nix-ota/examples/device-host/configuration.nix
0m.ax f72d24596a Add worked example: server-host and device-host flakes
Self-contained example under examples/ with full NixOS flakes for both
sides of a deployment (control server + binary cache vs. an agent
device), plus a README walking through the end-to-end install + first
publish.
2026-05-25 15:57:32 +02:00


# Device configuration — what gets installed on `fridge-007`.
#
# You build + install this ONCE (e.g. via `nixos-rebuild --target-host`
# or by flashing an SD image). From then on, you ship updates to this
# machine by publishing new closures through nix-ota; you do not need
# to redeploy this flake to bump packages.
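# NixOS module for one fleet device: sets the hostname, configures the
# nix-ota agent (control server, channel, device identity, pinned signing
# keys, polling and health check) and enables key-only SSH access for root.
{ config, pkgs, lib, ... }:
{
  imports = [
    # Replace with your hardware config.
    # ./hardware-configuration.nix
  ];

  networking.hostName = "fridge-007";

  services.nix-ota-agent = {
    enable = true;

    # Where the control server lives.
    server = "https://ota.example.com";
    channel = "prod";

    # Unique identifier for this device. Use the MAC, serial number,
    # whatever you have. Must be unique within your fleet.
    deviceId = "fridge-007";

    # Paste the ed25519 PUBLIC key you generated with `nix-ota keygen`.
    # If this doesn't match the key the manifest is signed with, the
    # agent will refuse to apply it — that's the point.
    # Only the public half belongs in this file; the private signing key
    # should never be copied onto a device or committed next to this flake.
    publicKey = "REPLACE_WITH_MANIFEST_PUBLIC_KEY_BASE64";

    # Where the agent fetches closures from. Nix verifies the per-path
    # signatures against `cachePublicKey` below.
    # The value uses the `<key-name>:<base64>` form; replace the placeholder
    # with the public key of the cache you actually publish to.
    cacheUrl = "https://ota.example.com/cache";
    cachePublicKey = "ota.example.com-1:REPLACE_WITH_CACHE_PUBLIC_KEY";

    # How often to poll. The systemd timer also fires once on boot.
    # NOTE(review): the unit is not visible here — presumably seconds;
    # confirm against the nix-ota-agent module options.
    interval = 60;

    # Optional health check. Runs after switch-to-configuration.
    # If it exits non-zero, the agent rolls back to the previous
    # generation and reports `rolled_back`.
    # `systemctl is-system-running` exits 0 only in the `running` state, so
    # a single failed unit (state `degraded`) counts as a failed update.
    # Make sure no unrelated unit on the device fails routinely, or every
    # update will be rolled back.
    healthCmd = "systemctl is-system-running --wait";
  };

  # Standard NixOS stuff for a real device.
  services.openssh = {
    enable = true;

    # Key-only SSH: the device is expected to sit on a network for its whole
    # life, so password and keyboard-interactive logins are switched off
    # explicitly rather than left to module defaults. Root may log in with
    # a key only.
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
  };

  # Whoever holds the private half of a key listed here has root on the
  # device. Replace the placeholder and keep the list as short as possible.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAA... your-key-here"
  ];

  system.stateVersion = "24.05";
}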