NixOS containers from development to deployment

Hey folks, I’ve been making lots of progress configuring NixOS systems and deploying software. Now I’m looking to deploy something I wrote/containerized myself and am struggling a bit to figure out the best way to do it.

For starters, I’m familiar with doing all of this in Docker/Podman. The answer may be that NixOS containers aren’t quite there yet and I should stick with OCI images. If that’s what I should likely do, let me know. :slight_smile: I’m putting this first in case, and also because I’ve been reading up on building OCI images with flakes, so I know it can be done.

First, development. For context, I have a Rust workspace project that needs a background service (redis), as well as potentially a few of its own binaries, like the sidekiq worker, started. I’ve worked pretty hard on a development flake for this project. Can I reuse that as a docker-compose of sorts: start redis and maybe somehow make it easier to start/stop the services I made via Nix modules/shell scripts? Or is there any other way to have a docker-compose-like experience from a flake? It’s not specifically container-related, but given that I’d like to eventually set up containers for the web server/sidekiq setup, maybe I could reuse those here? I’m already using direnv, and it’d be neat if I could bring up my dev environment automatically as soon as the directory is entered. So far I’m installing tooling just fine, so services are my next step.

Next, CI. I’d like to set up a Forgejo action to deploy this on release, but it looks like NixOS containers explicitly need to be imperatively created as root, and unfiltered root access is obviously a no-go for my CI runners. I’m vaguely wondering if sudo might work here, but the runners look pretty locked-down including via dynamic users, and I’m not sure a) to what degree I can configure a dynamic user via sudoers if at all and b) if the various systemd hardening would prevent sudo in the service. Either way, if there’s some other footgun I’m sure to encounter, or if there’s a better way to manage NixOS containers via CI than trying to cobble together a list of restricted sudo commands, I’m interested.

Does anyone use NixOS containers like this? I’ve used them declaratively and they’re great, but either they’re not ready for this use case yet or I’m not quite clear on whether I can safely use them at all.

Thanks.