Add worked example: server-host and device-host flakes

Self-contained example under examples/ with full NixOS flakes for both sides of a deployment (control server + binary cache vs. an agent device), plus a README walking through the end-to-end install + first publish.
2026-05-25 15:57:32 +02:00 · 2026-05-25 15:57:32 +02:00 · f72d24596a
commit f72d24596a
parent 42b2ce4d1d
6 changed files with 309 additions and 0 deletions
--- a/examples/server-host/configuration.nix
+++ b/examples/server-host/configuration.nix
@ -0,0 +1,79 @@
+# Server host — runs nix-ota-server AND nix-serve (the binary cache),
+# fronted by nginx with Let's Encrypt TLS.
+#
+# Layout under https://ota.example.com/ :
+#   /            -> nix-ota-server dashboard + API  (port 8080)
+#   /cache/      -> nix-serve binary cache          (port 5000)
+#
+# The cache and the control plane are on the same DNS name so devices
+# only need one URL. They can be split if you prefer.
+{ config, pkgs, lib, ... }:
+{
+  imports = [
+    # Replace with your hardware config.
+    # ./hardware-configuration.nix
+  ];
+
+  networking.hostName = "ota";
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  ###########################################################################
+  # 1. The control server.
+  ###########################################################################
+  services.nix-ota-server = {
+    enable = true;
+    listen = "127.0.0.1:8080";
+    # Put your real secret here. With sops-nix:
+    #   publishTokenFile = config.sops.secrets."nix-ota/publish-token".path;
+    # For the demo we just write a literal file; replace this in production.
+    publishTokenFile = pkgs.writeText "publish-token" "CHANGE-ME-LONG-RANDOM-STRING";
+  };
+
+  ###########################################################################
+  # 2. The binary cache (nix-serve). Skip this if you use Attic / S3 / Cachix.
+  ###########################################################################
+  services.nix-serve = {
+    enable = true;
+    port = 5000;
+    bindAddress = "127.0.0.1";
+    # Generate once with:
+    #   nix-store --generate-binary-cache-key ota.example.com-1 \
+    #     /var/lib/nix-serve/key /var/lib/nix-serve/pub.key
+    # Then commit the .pub file (it's public) and keep `key` secret.
+    secretKeyFile = "/var/lib/nix-serve/key";
+  };
+
+  # Tell the local Nix daemon to trust paths signed by our cache so
+  # `nix copy --to` from operators works without --no-check-sigs.
+  nix.settings.trusted-public-keys = [
+    # paste the contents of /var/lib/nix-serve/pub.key here
+    "ota.example.com-1:REPLACE_WITH_PUBLIC_KEY"
+  ];
+
+  ###########################################################################
+  # 3. Reverse proxy + TLS.
+  ###########################################################################
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts."ota.example.com" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8080";
+      };
+      locations."/cache/" = {
+        proxyPass = "http://127.0.0.1:5000/";
+        # nix-serve doesn't need any special headers.
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "ops@example.com";
+  };
+
+  system.stateVersion = "24.05";
+}
--- a/examples/server-host/flake.nix
+++ b/examples/server-host/flake.nix
@ -0,0 +1,19 @@
+{
+  description = "ota.example.com — nix-ota control plane + binary cache";
+
+  inputs = {
+    nixpkgs.url  = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nix-ota.url  = "git+https://linus.dyrehytten.dk/max/nix-ota";
+    nix-ota.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = { self, nixpkgs, nix-ota, ... }: {
+    nixosConfigurations.ota = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        nix-ota.nixosModules.server
+        ./configuration.nix
+      ];
+    };
+  };
+}