Rites of Anointment — Deployment Commands
Reference of the rites used to forge and anoint NixOS configurations.
All just commands execute from the repository root.
exampleHost — Local Sanctification
Section titled “exampleHost — Local Sanctification”# Test the configuration without applying itjust build
# Apply the configuration (equivalent to nixos-rebuild switch)just installjust install executes nh os switch ., which applies the system configuration
and activates Home Manager for the current user.
clochette — Remote VPS Anointment via Tailscale
Section titled “clochette — Remote VPS Anointment via Tailscale”# Build onlyjust build_clochette
# Deployjust install_clochette --ask-sudo-passwordThe underlying full command:
nixos-rebuild switch \ --flake .#clochette \ --target-host guillaume@clochette.friloux.me \ --sudo \ --ask-sudo-passwordPrerequisites: Tailscale active on both machines, clochette.friloux.me
resolves to the Tailscale IP, and SSH is functional.
RogueLeader — Home-Shrine Anointment via Local Network
Section titled “RogueLeader — Home-Shrine Anointment via Local Network”# Build onlyjust build_rogueleader
# Deploy the systemjust install_rogueleader --ask-sudo-password
# Deploy Home Manager onlyjust home_rogueleaderPre-deployment Verification
Section titled “Pre-deployment Verification”# Run all linters (statix, deadnix, alejandra) via pre-commitjust test
# Evaluate the flake without buildingnix flake checkRollback
Section titled “Rollback”If a deployment produces an unstable system:
# List NixOS generationsnixos-rebuild list-generations
# Revert to previous generationnixos-rebuild switch --rollback
# Or select a specific generation at boot (via GRUB)For clochette via SSH:
ssh guillaume@clochette.friloux.me \ "sudo nixos-rebuild switch --rollback"Editing Secrets
Section titled “Editing Secrets”# exampleHost secretsjust secrets
# clochette secretsjust secrets_clochette
# RogueLeader secretsjust secrets_rogueleaderThese commands open the encrypted file in $EDITOR via sops.
Save and quit automatically re-encrypts.
Docker Image Security Scan
Section titled “Docker Image Security Scan”just scanRuns Trivy on all Docker images in the clochette configuration and displays HIGH and CRITICAL vulnerabilities.
Update Flake Dependencies
Section titled “Update Flake Dependencies”just updateUpdates flake.lock with the latest revisions of all inputs.
Follow with just build_clochette to verify nothing breaks.