There is a similar question on the site which must not be named.
My question still has a little different spin:
It seems to me that one of the biggest selling points of Nix is basically infrastructure as code. (Of course being immutable etc. is nice by itself.)
I wonder now, how big the delta is for people like me: All my desktops/servers are based on Debian stable with heavy customization, but 100% automated via Ansible. It seems to me, that a lot of the vocal Nix user (fans) switched from a pet desktop and discover IaC via Nix, and that they are in the end raving about IaC (which Nix might or might not be a good vehicle for).
When I gave Silverblue a try, I totally loved it, but then to configure it for my needs, I basically would have needed to configure the host system, some containers and overlays to replicate my Debian setup, so for me it seemed like too much effort to arrive nearly at where I started. (And of course I can use distrobox/podman and have containerized environments on Debian w/o trouble.)
Am I missing something?
Another aspect I like about Nix compared to what I understand from Ansible (which I used a bit but not much) is that your configuration describes your system without any hidden state. Yes, you only get your dependencies through full evaluation, but what I mean is this: Let’s say you install something on a system, i.e. you add it to your list of packages, which you later remove. To my knowledge, Ansible won’t remove the package if not explicitly asked. However, if you explicitly tell Ansible to not have it installed, what happens if that package is later introduced as a dependency?
Ansible will always operate on a stateful system, which is kind of the combination of what others have already mentioned – it’s idempotent and there’s no hidden state that will break something down the way.
Ansible works on tasks, and to your hypothetical there, if you have a task that calls the package manager to put a package in the state ‘absent’, but it is another package’s dependency, it will have little to do with ansible, and just follow the package manager’s behaviour. (Up to some details. Like for ‘apt’, ansible runs the command with ‘-y’, which has a little different behaviour than just removing the interaction part and assuming yes). If the package manager removes the depending package, and your playbook has first a task that installs it, then a taks that removes the dependency, you will always get ‘changed’ on both tasks everytime you run the playbook, even if your playbook puts the machine in the same state as before.