(2024-11-18) Let's put Nix into a Pubnix (feat. nix-portable)
-------------------------------------------------------------
The concept of Pubnixes is very common among the current generation of Gopher
users. Pubnixes are public access shared servers running Unix-like (usually
Linux or BSD) systems and offering shell accounts to users, either for free
or at extremely low prices. They are great for those who can't afford or
just don't need a VPS for their cloud shell activity. Sometimes they also
are called "tildes", hence the name Tildeverse. In general, you are given a
limited user account (although some projects like segfault.net will give you
an isolated root account) and a limited amount of software packages
available for you to run. One of the Pubnixes called Project Segfault (that
sounds terribly similar but has no relation to the segfault.net) gives you a
limited account but offers a Nix package manager to install packages in your
local environment only. I thought: why not try and achieve the same in all
other tildes that don't have Nix available or exposed to your user? Luckily,
there already is a project to ease your life in such a case.

Enter nix-portable ([1]). This is a self-contained binary that offers
everything you need to run a fully isolated Nix package environment under
limited user privileges. It's a rather large file because everything is
built statically inside, but that makes it fully independent from the
underlying distribution and it will work on any Pubnix as long as it runs
Linux on an x86_64 or aarch64 architecture and gives you a large enough disk
quota (do not even attempt to try this out if your quota is under 512 MB: as
an example, I got banned on one shell provider for instantly overquoting its
100 MB with this tool). You may try building nix-portable for other
architectures and platforms as well, I didn't try yet. Anyway, after
downloading the file you just make necessary symlinks (as nix, nix-env and
nix-shell) and you're all set, just specify the packages in shell.nix and
run ./nix-shell. To ease the process, I've created a simple shell script:

#!/bin/sh
WORKDIR=$PWD
echo "Setting up nix-portable in $WORKDIR..."
NIXBIN=$WORKDIR/nix-portable
RELEASEURL=https://github.com/DavHau/nix-portable/releases/latest
curl -L $RELEASEURL/download/nix-portable-$(uname -m) > $NIXBIN
chmod +x $NIXBIN
ln -s $NIXBIN $WORKDIR/nix
ln -s $NIXBIN $WORKDIR/nix-shell
ln -s $NIXBIN $WORKDIR/nix-env
# setup the shell file in the same working directory
echo "Setting up shell.nix in $WORKDIR..."
cat <<EOF > $WORKDIR/shell.nix
let pkgs = import <nixpkgs> {};
in pkgs.mkShell {
 nativeBuildInputs = with pkgs; [
   # list all the Nix packages you need here
 ];
}
EOF
echo "All set, run ./nix-shell and enjoy!"
echo "Edit the package list in ./shell.nix if you need anything else"

After you've run this script and see the nix-portable binary and
corresponding symlinks, you can run ./nix-shell and wait until you end up
being in a Bash prompt with the "nix-shell" as a user name (although in fact
the current user won't change, i.e. the whoami output will be the same as
the user you've run ./nix-shell from). The first run is going to be rather
long as nix-portable will download and setup all the necessary dependencies
and directory structures. Afterwards though, you can edit the shell.nix file
and the next ./nix-shell run will just download and install the new packages
you've added there.

Ironically, I have first successfully used this approach on a root-enabled
Pubnix, as the systemwide package changes you make there are not persistent
across sessions (it's running in a container) but the changes made to your
home directory are. However, it really doesn't matter which user you're
running nix-portable as. In fact, the more limited it is, the more benefit
you get from this kind of setup. One note of warning: it's not a full chroot
(or rather proot in this case) and sometimes the commands can interfere with
the same command from the outer system, so you need to check your current
$PATH to make sure the necessary binaries are loaded. I.e. if the outer
system offers tmux, you'll have a better luck running tmux on the host and
the nix-shell inside it. If it doesn't though, nothing prevents you from
adding tmux package into your Nix environment.

Now, to close it all off, are there any personal free shell account
recommendations of mine? Well, from my own experience, most of them require
you to get a manual approval, write an email, fill out Google Docs forms
(can you believe that?), submit a PR, hang out in IRC channels or go through
all other circles of humiliation (in some cases, it even goes as far as
having to mail a physical postcard!) in order to get an account. There are,
however, a few I can think of which offer decent levels of freedom and
automated signup with no wait or hassle.

* The aforementioned segfault.net ([2]) looks like the best choice so far:
 - no email or password required;
 - no SSH key required (you get a secret env variable that you need to save)
although you can save it if necessary;
 - has fair terms of usage (you can keep your background services running
within 36 hours of your last logout);
 - runs Kali Linux with a lot of pentesting tools pre-installed;
 - routes traffic through three different VPNs;
 - provides you with a (containerized) root account.
* hashbang.sh is a more traditional approach to Pubnixes:
 - no email or password required (only your username and public SSH key);
 - you have to figure out the correct way to register by yourself, but it
just boils down to two REST API calls ([3]);
 - provides you with a limited Linux account, an email account
([email protected]) and a lot of pre-configured stuff.
* ...suddenly, deepnote.com:
 - not a Pubnix per se but offers a free plan with 2 AMD EPYC cores and 5GB
RAM;
 - requires a Google or GitHub account to register;
 - the SSH shell can be obtained via tmate.io from a terminal (that can be
added to the project) like this:
   wget
https://github.com/tmate-io/tmate/releases/download/2.4.0/tmate-2.4.0-static-
inux-amd64.tar.xz \
     && tar xJvf tmate-2.4.0-static-linux-amd64.tar.xz \
     && tmate-2.4.0-static-linux-amd64/tmate -F
   or from a Jupyter notebook by prepending ! to the above command.

I have personally tested my nix-portable setup script on all the shells
listed above, so that you know that it works with no issues whatsoever
there. Well, as of now, you know hot wo have fun with Nix packages on
limited systems, and where to have fun with them. So, have fun!

--- Luxferre ---

[1]: https://github.com/DavHau/nix-portable
[2]: the instructions are available at https://www.thc.org/segfault
[3]: really, just read the website's source code, it's... unusual

You are viewing proxied material from hoi.st. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.