@Kirens
Created January 13, 2018 14:27
Deploying a NixOS server on DigitalOcean

Prerequisites

We'll use NixOps to deploy, so we need to install it:

nix-env -i nixops

And to deploy on DigitalOcean we need to have an account and create an API access token for it.

Configuring

Let's start by configuring our server; I'll store mine in testserver.nix. This is just the same as your plain old configuration.nix for the server, but assigned to a variable. This allows us to declare multiple different servers.

It's also possible to declare some details about the network of servers in the configuration. Currently description and enableRollback are supported. These were hard to find, but they seem to be defined by the Python script development.py.

{
  network.description = "Network description";

  servername = { config, pkgs, ... }: {
    # server configuration
  };
}

Before we can deploy we'll need to define the environment for the server to run in. This can be done through the deployment.* directives in a server configuration. For sanity's sake I'll keep it in a separate file, testserver_hw.nix. In this file I'll also store the references to the ssh-keys with

resources.sshKeyPairs.ssh-key = {
  publicKey = builtins.readFile ./tstKey.pub;
  privateKey = builtins.readFile ./tstKey;
};

Lastly we'll generate these ssh-keys by running ssh-keygen and name them the same as in the configuration.

Deploying

Now that we're all configured, we'll tell NixOps to add the network:

nixops create ./testserver.nix ./testserver_hw.nix --deployment testserver_DO

We can see that the operation was successful by entering the command

$ nixops info --deployment testserver_DO
Network name: testserver_DO
Network UUID: 80b97b02-f857-11e7-985d-1002b500deb7
Network description: Test server
Nix expressions: /path/to/testserver.nix /path/to/testserver_hw.nix

+------------+----------------------+--------------+-------------+------------+
| Name       |        Status        | Type         | Resource Id | IP address |
+------------+----------------------+--------------+-------------+------------+
| testserver | Missing / Up-to-date | digitalOcean |             |            |
| ssh-key    |   Up / Up-to-date    | ssh-keypair  |             |            |
+------------+----------------------+--------------+-------------+------------+

Now, the deployment.digitalOcean.authToken option doesn't seem to work, so we'll add it to our environment variables instead:

export DIGITAL_OCEAN_AUTH_TOKEN={{API TOKEN}}
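Keeping the token in an environment variable rather than in the Nix expression is the safer choice anyway: anything baked into a Nix expression can end up in the world-readable /nix/store. The following is an added example (not part of this gist) showing one way to load the token from a file with owner-only permissions, export it under the same DIGITAL_OCEAN_AUTH_TOKEN name, and refuse to continue if the token string has been pasted into any .nix file of the deployment. The file name ./do_token, the function names, and the deployment directory argument are assumptions; the same owner_only check is equally useful for the ./tstKey private key.

```shell
#!/bin/sh
# Added example, not from the gist. Assumed layout: the token lives in ./do_token
# (chmod 600), and the deployment's *.nix files live in the directory passed in.

# Return 0 when the file's group and other permission bits are all clear
# (e.g. mode 600). Uses `ls -l` columns 5-10 so it works on GNU and BSD.
owner_only() {
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Export DIGITAL_OCEAN_AUTH_TOKEN from a token file; fail if the file is
# missing or readable by group/others.
load_do_token() {
    token_file=$1
    if [ ! -f "$token_file" ]; then
        echo "token file $token_file is missing" >&2
        return 1
    fi
    if ! owner_only "$token_file"; then
        echo "refusing: $token_file is readable by group/others (chmod 600 it)" >&2
        return 1
    fi
    DIGITAL_OCEAN_AUTH_TOKEN=$(cat "$token_file")
    export DIGITAL_OCEAN_AUTH_TOKEN
}

# Return 0 when the exported token does not appear in any .nix file below the
# given directory; return 1 (and list offenders) if it does.
token_not_in_nix() {
    dir=$1
    hits=$(find "$dir" -name '*.nix' -exec grep -lF -- "$DIGITAL_OCEAN_AUTH_TOKEN" {} + 2>/dev/null)
    if [ -n "$hits" ]; then
        echo "token found in Nix expressions:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Typical use before `nixops deploy`: run with the token file and deployment dir.
#   load_do_token ./do_token && token_not_in_nix . && nixops deploy --deployment testserver_DO
```

Run the two checks before `nixops deploy`; if either fails the token is never exported, so a mis-permissioned file or a token that leaked into testserver_hw.nix stops the deployment instead of being silently shipped.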

And finally we can deploy it:

nixops deploy --deployment testserver_DO

NixOps will create an Ubuntu droplet, try to convert it to NixOS, and deploy the server. This might take a while. In the end you'll hopefully see "testserver_DO> deployment finished successfully".

testserver.nix:

{
  network.description = "Test server";
  testserver = { config, pkgs, ... }: {
    services.openssh.enable = true;
    # Web server
    networking.firewall.allowedTCPPorts = [ 22 4343 8080 ];
    services.nginx = {
      enable = true;
      virtualHosts."localhost" = {
        root = "/www/webroot";
        listen = [
          { addr = "0.0.0.0"; port = 4343; ssl = true; }
          { addr = "0.0.0.0"; port = 8080; }
        ];
      };
    };
  };
}
testserver_hw.nix:

{
  resources.sshKeyPairs.ssh-key = {
    publicKey = builtins.readFile ./tstKey.pub;
    privateKey = builtins.readFile ./tstKey;
  };
  # Hardware config
  testserver = { config, pkgs, ... }: {
    deployment.targetEnv = "digitalOcean";
    deployment.digitalOcean.enableIpv6 = true;
    deployment.digitalOcean.region = "ams2";
    deployment.digitalOcean.size = "512mb";
    # deployment.digitalOcean.authToken = "Doesn't seem to work";
  };
}

hraban commented Jan 2, 2024

I'm surprised a Nix-hosted auth token is even an option, considering it would inevitably end up somewhere in the /nix/store aka world readable.
