I'm trying to find the best way to deploy NixOS to DigitalOcean.
In particular, can all of this be automated by directly installing from a Git flake input? Similar to nixos-anywhere.
(Will update this topic based on what I find out)
In flake.nix,

```nix
perSystem = { pkgs, ... }: {
  packages.doImage =
    let
      config = {
        imports = [
          "${pkgs.path}/nixos/modules/virtualisation/digital-ocean-image.nix"
        ];
        nix.settings.experimental-features = [ "nix-command" "flakes" ];
        users.users.admin = {
          isNormalUser = true;
          openssh.authorizedKeys.keys = [
            # Srid's public key
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQRxPoqlThDrkR58pKnJgmeWPY9/wleReRbZ2MOZRyd"
          ];
        };
        system.stateVersion = "23.11";
      };
    in
    (pkgs.nixos config).digitalOceanImage;
};
```
```sh
nix build .#doImage
=> ./result/nixos.qcow2.gz
```
Then you upload it to the DO console.
Needs a `services.openssh.enable = true;` in the config, but yes - that works to one-click install the latest NixOS with flakes enabled.
Next, need to figure out deployment ...
Gonna try colmena, rather than deploy-rs, this time because it has built-in support for secrets: https://colmena.cli.rs/unstable/features/keys.html
Needed to add `admin` to Nix's `trusted-users` in the DO image. Then deployment works.
Proof of concept: https://github.com/fpindia/fpindia-chat/pull/1
Two potential shortcomings of colmena, per https://lobste.rs/s/pka4na/nixops_is_easier_than_i_thought
- nixosConfigurations output like deploy-rs does
- https://colmena.cli.rs/unstable/features/keys.html
colmena configured to read secrets from 1Password during deployment:

```nix
deployment.keys."matrix-shared-secret.secret" = {
  keyCommand = [ "op" "read" "op://Juspay/fpindia-chat secrets/matrix-shared-secret" ];
  user = config.systemd.services.matrix-synapse.serviceConfig.User;
};
```
(This could be any secret manager of course; in 1Password's case I get prompted to use TouchID)
We don't really need the complexity of sops-nix!
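Pulling the pieces of this thread together, here is an added example (not the thread author's code, nor the fpindia-chat repo's) of a single flake that carries both the settings the DO image needs for colmena to reach it and a colmena hive whose secret comes from 1Password at deploy time. The node name `chat`, the droplet IP, the `op://` path, the SSH key and the server name are placeholders; a real deployment still needs a database and the rest of the Synapse config.

```nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";

  outputs = { self, nixpkgs, ... }: {
    # What the DO image must contain so colmena can SSH in as `admin` and activate:
    # sshd, flakes, `admin` as a trusted user (for copying closures), passwordless sudo.
    nixosModules.base = { ... }: {
      services.openssh.enable = true;
      nix.settings.experimental-features = [ "nix-command" "flakes" ];
      nix.settings.trusted-users = [ "admin" ];
      users.users.admin = {
        isNormalUser = true;
        extraGroups = [ "wheel" ];
        openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... (placeholder public key)" ];
      };
      security.sudo.wheelNeedsPassword = false;   # colmena needs root to activate
      system.stateVersion = "23.11";
    };

    colmena = {
      meta.nixpkgs = import nixpkgs { system = "x86_64-linux"; };

      # Hypothetical node; the IP is a documentation-range placeholder.
      chat = { config, ... }: {
        imports = [ self.nixosModules.base ];
        deployment = {
          targetHost = "203.0.113.10";
          targetUser = "admin";
          buildOnTarget = false;        # build locally, push closure to the droplet
          keys."matrix-shared-secret.secret" = {
            # Run on the deploying machine; stdout is streamed over SSH, never in /nix/store.
            keyCommand = [ "op" "read" "op://VAULT/ITEM/matrix-shared-secret" ];
            user = config.systemd.services.matrix-synapse.serviceConfig.User;
            group = "root";
            permissions = "0400";
            destDir = "/run/keys";       # tmpfs: the secret does not survive a reboot
            uploadAt = "pre-activation"; # in place before the new generation starts
          };
        };
        services.matrix-synapse = {
          enable = true;
          settings.server_name = "chat.example.org";   # placeholder
        };
      };
    };
  };
}
```

`colmena apply` then reads the secret through `op` (prompting for Touch ID as described above) and uploads it alongside the closure; `colmena upload-keys` refreshes only the keys without a rebuild.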
Last updated: Nov 15 2024 at 12:33 UTC