Case Study: Conference Arcade Machine

At Cyberus Technology, we developed a custom arcade machine to showcase our expertise at conferences and trade shows. This system runs a simple game on CTRL-OS and serves as an excellent demonstration of CTRL-OS benefits in practice.

Cyberus arcade machine at a conference

Creating a secure & maintainable Conference Demonstrator with NixOS

Our arcade machine travels to conferences throughout the year, requiring security updates before each event. However, NixOS 24.05 is no longer maintained, leaving the system without any security patches. This makes it an ideal candidate for CTRL-OS, which provides:

  • Continued security updates for unmaintained NixOS versions
  • Minimal maintenance overhead
  • Consistent, reliable deployments

From NixOS to CTRL-OS (and SBOM generation)

The arcade machine runs on x86 hardware with Sway as the window manager and a game that starts automatically at boot. The original configuration used standard NixOS packages:

{
  description = "NixOS configuration of the arcade machine";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
  };

  outputs = { nixpkgs, ... }: {
    nixosConfigurations = {
      "arcade" = nixpkgs.lib.nixosSystem {
        modules = [
          ./nixos/configuration.nix
          ./nixos/hardware-configuration.nix
        ];
      };
    };
  };
}

Migrating to CTRL-OS required only a single change - updating the Nixpkgs input to use the CTRL-OS release channel:

{
  description = "NixOS configuration of the arcade machine";

  inputs = {
    nixpkgs.url = "https://channels.ctrl-os.com/channel/ctrlos-24.05.tar.xz";
  };

  outputs = { nixpkgs, ... }: {
    nixosConfigurations = {
      "arcade" = nixpkgs.lib.nixosSystem {
        modules = [
          ./nixos/configuration.nix
          ./nixos/hardware-configuration.nix
        ];
      };
    };
  };
}

The migration is complete! With this single change, the arcade machine now receives security updates through CTRL-OS 24.05. It no longer runs on the unmaintained NixOS 24.05 base.

CTRL-OS covers security updates for the release-small (or nixos-minimal) NixOS package set as well as additional packages supported for paying customers. To receive updates for our system, we need to send its SBOM to Cyberus so that its packages are included in the package set supported by CTRL-OS.

Let's include the required tools:

{
  description = "NixOS configuration of the arcade machine";

  inputs = {
    nixpkgs.url = "https://channels.ctrl-os.com/channel/ctrlos-24.05.tar.xz";
    nix-sbom-helper.url = "github:cyberus-technology/nix-sbom-helper";
  };

  outputs = { self, nixpkgs, nix-sbom-helper, ... }: {
    nixosConfigurations = {
      "arcade" = nixpkgs.lib.nixosSystem {
        modules = [
          ./nixos/configuration.nix
          ./nixos/hardware-configuration.nix
        ];
      };
    };
    sboms = nix-sbom-helper.sbomsForFlakeOutputs self;
  };
}

With the nix-sbom-helper tooling, the SBOMs can be built:

 $ nix build .#sboms.nixosConfigurations.arcade
[...]
 $ ls -l result/
total 9304
-r--r--r-- 2 root root 3034413 Dec 31  1969 eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-nixos-system-ctrlos-YY.MM.yyyymmdd.dirty.cdx.json
-r--r--r-- 2 root root 1007169 Dec 31  1969 eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-nixos-system-ctrlos-YY.MM.yyyymmdd.dirty.csv
-r--r--r-- 2 root root 5482030 Dec 31  1969 eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-nixos-system-ctrlos-YY.MM.yyyymmdd.dirty.spdx.json
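
To review what the channel switch changed at the package level, the CycloneDX files (`*.cdx.json`) built before and after the migration can be compared. The following is an added example, not part of nix-sbom-helper or the original page; it assumes only the standard CycloneDX `bomFormat` and `components` fields (`name`, `version`, optional nested `components`), and the two sample SBOMs and their package names are constructed.

```python
import json
from collections import defaultdict

def _walk(components):
    """Yield every component, including nested ones."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))

def load_components(cdx_text):
    """Return {name: set(versions)} for a CycloneDX JSON document."""
    doc = json.loads(cdx_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    found = defaultdict(set)
    for comp in _walk(doc.get("components", [])):
        if comp.get("name"):
            # A Nix closure can contain one package in several versions.
            found[comp["name"]].add(comp.get("version", ""))
    return found

def diff_sboms(old_text, new_text):
    """Classify components as added, removed or changed between two SBOMs."""
    old, new = load_components(old_text), load_components(new_text)
    diff = {"added": {}, "removed": {}, "changed": {}}
    for name in sorted(set(old) | set(new)):
        before, after = sorted(old.get(name, ())), sorted(new.get(name, ()))
        if not before:
            diff["added"][name] = after
        elif not after:
            diff["removed"][name] = before
        elif before != after:
            diff["changed"][name] = (before, after)
    return diff

# Constructed sample SBOMs (not real output of nix-sbom-helper).
OLD_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "libfoo", "version": "1.0.0"},
    {"type": "application", "name": "arcade-game", "version": "0.3",
     "components": [{"type": "library", "name": "libbar", "version": "2.1"}]},
    {"type": "library", "name": "oldtool", "version": "5.2"}]})
NEW_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "libfoo", "version": "1.0.1"},
    {"type": "application", "name": "arcade-game", "version": "0.3",
     "components": [{"type": "library", "name": "libbar", "version": "2.1"}]},
    {"type": "library", "name": "newtool", "version": "1.0"}]})

if __name__ == "__main__":
    print(json.dumps(diff_sboms(OLD_SBOM, NEW_SBOM), indent=2))
```

A `changed` entry for a package that was expected to stay untouched is worth checking before the machine goes to the next event.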

Cyber Resilience Act Compliance & Security Improvements

Without CTRL-OS, we have three options:

  • Remain vulnerable to any CVEs discovered since November 2024. This is not an option for the European market because the Cyber Resilience Act (CRA) requires fixing any vulnerabilities in products on the market.
  • Update all packages ourselves. This may be feasible for smaller projects, but requires multiple engineering days a month to classify CVEs, implement, and test updates.
  • Upgrade to a newer NixOS release. Again, this requires engineering effort to implement and test the upgrade. Certified use-cases often require an additional re-certification.

The migration to CTRL-OS provided immediate security benefits by addressing multiple vulnerabilities that would otherwise remain unpatched. Dependency-Track can compare the vulnerabilities of the arcade system on NixOS 24.05 and on CTRL-OS 24.05. Our switch to CTRL-OS reduces the number of CVEs to 1. A fix for the remaining CVE is in progress in the upstream library and will be included in CTRL-OS once it is released.

                                    NixOS 24.05   CTRL-OS 24.05
Critical Severity Vulnerabilities   14            0
High Severity Vulnerabilities       40            0
Medium Severity Vulnerabilities     36            1
Low Severity Vulnerabilities        5             0
Unassigned Vulnerabilities          0             0

Note that CVE data accuracy is inherently challenging. We manually filtered our data sources for false positives and CVEs that do not apply to this use-case. The table demonstrates how many CVEs have added up in the 10 months since support for NixOS 24.05 officially ended. While this table may not be perfectly accurate, it provides a good overview for a real-world use-case.

CVE-2025-8114 remains open in CTRL-OS because there is no upstream fix available at this point.

Enabling long-term secure NixOS Systems with CTRL-OS

Migration Benefits

  • Single-line configuration change (Nixpkgs input URL)
  • Zero downtime during migration
  • All existing functionality & certifications preserved
  • Continued security maintenance for unmaintained NixOS versions

While upgrading to a newer NixOS version would also provide security updates, this approach is often impractical for certified systems that require expensive re-certification after major version changes. CTRL-OS solves this problem by providing security updates within the same NixOS version, eliminating certification concerns.

This case study demonstrates how CTRL-OS enables organizations to maintain secure, up-to-date NixOS systems with minimal operational overhead - particularly valuable for certified systems where version upgrades are cost-prohibitive.