# Journey into the world of NixOS deployment tools

# Journey into the world of NixOS deployment tools

- author: - Solène Rapenne - Tweag.io
- date:
- September 08, 2022

---

# Why does it matter?

- sysadmins enjoying NixOS on their workstation
- it can be intimidating to deploy on a server
- you can't use traditional tools like ansible, salt, puppet ...
- some sysadmin won't use NixOS because of this
- this hurts Nix adoption in general

---

# Comparison

https://github.com/nix-community/awesome-nix#deployment-tools

| Tool | Active? | Target | Method | Notes |
|-----------------|------------|------------------|------------------------------|--------------------------------------------------------------|
| pushnix | no | NixOS | git push config + ssh + hook | run nixos-rebuild through a git hook upon receiving |
| KubeNix | no | Kubernetes | - | generate k8s resources, no documentation |
| KuberNix | no | Kubernetes | - | broken with nixpkgs-unstable (2022-09-07) |
| Nixery | yes | Docker | - | on the fly Docker images generator |
| nixos-shell | not much | Qemu VMs | - | use NixOS on any platform with Nix, run a VM + mounts $HOME |
| terranix | yes | Terraform | - | Use nix syntax and power of modules, translates as terraform |
| nixos-rebuild | - | NixOS | local / remote | base tool |
| autoUpgrade | - | NixOS | local | module, auto reboot, reboot time window |
| terraform-nixos | not really | Cloud | terraform + nixos | declare cloud NixOS servers with terraform |
| krops | yes | NixOS | ssh push config | nix style wrapper around nixos-rebuild |
| Cachix deploy | yes | NixOS | pull through an agent | remote build, rollback, support per-profile, proprietary |
| colmena | yes | NixOS | ssh push / ssh push closure | good documentation, can trigger a build remotely |
| NixOps | yes | Cloud/ VM /NixOS | API / SSH push closure | automatically provision resources to match config / mgmt |
| Morph | yes | NixOS | SSH push closure | batch deploy, health check |
| NixUS | yes | NixOS | SSH push closure | rollback, automatic ssh key exchange between hosts |
| deploy-rs | yes | NixOS | ssh push closure | can push profiles, rollback |
| Bento | yes | NixOS | pull over SFTP | fleet tracking, async pull, rollback |

---

# Secret management

https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes

- the nix store is world readable, don't ever store secrets in it
- 4 schemes available
- with pros and cons
- may be specific to the tool (NixOps)

---

# Which one should you use?

"it depends"

---

# Recommandations per use case

## your workstation / autonomous management

- autoUpgrade
- nixos-rebuild

Require a manual update every 6 months if using releases

## full cloud - full Nix

- NixOps: it can provisionates and help remote management

## Remote servers (available 24/7)

- deploy-rs
- Morph
- Colmena

## Anything that isn't time sensitive

- Cachix deploy?
- Bento

---

# Why did I write Bento?

- I can't push gigabytes of data with a DSL line
- my computers are not always connected, so push method doesn't work
- asynchronous is fun and challenging
- Convinced NixOS is a good corporate OS
- fits a central management and many remote asynchronous systems
- easily bypass firewalls
- can locally trigger an update using the web browser!

---

# Questions ?