saji/blog
1
0
Fork 0
Code Actions Activity

finalize nix-unprivileged-deployments
All checks were successful
Build Blog / Build (push) Successful in 5m38s
Details

Browse source
This commit is contained in:
saji 2025-04-21 08:42:38 -05:00
parent f0d3ae0aaa
commit 55875f4c25
2 changed files with 61 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
content/blog/nix-unprivileged-deployments.md
View file

@ -118,8 +118,10 @@ $ ls /nix/store | grep myblog
mqhssdlmg9f03avpajwcqaah2apknl02-myblog mqhssdlmg9f03avpajwcqaah2apknl02-myblog
``` ```
Now I just need a symlink to this file, and a nginx vhost. I'll create a small NixOS
module that will set this up: Before we go any further, let's set up the nginx server,
as well as a well-known path for our website. I'll also
add a user here that we can use to deploy.
```nix ```nix
@ -157,6 +159,7 @@ in
}; };
# make this user trusted (spooky) # make this user trusted (spooky)
# you'll see why we need this in a moment.
nix.settings.trusted-users = [ user ]; nix.settings.trusted-users = [ user ];
@ -200,10 +203,10 @@ The last step is creating that symlink. This is where the concept of "activation
For NixOS, `deploy-rs` activation just calls `switch-to-configuration` to make For NixOS, `deploy-rs` activation just calls `switch-to-configuration` to make
the system change the profile. We can effectively do whatever we want here. the system change the profile. We can effectively do whatever we want here.
Reading the [custom activator](https://github.com/serokell/deploy-rs/blob/aa07eb05537d4cd025e2310397a6adcedfe72c76/flake.nix#L58C13-L96C17) source: Reading the [custom activator](https://github.com/serokell/deploy-rs/blob/aa07eb05537d4cd025e2310397a6adcedfe72c76/flake.nix#L58C13-L96C17) source:
```nix ```nix
custom = custom = {
{
__functor = customSelf: base: activate: __functor = customSelf: base: activate:
final.buildEnv { final.buildEnv {
name = ("activatable-" + base.name); name = ("activatable-" + base.name);
@ -240,7 +243,7 @@ custom =
}) })
]; ];
}; };
}; };
``` ```
@ -302,9 +305,24 @@ lrwxrwxrwx 1 static-site static-site 62 Apr 17 19:59 mysite-2-link -> /nix/sto
lrwxrwxrwx 1 static-site static-site 62 Apr 17 21:33 mysite-8-link -> /nix/store/f1qsglj5zm6v0vzlllci3jqsay476d5l-activatable-myblog lrwxrwxrwx 1 static-site static-site 62 Apr 17 21:33 mysite-8-link -> /nix/store/f1qsglj5zm6v0vzlllci3jqsay476d5l-activatable-myblog
``` ```
We can get an idea of how this works: The chain looks like this:
1. `/var/lib/static-site/public` points to the public folder in the `myblog` profile 1. `/var/lib/static-site/public` points to the public folder in the `myblog` profile
2. The profile is itself a link to `mysite-8-link`. 2. The profile is itself a link to `mysite-8-link`.
3. `mysite-8-link` is also a link to a derivation in the nix store. 3. `mysite-8-link` is again a link, this time to a derivation in the nix store.
A profile is just a symlink to a derivation in the nix store. One layer of indirection
exists to make rollbacks easier.
# End
I hope this was useful for you. I think non-root deployment is
under-explored for nix since NixOS makes it easy to reconfigure.
As a follow on, you can probably host arbitrary services like this,
if you used [home-manager](https://nix-community.github.io/home-manager/)
to manage the user and the systemd services. Or you could hack together
something similar yourself.
ok bai

1
styles/config/vocabularies/Base/accept.txt
View file

@ -24,3 +24,4 @@ keypair
whitelabel whitelabel
systemd