Skip to content

Rites of Anointment — Deployment Commands

Reference of the rites used to forge and anoint NixOS configurations. All just commands execute from the repository root.

Terminal window
# Test the configuration without applying it
just build
# Apply the configuration (equivalent to nixos-rebuild switch)
just install

just install executes nh os switch ., which applies the system configuration and activates Home Manager for the current user.

clochette — Remote VPS Anointment via Tailscale

Section titled “clochette — Remote VPS Anointment via Tailscale”
Terminal window
# Build only
just build_clochette
# Deploy
just install_clochette --ask-sudo-password

The underlying full command:

Terminal window
nixos-rebuild switch \
--flake .#clochette \
--target-host guillaume@clochette.friloux.me \
--sudo \
--ask-sudo-password

Prerequisites: Tailscale active on both machines, clochette.friloux.me resolves to the Tailscale IP, and SSH is functional.

RogueLeader — Home-Shrine Anointment via Local Network

Section titled “RogueLeader — Home-Shrine Anointment via Local Network”
Terminal window
# Build only
just build_rogueleader
# Deploy the system
just install_rogueleader --ask-sudo-password
# Deploy Home Manager only
just home_rogueleader
Terminal window
# Run all linters (statix, deadnix, alejandra) via pre-commit
just test
# Evaluate the flake without building
nix flake check

If a deployment produces an unstable system:

Terminal window
# List NixOS generations
nixos-rebuild list-generations
# Revert to previous generation
nixos-rebuild switch --rollback
# Or select a specific generation at boot (via GRUB)

For clochette via SSH:

Terminal window
ssh guillaume@clochette.friloux.me \
"sudo nixos-rebuild switch --rollback"
Terminal window
# exampleHost secrets
just secrets
# clochette secrets
just secrets_clochette
# RogueLeader secrets
just secrets_rogueleader

These commands open the encrypted file in $EDITOR via sops. Save and quit automatically re-encrypts.

Terminal window
just scan

Runs Trivy on all Docker images in the clochette configuration and displays HIGH and CRITICAL vulnerabilities.

Terminal window
just update

Updates flake.lock with the latest revisions of all inputs. Follow with just build_clochette to verify nothing breaks.