nix-ota/examples/device-host/configuration.nix

# Device configuration — what gets installed on `fridge-007`.
#
# You build + install this ONCE (e.g. via `nixos-rebuild --target-host`
# or by flashing an SD image). From then on, you ship updates to this
# machine by publishing new closures through nix-ota; you do not need
# to redeploy this flake to bump packages.
{ config, pkgs, lib, ... }:
{
  imports = [
    # Replace with your hardware config.
    # ./hardware-configuration.nix
  ];

  networking.hostName = "fridge-007";

  services.nix-ota-agent = {
    enable = true;

    # Where the control server lives.
    server  = "https://ota.example.com";
    channel = "prod";

    # Unique identifier for this device. Use the MAC, serial number,
    # whatever you have. Must be unique within your fleet.
    deviceId = "fridge-007";

    # Paste the ed25519 PUBLIC key you generated with `nix-ota keygen`.
    # If this doesn't match the key the manifest is signed with, the
    # agent will refuse to apply it — that's the point.
    publicKey = "REPLACE_WITH_MANIFEST_PUBLIC_KEY_BASE64";

    # Where the agent fetches closures from. Nix verifies the per-path
    # signatures against `cachePublicKey` below.
    cacheUrl       = "https://ota.example.com/cache";
    cachePublicKey = "ota.example.com-1:REPLACE_WITH_CACHE_PUBLIC_KEY";

    # How often to poll. The systemd timer also fires once on boot.
    interval = 60;

    # Optional health check. Runs after switch-to-configuration.
    # If it exits non-zero, the agent rolls back to the previous
    # generation and reports `rolled_back`.
    healthCmd = "systemctl is-system-running --wait";
  };

  # Standard NixOS stuff for a real device.
  services.openssh.enable = true;
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAA... your-key-here"
  ];

  system.stateVersion = "24.05";
}
Add worked example: server-host and device-host flakes Self-contained example under examples/ with full NixOS flakes for both sides of a deployment (control server + binary cache vs. an agent device), plus a README walking through the end-to-end install + first publish. 2026-05-25 15:57:32 +02:00			# Device configuration — what gets installed on `fridge-007`.
			`#`
			# You build + install this ONCE (e.g. via `nixos-rebuild --target-host`
			`# or by flashing an SD image). From then on, you ship updates to this`
			`# machine by publishing new closures through nix-ota; you do not need`
			`# to redeploy this flake to bump packages.`
			`{ config, pkgs, lib, ... }:`
			`{`
			`imports = [`
			`# Replace with your hardware config.`
			`# ./hardware-configuration.nix`
			`];`

			`networking.hostName = "fridge-007";`

			`services.nix-ota-agent = {`
			`enable = true;`

			`# Where the control server lives.`
			`server = "https://ota.example.com";`
			`channel = "prod";`

			`# Unique identifier for this device. Use the MAC, serial number,`
			`# whatever you have. Must be unique within your fleet.`
			`deviceId = "fridge-007";`

			# Paste the ed25519 PUBLIC key you generated with `nix-ota keygen`.
			`# If this doesn't match the key the manifest is signed with, the`
			`# agent will refuse to apply it — that's the point.`
			`publicKey = "REPLACE_WITH_MANIFEST_PUBLIC_KEY_BASE64";`

			`# Where the agent fetches closures from. Nix verifies the per-path`
			# signatures against `cachePublicKey` below.
			`cacheUrl = "https://ota.example.com/cache";`
			`cachePublicKey = "ota.example.com-1:REPLACE_WITH_CACHE_PUBLIC_KEY";`

			`# How often to poll. The systemd timer also fires once on boot.`
			`interval = 60;`

			`# Optional health check. Runs after switch-to-configuration.`
			`# If it exits non-zero, the agent rolls back to the previous`
			# generation and reports `rolled_back`.
			`healthCmd = "systemctl is-system-running --wait";`
			`};`

			`# Standard NixOS stuff for a real device.`
			`services.openssh.enable = true;`
			`users.users.root.openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAA... your-key-here"`
			`];`

			`system.stateVersion = "24.05";`
			`}`