Minimal NixOS config for Nixops deployment

I’ve set up a single NixOS instance running on vultr.com, using the NixOS 18.09 ISO.
What do I have to do to get a minimal nixops deployment working?
I tried creating a trivial logical config:

{
  network.description = "Connote server";

  server = 
    {config, pkgs, nodes, ...}:
    {
      networking.firewall.allowedTCPPorts = [ 80 443 22 ];
    };
}

And a trivial physical config:

{
  server =
    { config, pkgs, ... }:
    { deployment.targetHost = "<redacted>"; };
}

I created the nixops deploy, but when I attempt to run it, I get server> could not connect to root@<redacted>.

What do I have to change from the stock ISO to get my first deploy running? I assume I need to do things like add a password for the root user, enable ssh, through the vultr terminal.
This is just a basic personal thing, so not high-security, but I would like to know what basic security hygiene I should apply.

In a standard image you need to activate ssh and add a key for root. That is the minimum for nixops to work, since it needs root access via ssh.

users.users.root.openssh.authorizedKeys.keys = [ "<yourkey>" ];
services.openssh.enable = true;
2 Likes

18.09 is old and does not receive security updates anymore. The current release is 19.03 and in about a month we’ll probably get 19.09.
Also you don’t have to open the ssh port in the firewall, the ssh module takes care of that. Not all other modules will do that though.

1 Like
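
The two replies combined into one module, as an added example that is not from any poster in the thread: sshd enabled with key-only root login, and the firewall list without port 22. It assumes the option names of the 18.09/19.03 releases (later NixOS releases moved the sshd options under services.openssh.settings), and the key string is a placeholder.

```nix
# Added example, not code from the thread.
# Option names as in NixOS 18.09 / 19.03 (assumption: one of those releases).
{ config, pkgs, ... }:
{
  # nixops connects as root over SSH, so sshd has to run on the target.
  services.openssh.enable = true;

  # Key-only access: root may log in with a key, never with a password.
  services.openssh.permitRootLogin = "prohibit-password";
  services.openssh.passwordAuthentication = false;
  services.openssh.challengeResponseAuthentication = false;

  # Placeholder: replace with the public key of the machine that runs nixops.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAA...REPLACE_WITH_YOUR_PUBLIC_KEY you@workstation"
  ];

  # The openssh module opens port 22 by itself, so only the web ports
  # from the question's logical config are listed here.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

The same attributes belong in the `server` module of the logical config as well, because a nixops deploy replaces the configuration that was set by hand on the machine.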