Non-root profile service deployment

I’d like to continuously deploy some software on a NixOS system with a separate cadence to the system profile. I can’t seem to find much about this, although I’ve seen it referred to in various posts, e.g. “Home-manager is a false enlightenment” mentions using nix-store --realise and nix-env --set.

I would want to be able to run some command on the server itself, ideally not as the same user that the service runs as, nor root.

Triggering is not a problem, I’d probably use a systemd path unit for this, watching the artefact output directory of the CI runner (laminar).

It seems as though deploy-rs has half the machinery that I want, namely multi-profile support (albeit without an activation function for this approach). I’m wondering what else I would need, or, alternatively, what other (simpler?) options there are, particularly since I don’t need to be able to do this remotely.

2 Likes

I’ve explored this some myself, but there’s no “tool” which provides this for you. At work we use a well-known file path and a predefined systemd unit which points to the well-known path, and we orchestrate a realize/restart. As far as I’ve found, at this point you’ll have to build it yourself.

1 Like
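An added sketch of the realise/set/restart flow discussed in the posts above, written for this page and not taken from any poster or project: it treats the store path dropped by the CI runner as untrusted input and validates it before touching the profile. The profile path, unit name, derivation name prefix and the one-line artefact file are assumptions, as is the deploy user being allowed to restart that one unit.

```shell
#!/bin/sh
# Added example; every name below is an assumption, not from the thread.
PROFILE="${PROFILE:-/nix/var/nix/profiles/per-user/deploy/myapp}"  # well-known path
UNIT="${UNIT:-myapp.service}"          # predefined unit that runs from $PROFILE
NAME_PREFIX="${NAME_PREFIX:-myapp-}"   # expected derivation name prefix
nl='
'

# Accept exactly one Nix store path whose name starts with the expected prefix.
valid_store_path() {
    p=$1
    case $p in *"$nl"*) return 1 ;; esac   # reject embedded newlines
    printf '%s\n' "$p" | grep -Eq \
        '^/nix/store/[0-9abcdfghijklmnpqrsvwxyz]{32}-[A-Za-z0-9+._?=-]+$' || return 1
    name=${p#/nix/store/}
    name=${name#*-}                        # strip the 32-character hash and dash
    case $name in "$NAME_PREFIX"*) return 0 ;; *) return 1 ;; esac
}

# Read only the first line of the file the CI runner wrote.
read_candidate() {
    line=''
    IFS= read -r line < "$1" || [ -n "$line" ] || return 1
    printf '%s' "$line"
}

deploy() {
    path=$(read_candidate "$1") || return 1
    if ! valid_store_path "$path"; then
        echo "refusing: not an expected store path: $path" >&2
        return 1
    fi
    nix-store --realise "$path" >/dev/null || return 1      # ensure it is in the store
    nix-env --profile "$PROFILE" --set "$path" || return 1  # new profile generation
    systemctl restart "$UNIT"   # assumes this user is authorised for this unit only
}

# Usage: script deploy /path/to/artefact-file (e.g. started by a systemd path unit)
if [ "${1:-}" = deploy ]; then
    deploy "${2:-}"
fi
```

Because `nix-env --set` creates a new generation of the profile, a bad deploy can be reverted with `nix-env --profile "$PROFILE" --rollback` followed by a restart.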

I am sure I am missing something, but you can always just call nix-build on any old nix expression and it will happily stick it in the store, and leave a gc root at whatever path you like, no nix-env required.