anywhere + disko with LUKS to install things remotely though.
At this point you might discover that Nixpkgs provides by far the largest and the most up-to-date collection of packages in the world. Most likely you won't have problems matching your previous OS configuration. You might want to wait with re-packaging anything bespoke using Nix depending on how familiar you are with Nix language and packaging process already.
Depending on the complexity & sophistication of your workstation config, at this point you might be using Home Manager and moving your existing app configs to your Nix repo. This could take a while and here are some tips on how to make it easier:
- Decide on the secrets management solution early on. I recommend sops-nix.
- Remove all your custom styling. You can progressively replace it with stylix.
- Don't try to migrate everything at once – could be a lot of work
I recommend taking a look at public dotfiles repositories on Github for inspiration.
At some point you might notice that working with anything less than Nix brings pain and frustration. So you might consider using Nix for pretty much everything you can. I won't be the one to talk you out of it. Here are some tips:
- Use a monorepo for all configs. Structure it with flake-parts.
- nix-anywhere + disko to provisioning. deploy-rs for remote deployments
- Terranix + thoenix for nixifying Terraform configs
- Arion for nixifying docker-compose'd services
Be prepared that the last steps will require effort even if you are a pretty good generalist programmer and the whole process take up to a year to get comfortable with everything.
I was skeptical about Nix for a long time before switching to it and I never looked back. It's been a few years since that and my overall experience has been fun and gratifying.
The Nix ecosystem is evolving extremely fast and there is still a lot of room for improvement all around. I've definitely struggled with a number of things but never actually encountered a problem I could not solve and now life became even easier with ChatGPT.