NixOps Options¶
deployment.alwaysActivate¶
Always run the activation script, no matter whether the configuration
has changed (the default). This behaviour can be enforced even if it’s
set to false
using the command line option
--always-activate
on deployment.
If this is set to false
, activation is done only if
the new system profile doesn’t match the previous one.
Read Only
- Type
boolean
- Default
true
deployment.hasFastConnection¶
If set to true
, whole closure will be copied using just nix-copy-closure.
If set to false
, closure will be copied first using binary substitution.
Additionally, any missing derivations copied with nix-copy-closure will be done
using --gzip
flag.
Some backends set this value to true
.
Read Only
- Type
boolean
- Default
false
deployment.keys¶
The set of keys to be deployed to the machine. Each attribute maps
a key name to a file that can be accessed as
destDir
/name
,
where destDir
defaults to
/run/keys
. Thus, { password.text = "foobar"; }
causes a file
destDir
/password`` to be
created with contents foobar
. The directory destDir
is only
accessible to root and the keys
group, so keep in mind
to add any users that need to have access to a particular key to this
group.
Each key also gets a systemd service <name>-key.service
which is active while the key is present and inactive while the key
is absent. Thus, { password.text = "foobar"; }
gets
a password-key.service
.
Read Only
- Type
attribute set of string or key optionss
- Default
{}
- Example
{“password”:{“text”:”foobar”}}
deployment.keys.<name>.destDir¶
When specified, this allows changing the destDir directory of the key
file from its default value of /run/keys
.
This directory will be created, its permissions changed to
0750
and ownership to root:keys
.
Read Only
- Type
path
- Default
“/run/keys”
deployment.keys.<name>.group¶
The group that will be set for the key file.
Read Only
- Type
string
- Default
“root”
deployment.keys.<name>.keyCommand¶
When non-null, output of this command run on local machine will be
deployed to the specified key on the target machine. If the key name
is
password
and echo secrettoken
is set here, the contents of the file
destDir
/password
deployed will equal the output of the command echo secrettoken
.
This option is especially useful when you don’t want to store the secrets inside of your NixOps deployment but rather in a well-guarded place such as an encrypted file. Consider using nixpkgs.password-store as storage for such sensitive secrets.
NOTE: Either text
, keyCommand
or
keyFile
have to be set.
Read Only
- Type
null or list of strings
- Default
null
- Example
[“pass”,”show”,”secrettoken”]
deployment.keys.<name>.keyFile¶
When non-null, contents of the specified file will be deployed to the
specified key on the target machine. If the key name is
password
and /foo/bar
is set
here, the contents of the file
destDir
/password
deployed will be the same as local file /foo/bar
.
Since no serialization/deserialization of key contents is involved, there
are no limits on that content: null bytes, invalid Unicode,
/dev/random
output – anything goes.
NOTE: Either text
, keyCommand
or
keyFile
have to be set.
Read Only
- Type
null or path
- Default
null
deployment.keys.<name>.name¶
The name of the key file.
Read Only
- Type
string
- Default
“‹name›”
- Example
“secret.txt”
deployment.keys.<name>.permissions¶
The default permissions to set for the key file, needs to be in the
format accepted by chmod(1)
.
Read Only
- Type
string
- Default
“0600”
- Example
“0640”
deployment.keys.<name>.text¶
When non-null, this designates the text that the key should contain. So if
the key name is password
and
foobar
is set here, the contents of the file
destDir
/password
will be foobar
.
NOTE: Either text
, keyCommand
or
keyFile
have to be set.
Read Only
- Type
null or string
- Default
null
- Example
“super secret stuff”
deployment.keys.<name>.user¶
The user which will be the owner of the key file.
Read Only
- Type
string
- Default
“root”
deployment.owners¶
List of email addresses of the owners of the machines. Used to send email on performing certain actions.
Read Only
- Type
list of strings
- Default
[]
deployment.privilegeEscalationCommand¶
A command to escalate to root privileges when using SSH as a non-root user.
This option is ignored if the targetUser
option is set to root
.
The program and its options are executed verbatim without shell.
It’s good practice to end with “–” to indicate that the privilege escalation command should stop processing command line arguments.
Read Only
- Type
list of strings
- Default
[“sudo”,”-H”,”–”]
deployment.provisionSSHKey¶
This option specifies whether to let NixOps provision SSH deployment keys.
NixOps will by default generate an SSH key, store the private key in its state file, and add the public key to the remote host.
Setting this option to false
will disable this behaviour
and rely on you to manage your own SSH keys by yourself and to ensure
that ssh
has access to any keys it requires.
Read Only
- Type
boolean
- Default
true
deployment.sshOptions¶
Extra options passed to the OpenSSH client verbatim, and are not executed by a shell.
Read Only
- Type
list of strings
- Default
[]
deployment.targetEnv¶
This option specifies the type of the environment in which the machine is to be deployed by NixOps.
Read Only
- Type
string
- Default
“none”
- Example
“ec2”
deployment.targetHost¶
This option specifies the hostname or IP address to be used by NixOps to execute remote deployment operations.
Read Only
- Type
string
deployment.targetPort¶
This option specifies the SSH port to be used by NixOps to execute remote deployment operations.
Read Only
- Type
signed integer
deployment.targetUser¶
The username to be used by NixOps by SSH when connecting to the remote system.
Read Only
- Type
string
- Default
“root”
networking.privateIPv4¶
IPv4 address of this machine within in the logical network. This address can be used by other machines in the logical network to reach this machine. However, it need not be visible to the outside (i.e., publicly routable).
Read Only
- Type
string
- Example
“10.1.2.3”
networking.publicIPv4¶
Publicly routable IPv4 address of this machine.
Read Only
- Type
null or string
- Default
null
- Example
“198.51.100.123”
networking.vpnPublicKey¶
Public key of the machine’s VPN key (set by nixops)
Read Only
- Type
null or string
- Default
null