Background with Kicksecure

Last year, I set up my Monero Wallet with Kicksecure and was happy about it. This distro is really lightweight and easy to use. However, it failed completely after a recent upgrade, which was a major version leap from Debian 12 to 13.

It lost drivers, the desktop environment stopped working, and probably much more broke that I couldn’t discover because I was stuck in a login screen loop. After troubleshooting for a couple of hours, it turned out that all lightdm-related DEs are unusable, while GNOME and KDE are working.

I guess it is because the project is trying to move the default DE away from Xfce to LXQt; with that and the base system upgrade, too many unstable implementations crashed all together.

I can’t fix it and don’t want to switch DE as a workaround. I think the only easy fix would be a fresh install with the latest stable image and copying back my home folder.

However, to prevent it in the future, I’d either be more careful before doing every full upgrade by making a system backup, or switch to an atomic/immutable distribution which may handle this better, like NixOS, Secureblue and Guix. As someone who values stability over features, I’m not a typical distrohopper, but in the case of risk mitigation, I do change my system quite a lot, strategically.

These latest advancements do provide technical advantages, and traditional Debian-based distributions are too boring to work with. Another problem (at least for me) is that the development of Kicksecure is leaning more toward the Qubes-Whonix ecosystem as a specialized VM system rather than a bare-metal build. So, this time I decided to hop from Kicksecure to Secureblue as a pre-hardened alternative.

Some issues with Secureblue & Guix

The verification and installation of Secureblue is as simple as vanilla Fedora, which also comes with KDE. The secureblue team recommends Flatpak and Homebrew, which I don’t like so much; thankfully, with run0 and rpm-ostree, I can install virtually any Fedora package I wish.

To enable the RPM Fusion repos for a larger software pool, just run these in the terminal:

rpm-ostree install \
  https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
  https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

systemctl reboot

To enable a third-party repo and install software like Mullvad Browser, run in the terminal:

dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
rpm-ostree install mullvad-browser

After some testing, my ThinkPad loves secureblue very much, but it boots and runs very slowly on my very outdated ThinkCentre. Furthermore, the customized keymapping scripts for my Kensington trackball need X11, which is removed in Secureblue, so I have to move on to the next option for the ThinkCentre.

My tests on Guix went very well, as this distro supports even i686 hardware. However, the software pool of Guix is locked down to free software only. I like GNU’s idea and would like to follow it whenever possible. But for this use case, I want a less crippling system. Sorry.

Goodness of NixOS

My next boat is either Nonguix or NixOS. While I was testing Guix, I found out that the documentation of this project is significantly limited compared to NixOS, whether official or from the community.

For a better learning and troubleshooting experience, I decided to go with NixOS as my final hop of this journey.

To verify the image file, just run sha256sum nixos*.iso and compare the output to the latest .sha256 file.
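The comparison above as a fail-closed shell function, so a mistyped or skipped comparison cannot pass silently. This is an added example, not part of the original post; the function name verify_iso and the file names in its usage line are hypothetical.

```bash
# Added example: fail-closed SHA-256 check for a downloaded ISO.
# verify_iso and the file names in the usage line are hypothetical.
# Usage: verify_iso nixos.iso nixos.iso.sha256 && echo "safe to flash"
verify_iso() {
    local iso="$1" sumfile="$2" expected rest actual
    if [ ! -r "$iso" ] || [ ! -r "$sumfile" ]; then
        echo "verify_iso: cannot read image or checksum file" >&2
        return 2
    fi

    # A .sha256 file holds "<64 hex digits>  <file name>"; take the first field.
    read -r expected rest < "$sumfile" || true

    # Reject anything that is not exactly one SHA-256 digest, such as an HTML
    # error page or a truncated download saved under the checksum's name.
    case "$expected" in
        ""|*[!0-9a-fA-F]*) echo "verify_iso: malformed digest" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "verify_iso: malformed digest" >&2
        return 2
    fi

    # Hash the image and compare in lower case, since some sites publish upper case.
    actual="$(sha256sum "$iso" | cut -d' ' -f1)"
    expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
    if [ "$expected" = "$actual" ]; then
        echo "OK: $iso matches $sumfile"
        return 0
    fi
    echo "MISMATCH: $iso" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

A match shows the download is intact relative to the published digest; when the digest is fetched from the same server as the image, it does not show who published either file.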

Then use dd or Etcher to flash it onto a USB drive and boot it on the designated machine.

The graphical installer is very intuitive and super simple to complete. Their official documentation is extremely detailed so I don’t have to add anything to it.

Except for the steps that I took to allow one-click-to-run .AppImage files:

Just add the following content to the config file (sudo nano /etc/nixos/configuration.nix):

  programs.appimage = {
    enable = true;
    binfmt = true;
  };

Then run sudo nixos-rebuild switch to apply the changes, and that is it!

Searching for and installing packages using the official wiki is way faster than using the CLI. For example, I love to monitor my system status with btop/bpytop/bashtop; in their repo it’s btop.

There are many ways to install the application; use nix-shell -p btop to temporarily install it and try it out. This brings back memories of using Sandboxie on Windows, which was a very pleasant experience for many years, although these tools have different implementations.

For permanent installation, nix-env -iA nixos.btop is the traditional way, just like most distros. But editing /etc/nixos/configuration.nix is the recommended way, and that is the purpose of using this system.

NixOS boots and runs very fast, and I’ll update this post if there is a problem later when I do a full OS upgrade.