Lollypops - simple, parallel, stateless NixOS deployment tool

Hi folks!

I’ve been working on a deployment tool for NixOS build as a thin, pure-nix layer around go-task. It manages flake-based systems and provides parallel deployment, secret provisioning from any external source and configuration in nix itself among other features.

:lollipop: Some features

  • Stateless
  • Parallel deployments (--parallel)
  • Configured in pure nix
  • Easily extensible and customizable
  • Minimal overhead and easy debugging
  • Secret provisioning from any source (e.g. pass,
    bitwarden, gnupg, plaintext files…)
  • Fully flake compatible

:lollipop: See it in action


It is quite new, but I have been using it successfully on my own systems for a while and wanted to throw it out there hoping it might be useful for others. If you find any bugs or have questions or feature requests let me know. Any tips for improvement or feedback would be greatly appreciated!

:lollipop: GitHub - pinpox/lollypops: Lollypop Operations - NixOS Deployment Tool


Any particular reason that you decided to roll your own rather than use colmena, morph, deploy-rs, nixops or something else?


Just a few that come to mind in no particular order:

I was looking for a specific features set and like the simplicity of my solution, which will allow me to extend it’s functionality in the future easily. I also wanted a flakes-first approach with the configuration of secrets and deployment being part of the nixosConfiguration of the host that is being deployed. Of course part of it was also interest in exploring nix and nixos and writing the tool. Using go-task gives me great flexibility regarding parallelism with only a bit of nix code wrapping it. For me this approach is very easily understandable, extensible and debuggable while not having compromises on features that I want.

I have tried most of the other solutions and they are all great tools, but I find my solution more transparent and flexible (for me) having exactly the features that I need.


Took me a while to figure out you meant pure Nix, not GitHub - purenix-org/purenix: Nix backend for PureScript. Transpile PureScript code to Nix.

hey @pinpox, thanks for sharing. I wanted to ask you what’s the purpose for the configuration of the directory where to save the configuration:

what’s its purpose? Why don’t just copy it somewhere temporary an evaluate it from there?

If you wan’t a temporary location you can of course set that here. I wanted this to be configurable because I like having the full configuration on the hosts itself. This allows to debug or recover if something goes wrong on the host itself, since I can still ssh into it and run nixos-rebuild from the host itself. I’ve had occasions in the past where I messed up some network configuration for example and having the option to rebuild on the host was very helpful. If you would rather not have it, just set it to some temporary filesystem, it should work the same way.