deployment.alwaysActivate

Always run the activation script, regardless of whether the configuration has changed (the default). Even if this option is set to false, the behaviour can be enforced at deployment time with the command line option --always-activate.

If this is set to false, activation is done only if the new system profile doesn't match the previous one.

type

boolean

default

{
  deployment.alwaysActivate = true;
}

deployment.arguments

Attribute set representing the NixOps arguments. This is set by NixOps.

type

unspecified

deployment.hasFastConnection

If set to true, the whole closure will be copied using just nix-copy-closure.

If set to false, the closure will be copied first using binary substitution. Additionally, any missing derivations will be copied with nix-copy-closure using the --gzip flag.

Some backends set this value to true.

type

boolean

default

{
  deployment.hasFastConnection = false;
}

deployment.keys

The set of keys to be deployed to the machine. Each attribute maps a key name to a file that can be accessed as destDir/name, where destDir defaults to /run/keys. Thus, { password.text = "foobar"; } causes a file destDir/password to be created with contents foobar. The directory destDir is only accessible to root and the keys group, so keep in mind to add any users that need to have access to a particular key to this group.

Each key also gets a systemd service <name>-key.service which is active while the key is present and inactive while the key is absent. Thus, { password.text = "foobar"; } gets a password-key.service.

type

attribute set of string or key options

example

{
  deployment.keys = {
    password = {
      text = "foobar";
    };
  };
}

default

{
  deployment.keys = {};
}

deployment.keys.<name>.destDir

When specified, this allows changing the destDir directory of the key file from its default value of /run/keys.

This directory will be created, its permissions changed to 0750 and ownership to root:keys.

type

path

default

{
  deployment.keys.<name>.destDir = "/run/keys";
}

deployment.keys.<name>.group

The group that will be set for the key file.

type

string

default

{
  deployment.keys.<name>.group = "root";
}

deployment.keys.<name>.keyCommand

When non-null, the output of this command, run on the local machine, will be deployed to the specified key on the target machine. If the key name is password and echo secrettoken is set here, the contents of the deployed file destDir/password will equal the output of the command echo secrettoken.

This option is especially useful when you don't want to store the secrets inside of your NixOps deployment but rather in a well-guarded place such as an encrypted file. Consider using nixpkgs.password-store as storage for such sensitive secrets.

NOTE: Either text, keyCommand or keyFile has to be set.

type

null or list of string

example

{
  deployment.keys.<name>.keyCommand = [
    "pass"
    "show"
    "secrettoken"
  ];
}

default

{
  deployment.keys.<name>.keyCommand = null;
}

deployment.keys.<name>.keyFile

When non-null, the contents of the specified file will be deployed to the specified key on the target machine. If the key name is password and /foo/bar is set here, the contents of the deployed file destDir/password will be the same as the local file /foo/bar.

Since no serialization/deserialization of key contents is involved, there are no limits on that content: null bytes, invalid Unicode, /dev/random output -- anything goes.

NOTE: Either text, keyCommand or keyFile has to be set.

type

null or path

default

{
  deployment.keys.<name>.keyFile = null;
}

deployment.keys.<name>.name

The name of the key file.

type

string

example

{
  deployment.keys.<name>.name = "secret.txt";
}

default

{
  deployment.keys.<name>.name = "‹name›";
}

deployment.keys.<name>.permissions

The default permissions to set for the key file. The value needs to be in the format accepted by chmod(1).

type

string

example

{
  deployment.keys.<name>.permissions = "0640";
}

default

{
  deployment.keys.<name>.permissions = "0600";
}

deployment.keys.<name>.text

When non-null, this designates the text that the key should contain. So if the key name is password and foobar is set here, the contents of the file destDir/password will be foobar.

NOTE: Either text, keyCommand or keyFile has to be set.

type

null or string

example

{
  deployment.keys.<name>.text = "super secret stuff";
}

default

{
  deployment.keys.<name>.text = null;
}

deployment.keys.<name>.user

The user which will be the owner of the key file.

type

string

default

{
  deployment.keys.<name>.user = "root";
}
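
Added example, not part of the NixOps manual: a machine definition that combines the deployment.keys options above, reading the secret with keyCommand, restricting the key file to a service account, adding that account to the keys group, and ordering the service after the key's systemd unit. The machine name webserver, the myapp user, group, package and its --password-file flag, and the pass entry are hypothetical.

```nix
{
  webserver = { config, pkgs, ... }: {
    deployment.keys.db-password = {
      # Run on the deploying machine at deploy time, so the secret is not
      # written into the deployment expression (pass entry is hypothetical).
      keyCommand = [ "pass" "show" "myapp/db-password" ];
      # Owner, group and mode of /run/keys/db-password on the target.
      user = "myapp";
      group = "myapp";
      permissions = "0400";
    };

    users.groups.myapp = { };
    users.users.myapp = {
      isSystemUser = true;
      group = "myapp";
      # destDir (/run/keys) is only accessible to root and the keys group,
      # so the service account needs membership to reach its key file.
      extraGroups = [ "keys" ];
    };

    systemd.services.myapp = {
      wantedBy = [ "multi-user.target" ];
      # db-password-key.service is active only while the key is present.
      after = [ "db-password-key.service" ];
      wants = [ "db-password-key.service" ];
      serviceConfig = {
        User = "myapp";
        # pkgs.myapp and --password-file are placeholders for a real service.
        ExecStart = "${pkgs.myapp}/bin/myapp --password-file /run/keys/db-password";
      };
    };
  };
}
```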

deployment.name

The name of the NixOps deployment. This is set by NixOps.

type

string

deployment.owners

List of email addresses of the owners of the machines. Used to send email on performing certain actions.

type

list of string

default

{
  deployment.owners = [];
}

deployment.privilegeEscalationCommand

A command to escalate to root privileges when using SSH as a non-root user. This option is ignored if the targetUser option is set to root.

The program and its options are executed verbatim without shell.

It's good practice to end with "--" to indicate that the privilege escalation command should stop processing command line arguments.

type

list of string

default

{
  deployment.privilegeEscalationCommand = [
    "sudo"
    "-H"
    "--"
  ];
}

deployment.provisionSSHKey

This option specifies whether to let NixOps provision SSH deployment keys.

NixOps will by default generate an SSH key, store the private key in its state file, and add the public key to the remote host.

Setting this option to false disables this behaviour. You are then responsible for managing your own SSH keys and for ensuring that ssh has access to any keys it requires.

type

boolean

default

{
  deployment.provisionSSHKey = true;
}

deployment.sshOptions

Extra options passed verbatim to the OpenSSH client. They are not executed by a shell.

type

list of string

default

{
  deployment.sshOptions = [];
}

deployment.targetEnv

This option specifies the type of the environment in which the machine is to be deployed by NixOps.

type

string

example

{
  deployment.targetEnv = "ec2";
}

default

{
  deployment.targetEnv = "none";
}

deployment.targetHost

This option specifies the hostname or IP address to be used by NixOps to execute remote deployment operations.

type

string

deployment.targetPort

This option specifies the SSH port to be used by NixOps to execute remote deployment operations.

type

signed integer

deployment.targetUser

The username to be used by NixOps when connecting to the remote system over SSH.

type

string

default

{
  deployment.targetUser = "root";
}

deployment.uuid

The UUID of the NixOps deployment. This is set by NixOps.

type

string

name

Name of the Command Output.

type

string

default

{
  name = "{name}";
}

networking.privateIPv4

IPv4 address of this machine within the logical network. This address can be used by other machines in the logical network to reach this machine. However, it need not be visible to the outside (i.e., publicly routable).

type

string

example

{
  networking.privateIPv4 = "10.1.2.3";
}

networking.publicIPv4

Publicly routable IPv4 address of this machine.

type

null or string

example

{
  networking.publicIPv4 = "198.51.100.123";
}

default

{
  networking.publicIPv4 = null;
}

networking.vpnPublicKey

Public key of the machine's VPN key (set by NixOps).

type

null or string

default

{
  networking.vpnPublicKey = null;
}

privateKey

The generated private key.

type

string

default

{
  privateKey = "";
}

publicKey

The generated public SSH key.

type

string

default

{
  publicKey = "";
}

script

Text of a script which will produce a JSON value. Warning: This uses shell features and is potentially dangerous. Environment variables: $out is a temp directory available for use.

type

null or string

default

{
  script = null;
}

value

Result of running script.

type

null or string

default

{
  value = null;
}