> Something that is genuinely terrifying to set up to me is GitLab. It just has too many moving parts. To deploy it with NixOS, I have this in my configuration:
To me, my first thought is to always deploy applications through containers (Podman + Systemd is my personal preference).
I see this as at least some isolation. I know containers are not a foolproof security system, but it is at least some other layer, simple to deploy elsewhere, etc.
Is there a reason to prefer running something "natively" in Nix over just using containers? Is Nix giving me anything if I mostly deploy containers? My servers are bootstrapped via pyinfra, and generally I just need to set up ssh, wg and a container runtime, so config drift isn't really much of an issue.
You can run containers on NixOS (also through systemd) and get the same benefits explained in this article. NixOS supports both Podman and Docker as a runtime. There is also the option to run native NixOS containers. See: https://nixos.wiki/wiki/NixOS_Containers.
This is what I'm using. I've written a module for Podman pods (which behave a bit like docker-compose stacks, though with a bit less powerful networking).
You can also run NixOS containers[1] - so you have a "real" NixOS configuration for your service that is still separated from the rest of the system via systemd-nspawn.
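The two container routes mentioned in the comments above, as an added example that is not code from any commenter: a Podman-backed container declared through NixOS's `virtualisation.oci-containers` options (managed as a systemd unit), and a declarative NixOS container run under systemd-nspawn with its own NixOS configuration. The image name, addresses and paths are assumptions chosen for illustration.

```nix
{ config, pkgs, ... }:
{
  # Route 1: an OCI container run by Podman, wrapped in a systemd unit by NixOS.
  virtualisation.podman.enable = true;
  virtualisation.oci-containers = {
    backend = "podman";
    containers.webapp = {
      image = "docker.io/library/nginx:1.27";   # assumed image tag
      ports = [ "127.0.0.1:8080:80" ];           # bind to loopback only
      volumes = [ "/var/lib/webapp:/usr/share/nginx/html:ro" ];  # read-only content mount
    };
  };

  # Route 2: a NixOS container (systemd-nspawn) with a real NixOS config inside.
  containers.webapp-native = {
    autoStart = true;
    privateNetwork = true;                  # own network namespace, veth to host
    hostAddress = "192.168.100.10";         # assumed addresses
    localAddress = "192.168.100.11";
    config = { config, pkgs, ... }: {
      services.nginx.enable = true;         # the upstream NixOS module, with its defaults
      networking.firewall.allowedTCPPorts = [ 80 ];
      system.stateVersion = "24.05";        # assumed release
    };
  };
}
```

Both end up as systemd units on the host (`podman-webapp.service` and `container@webapp-native.service`), so `systemctl status` and `journalctl -u` work the same way for either. The nspawn route is the one that keeps NixOS module options (and their hardening defaults) available inside the isolation boundary.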
Regarding the linked page about containers: a major gripe of mine is when people make content which includes "don't do this part in production!" - but then never bother to explain what the production equivalent is. If it's out of scope for your guide then fine, but at least provide some keywords and links.
The big advantage of using nix modules to run a service is they usually work out of the box, with sane/secure/reasonably production ready defaults. Similar to why you might choose to use a Helm chart to deploy to a k8s cluster. Quality of modules varies greatly, though, depending on their popularity.
Common services usually have undergone some amount of hardening as well, so you probably aren't giving up much in terms of security vs. containers. Again, your mileage varies tremendously depending on the package, so I do strongly recommend reading the source of the nix module if security is a concern.
I also find that consulting the nix source for a service lets me quickly understand the different pieces that go into a deployment - this may not be an advantage to you if you aren't inclined to dive into nixpkgs source on the regular.
Finally, if you are at all bought in to Nix/NixOS then you will greatly appreciate being able to configure your services using module options that have already been created. You can also run docker containers in NixOS, but you'll experience quite a lot of friction if you want to expose service configuration as nix options. Using an existing NixOS module means someone else has done that work for you.
In addition to what was already said: systemd exposes (some of?) the same isolation features that are used by podman et al. to its services as well. This can go as far as making the service's software see only its state directory and nothing else, for example. DynamicUser is also a pretty cool feature in that realm. Some of the NixOS modules use these features to provide isolation for the services they define. In my experience these features are used much more extensively in NixOS than in other distributions.
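The systemd sandboxing described in the comment above, as an added example that is not from any commenter or NixOS module: a native systemd service in a NixOS configuration that runs as a transient user (`DynamicUser`), owns only its `StateDirectory`, and sees a read-only view of the rest of the filesystem. The service name and the command it runs are hypothetical placeholders.

```nix
{ config, pkgs, ... }:
{
  systemd.services.myservice = {
    description = "Hypothetical service with systemd sandboxing";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      # Placeholder workload: serves files from its own state directory.
      ExecStart = "${pkgs.python3}/bin/python3 -m http.server --directory /var/lib/myservice 8080";

      # Identity and writable state: a UID/GID allocated at start, and
      # /var/lib/myservice created and owned by that user.
      DynamicUser = true;
      StateDirectory = "myservice";

      # Filesystem view: everything read-only except StateDirectory and friends.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      UMask = "0077";

      # Privilege and kernel surface reduction.
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";                 # drop every capability
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
    };
  };
}
```

After a rebuild, `systemd-analyze security myservice.service` prints a per-directive exposure score for the unit, which is a quick way to see what a NixOS module's defaults actually enable before and after you add options like these. Note that with an empty `CapabilityBoundingSet` the service cannot bind ports below 1024; a service that needs that would add `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]` and list the same capability in the bounding set rather than relaxing the rest.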