Add worked example: server-host and device-host flakes

Self-contained example under examples/ with full NixOS flakes for both sides of a deployment (control server + binary cache vs. an agent device), plus a README walking through the end-to-end install + first publish.
2026-05-25 15:57:32 +02:00 · 2026-05-25 15:57:32 +02:00 · f72d24596a
commit f72d24596a
parent 42b2ce4d1d
6 changed files with 309 additions and 0 deletions
--- a/examples/device-host/configuration.nix
+++ b/examples/device-host/configuration.nix
@ -0,0 +1,53 @@
+# Device configuration — what gets installed on `fridge-007`.
+#
+# You build + install this ONCE (e.g. via `nixos-rebuild --target-host`
+# or by flashing an SD image). From then on, you ship updates to this
+# machine by publishing new closures through nix-ota; you do not need
+# to redeploy this flake to bump packages.
+{ config, pkgs, lib, ... }:
+{
+  imports = [
+    # Replace with your hardware config.
+    # ./hardware-configuration.nix
+  ];
+
+  networking.hostName = "fridge-007";
+
+  services.nix-ota-agent = {
+    enable = true;
+
+    # Where the control server lives.
+    server  = "https://ota.example.com";
+    channel = "prod";
+
+    # Unique identifier for this device. Use the MAC, serial number,
+    # whatever you have. Must be unique within your fleet.
+    deviceId = "fridge-007";
+
+    # Paste the ed25519 PUBLIC key you generated with `nix-ota keygen`.
+    # If this doesn't match the key the manifest is signed with, the
+    # agent will refuse to apply it — that's the point.
+    publicKey = "REPLACE_WITH_MANIFEST_PUBLIC_KEY_BASE64";
+
+    # Where the agent fetches closures from. Nix verifies the per-path
+    # signatures against `cachePublicKey` below.
+    cacheUrl       = "https://ota.example.com/cache";
+    cachePublicKey = "ota.example.com-1:REPLACE_WITH_CACHE_PUBLIC_KEY";
+
+    # How often to poll. The systemd timer also fires once on boot.
+    interval = 60;
+
+    # Optional health check. Runs after switch-to-configuration.
+    # If it exits non-zero, the agent rolls back to the previous
+    # generation and reports `rolled_back`.
+    healthCmd = "systemctl is-system-running --wait";
+  };
+
+  # Standard NixOS stuff for a real device.
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAA... your-key-here"
+  ];
+
+  system.stateVersion = "24.05";
+}