Deploy NixOS configurations on other Machines

Nebucatnetzer · November 2, 2022, 4:40pm

I use two simple scripts which are basically just the following command:

nixos-rebuild switch --use-remote-sudo --build-host localhost --target-host remote-server.domain.local --flake ".#remote-server"

This way my notebooks builds the config for all systems and then pushes them to the remote servers.
I even compile the config for two Raspberry Pis.

This updates all my servers

https://git.2li.ch/Nebucatnetzer/nixos/src/branch/master/scripts/remote_switch.sh

And this takes an argument and updates just a single machine

https://git.2li.ch/Nebucatnetzer/nixos/src/branch/master/scripts/update_single_machine.sh

One could probably make it nicer and get the list of hosts directly from the flake but for the moment it is good enough and allows me to focus on the servers themselves.
One thing which I still have to fix is limit password less sudo to the nix command but that isn’t something which is part of the script but part of the NixOS config.

Atemu · November 2, 2022, 4:43pm

FYI, nixos-rebuild supports remote builds via --target-host. You can run that from your repo and point nixos-config’s NIX_PATH at some machine’s config; i.e. -I nixos-config=configs/machine/default.nix.

ryang · November 2, 2022, 5:11pm

Thanks for the replies, all!

@Atemu @Nebucatnetzer

It looks like nixos-rebuild switch --flake .#<host> --target-host <host> is exactly what I’m looking for.

@misuzu

nix build -L .#nixosConfigurations.remotehost.config.system.build.toplevel
nix copy --to ssh-ng://root@remotehost ./result
ssh root@remotehost nix-env -p /nix/var/nix/profiles/system --set $(readlink ./result)
ssh root@remotehost /nix/var/nix/profiles/system/bin/switch-to-configuration switch

This is very informative, and I suspect what nixos-rebuild is doing under the hood, but is a bit too low-level to be ergonomic.

I am happy to help with Cachix Deploy — documentation

I’m not familiar with Cachix, but I think this is a bit too complicated for my use case. I wasn’t looking for a CI system but rather a script to way to deploy on remote machines. Thank you for the offer though!

@Nebucatnetzer

One could probably make it nicer and get the list of hosts directly from the flake but for the moment it is good enough and allows me to focus on the servers themselves.

I think

hosts=($(echo `nix eval .#nixosConfigurations --apply 'pkgs: builtins.concatStringsSep " " (builtins.attrNames pkgs)'` | xargs ))

might help with this!

Nebucatnetzer · November 2, 2022, 7:36pm

No problem, glad I could help and thanks for the input with the hosts.
Looking forward to test it.

Nebucatnetzer · November 2, 2022, 7:55pm

This is now the updated script:

#!/usr/bin/env bash

hosts=($(echo `nix eval .#nixosConfigurations --apply 'pkgs: builtins.concatStringsSep " " (builtins.attrNames pkgs)'` | xargs ))
skip=(
    "gwyn"
    "loki-test"
    "desktop-vm"
)

rsa_key="$HOME/.nixos/secrets/ssh_keys/ansible/ansible.key"
export NIX_SSHOPTS="-t -i $rsa_key"

for host in "${hosts[@]}"
do
    # Check if the host is in the skip list
    if [[ " ${skip[*]} " =~ " ${host} " ]];then
        continue
    fi
    fqdn="$host.2li.local"
    echo $fqdn
    nixos-rebuild switch -j auto --use-remote-sudo --build-host localhost --target-host $fqdn --flake ".#$host"
    echo "reboot $fqdn"
    ssh -i $rsa_key $fqdn 'sudo reboot'
    echo
    echo
done

ryang · November 17, 2022, 4:39pm

NB this doesn’t work for different architectures nixos-rebuild fails cross-build a flake · Issue #166499 · NixOS/nixpkgs · GitHub.

Adapted from @misuzu’s answer, a workaround is:

$ sudo nix build /etc/nixos#nixosConfigurations.rasp-pi.config.system.build.toplevel --builders 'ssh-ng://rasp-pi aarch64-linux' --max-jobs 0 builders-use-substitutes --option builders-use-substitutes true
# relies on $(readlink ./result) already being in the rasp-pi's nix store from using it as a remote builder
# it would be nice if there was a way to avoid having to copy this back to the workstation machine
$ ssh root@rasp-pi nix-env -p /nix/var/nix/profiles/system --set $(readlink ./result)
$ ssh root@rasp-pi /nix/var/nix/profiles/system/bin/switch-to-configuration switch

https://github.com/NixOS/nixpkgs/issues/200398#issuecomment-1318899763

Nebucatnetzer · November 17, 2022, 5:06pm

It does just fine for me. All mu servers are Raspberry Pi 4.

