# Journey into the world of NixOS deployment tools

- author: Solène Rapenne, Tweag.io
- date: September 08, 2022

---

# Why does it matter?

- sysadmins enjoy NixOS on their workstation
- it can be intimidating to deploy on a server
- you can't use traditional tools like ansible, salt, puppet ...
- some sysadmins won't use NixOS because of this
- this hurts Nix adoption in general

---

# Comparison

https://github.com/nix-community/awesome-nix#deployment-tools

| Tool            | Active?    | Target             | Method                       | Notes                                                        |
|-----------------|------------|--------------------|------------------------------|--------------------------------------------------------------|
| pushnix         | no         | NixOS              | git push config + ssh + hook | run nixos-rebuild through a git hook upon receiving          |
| KubeNix         | no         | Kubernetes         | -                            | generate k8s resources, no documentation                     |
| KuberNix        | no         | Kubernetes         | -                            | broken with nixpkgs-unstable (2022-09-07)                    |
| Nixery          | yes        | Docker             | -                            | on the fly Docker images generator                           |
| nixos-shell     | not much   | Qemu VMs           | -                            | use NixOS on any platform with Nix, run a VM + mounts $HOME  |
| terranix        | yes        | Terraform          | -                            | use nix syntax and power of modules, translates to terraform |
| nixos-rebuild   | -          | NixOS              | local / remote               | base tool                                                    |
| autoUpgrade     | -          | NixOS              | local                        | module, auto reboot, reboot time window                      |
| terraform-nixos | not really | Cloud              | terraform + nixos            | declare cloud NixOS servers with terraform                   |
| krops           | yes        | NixOS              | ssh push config              | nix style wrapper around nixos-rebuild                       |
| Cachix deploy   | yes        | NixOS              | pull through an agent        | remote build, rollback, support per-profile, proprietary     |
| colmena         | yes        | NixOS              | ssh push / ssh push closure  | good documentation, can trigger a build remotely             |
| NixOps          | yes        | Cloud / VM / NixOS | API / SSH push closure       | automatically provision resources to match config / mgmt     |
| Morph           | yes        | NixOS              | SSH push closure             | batch deploy, health check                                   |
| NixUS           | yes        | NixOS              | SSH push closure             | rollback, automatic ssh key exchange between hosts           |
| deploy-rs       | yes        | NixOS              | ssh push closure             | can push profiles, rollback                                  |
| Bento           | yes        | NixOS              | pull over SFTP               | fleet tracking, async pull, rollback                         |

---

# Secret management

https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes

- the nix store is world readable, don't ever store secrets in it
- 4 schemes available
- with pros and cons
- may be specific to the tool (NixOps)

---

# Which one should you use?

"it depends"

---

# Recommendations per use case

## your workstation / autonomous management

- autoUpgrade
- nixos-rebuild

Requires a manual update every 6 months if using releases

## full cloud - full Nix

- NixOps: it can provision resources and help with remote management

## Remote servers (available 24/7)

- deploy-rs
- Morph
- Colmena

## Anything that isn't time sensitive

- Cachix deploy?
- Bento

---

# Why did I write Bento?

- I can't push gigabytes of data over a DSL line
- my computers are not always connected, so the push method doesn't work
- asynchronous is fun and challenging
- convinced NixOS is a good corporate OS
- fits a central management and many remote asynchronous systems
- easily bypasses firewalls
- can locally trigger an update using the web browser!

---

# Questions?