nixos-docker-sd-image-builder
Why not to use installer configuration for production?
Hi Roberto, Thanks so much for making the SD image builder.
I am very happy to build the Rpi4 base image on my laptop, from a static config file. I would like to avoid updating the image with manual commands run on the Rpi4. That's why I was confused when I found this in the readme:
> the installer configuration (which is the one you edited in the config/ folder) is different than the system configuration. The installer configuration is only used to build the image -- using an installer configuration on a production system is an error and will lead to weirdness.
>
> Once you have a valid configuration in `/etc/nixos/configuration.nix`, run `nixos-rebuild switch` as root, and optionally run `nix-collect-garbage -d` to remove all the leftover stuff from the installation that is not required.
Would you please explain why one would not use an installer configuration on a production system? What problems could occur?
Thanks, Michael
Hi Michael,
thanks for reaching out!
I completely get your point and it's something which has been raised and asked on the official channels. The reason for the need of two config files is the fact that you are not building an image containing the target system directly, you're building an installer which can bootstrap the final target system.
To go more in depth, here is the actual base configuration that is used to build the SD image:
https://github.com/NixOS/nixpkgs/blob/e3209fae77495cdbcb07378a8e68f1a2edc28eaa/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
This contains all the necessary stuff to build a `.img` file with the whole system.
If you look into what that file requires, you can find:
https://github.com/NixOS/nixpkgs/blob/e3209fae77495cdbcb07378a8e68f1a2edc28eaa/nixos/modules/profiles/base.nix
which as you see contains all the hardcoded packages for an installation medium... and most importantly this:
https://github.com/NixOS/nixpkgs/blob/e3209fae77495cdbcb07378a8e68f1a2edc28eaa/nixos/modules/profiles/installation-device.nix
which makes a lot of assumptions on what an installation device should contain and provide, including the built-in `nixos` account.
With that being said, it should be clear that the installation-device configuration makes a lot of assumptions and thus you can't really use that as the configuration for your definitive system! I remember reading of this on some other NixOS-related discussion, but I can't find the thread I was thinking about at the moment.
Here are a few pointers which might be useful for you anyway:
- you might want to use NixOps, which should be able to provision machines on demand. There has been one user here who was successfully able to deploy with NixOps (#5) so it definitely is possible!
- whilst convoluted, it should also be possible to change the SD image builder (either the previously linked `sd-image-aarch64` if you're using a RPi 3 or the duplicate of `sd-image-raspberrypi4` I have in this repo), strip out any imports to the installation devices and merge it with the definitive configuration of your system. It would actually be very interesting to try, but I lack a second sandbox RPi to run these tests on!
- you might also want to reach out to `#nixos` or `#nixos-aarch64` on IRC @ freenode, there are certainly more skilled people than me that can help you out!
Hope that helped! Keep me posted and thanks again for contributing and using this.
Have a good day!
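An added example, not part of the thread or of this repository: a small pre-deployment check that flags a configuration file which still references the installer modules named in the reply above. The function name `audit_nixos_config` and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag installer-only modules that a
# NixOS configuration pulls in. Module names are the ones linked above.
INSTALLER_MODULES='installation-device.nix sd-image-aarch64.nix sd-image-raspberrypi4 profiles/base.nix'

# audit_nixos_config FILE  (hypothetical helper name)
# Prints one line per installer module referenced outside '#' comments.
# Returns 0 if clean, 1 if any installer module is referenced, 2 if unreadable.
# Limitation: /* ... */ comments and transitive imports are not resolved.
audit_nixos_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read: $cfg" >&2; return 2; }
    stripped=$(sed 's/#.*$//' "$cfg")   # drop '#' line comments
    found=0
    for mod in $INSTALLER_MODULES; do
        if printf '%s\n' "$stripped" | grep -F -q -- "$mod"; then
            echo "installer module referenced: $mod"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample input: an image-builder style config and a system config.
demo_dir=$(mktemp -d)
cat > "$demo_dir/installer.nix" <<'EOF'
{ ... }: {
  imports = [
    <nixpkgs/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix>
  ];
}
EOF
cat > "$demo_dir/system.nix" <<'EOF'
{ ... }: {
  # imports = [ <nixpkgs/nixos/modules/profiles/installation-device.nix> ];
  imports = [ ./hardware-configuration.nix ];
}
EOF

for f in "$demo_dir/installer.nix" "$demo_dir/system.nix"; do
    audit_nixos_config "$f" || echo "-> $f is not suitable as a system configuration"
done
```

Because `sd-image-aarch64.nix` itself requires `profiles/base.nix` and `installation-device.nix`, a hit on the first implies the other two even when they are not listed in the file being checked.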
I was able to get this to work by using a systemd service to copy the `configuration.nix` and run `nixos-rebuild switch`. You can inspect the script and surrounding setup here:
https://github.com/dfrankland/nixos-rpi-sd-image/blob/50bee6fe136daf5450323f154695348cb49de831/nixos-rpi-sd-image/sd-image-init.nix
Hey @dfrankland, thank you for reaching out! I've taken a look at the whole repository and it looks gorgeous, very well done! Wish I knew of `nixos-generators` when I made this! 😄
I'll look into adding a section in the README mentioning the work you've done -- perhaps one day I'll have the time to add support for something like that natively here, but for now I think that should suffice!