nix-ota/examples/server-host/configuration.nix

# Server host — runs nix-ota-server AND nix-serve (the binary cache),
# fronted by nginx with Let's Encrypt TLS.
#
# Layout under https://ota.example.com/ :
#   /            -> nix-ota-server dashboard + API  (port 8080)
#   /cache/      -> nix-serve binary cache          (port 5000)
#
# The cache and the control plane are on the same DNS name so devices
# only need one URL. They can be split if you prefer.
{ config, pkgs, lib, ... }:
{
  imports = [
    # Replace with your hardware config.
    # ./hardware-configuration.nix
  ];

  networking.hostName = "ota";
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  ###########################################################################
  # 1. The control server.
  ###########################################################################
  services.nix-ota-server = {
    enable = true;
    listen = "127.0.0.1:8080";
    # Put your real secret here. With sops-nix:
    #   publishTokenFile = config.sops.secrets."nix-ota/publish-token".path;
    # For the demo we just write a literal file; replace this in production.
    publishTokenFile = pkgs.writeText "publish-token" "CHANGE-ME-LONG-RANDOM-STRING";
  };

  ###########################################################################
  # 2. The binary cache (nix-serve). Skip this if you use Attic / S3 / Cachix.
  ###########################################################################
  services.nix-serve = {
    enable = true;
    port = 5000;
    bindAddress = "127.0.0.1";
    # Generate once with:
    #   nix-store --generate-binary-cache-key ota.example.com-1 \
    #     /var/lib/nix-serve/key /var/lib/nix-serve/pub.key
    # Then commit the .pub file (it's public) and keep `key` secret.
    secretKeyFile = "/var/lib/nix-serve/key";
  };

  # Tell the local Nix daemon to trust paths signed by our cache so
  # `nix copy --to` from operators works without --no-check-sigs.
  nix.settings.trusted-public-keys = [
    # paste the contents of /var/lib/nix-serve/pub.key here
    "ota.example.com-1:REPLACE_WITH_PUBLIC_KEY"
  ];

  ###########################################################################
  # 3. Reverse proxy + TLS.
  ###########################################################################
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."ota.example.com" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
      };
      locations."/cache/" = {
        proxyPass = "http://127.0.0.1:5000/";
        # nix-serve doesn't need any special headers.
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "ops@example.com";
  };

  system.stateVersion = "24.05";
}
Add worked example: server-host and device-host flakes Self-contained example under examples/ with full NixOS flakes for both sides of a deployment (control server + binary cache vs. an agent device), plus a README walking through the end-to-end install + first publish. 2026-05-25 15:57:32 +02:00			`# Server host — runs nix-ota-server AND nix-serve (the binary cache),`
			`# fronted by nginx with Let's Encrypt TLS.`
			`#`
			`# Layout under https://ota.example.com/ :`
			`# / -> nix-ota-server dashboard + API (port 8080)`
			`# /cache/ -> nix-serve binary cache (port 5000)`
			`#`
			`# The cache and the control plane are on the same DNS name so devices`
			`# only need one URL. They can be split if you prefer.`
			`{ config, pkgs, lib, ... }:`
			`{`
			`imports = [`
			`# Replace with your hardware config.`
			`# ./hardware-configuration.nix`
			`];`

			`networking.hostName = "ota";`
			`networking.firewall.allowedTCPPorts = [ 80 443 ];`

			`###########################################################################`
			`# 1. The control server.`
			`###########################################################################`
			`services.nix-ota-server = {`
			`enable = true;`
			`listen = "127.0.0.1:8080";`
			`# Put your real secret here. With sops-nix:`
			`# publishTokenFile = config.sops.secrets."nix-ota/publish-token".path;`
			`# For the demo we just write a literal file; replace this in production.`
			`publishTokenFile = pkgs.writeText "publish-token" "CHANGE-ME-LONG-RANDOM-STRING";`
			`};`

			`###########################################################################`
			`# 2. The binary cache (nix-serve). Skip this if you use Attic / S3 / Cachix.`
			`###########################################################################`
			`services.nix-serve = {`
			`enable = true;`
			`port = 5000;`
			`bindAddress = "127.0.0.1";`
			`# Generate once with:`
			`# nix-store --generate-binary-cache-key ota.example.com-1 \`
			`# /var/lib/nix-serve/key /var/lib/nix-serve/pub.key`
			# Then commit the .pub file (it's public) and keep `key` secret.
			`secretKeyFile = "/var/lib/nix-serve/key";`
			`};`

			`# Tell the local Nix daemon to trust paths signed by our cache so`
			# `nix copy --to` from operators works without --no-check-sigs.
			`nix.settings.trusted-public-keys = [`
			`# paste the contents of /var/lib/nix-serve/pub.key here`
			`"ota.example.com-1:REPLACE_WITH_PUBLIC_KEY"`
			`];`

			`###########################################################################`
			`# 3. Reverse proxy + TLS.`
			`###########################################################################`
			`services.nginx = {`
			`enable = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
			`virtualHosts."ota.example.com" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:8080";`
			`};`
			`locations."/cache/" = {`
			`proxyPass = "http://127.0.0.1:5000/";`
			`# nix-serve doesn't need any special headers.`
			`};`
			`};`
			`};`

			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "ops@example.com";`
			`};`

			`system.stateVersion = "24.05";`
			`}`