pdtpartners / nix-snapshotter

Brings native understanding of Nix packages to containerd
MIT License

rootless setup with home-manager fails #118

Closed msackman closed 6 months ago

msackman commented 6 months ago

Running NixOS 23.11, with home-manager.

The following additions to home-manager work fine:

    imports = [
      nix-snapshotter.homeModules.default
    ];
    nixpkgs.overlays = [ nix-snapshotter.overlays.default ];
    virtualisation.containerd.rootless = {
      enable = true;
      nixSnapshotterIntegration = true;
    };

However, when I attempt the final change (and nixos-rebuild switch):

    services.nix-snapshotter.rootless = {
      enable = true;
    };

I get the error `error: nix-snapshotter cannot be found in pkgs`

I've tried this both with and without flakes enabled at the nixos level, and the error is the same.

Curiously, removing the problematic final change above, and adding `home.packages = with pkgs; [ nix-snapshotter ]` does not give an error. So clearly `pkgs` is being correctly extended with nix-snapshotter, but for some reason it's not appearing for `services.nix-snapshotter.rootless`.

Any thoughts?

elpdt852 commented 6 months ago

@msackman Do you have your nix files somewhere and a branch / commit I can reproduce this on? Preferably a flake.

elpdt852 commented 6 months ago

Could it be this? https://discourse.nixos.org/t/module-make-overlay-changed-pkgs-available-to-home-manager/26723/2

elpdt852 commented 6 months ago

I managed to reproduce this but unsure if it's your exact scenario.

If `home-manager.useGlobalPkgs = true` then you should apply the overlay to NixOS instead of home-manager. Otherwise, if `home-manager.useGlobalPkgs = false`, then applying the overlay to home-manager via `nixpkgs.overlays` should work.

msackman commented 6 months ago

That's amazing sleuthing there - you're absolutely right - I have `useGlobalPkgs = true`. Thank you for your time and help.

As you suggest, by adding the imports and overlays to nixos, I've been able to make it all happy.

Is there any real difference to enabling these features at the nixos level rather than home level? I'm thinking in terms of users that can access the services, or the users under which the services run etc etc - any real difference in security provided?

Currently, in order to keep the service only defined in my home, I have the imports and overlays at nixos level, and then the imports and services at home level. This does appear to work, but it's certainly not something you've suggested in the docs, and I'm wondering whether there's any real advantage to this anyway?

elpdt852 commented 6 months ago

If you are running a production server, I’d recommend running the non-rootless version at the NixOS level. Rootless mode is still in its early stages, but seems to be at the point where I can daily drive it on my laptop.

For personal use, if you don’t use home manager then I’d recommend the NixOS rootless services. If you do, then I recommend the Home Manager rootless services. The reason is that although rootless is less mature, it is the more secure mode as the container runtime runs as an unprivileged user. If something exploits a container escape mechanism they only escape as a regular user rather than root.

See https://rootlesscontaine.rs/ for more details.

In your case, since you use both NixOS & Home Manager, I’d recommend applying the nix-snapshotter overlay at the NixOS level & using the Home Manager rootless services.

I don’t think you need the NixOS import, only NixOS overlay and Home Manager import & service enabled.
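The layout recommended above (overlay at the NixOS level, Home Manager import and rootless services in the user's config), written out as an added example flake that is not part of the nix-snapshotter project or this thread. Assumed: input names `nixpkgs`, `home-manager` and `nix-snapshotter`, the flake URL for nix-snapshotter, hostname `laptop`, user `alice`, and `x86_64-linux`.

```nix
# Added example (not from the nix-snapshotter project): minimal flake showing
# where the overlay and the rootless services go when
# home-manager.useGlobalPkgs = true.
# Assumed: input names, hostname "laptop", user "alice", x86_64-linux.
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    home-manager.url = "github:nix-community/home-manager/release-23.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    # Assumed flake URL for the repository discussed in this issue.
    nix-snapshotter.url = "github:pdtpartners/nix-snapshotter";
  };

  outputs = { nixpkgs, home-manager, nix-snapshotter, ... }: {
    nixosConfigurations.laptop = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        home-manager.nixosModules.home-manager
        {
          # With useGlobalPkgs, Home Manager reuses the system `pkgs`, so the
          # overlay must be applied here. An overlay set only in the Home
          # Manager module is ignored, which is why `nix-snapshotter` was
          # missing from `pkgs` in the original report.
          nixpkgs.overlays = [ nix-snapshotter.overlays.default ];
          home-manager.useGlobalPkgs = true;

          home-manager.users.alice = {
            # The Home Manager module import and the rootless services stay in
            # the user's config; no NixOS-level nix-snapshotter import is needed.
            # containerd and nix-snapshotter then run as `alice`, not root.
            imports = [ nix-snapshotter.homeModules.default ];
            virtualisation.containerd.rootless = {
              enable = true;
              nixSnapshotterIntegration = true;
            };
            services.nix-snapshotter.rootless = {
              enable = true;
            };
            home.stateVersion = "23.11";
          };
        }
      ];
    };
  };
}
```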

msackman commented 6 months ago

> I don’t think you need the NixOS import, only NixOS overlay and Home Manager import & service enabled.

You are absolutely right.

Many thanks for your advice.