Deployment Options
Colmena adds a set of extra options that can be used in your NixOS configurations under the `deployment` prefix.
deployment.allowLocalDeployment
Allow the configuration to be applied locally on the host running Colmena.
For local deployment to work, all of the following must be true:
- The node must be running NixOS.
- The node must have `deployment.allowLocalDeployment` set to `true`.
- The node’s `networking.hostName` must match the hostname.
To apply the configurations locally, run `colmena apply-local`.
You can also set `deployment.targetHost` to `null` if the host is not accessible over SSH (only local deployment will be possible).
Type: boolean
Default: false
deployment.buildOnTarget
Whether to build the system profiles on the target node itself.
When enabled, Colmena will copy the derivation to the target node and initiate the build there. This avoids copying back the build results involved with the native distributed build feature. Furthermore, the `build` goal will be equivalent to the `push` goal. Since builds happen on the target node, the results are automatically “pushed” and won’t exist in the local Nix store.
You can temporarily override per-node settings by passing `--build-on-target` (enable for all nodes) or `--no-build-on-target` (disable for all nodes) on the command line.
Type: boolean
Default: false
deployment.keys
A set of secrets to be deployed to the node.
Secrets are transferred to the node out-of-band and never end up in the Nix store.
Type: attribute set of (submodule)
Default: { }
deployment.keys.<name>.destDir
Destination directory on the host.
Type: path
Default:
"/run/keys"
deployment.keys.<name>.group
The group that will own the file.
Type: string
Default:
"root"
deployment.keys.<name>.keyCommand
Command to run to generate the key.
One of `text`, `keyCommand` and `keyFile` must be set.
Type: null or (list of string)
Default: null
deployment.keys.<name>.keyFile
Path of the local file to read the key from.
One of `text`, `keyCommand` and `keyFile` must be set.
Type: null or path
Default: null
deployment.keys.<name>.name
File name of the key.
Type: string
Default:
"‹name›"
deployment.keys.<name>.permissions
Permissions to set for the file.
Type: string
Default:
"0600"
deployment.keys.<name>.text
Content of the key.
One of `text`, `keyCommand` and `keyFile` must be set.
Type: null or string
Default: null
deployment.keys.<name>.uploadAt
When to upload the keys.
- pre-activation (default): Upload the keys before activating the new system profile.
- post-activation: Upload the keys after successfully activating the new system profile.
For `colmena upload-keys`, all keys are uploaded at the same time regardless of the configuration here.
Type: one of “pre-activation”, “post-activation”
Default: "pre-activation"
deployment.keys.<name>.user
The user that will own the file.
Type: string
Default:
"root"
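The following hive is an added example, not taken from the Colmena documentation or the project's own code, showing the three ways a key's content can be supplied (`keyFile`, `keyCommand`, `text`) together with ownership, permissions, destination and upload timing. The node name `web01`, the hostname, the local file paths and the use of `pass` as the key-producing command are assumptions for illustration only.

```nix
# Added example (not from the Colmena docs): one node, "web01", receiving
# three secrets through deployment.keys. Names and paths are assumed.
{
  meta.nixpkgs = import <nixpkgs> { system = "x86_64-linux"; };

  web01 = { ... }: {
    deployment = {
      targetHost = "web01.example.internal";   # assumed hostname

      keys = {
        # Content read from a local file at deploy time. Colmena reads the
        # file itself and sends it out-of-band, so it never enters the Nix store.
        "tls-key.pem" = {
          keyFile = ./secrets/web01/tls-key.pem;  # assumed local path
          destDir = "/var/lib/nginx/keys";        # persistent; the default /run/keys is on tmpfs
          user = "nginx";
          group = "nginx";
          permissions = "0440";
          # The owning user is created by the profile being activated, so the
          # file is uploaded only after activation succeeds.
          uploadAt = "post-activation";
        };

        # Content produced by a command run on the deploying machine
        # (`pass` is assumed to be installed there).
        "api-token" = {
          keyCommand = [ "pass" "show" "web01/api-token" ];
          # Defaults kept: /run/keys, root:root, mode 0600, pre-activation.
        };

        # Inline content. Convenient for non-secret material, but the value is
        # part of the hive file and thus of version control; use keyFile or
        # keyCommand for anything that must stay private.
        "motd-banner" = {
          text = "managed by colmena\n";
          destDir = "/etc";
          permissions = "0644";
        };
      };
    };

    services.nginx.enable = true;
  };
}
```

Running `colmena upload-keys` against this hive sends all three keys at once regardless of their `uploadAt` setting; during `colmena apply` the `tls-key.pem` file is sent only after the new profile has activated, while the other two are sent before.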
deployment.privilegeEscalationCommand
Command to use to elevate privileges when activating the new profiles on SSH hosts.
This is used on SSH hosts when `deployment.targetUser` is not `root`.
The user must be allowed to use the command non-interactively.
Type: list of string
Default: [ "sudo" "-H" "--" ]
deployment.replaceUnknownProfiles
Allow a configuration to be applied to a host running a profile we have no knowledge of. By setting this option to false, you reduce the likelihood of rolling back changes made via another Colmena user.
Unknown profiles are usually the result of either:
- The node had a profile applied, locally or by another Colmena.
- The host running Colmena garbage-collecting the profile.
To force profile replacement on all targeted nodes during apply, use the flag `--force-replace-unknown-profiles`.
Type: boolean
Default: true
deployment.tags
A list of tags for the node.
Can be used to select a group of nodes for deployment.
Type: list of string
Default: [ ]
deployment.targetHost
The target SSH node for deployment.
By default, the node’s attribute name will be used. If set to `null`, only local deployment will be supported.
Type: null or string
Default: "nixos"
deployment.targetPort
The target SSH port for deployment.
By default, the port is the standard port (22) or taken from your ssh_config.
Type: null or unsigned integer, meaning >=0
Default: null
deployment.targetUser
The user to use to log into the remote node. If set to null, the target user will not be specified in SSH invocations.
Type: null or string
Default: "root"
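As an added example that is not part of the Colmena documentation, the hive below combines the connection-related options above: a non-root SSH user with privilege escalation set in `defaults`, a node on a non-standard port that builds on the target, a node reachable only locally, and `replaceUnknownProfiles` turned off so a concurrent deploy by someone else is not silently overwritten. The node names, addresses, user name and tags are assumptions.

```nix
# Added example (not from the Colmena docs). Hostnames, users and tags are assumed.
{
  meta.nixpkgs = import <nixpkgs> { system = "x86_64-linux"; };

  # `defaults` applies to every node; per-node settings below add to or override it.
  defaults = { ... }: {
    # Log in as an unprivileged user and escalate only for activation. The user
    # must be able to run the escalation command without a prompt.
    deployment.targetUser = "deploy";
    deployment.privilegeEscalationCommand = [ "sudo" "-H" "--" ];
    # Do not replace a profile this Colmena has never seen; pass
    # --force-replace-unknown-profiles on the command line when that is intended.
    deployment.replaceUnknownProfiles = false;
    deployment.tags = [ "managed" ];
  };

  # Reached over SSH on port 2222; the build runs on the node itself, so the
  # result is never copied back into the local Nix store.
  web01 = { ... }: {
    deployment = {
      targetHost = "203.0.113.10";   # documentation-range address (TEST-NET-3)
      targetPort = 2222;
      buildOnTarget = true;
      tags = [ "web" "prod" ];       # merged with "managed" from defaults
    };
  };

  # The machine Colmena runs on: no SSH target, local activation only.
  # networking.hostName must equal the machine's real hostname for apply-local.
  bastion = { ... }: {
    networking.hostName = "bastion";
    deployment = {
      targetHost = null;
      allowLocalDeployment = true;
      tags = [ "infra" ];
    };
  };
}
```

With this hive, `colmena apply --on @prod` deploys `web01` over SSH as `deploy` and activates through `sudo -H --`, `colmena apply --build-on-target` temporarily forces remote builds on every node, and `colmena apply-local` run on the `bastion` host applies that node's configuration without any SSH connection.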