Ensuring Update Survival on Unattended Systems with NixOS

"But it works on my machine!"
"Well, then let's ship your machine!"
– an old joke about Docker

Maintaining unattended systems requires confidence that updates won't render them inoperable. While mirroring the client and test environments might seem like the solution, achieving true parity can be incredibly challenging. Discrepancies in module versions, configuration errors, and other unforeseen issues can easily arise.

NixOS offers a robust solution to this problem through its declarative configuration approach. At its core, NixOS relies on two key files: `flake.nix` and `flake.lock`.

  • `flake.nix`: This file defines the system's desired state, outlining software packages, system services, and configurations.
  • `flake.lock`: This file acts as a snapshot, capturing checksums for all dependencies and source code used to build the system.

This combination ensures reproducible builds. By replicating the `flake.nix` and `flake.lock` files on the target system, you guarantee a bit-for-bit identical environment, eliminating the risk of inconsistencies and ensuring update survival.

While it is technically possible to keep the entire system configuration within these two files, NixOS allows the configuration to be split into modules for practicality and convenience. The fundamental principle remains the same, however: builds pinned by `flake.nix` and `flake.lock` are reproducible, which provides a reliable foundation for unattended system updates.
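As an added illustration of the two-file setup described above (this is not the article's own configuration), here is a minimal `flake.nix` for one unattended host. The host name `kiosk-01`, the `nixos-24.05` branch and the `./hardware-configuration.nix` module are assumptions; running `nix flake lock` next to this file generates the `flake.lock` that pins the `nixpkgs` input to an exact revision and content hash.

```nix
{
  description = "Unattended host: everything that defines the system lives here";

  inputs = {
    # Only the branch is named here. The generated flake.lock records the
    # exact commit and narHash actually used, so every machine that checks
    # out the same flake.nix + flake.lock evaluates the same nixpkgs.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
  };

  outputs = { self, nixpkgs, ... }: {
    # Host name is an assumption; one entry per managed machine.
    nixosConfigurations.kiosk-01 = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        # Modular configuration: hardware details live in their own file
        # (assumed to exist next to flake.nix), still covered by the lock.
        ./hardware-configuration.nix

        ({ pkgs, ... }: {
          networking.hostName = "kiosk-01";
          services.openssh.enable = true;
          environment.systemPackages = [ pkgs.htop ];

          # Bake the flake's git revision into the built system so a running
          # host can be matched to the exact source it was built from
          # (nixos-version --json shows it). "dirty" flags uncommitted edits.
          system.configurationRevision = self.rev or "dirty";

          system.stateVersion = "24.05";
        })
      ];
    };
  };
}
```

With `flake.nix` and `flake.lock` committed together, `nix build .#nixosConfigurations.kiosk-01.config.system.build.toplevel` followed by `readlink result` yields the same store path on the test machine and on the target, because that path is derived from the pinned inputs rather than from whatever each host happened to have installed. A target that produces a different path has a different lock or a local modification, which is exactly the drift the article warns about.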