Hi all Nix experts,
I recently started using nix to manage my dev environment on my immutable distro, and I need some help.
I was wondering, if I am using a large package like TexLiveFull, how to make sure nix doesn’t delete large packages after I close the shell? I also don’t want this package to be available in my global environment, as I don’t need to use it outside vscode.
Another question is how to keep my packages up-to-date. I don’t do serious development work, thus I typically prefer my packages and dev-tools to be on the latest version. I prefer to have as little management of this as possible. Ideally, every time I start up a nix shell, the package manager will grab the latest version of the package if possible without requiring additional interaction from me. Is this possible?
Finally, is there any way to bubblewrap programs installed by nix to only access the file within the starting path of the shell? I don’t imagine this is possible, but it would definitely be nice if nix has some security feature like this.
Thanks in advance for your help! I understand parts of this post might be ridiculous. I am still new to nix. Please correct me if I am not using nix in the “correct” way.
Definitely sounds like you should look into using https://direnv.net/. Once you direnv allow the directory, as soon as you enter the directory it will create per-project isolated development environments. Then in the .envrc file you could have something like:
    nix flake update
    use flake
If you’re using nix flakes, which also implies you’re using git.
However, without flakes you could use a tool like:
And run their update command from the .envrc
Or if you don’t want to use direnv, then perhaps run an update command from the nix shellHook.
Sorry, I’m not sure about your last question.
Edit:
If you’re using git and a forge like GitHub, then you could use a GitHub action to automate the update and create a PR. Such as a GH action like https://github.com/DeterminateSystems/update-flake-lock
Personally, for projects I use direnv + flakes and that GitHub action above, but I can understand if you don’t want to mess with learning git.
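On the bubblewrap question in the original post, one possible shape of such a wrapper, as an added example that is not part of either post: it runs a command-line program under bwrap with /nix read-only and only the project directory writable. The function name `sandbox` and the `SANDBOX_DRY_RUN` variable are made up for this sketch, and it assumes the program and all of its dependencies live under /nix/store.

```shell
# Added example, not from the thread. "sandbox" and SANDBOX_DRY_RUN are
# hypothetical names; assumes everything the program needs is in /nix/store.
# usage: sandbox PROJECT_DIR PROGRAM [ARGS...]
sandbox() (
    [ "$#" -ge 2 ] || { echo "usage: sandbox DIR PROGRAM [ARGS...]" >&2; exit 2; }
    project=$1; shift
    [ -d "$project" ] || { echo "not a directory: $project" >&2; exit 1; }
    # Resolve symlinks so the bind mount targets the real location.
    project=$(cd "$project" && pwd -P)
    # Refuse directories that would expose far more than one project.
    case "$project" in
        /|"${HOME:-/nonexistent}"|/nix|/nix/*)
            echo "refusing to expose $project" >&2; exit 1 ;;
    esac
    # Build the argument vector in the positional parameters (POSIX sh has
    # no arrays). The sandbox root starts empty: nothing outside /nix and the
    # project is visible, and --unshare-all also removes network access
    # (add --share-net after it if the tool has to fetch something).
    set -- bwrap \
        --unshare-all --die-with-parent --new-session \
        --ro-bind /nix /nix \
        --dev /dev --proc /proc --tmpfs /tmp \
        --bind "$project" "$project" \
        --chdir "$project" \
        --setenv HOME "$project" \
        -- "$@"
    if [ -n "${SANDBOX_DRY_RUN:-}" ]; then
        printf '%s\n' "$@"   # one argument per line, for inspection
    else
        exec "$@"
    fi
)
```

Setting `SANDBOX_DRY_RUN=1` prints the bwrap arguments instead of running them, which makes it easy to review exactly what the sandbox will expose before relying on it.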