Deployment Options

Colmena adds a set of extra options that can be used in your NixOS configurations under the deployment prefix.

deployment.allowLocalDeployment

Allow the configuration to be applied locally on the host running Colmena.

For local deployment to work, all of the following must be true:

  • The node must be running NixOS.
  • The node must have deployment.allowLocalDeployment set to true.
  • The node's networking.hostName must match the hostname.

To apply the configurations locally, run colmena apply-local. You can also set deployment.targetHost to null if the host is not accessible over SSH (only local deployment will be possible).

Type: boolean

Default

false

deployment.keys

A set of secrets to be deployed to the node.

Secrets are transferred to the node out-of-band and never end up in the Nix store.

Type: attribute set of submodules

Default

{}

deployment.keys.<name>.destDir

Destination directory on the host.

Type: string

Default

"/run/keys"

deployment.keys.<name>.group

The group that will own the file.

Type: string

Default

"root"

deployment.keys.<name>.keyCommand

Command to run to generate the key. One of text, keyCommand and keyFile must be set.

Type: null or list of strings

Default

null

deployment.keys.<name>.keyFile

Path of the local file to read the key from. One of text, keyCommand and keyFile must be set.

Type: null or path

Default

null

deployment.keys.<name>.permissions

Permissions to set for the file.

Type: string

Default

"0600"

deployment.keys.<name>.text

Content of the key. One of text, keyCommand and keyFile must be set.

Type: null or string

Default

null

deployment.keys.<name>.uploadAt

When to upload the keys.

  • pre-activation (default): Upload the keys before activating the new system profile.
  • post-activation: Upload the keys after successfully activating the new system profile.

For colmena upload-keys, all keys are uploaded at the same time regardless of the configuration here.

Type: one of "pre-activation", "post-activation"

Default

"pre-activation"

deployment.keys.<name>.user

The user that will own the file.

Type: string

Default

"root"

deployment.privilegeEscalationCommand

Command to use to elevate privileges when activating the new profiles on SSH hosts.

This is used on SSH hosts when deployment.targetUser is not root. The user must be allowed to use the command non-interactively.

Type: list of strings

Default

["sudo","-H","--"]

deployment.replaceUnknownProfiles

Allow a configuration to be applied to a host running a profile we have no knowledge of. By setting this option to false, you reduce the likelihood of rolling back changes made via another Colmena user.

Unknown profiles are usually the result of either:

  • The node had a profile applied, locally or by another Colmena.
  • The host running Colmena garbage-collecting the profile.

To force profile replacement on all targeted nodes during apply, use the flag --force-replace-unknown-profiles.

Type: boolean

Default

true

deployment.tags

A list of tags for the node.

Can be used to select a group of nodes for deployment.

Type: list of strings

Default

[]

deployment.targetHost

The target SSH node for deployment.

By default, the node's attribute name will be used. If set to null, only local deployment will be supported.

Type: null or string

Default

"nixos"

deployment.targetPort

The target SSH port for deployment.

By default, the port is the standard port (22) or taken from your ssh_config.

Type: null or unsigned integer, meaning >=0

Default

null

deployment.targetUser

The user to use to log into the remote node. If null, login as the current user.

Type: null or string

Default

"root"
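A hive entry that exercises the key, login and profile options above, added here as an illustration and not taken from the Colmena documentation (the node name, host, users, tags, key paths and the key-generating command are placeholders):

```nix
{
  # Hypothetical node; the attribute name is the default targetHost.
  web01 = { config, pkgs, ... }: {
    deployment = {
      targetHost = "web01.example.internal";   # placeholder host
      targetPort = 2222;                        # non-default SSH port
      targetUser = "deploy";                    # non-root login ...
      privilegeEscalationCommand = [ "sudo" "-H" "--" ];  # ... so this must work non-interactively
      tags = [ "web" "prod" ];                  # select with colmena apply --on @prod

      # Keys are read on the deploying machine and streamed over SSH; none of
      # text, keyFile or keyCommand writes the secret into the Nix store.
      keys = {
        # Static file on the deployer. Use an absolute string path: a relative
        # path literal inside a flake is copied into the (world-readable) store.
        "tls.key" = {
          keyFile = "/etc/colmena/secrets/web01-tls.key";  # placeholder local path
          destDir = "/run/keys";        # the default, shown for clarity
          user = "nginx";
          group = "nginx";
          permissions = "0400";         # owner read-only; tighter than the 0600 default
          uploadAt = "pre-activation";  # present before nginx starts with the new config
        };
        # Generated on demand from a secrets manager; nothing lives in the repo.
        "db-password" = {
          keyCommand = [ "pass" "show" "infra/web01/db-password" ];  # placeholder command
          user = "app";
          group = "app";
          permissions = "0440";
          uploadAt = "post-activation"; # the "app" user is created by the new profile
        };
      };

      # Refuse to clobber a profile this deployer has never seen; an operator
      # can still override a single run with --force-replace-unknown-profiles.
      replaceUnknownProfiles = false;
    };
  };
}
```

Services on the node should read `/run/keys/tls.key` and `/run/keys/db-password` at runtime rather than embedding the values in their configuration, otherwise the secret ends up in the store anyway.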