# Journey into the world of NixOS deployment tools
- author: Solène Rapenne (Tweag.io)
- date: September 08, 2022
---
# Why does it matter?
- sysadmins enjoying NixOS on their workstation
- it can be intimidating to deploy on a server
- you can't use traditional tools like ansible, salt, puppet ...
- some sysadmins won't use NixOS because of this
- this hurts Nix adoption in general
---
# Comparison
https://github.com/nix-community/awesome-nix#deployment-tools
| Tool | Active? | Target | Method | Notes |
|-----------------|------------|------------------|------------------------------|--------------------------------------------------------------|
| pushnix | no | NixOS | git push config + ssh + hook | run nixos-rebuild through a git hook upon receiving |
| KubeNix | no | Kubernetes | - | generate k8s resources, no documentation |
| KuberNix | no | Kubernetes | - | broken with nixpkgs-unstable (2022-09-07) |
| Nixery | yes | Docker | - | on the fly Docker images generator |
| nixos-shell | not much | Qemu VMs | - | use NixOS on any platform with Nix, run a VM + mounts $HOME |
| terranix | yes | Terraform | - | Use nix syntax and power of modules, translates as terraform |
| nixos-rebuild | - | NixOS | local / remote | base tool |
| autoUpgrade | - | NixOS | local | module, auto reboot, reboot time window |
| terraform-nixos | not really | Cloud | terraform + nixos | declare cloud NixOS servers with terraform |
| krops | yes | NixOS | ssh push config | nix style wrapper around nixos-rebuild |
| Cachix deploy | yes | NixOS | pull through an agent | remote build, rollback, support per-profile, proprietary |
| colmena | yes | NixOS | ssh push / ssh push closure | good documentation, can trigger a build remotely |
| NixOps | yes | Cloud/ VM /NixOS | API / SSH push closure | automatically provision resources to match config / mgmt |
| Morph | yes | NixOS | SSH push closure | batch deploy, health check |
| NixUS | yes | NixOS | SSH push closure | rollback, automatic ssh key exchange between hosts |
| deploy-rs | yes | NixOS | ssh push closure | can push profiles, rollback |
| Bento | yes | NixOS | pull over SFTP | fleet tracking, async pull, rollback |
---
# Secret management
https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes
- the nix store is world readable, don't ever store secrets in it
- 4 schemes available
- with pros and cons
- may be specific to the tool (NixOps)
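As an added example that is not part of the talk, the same user account configured two ways: with a plaintext password, which is copied into the world-readable Nix store, and with a hashed password file kept outside the store. The user name, the secret file path and the assertion are illustrative assumptions.

```nix
# Added example: keep secrets out of /nix/store (user, path and assertion are assumptions)
{ config, lib, ... }:

{
  users.users.alice = {
    isNormalUser = true;

    # WRONG: the literal ends up in the users/groups JSON derivation under
    # /nix/store, which every local user can read.
    # password = "hunter2";

    # Better: only the *path* is in the store; the hashed password lives in a
    # root-only file provisioned out of band (or by a tool like sops-nix / agenix).
    # Before NixOS 23.11 this option was named `passwordFile`.
    hashedPasswordFile = "/var/lib/secrets/alice.hash";   # assumption
  };

  # Two other ways a secret silently lands in the store:
  #   builtins.readFile ./secret.key   -> file contents pasted into the config
  #   ./secret.key (a path literal)    -> file copied into the store
  # Guard against the second one: inside a flake, `toString ./x` becomes a
  # /nix/store path, so refuse any secret path that starts with the store dir.
  assertions = [
    {
      assertion = !(lib.hasPrefix builtins.storeDir config.users.users.alice.hashedPasswordFile);
      message = "alice's hashedPasswordFile must not point into the Nix store";
    }
  ];
}
```

The assertion runs at evaluation time, so a misplaced secret fails `nixos-rebuild` before anything is deployed; the same `hasPrefix builtins.storeDir` check works for any other `*File` option that takes a string path.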
---
# Which one should you use?
"it depends"
---
# Recommendations per use case
## your workstation / autonomous management
- autoUpgrade
- nixos-rebuild
Requires a manual update every 6 months if using releases
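As an added example that is not part of the talk, a minimal module enabling the `autoUpgrade` feature listed above for a workstation that may reboot itself at night; the channel URL and the times are assumptions.

```nix
# Added example: system.autoUpgrade for an autonomous workstation (values are assumptions)
{ config, pkgs, ... }:

{
  system.autoUpgrade = {
    enable = true;
    # Following a release channel means bumping this URL every six months when
    # a new NixOS release comes out (the manual step mentioned on the slide).
    # Leave it unset to follow the machine's current channel, or set `flake`
    # instead to pin the upgrade through flake.lock.
    channel = "https://nixos.org/channels/nixos-22.05";   # assumption
    dates = "04:00";                 # systemd calendar spec for the timer
    randomizedDelaySec = "45min";    # spread the load when many machines share a time
    flags = [ "-L" ];                # extra nixos-rebuild flags; -L prints build logs
    # Reboot only when the new generation's kernel, initrd or kernel modules
    # differ from the running ones, and only inside the window below.
    allowReboot = true;
    rebootWindow = { lower = "01:00"; upper = "05:00"; };
  };
}
```

Without `allowReboot` the upgrade is activated but a new kernel keeps running only after the next manual reboot; the window keeps an unattended reboot away from working hours.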
## full cloud - full Nix
- NixOps: it can provision resources and help with remote management
## Remote servers (available 24/7)
- deploy-rs
- Morph
- Colmena
## Anything that isn't time sensitive
- Cachix deploy?
- Bento
---
# Why did I write Bento?
- I can't push gigabytes of data with a DSL line
- my computers are not always connected, so the push method doesn't work
- asynchronous is fun and challenging
- Convinced NixOS is a good corporate OS
- fits a central management and many remote asynchronous systems
- easily bypass firewalls
- can locally trigger an update using the web browser!
---
# Questions ?