1. 37
  1. 7

    Thanks for sharing. Similarly, I’ve been using deploy-rs to deploy Flake-based configurations to my own low powered devices (PCEngines APU, RPi). Works really well!

    1. 2

      Nice, thank you! I haven’t taken the time to grok flakes yet but I’ll be sure to take a look at deploy-rs when I do. It might take me a while though…

      1. 1

        I only spent an afternoon or two with deploy-rs (had been quite new to Nix in general), and enjoyed it, but didn’t need multiple profiles and found it to be a bit slow. Secret management did not seem to be included either, so that would require an extra tool, and while hacking on that, I found https://github.com/zhaofengli/colmena, which I have been using since. It’s still a prototype officially but works well for me.

        1. 1

          For secrets management, agenix (or ragenix) seems to be the best option for me since I can push the secrets to the public repository. Still, it’d be nice to have features of both agenix and deploy-rs in a standard tool like NixOps.

          1. 2

            colmena has support for secrets included. One can even specify custom commands, which I use together with pass with great pleasure :)

            1. 0

              That’s neat. I assume that keyCommand is executed on the local machine instead of the deployment target (though I couldn’t find it in the docs). Agenix, on the other hand, decrypts secrets using the target’s SSH host key at activation time. Both approaches make sense, I’m just more comfortable with the agenix way—“stateless” encrypted secrets in the Nix store so I can roll back secrets along with the system configuration.

              I also like that deploy-rs uses flake’s nixosConfigurations output, meaning that I can use plain nix for local deployments. Is it possible to do something similar with colmena-based configuration?

              1. 1

                Yes, key command is executed locally - which I personally prefer for my use case but does not allow for unattended reboots - that could be regarded as a limitation or a feature depending on the project.

                > Is it possible to do something similar with colmena-based configuration?

                Yes, colmena uses NixOS modules like anything else, but does not use nixosConfigurations, so one needs a smallish wrapper to support both nixosConfigurations and colmena in the same flake. I could try to polish mine a bit and publish it, but haven’t done so yet because I am still new to nix so there might be better ways to do so ;)

                1. 1

                  Ouch, doesn’t look like colmena supports automatic rollbacks for borked configurations. https://reddit.com/comments/kgj6ir/_/gggcmyo

                  That’s an absolute deal breaker for me since I tend to tinker with network configs way more than I probably should.

        2. 5

          I’ve been simply doing

          nixos-rebuild switch --flake ~/Documents/dotfiles#machine-1 --target-host machine-1 --build-host localhost

          For building on my local machine, and deploying/upgrading 4 other machines (to save on bandwidth mostly) without a problem for several months. What benefit does nixops provide over the above? The article emphasises “build in local deploy on remote”, but that doesn’t seem to be an issue with nixos-rebuild itself.

          I am kinda new to Nix, so if I need to do some reading to understand this I’ll appreciate some links (as opposed to digging into nixops head first; skimming through the first few pages of docs didn’t enlighten me much).

          1. 1

            Probably nothing? I’m not great at Nix myself and you probably just have a better understanding of it :)