deployment.alwaysActivate

Always run the activation script, whether or not the configuration has changed (the default). Even when this is set to false, activation can be forced when deploying with the command line option --always-activate.

If this is set to false, activation is done only if the new system profile doesn't match the previous one.

type

boolean

default

{
  deployment.alwaysActivate = true;
}

deployment.ec2.accessKeyId

The AWS Access Key ID. If left empty, it defaults to the contents of the environment variables EC2_ACCESS_KEY or AWS_ACCESS_KEY_ID (in that order). The corresponding Secret Access Key is not specified in the deployment model but looked up in the file ~/.ec2-keys, which should contain, on each line, an Access Key ID followed by the corresponding Secret Access Key. If that lookup fails, it continues in the standard AWS tools file ~/.aws/credentials. If the key does not appear in either file, the environment variables EC2_SECRET_KEY or AWS_SECRET_ACCESS_KEY are used.

type

string

example

{
  deployment.ec2.accessKeyId = "AKIABOGUSACCESSKEY";
}

default

{
  deployment.ec2.accessKeyId = "";
}

deployment.ec2.ami

EC2 identifier of the AMI disk image used in the virtual machine. This must be a NixOS image providing SSH access.

type

string

example

{
  deployment.ec2.ami = "ami-00000000";
}

deployment.ec2.associatePublicIpAddress

If the instance is in a subnet/VPC, whether to associate a public IP address with it.

type

boolean

default

{
  deployment.ec2.associatePublicIpAddress = false;
}

deployment.ec2.blockDeviceMapping

Block device mapping.

/dev/sd[a-e] or /dev/xvd[a-e] must be ephemeral devices.

With the following instance families, EBS volumes are exposed as NVMe block devices: C5, C5d, i3.metal, M5, and M5d (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html). For these instances, volumes should be attached as /dev/nvme[1-26]n1 with no gaps in the numbering.

{
  machine = {
    deployment.ec2.blockDeviceMapping."/dev/nvme1n1".size = 1;
    deployment.ec2.blockDeviceMapping."/dev/nvme3n1".size = 1;
    # this device will be attached as /dev/nvme2n1; refer to it as /dev/nvme2n1
  };
}

type

attribute set of submodule

example

{
  deployment.ec2.blockDeviceMapping = {
    "/dev/xvdb" = {
      disk = "ephemeral0";
    };
    "/dev/xvdg" = {
      disk = "vol-00000000";
    };
  };
}

default

{
  deployment.ec2.blockDeviceMapping = {};
}

deployment.ec2.blockDeviceMapping.<name>.cipher

The cipher used to encrypt the disk.

type

string

default

{
  deployment.ec2.blockDeviceMapping.<name>.cipher = "aes-cbc-essiv:sha256";
}

deployment.ec2.blockDeviceMapping.<name>.deleteOnTermination

For automatically created EBS volumes, determines whether the volume should be deleted on instance termination.

type

boolean

deployment.ec2.blockDeviceMapping.<name>.disk

EC2 identifier of the disk to be mounted. This can be an ephemeral disk (e.g. ephemeral0), a snapshot ID (e.g. snap-00000000) or a volume ID (e.g. vol-00000000). Leave empty to create an EBS volume automatically. It can also be an EBS resource (e.g. resources.ebsVolumes.big-disk).

type

string or resource of type ‘ebs-volume’

example

{
  deployment.ec2.blockDeviceMapping.<name>.disk = "vol-00000000";
}

default

{
  deployment.ec2.blockDeviceMapping.<name>.disk = "";
}

deployment.ec2.blockDeviceMapping.<name>.encrypt

Whether the EBS volume should be encrypted using LUKS.

type

boolean

default

{
  deployment.ec2.blockDeviceMapping.<name>.encrypt = false;
}

deployment.ec2.blockDeviceMapping.<name>.encryptionType

Whether the EBS volume should be encrypted using LUKS or on the underlying EBS volume (Amazon EBS feature). Possible values are "luks" (default) and "ebs".

type

one of "luks", "ebs"

default

{
  deployment.ec2.blockDeviceMapping.<name>.encryptionType = "luks";
}

deployment.ec2.blockDeviceMapping.<name>.fsType

Filesystem type for automatically created EBS volumes.

type

string

default

{
  deployment.ec2.blockDeviceMapping.<name>.fsType = "ext4";
}

deployment.ec2.blockDeviceMapping.<name>.iops

The provisioned IOPS you want to associate with this EBS volume.

type

null or signed integer

default

{
  deployment.ec2.blockDeviceMapping.<name>.iops = null;
}

deployment.ec2.blockDeviceMapping.<name>.keySize

The size of the encryption key.

type

signed integer

default

{
  deployment.ec2.blockDeviceMapping.<name>.keySize = 128;
}

deployment.ec2.blockDeviceMapping.<name>.passphrase

The passphrase (key file) used to decrypt the key to access the device. If left empty, a passphrase is generated automatically; this passphrase is lost when you destroy the machine or remove the volume, unless you copy it from NixOps's state file. Note that the passphrase is stored in the Nix store of the instance, so an attacker who gains access to the EBS volume or instance store that contains the Nix store can subsequently decrypt the encrypted volume.

type

string

default

{
  deployment.ec2.blockDeviceMapping.<name>.passphrase = "";
}

deployment.ec2.blockDeviceMapping.<name>.size

Volume size (in gigabytes). This may be left unset if you are creating the volume from a snapshot, in which case the size of the volume will be equal to the size of the snapshot. However, you can set a size larger than the snapshot, allowing the volume to be larger than the snapshot from which it is created.

type

signed integer

example

{
  deployment.ec2.blockDeviceMapping.<name>.size = 100;
}

deployment.ec2.blockDeviceMapping.<name>.volumeType

The volume type for the EBS volume, which must be one of "standard" (a magnetic volume), "io1" (a provisioned IOPS SSD volume), "io2" (an improved provisioned IOPS SSD volume), "gp2" (a general purpose SSD volume), "gp3" (a general purpose SSD volume), "st1" (a throughput optimized HDD volume) or "sc1" (a cold HDD volume).

type

one of "standard", "io1", "io2", "gp2", "gp3", "st1", "sc1"

default

{
  deployment.ec2.blockDeviceMapping.<name>.volumeType = "standard";
}

deployment.ec2.ebsBoot

Whether you want to boot from an EBS-backed AMI. Only EBS-backed instances can be stopped and restarted, and attach other EBS volumes at boot time. This option determines the selection of the default AMI; if you explicitly specify deployment.ec2.ami, it has no effect.

type

boolean

default

{
  deployment.ec2.ebsBoot = true;
}

deployment.ec2.ebsInitialRootDiskSize

Preferred size (in gigabytes) of the root disk of the EBS-backed instance. By default, EBS-backed images have a size determined by the AMI. Only supported on creation of the instance.

type

signed integer

default

{
  deployment.ec2.ebsInitialRootDiskSize = 0;
}

deployment.ec2.ebsOptimized

Whether the EC2 instance should be created as an EBS Optimized instance.

type

boolean

default

{
  deployment.ec2.ebsOptimized = false;
}

deployment.ec2.elasticIPv4

Elastic IPv4 address to be associated with this machine.

type

string or resource of type ‘elastic-ip’

example

{
  deployment.ec2.elasticIPv4 = "123.1.123.123";
}

default

{
  deployment.ec2.elasticIPv4 = "";
}

deployment.ec2.instanceId

EC2 instance ID (set by NixOps).

type

string

default

{
  deployment.ec2.instanceId = "";
}

deployment.ec2.instanceProfile

The name of the IAM Instance Profile (IIP) to associate with the instances.

type

string

example

{
  deployment.ec2.instanceProfile = "rolename";
}

default

{
  deployment.ec2.instanceProfile = "";
}

deployment.ec2.instanceType

EC2 instance type. See the Amazon EC2 instance type documentation for a list of valid instance types.

type

string

example

{
  deployment.ec2.instanceType = "m1.large";
}

default

{
  deployment.ec2.instanceType = "m1.small";
}

deployment.ec2.keyPair

Name of the SSH key pair to be used to communicate securely with the instance. Key pairs can be created using the ec2-add-keypair command.

type

string or resource of type ‘ec2-keypair’

example

{
  deployment.ec2.keyPair = "my-keypair";
}

deployment.ec2.physicalProperties

Attribute set containing number of CPUs and memory available to the machine.

type

attribute set of signed integer or string or boolean

example

{
  deployment.ec2.physicalProperties = {
    cores = 4;
    memory = 14985;
  };
}

default

{
  deployment.ec2.physicalProperties = {};
}

deployment.ec2.placementGroup

Placement group for the instance.

type

string or resource of type ‘ec2-placement-group’

example

{
  deployment.ec2.placementGroup = "my-cluster";
}

default

{
  deployment.ec2.placementGroup = "";
}

deployment.ec2.privateKey

Path of the SSH private key file corresponding with deployment.ec2.keyPair. NixOps will use this private key if set; otherwise, the key must be findable by SSH through its normal mechanisms (e.g. it should be listed in ~/.ssh/config or added to the ssh-agent).

type

string

example

{
  deployment.ec2.privateKey = "/home/alice/.ssh/id_rsa-my-keypair";
}

default

{
  deployment.ec2.privateKey = "";
}

deployment.ec2.region

AWS region in which the instance is to be deployed. This option only applies when using EC2. It implicitly sets deployment.targetEnv.

type

string

example

{
  deployment.ec2.region = "us-east-1";
}

default

{
  deployment.ec2.region = "";
}

deployment.ec2.securityGroupIds

Security Group IDs for the instance. Necessary if starting an instance inside a VPC/subnet. In a non-default VPC, security groups need to be specified by ID and not by name.

type

list of string

default

{
  deployment.ec2.securityGroupIds = [
    "default"
  ];
}

deployment.ec2.securityGroups

Security groups for the instance. These determine the firewall rules applied to the instance.

type

list of string or resource of type ‘ec2-security-group’

example

{
  deployment.ec2.securityGroups = [
    "my-group"
    "my-other-group"
  ];
}

default

{
  deployment.ec2.securityGroups = [
    "default"
  ];
}

deployment.ec2.sourceDestCheck

If the instance is in a subnet/VPC, whether to enable or disable the source/destination check.

type

boolean

default

{
  deployment.ec2.sourceDestCheck = true;
}

deployment.ec2.spotInstanceInterruptionBehavior

Whether to terminate, stop or hibernate the instance when it gets interrupted. For stop, spotInstanceRequestType must be set to "persistent".

type

one of "terminate", "stop", "hibernate"

default

{
  deployment.ec2.spotInstanceInterruptionBehavior = "terminate";
}

deployment.ec2.spotInstancePrice

Price (in dollar cents per hour) to use for spot instances request for the machine. If the value is equal to 0 (default), then spot instances are not used.

type

signed integer

default

{
  deployment.ec2.spotInstancePrice = 0;
}

deployment.ec2.spotInstanceRequestType

The type of the spot instance request. It can be either "one-time" or "persistent".

type

one of "one-time", "persistent"

default

{
  deployment.ec2.spotInstanceRequestType = "one-time";
}

deployment.ec2.spotInstanceTimeout

The duration (in seconds) that the spot instance request is valid. If the request cannot be satisfied in this amount of time, the request will be cancelled automatically, and NixOps will fail with an error message. The default (0) is no timeout.

type

signed integer

default

{
  deployment.ec2.spotInstanceTimeout = 0;
}

deployment.ec2.subnetId

The subnet inside a VPC to launch the instance in.

type

string or resource of type ‘vpc-subnet’

example

{
  deployment.ec2.subnetId = "subnet-00000000";
}

default

{
  deployment.ec2.subnetId = "";
}

deployment.ec2.tags

Tags assigned to the instance. Each tag name can be at most 128 characters, and each tag value can be at most 256 characters. There can be at most 10 tags.

type

attribute set of string

example

{
  deployment.ec2.tags = {
    foo = "bar";
    xyzzy = "bla";
  };
}

default

{
  deployment.ec2.tags = {};
}

deployment.ec2.tenancy

The tenancy of the instance (if the instance is running in a VPC). An instance with a tenancy of dedicated runs on single-tenant hardware. An instance with host tenancy runs on a Dedicated Host, which is an isolated server with configurations that you can control.

type

one of "default", "dedicated", "host"

default

{
  deployment.ec2.tenancy = "default";
}

deployment.ec2.usePrivateIpAddress

If the instance is in a subnet/VPC, whether to use the private IP address for SSH connections to this host. Defaults to true when you are deploying into a subnet without associating a public IP address.

type

boolean

default

{
  deployment.ec2.usePrivateIpAddress = false;
}

deployment.ec2.zone

The EC2 availability zone in which the instance should be created. If not specified, a zone is selected automatically.

type

string

example

{
  deployment.ec2.zone = "us-east-1c";
}

default

{
  deployment.ec2.zone = "";
}

deployment.hasFastConnection

If set to true, the whole closure will be copied using just nix-copy-closure.

If set to false, the closure is first copied using binary substitution; any derivations still missing are then copied with nix-copy-closure using the --gzip flag.

Some backends set this value to true.

type

boolean

default

{
  deployment.hasFastConnection = false;
}

deployment.keys

The set of keys to be deployed to the machine. Each attribute maps a key name to a file that can be accessed as destDir/name, where destDir defaults to /run/keys. Thus, { password.text = "foobar"; } causes a file destDir/password to be created with contents foobar. The directory destDir is only accessible to root and the keys group, so remember to add any users that need access to a particular key to this group.

Each key also gets a systemd service <name>-key.service which is active while the key is present and inactive while the key is absent. Thus, { password.text = "foobar"; } gets a password-key.service.

type

attribute set of string or key options

example

{
  deployment.keys = {
    password = {
      text = "foobar";
    };
  };
}

default

{
  deployment.keys = {};
}

deployment.keys.<name>.destDir

When specified, this allows changing the destDir directory of the key file from its default value of /run/keys.

This directory will be created, its permissions changed to 0750 and ownership to root:keys.

type

path

default

{
  deployment.keys.<name>.destDir = "/run/keys";
}

deployment.keys.<name>.group

The group that will be set for the key file.

type

string

default

{
  deployment.keys.<name>.group = "root";
}

deployment.keys.<name>.keyCommand

When non-null, the output of this command, run on the local machine, will be deployed to the specified key on the target machine. If the key name is password and echo secrettoken is set here, the contents of the deployed file destDir/password will equal the output of the command echo secrettoken.

This option is especially useful when you don't want to store the secrets inside of your NixOps deployment but rather in a well-guarded place such as an encrypted file. Consider using nixpkgs.password-store as storage for such sensitive secrets.

NOTE: One of text, keyCommand or keyFile has to be set.

type

null or list of string

example

{
  deployment.keys.<name>.keyCommand = [
    "pass"
    "show"
    "secrettoken"
  ];
}

default

{
  deployment.keys.<name>.keyCommand = null;
}

deployment.keys.<name>.keyFile

When non-null, the contents of the specified file will be deployed to the specified key on the target machine. If the key name is password and /foo/bar is set here, the contents of the deployed file destDir/password will be the same as the local file /foo/bar.

Since no serialization/deserialization of key contents is involved, there are no limits on that content: null bytes, invalid Unicode, /dev/random output -- anything goes.

NOTE: One of text, keyCommand or keyFile has to be set.

type

null or path

default

{
  deployment.keys.<name>.keyFile = null;
}

deployment.keys.<name>.name

The name of the key file.

type

string

example

{
  deployment.keys.<name>.name = "secret.txt";
}

default

{
  deployment.keys.<name>.name = "‹name›";
}

deployment.keys.<name>.permissions

The default permissions to set for the key file, needs to be in the format accepted by chmod(1).

type

string

example

{
  deployment.keys.<name>.permissions = "0640";
}

default

{
  deployment.keys.<name>.permissions = "0600";
}

deployment.keys.<name>.text

When non-null, this designates the text that the key should contain. So if the key name is password and foobar is set here, the contents of the file destDir/password will be foobar.

NOTE: One of text, keyCommand or keyFile has to be set.

type

null or string

example

{
  deployment.keys.<name>.text = "super secret stuff";
}

default

{
  deployment.keys.<name>.text = null;
}

deployment.keys.<name>.user

The user which will be the owner of the key file.

type

string

default

{
  deployment.keys.<name>.user = "root";
}
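The following is an added example, not part of the NixOps option reference, that puts the deployment.keys options above together: a key produced by a local keyCommand, owned by a dedicated service user with owner-only permissions, and a service ordered after the key's <name>-key.service. The user and group name webapp, the pass entry name and the placeholder ExecStart are assumptions.

```nix
{
  webserver = { pkgs, ... }: {
    deployment.keys."db-password" = {
      # Run locally during "nixops deploy"; only the command output is sent to
      # the machine, so the secret is never written into the Nix store.
      keyCommand = [ "pass" "show" "webapp/db-password" ];  # assumed pass entry
      destDir = "/run/keys";   # the default, shown explicitly
      user = "webapp";
      group = "webapp";
      permissions = "0400";    # readable by the owning user only
    };

    # /run/keys is root:keys 0750, so a non-root reader must also be in the
    # keys group to traverse the directory.
    users.users.webapp = {
      isSystemUser = true;
      group = "webapp";
      extraGroups = [ "keys" ];
    };
    users.groups.webapp = { };

    systemd.services.webapp = {
      wantedBy = [ "multi-user.target" ];
      # db-password-key.service is active only while /run/keys/db-password
      # exists; ordering after it keeps the service from starting without the key.
      after = [ "db-password-key.service" ];
      wants = [ "db-password-key.service" ];
      serviceConfig = {
        User = "webapp";
        # Placeholder workload: a real service would read the key from this path.
        ExecStart = "${pkgs.coreutils}/bin/cat /run/keys/db-password";
      };
    };
  };
}
```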

deployment.owners

List of email addresses of the owners of the machines. Used to send email on performing certain actions.

type

list of string

default

{
  deployment.owners = [];
}

deployment.privilegeEscalationCommand

A command to escalate to root privileges when using SSH as a non-root user. This option is ignored if the targetUser option is set to root.

The program and its options are executed verbatim without shell.

It's good practice to end with "--" to indicate that the privilege escalation command should stop processing command line arguments.

type

list of string

default

{
  deployment.privilegeEscalationCommand = [
    "sudo"
    "-H"
    "--"
  ];
}

deployment.provisionSSHKey

This option specifies whether to let NixOps provision SSH deployment keys.

NixOps will by default generate an SSH key, store the private key in its state file, and add the public key to the remote host.

Setting this option to false disables this behaviour and leaves you to manage your own SSH keys and to ensure that ssh has access to any keys it requires.

type

boolean

default

{
  deployment.provisionSSHKey = true;
}

deployment.route53.accessKeyId

The AWS Access Key ID. If left empty, it defaults to the contents of the environment variables EC2_ACCESS_KEY or AWS_ACCESS_KEY_ID (in that order). The corresponding Secret Access Key is not specified in the deployment model but looked up in the file ~/.ec2-keys, which should contain, on each line, an Access Key ID followed by the corresponding Secret Access Key. If that lookup fails, it continues in the standard AWS tools file ~/.aws/credentials. If the key does not appear in either file, the environment variables EC2_SECRET_KEY or AWS_SECRET_ACCESS_KEY are used.

type

string

example

{
  deployment.route53.accessKeyId = "AKIABOGUSACCESSKEY";
}

default

{
  deployment.route53.accessKeyId = "";
}

deployment.route53.hostName

The DNS hostname to bind the public IP address to.

type

string

example

{
  deployment.route53.hostName = "test.x.logicblox.com";
}

default

{
  deployment.route53.hostName = "";
}

deployment.route53.private

Whether to create an A record with the instance's private address.

Use this only with Private Hosted DNS zones: otherwise, at best the host will appear to be down, and at worst requests may be erroneously routed to hosts on your clients' local networks.

type

boolean

default

{
  deployment.route53.private = false;
}

deployment.route53.ttl

The time to live (TTL) for the A record created for the specified DNS hostname.

type

signed integer

example

{
  deployment.route53.ttl = 300;
}

default

{
  deployment.route53.ttl = 300;
}

deployment.route53.usePublicDNSName

Whether to create a CNAME record with the instance's public DNS name. This will resolve inside AWS to a private IP and outside AWS to the public IP.

type

boolean

default

{
  deployment.route53.usePublicDNSName = false;
}

deployment.sshOptions

Extra options passed verbatim to the OpenSSH client; they are not interpreted by a shell.

type

list of string

default

{
  deployment.sshOptions = [];
}

deployment.targetEnv

This option specifies the type of the environment in which the machine is to be deployed by NixOps.

type

string

example

{
  deployment.targetEnv = "ec2";
}

default

{
  deployment.targetEnv = "none";
}

deployment.targetHost

This option specifies the hostname or IP address to be used by NixOps to execute remote deployment operations.

type

string

deployment.targetPort

This option specifies the SSH port to be used by NixOps to execute remote deployment operations.

type

signed integer

deployment.targetUser

The username to be used by NixOps when connecting to the remote system over SSH.

type

string

default

{
  deployment.targetUser = "root";
}
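An added example, not from the NixOps reference, combining deployment.targetHost, targetPort, targetUser, privilegeEscalationCommand, provisionSSHKey and sshOptions for a deployment over plain SSH as a non-root user: NixOps is told not to generate its own key, pins the host key, and escalates with sudo. The address 203.0.113.10, the deploy user, the local key and known_hosts paths, and the authorized key are constructed placeholders.

```nix
{
  appserver = { ... }: {
    # deployment.targetEnv stays at its default "none": NixOps just connects over SSH.
    deployment.targetHost = "203.0.113.10";   # constructed address
    deployment.targetPort = 22;
    deployment.targetUser = "deploy";
    # Executed verbatim, without a shell; the trailing "--" stops sudo from
    # treating NixOps's own command arguments as sudo options.
    deployment.privilegeEscalationCommand = [ "sudo" "-H" "--" ];
    # Do not let NixOps generate a deployment key and keep it in its state file;
    # the key referenced below must already be authorized on the host.
    deployment.provisionSSHKey = false;
    deployment.sshOptions = [
      "-i" "/home/alice/.ssh/id_ed25519-deploy"                      # assumed local key
      "-o" "StrictHostKeyChecking=yes"                               # refuse unknown host keys
      "-o" "UserKnownHostsFile=/home/alice/.ssh/known_hosts.nixops"  # assumed path
    ];

    # Target-side counterpart: the deploy user and a passwordless sudo rule for it,
    # without which the privilege escalation command above would prompt and fail.
    users.users.deploy = {
      isNormalUser = true;
      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... alice@laptop" ];  # placeholder
    };
    security.sudo.extraRules = [{
      users = [ "deploy" ];
      commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
    }];
  };
}
```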

fileSystems

type

attribute set of submodule

fileSystems.<name>.ec2

EC2 disk to be attached to this mount point. This is shorthand for defining a separate deployment.ec2.blockDeviceMapping attribute.

type

null or submodule

default

{
  fileSystems.<name>.ec2 = null;
}

fileSystems.<name>.ec2.cipher

The cipher used to encrypt the disk.

type

string

default

{
  fileSystems.<name>.ec2.cipher = "aes-cbc-essiv:sha256";
}

fileSystems.<name>.ec2.deleteOnTermination

For automatically created EBS volumes, determines whether the volume should be deleted on instance termination.

type

boolean

fileSystems.<name>.ec2.disk

EC2 identifier of the disk to be mounted. This can be an ephemeral disk (e.g. ephemeral0), a snapshot ID (e.g. snap-00000000) or a volume ID (e.g. vol-00000000). Leave empty to create an EBS volume automatically. It can also be an EBS resource (e.g. resources.ebsVolumes.big-disk).

type

string or resource of type ‘ebs-volume’

example

{
  fileSystems.<name>.ec2.disk = "vol-00000000";
}

default

{
  fileSystems.<name>.ec2.disk = "";
}

fileSystems.<name>.ec2.encrypt

Whether the EBS volume should be encrypted using LUKS.

type

boolean

default

{
  fileSystems.<name>.ec2.encrypt = false;
}

fileSystems.<name>.ec2.encryptionType

Whether the EBS volume should be encrypted using LUKS or on the underlying EBS volume (Amazon EBS feature). Possible values are "luks" (default) and "ebs".

type

one of "luks", "ebs"

default

{
  fileSystems.<name>.ec2.encryptionType = "luks";
}

fileSystems.<name>.ec2.fsType

Filesystem type for automatically created EBS volumes.

type

string

default

{
  fileSystems.<name>.ec2.fsType = "ext4";
}

fileSystems.<name>.ec2.iops

The provisioned IOPS you want to associate with this EBS volume.

type

null or signed integer

default

{
  fileSystems.<name>.ec2.iops = null;
}

fileSystems.<name>.ec2.keySize

The size of the encryption key.

type

signed integer

default

{
  fileSystems.<name>.ec2.keySize = 128;
}

fileSystems.<name>.ec2.passphrase

The passphrase (key file) used to decrypt the key to access the device. If left empty, a passphrase is generated automatically; this passphrase is lost when you destroy the machine or remove the volume, unless you copy it from NixOps's state file. Note that the passphrase is stored in the Nix store of the instance, so an attacker who gains access to the EBS volume or instance store that contains the Nix store can subsequently decrypt the encrypted volume.

type

string

default

{
  fileSystems.<name>.ec2.passphrase = "";
}

fileSystems.<name>.ec2.size

Volume size (in gigabytes). This may be left unset if you are creating the volume from a snapshot, in which case the size of the volume will be equal to the size of the snapshot. However, you can set a size larger than the snapshot, allowing the volume to be larger than the snapshot from which it is created.

type

signed integer

example

{
  fileSystems.<name>.ec2.size = 100;
}

fileSystems.<name>.ec2.volumeType

The volume type for the EBS volume, which must be one of "standard" (a magnetic volume), "io1" (a provisioned IOPS SSD volume), "io2" (an improved provisioned IOPS SSD volume), "gp2" (a general purpose SSD volume), "gp3" (a general purpose SSD volume), "st1" (a throughput optimized HDD volume) or "sc1" (a cold HDD volume).

type

one of "standard", "io1", "io2", "gp2", "gp3", "st1", "sc1"

default

{
  fileSystems.<name>.ec2.volumeType = "standard";
}
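An added example, not from the NixOps reference, using the fileSystems.<name>.ec2 shorthand (equivalent to a deployment.ec2.blockDeviceMapping entry) for an automatically created, encrypted data volume on an NVMe-naming instance. It picks EBS-level encryption so that no LUKS passphrase lands in the instance's Nix store, and keeps the volume on termination. The instance type m5.large, the region and the mount point /data are assumptions.

```nix
{
  db = { ... }: {
    deployment.targetEnv = "ec2";
    deployment.ec2.region = "us-east-1";
    deployment.ec2.instanceType = "m5.large";   # M5: volumes appear as /dev/nvme*n1

    fileSystems."/data" = {
      # On M5 the first extra volume is nvme1n1; further volumes must follow
      # without gaps (nvme2n1, nvme3n1, ...).
      device = "/dev/nvme1n1";
      fsType = "ext4";
      ec2 = {
        disk = "";                    # empty: NixOps creates the EBS volume
        size = 100;                   # gigabytes
        volumeType = "gp3";
        fsType = "ext4";              # used when NixOps formats the new volume
        deleteOnTermination = false;  # the data volume outlives the instance
        encrypt = true;
        # "ebs" encrypts at the volume level; with "luks" the passphrase is stored
        # in the instance's Nix store and is readable by anyone who obtains it.
        encryptionType = "ebs";
      };
    };
  };
}
```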

networking.privateIPv4

IPv4 address of this machine within the logical network. This address can be used by other machines in the logical network to reach this machine. However, it need not be visible to the outside (i.e., publicly routable).

type

string

example

{
  networking.privateIPv4 = "10.1.2.3";
}

networking.publicIPv4

Publicly routable IPv4 address of this machine.

type

null or string

example

{
  networking.publicIPv4 = "198.51.100.123";
}

default

{
  networking.publicIPv4 = null;
}

networking.vpnPublicKey

Public key of the machine's VPN key (set by NixOps).

type

null or string

default

{
  networking.vpnPublicKey = null;
}