NixCon 2024

Scalable and secure NixOS deploys on AWS
2024-10-25, Arena

In this talk you will learn best practices for building your own NixOS images and deploying them securely using Auto Scaling Groups, IAM roles, AWS Systems Manager, Terraform and GitHub Actions, as an alternative to NixOps.


At Mercury.com we deploy to production dozens of times per day on a fleet of NixOS servers on AWS. We also host a plethora of supporting services on NixOS, such as a GitHub Actions runner cluster, Prometheus, and Vault.

In this talk I want to show the various techniques that we use to deploy NixOS at scale. We will cover topics like how to set up your own S3 binary cache, how to build custom AMIs, how to use Auto Scaling Groups with Instance Refresh for zero-downtime rolling releases of stateless software, and how to use AWS Systems Manager as an alternative to NixOps for managing long-lived stateful services.

I will also show how SSM can be used to gain secure access to servers without exposing them to the public internet and without the need for a bastion host.

Finally, I will cover how to trigger deploys of your infrastructure from GitHub Actions and how we use Workload Identity (OIDC tokens and IAM roles) to perform these deploys securely, without any static shared AWS credentials and without bastion hosts.
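An added example, not code from the talk or from Mercury's own modules, of the IAM side of that Workload Identity setup in Terraform: GitHub's OIDC provider is registered, and a deploy role trusts only tokens whose audience is STS and whose subject is pinned to one repository and branch. The org/repo name, the role name and the thumbprint are placeholders.

```hcl
# Added example: GitHub Actions -> AWS via OIDC, no static credentials.
# Placeholders: the org/repo "example-org/nixos-infra", the role name and
# the thumbprint below; replace them for your own account.

resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Placeholder value; look up the current thumbprint for your setup.
  thumbprint_list = ["0000000000000000000000000000000000000000"]
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    # The audience must be STS; without this any GitHub-issued token would do.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    # Pin the subject to one repository and one branch: a run from a fork,
    # another repository or a feature branch cannot assume this role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/nixos-infra:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "deploy" {
  name                 = "github-nixos-deploy"
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600 # shortest allowed; sessions expire on their own
}

# Grant only what the deploy step needs, here starting an ASG instance refresh.
data "aws_iam_policy_document" "deploy_permissions" {
  statement {
    actions   = ["autoscaling:StartInstanceRefresh", "autoscaling:DescribeInstanceRefreshes"]
    resources = ["*"] # narrow to the ASG ARN in real use
  }
}

resource "aws_iam_role_policy" "deploy" {
  role   = aws_iam_role.deploy.id
  policy = data.aws_iam_policy_document.deploy_permissions.json
}
```

On the workflow side the job needs `permissions: id-token: write` and then assumes the role ARN with its OIDC token; a run whose `sub` claim does not match the pinned repository and branch is refused by STS at `AssumeRoleWithWebIdentity`.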

I am planning to open source the Terraform modules and GitHub Actions workflows so that you too can quickly set up a security-hardened, production-ready NixOS deploy pipeline on AWS.

I would also like to briefly go over the roadmap of improvements I am planning for the AWS NixOS images (https://github.com/nixos/amis).


What level of experience in Nix is the talk addressed to?

We will only be showing how to deploy things built with NixOS and will not be going into deep technical Nix details. The talk is suitable for anyone who has some experience with NixOS and is curious how to deploy it to AWS.

Do you allow your talk to be recorded? – yes
See also: Slides