Reproducible and Immutable OS Images with NixOS

https://media.ccc.de/v/all-systems-go-2024-251-reproducible-and-immutable-os-images-with-nixos Many consider NixOS a great tool for declarative definition of their OS, but only few know about its capabilities for Image-based Linux. NixOS offers the tools to combine modern technologies such as discoverable disk images (DDIs), unified kernel images (UKIs), and TPM-based measured boot for transforming declarative configurations into security-focused and immutable OS images for both the server and the desktop. This talk showcases how we build such reproducible and immutable DDIs with NixOS, and how ukify, systemd-repart, dm-verity and measured boot are involved in that process. We will also briefly cover the support of SecureBoot in NixOS through the Lanzaboote project, and what else is yet to come for image-based NixOS. Moritz Sanft https://cfp.all-systems-go.io/all-systems-go-2024/talk/MRDURE/ #asg2024 Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/