Deploying with Nix

What's up, meat bags and digital brains.

I am still riding the pre-AI wave and like to do things myself. So no gen-content in this post.

Why post? Because one thing you want to have control over is your personal/work network. Including your machines and everything connected to them. There is no space for digital anxiety. Then again there is no time for maintaining highly manual setups. Unless you are into that kind of pain - then just view this as a peek onto the other side of the fence.

TL;DR: This post is about auto-deploying Nix machines/clusters with WireGuard overlay networks and keeping them easily managed. Jump here if you want to get hands-on immediately.

Tools

When you first get started with Nix it can be overwhelming. awesome-nix lists a lot of things, but which are good?

Probably most of them - but not all are maintained or up to date, so let me give you my tools of choice:

Bootstrapping

The first thing you need is a machine with NixOS. To get Cloud servers running go with:

Deployment

  • colmena
    • only evaluates what it deploys
    • comes with nice integration for external secret management

Other ones I have used

  • deploy-rs was pretty good to get started - it has some nice rollback features

Secrets

One of the first things you will have to take note of in the Nix world is the following:

If you are using flakes, Nix will copy the entire flake (everything tracked by git) into the Nix store during evaluation. This means that all files as checked out by git are world-readable, including the ones managed by filter-based encryption tools like git-crypt.

https://colmena.cli.rs/unstable/features/keys.html#flakes

So we need something else, an external tool.

For smaller teams or solo ops the recommendation is pass. It's dead simple if you have a GPG key, and if you don’t, just make one.

For bigger teams you might want to check out vault - IDK though.

The main takeaway for you: Colmena will call an external tool to get the secrets safely deployed. So just use whatever you want that can deliver secrets that way.
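The flake caveat and the Colmena takeaway above, as an added example (not from the original post and not wired's generated output): a hive where the WireGuard private key is fetched from pass at deploy time instead of being read from a file in the repository. The node name, target host, pass entry name, hardware import and peer public key are placeholders; the IPs and port are taken from the example network in this post.

```nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { nixpkgs, ... }: {
    colmena = {
      meta.nixpkgs = import nixpkgs { system = "x86_64-linux"; };

      # "server" is a placeholder node name.
      server = { ... }: {
        imports = [ ./hardware-configuration.nix ]; # assumed to exist in your repo
        deployment.targetHost = "server.example.org"; # placeholder address

        # WEAK (do not use): the key file is tracked by git, so the flake copy
        # AND the generated config land world-readable in /nix/store.
        #   networking.wireguard.interfaces.wg0.privateKey =
        #     builtins.readFile ./secrets/wg0.key;

        # BETTER: Colmena runs this command on the deploying machine and
        # uploads the output out-of-band; it never enters the Nix store.
        deployment.keys."wg0.key" = {
          keyCommand = [ "pass" "show" "example/wireguard/server" ]; # placeholder entry
          destDir = "/run/keys";          # tmpfs, gone after reboot
          user = "root";
          group = "root";
          permissions = "0400";
          uploadAt = "pre-activation";    # key is present before wg0 starts
        };

        networking.wireguard.interfaces.wg0 = {
          ips = [ "10.0.0.1/24" ];
          listenPort = 20202;
          # Only the path is in the store, not the secret itself.
          privateKeyFile = "/run/keys/wg0.key";
          peers = [{
            publicKey = "REPLACE_WITH_PEER_PUBLIC_KEY"; # placeholder
            allowedIPs = [ "10.0.0.2/32" ];
          }];
        };

        networking.firewall.allowedUDPPorts = [ 20202 ];
      };
    };
  };
}
```

Because `/run/keys` is a tmpfs, the key has to be re-uploaded after a reboot, for example with `colmena upload-keys`.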

Overlay Networking

WireGuard - in most cases why even use anything else?

Obviously you do not want to spend hours on end debugging network traffic with tcpdump when you change something on that layer, so it only makes sense to use it when it's automated.

Enter the tool I wrote for this: wired.

It will turn something like:

[network]
name = "example"
type = "web"
cidrv4 = "10.0.0.0/24"

[servers]
[servers.server]
ip = "10.0.0.1"
listenport = 20202
# TODO: Add the IPv4 here
endpoint = ""
persistentkeepalive = 5
output = "nix"
encryption = "colmena:pass"

[clients]
[clients.wg-quick]
ip = "10.0.0.2"
[clients.qr]
ip = "10.0.0.3"
output = "qr"

into ready-to-use configuration files and create statefiles you can back up securely. Want to add a peer? Just rerun wired with the new peer and redeploy. Done.

Other way

If you only have NixOS peers on the overlay you can check out wirenix. Seems solid!

Combining it all

Reading about the tools is mildly interesting, but seeing them in action will probably get you hooked. If you have 15 min (experts) to X hours (beginner ops) and want to see what all the Nix hype is about, I created https://github.com/b-m-f/nixos-deployment-example, which comes with instructions for you to spawn a secure Gitea instance.

Final thoughts

Nix is good stuff.

Welcome to the platinum age of the internet. Don’t blame me if you get hooked, and happy hacking.