Nebucatnetzer · November 17, 2022, 5:19pm

Ah I see you’re building on a remote system with different architecture while I build on localhost an x86_64-linux system configurations for aarch64-linux systems.

breakds · October 12, 2023, 5:02pm

Not sure this is similar to what you have but I am running

nixos-rebuild switch --flake .#emerald --target-host user@<raspberry-pi-ip>

On a x86_64-linux laptop and trying to deploy to a raspberry pi, whose configuration looks like:

      emerald = nixpkgs.lib.nixosSystem {
        system = "aarch64-linux";
        modules = [
          ...
        ];
      };

This run into the problem as mentioned above:

error: build of '/nix/store/48x117xydlkij563h99xwk9npwl0ggc9-ensure-all-wrappers-paths-exist.drv' on 'ssh-ng://nixbuilder@radahn' failed: error: a 'aarch64-linux' with features {} is required to build '/nix/store/48x117xydlkij563h99xwk9npwl0ggc9-ensure-all-wrappers-paths-exist.drv', but I am a 'x86_64-linux' with features {benchmark, big-parallel, kvm, nixos-test}

kind of suspect that I messed up with the system = ... – this has been quite confusing for me.

Atemu · October 12, 2023, 7:15pm

You also need --build-host.

breakds · October 12, 2023, 10:04pm

Thanks! I forgot to mention that the target system, though can be accessed via ssh, is not connected to internet. I assume --build-host would fail in this case?

Nebucatnetzer · October 13, 2023, 6:00am

You can add this line to your PC then you can build for aarch64 as well and push it to the Pi.

You then need to set —build-host localhost in order to build it on your PC.
Since we now have a binary cache for aarch64 the whole thing is quite fast.

Atemu · October 13, 2023, 7:46am

In that case you could perhaps add it as a remote builder. IIRC remote builders always gather deps on the controlling machine and copy them over. This is annoying in most cases but probably what you want here.

breakds · October 13, 2023, 3:39pm

Thanks. Actually had that line on my laptop, and running nixos-rebuild switch --target-host from the laptop does not work, error is still about not being able to build aarch64-linux.

Haven’t tried that from the pi side though, will give it a try.

breakds · October 13, 2023, 3:40pm

Yep I think you are right. Worst case I will add another pi that connects to the internet as the remote builder.

Nebucatnetzer · October 13, 2023, 5:06pm

The important part would be —build-host.
The full command would then be

nixos-rebuild switch -j auto --use-remote-sudo --build-host localhost --target-host user@pi.local --flake ".#target"

breakds · October 13, 2023, 6:01pm

Worked like a charm. Thanks!

ghostbuster91 · December 22, 2023, 9:09am

it doesn’t work for me when the target architecture is different than the host architecture that calls the command.

This one works as it targets the same arch - x86_64-linux

nixos-rebuild switch --flake .#deckard --target-host deckard --use-remote-sudo

Now, a similar command but I am targeting an aarch64 machine and using nixbuild builder (this one also works):

nixos-rebuild build --max-jobs 0  --build-host "eu.nixbuild.net" --target-host surfer --use-remote-sudo  --flake .#surfer

However if I replace build with switch the command fails:

$ nixos-rebuild switch --max-jobs 0  --build-host "eu.nixbuild.net" --target-host surfer --use-remote-sudo  --flake .#surfer
/nix/store/5yksn2xwy3aif5pxz353i64i0fwvj5gp-nixos-rebuild/bin/nixos-rebuild: line 382: /nix/store/zlh7zakv2fn97fb4q2y6abzsdp6jflfd-coreutils-9.3/bin/mktemp: cannot execute binary file: Exec format error

Any idea what could be wrong?

Atemu · December 22, 2023, 9:29am

Did you declare the hostSystem in surfer’s config?

ghostbuster91 · December 22, 2023, 10:19am

No, I only have system = "aarch64-linux. I thought that hostSystem property is only required when doing some cross-compilation, isn’t it?

I kind of solved my problem, i.e. I found the correct set of flags that work but I would like to understand what is going on.

The correct command looks as follow:

nixos-rebuild --max-jobs 0  --builders "ssh://eu.nixbuild.net aarch64-linux - 100 1" --flake .#surfer --target-host surfer --fast --use-remote-sudo switch

what is interesting is that the documentation says:

--fast
Equivalent to --no-build-nix. This option is useful if you call nixos-rebuild frequently (e.g. if you’re hacking on a NixOS module).

where:

--no-build-nix
Normally, nixos-rebuild first builds the nixUnstable attribute in Nixpkgs, and uses the resulting instance of the Nix package manager to build the new system configuration. This is necessary if the NixOS modules use features not provided by the currently installed version of Nix. This option disables building a new Nix.

However running it with --no-build-nix instead of --fast fails as before:

 nixos-rebuild --no-build-nix --max-jobs 0  --builders "ssh://eu.nixbuild.net aarch64-linux - 100 1" --flake .#surfer --target-host surfer switch
/nix/store/5yksn2xwy3aif5pxz353i64i0fwvj5gp-nixos-rebuild/bin/nixos-rebuild: line 382: /nix/store/zlh7zakv2fn97fb4q2y6abzsdp6jflfd-coreutils-9.3/bin/mktemp: cannot execute binary file: Exec format error