💾 Archived View for perso.pw › blog › articles › static › deployments-tools-slides.txt captured on 2023-09-08 at 16:38:59.

View Raw

More Information

⬅️ Previous capture (2023-05-24)

-=-=-=-=-=-=-

# Journey into the world of NixOS deployment tools

- author: - Solène Rapenne - Tweag.io
- date:
- September 08, 2022

---

# Why does it matter?

- sysadmins enjoying NixOS on their workstation
        - it can be intimidating to deploy on a server
- you can't use traditional tools like ansible, salt, puppet ...
- some sysadmin won't use NixOS because of this
        - this hurts Nix adoption in general

---

# Comparison

https://github.com/nix-community/awesome-nix#deployment-tools

| Tool            | Active?    | Target           | Method                       | Notes                                                        |
|-----------------|------------|------------------|------------------------------|--------------------------------------------------------------|
| pushnix         | no         | NixOS            | git push config + ssh + hook | run nixos-rebuild through a git hook upon receiving          |
| KubeNix         | no         | Kubernetes       | -                            | generate k8s resources, no documentation                     |
| KuberNix        | no         | Kubernetes       | -                            | broken with nixpkgs-unstable (2022-09-07)                    |
| Nixery          | yes        | Docker           | -                            | on the fly Docker images generator                           |
| nixos-shell     | not much   | Qemu VMs         | -                            | use NixOS on any platform with Nix,  run a VM + mounts $HOME |
| terranix        | yes        | Terraform        | -                            | Use nix syntax and power of modules, translates as terraform |
| nixos-rebuild   | -          | NixOS            | local / remote               | base tool                                                    |
| autoUpgrade     | -          | NixOS            | local                        | module, auto reboot, reboot time window                      |
| terraform-nixos | not really | Cloud            | terraform + nixos            | declare cloud NixOS servers with terraform                   |
| krops           | yes        | NixOS            | ssh push config              | nix style wrapper around nixos-rebuild                       |
| Cachix deploy   | yes        | NixOS            | pull through an agent        | remote build, rollback, support per-profile, proprietary     |
| colmena         | yes        | NixOS            | ssh push / ssh push closure  | good documentation, can trigger a build remotely             |
| NixOps          | yes        | Cloud/ VM /NixOS | API / SSH push closure       | automatically provision resources to match config / mgmt     |
| Morph           | yes        | NixOS            | SSH push closure             | batch deploy, health check                                   |
| NixUS           | yes        | NixOS            | SSH push closure             | rollback, automatic ssh key exchange between hosts           |
| deploy-rs       | yes        | NixOS            | ssh push closure             | can push profiles, rollback                                  |
| Bento           | yes        | NixOS            | pull over SFTP               | fleet tracking, async pull, rollback                         |

---

# Secret management

https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes

- the nix store is world readable, don't ever store secrets in it
- 4 schemes available
- with pros and cons
- may be specific to the tool (NixOps)

---

# Which one should you use?

"it depends"

---

# Recommandations per use case

## your workstation / autonomous management

- autoUpgrade
- nixos-rebuild

Require a manual update every 6 months if using releases

## full cloud - full Nix

- NixOps: it can provisionates and help remote management

## Remote servers (available 24/7)

- deploy-rs
- Morph
- Colmena

## Anything that isn't time sensitive

- Cachix deploy?
- Bento

---

# Why did I write Bento?

- I can't push gigabytes of data with a DSL line
- my computers are not always connected, so push method doesn't work
- asynchronous is fun and challenging
- Convinced NixOS is a good corporate OS
        - fits a central management and many remote asynchronous systems
        - easily bypass firewalls
        - can locally trigger an update using the web browser!

---

# Questions ?