10.15 Invoking guix deploy

We’ve already seen operating-system declarations used to manage a machine’s configuration locally. Suppose you need to configure multiple machines, though—perhaps you’re managing a service on the web that’s comprised of several servers. guix deploy enables you to use those same operating-system declarations to manage multiple remote hosts at once as a logical “deployment”.

Note: The functionality described in this section is still under development and is subject to change. Get in touch with us on guix-devel@gnu.org!

guix deploy file

Such an invocation will deploy the machines that the code within file evaluates to. As an example, file might contain a definition like this:

;; This is a Guix deployment of a "bare bones" setup, with
;; no X11 display server, to a machine with an SSH daemon
;; listening on localhost:2222. A configuration such as this
;; may be appropriate for virtual machine with ports
;; forwarded to the host's loopback interface.

(use-service-modules networking ssh)
(use-package-modules bootloaders)

(define %system
  (operating-system
   (host-name "gnu-deployed")
   (timezone "Etc/UTC")
   (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets '("/dev/vda"))
                (terminal-outputs '(console))))
   (file-systems (cons (file-system
                        (mount-point "/")
                        (device "/dev/vda1")
                        (type "ext4"))
                       %base-file-systems))
   (services
    (append (list (service dhcp-client-service-type)
                  (service openssh-service-type
                           (openssh-configuration
                            (permit-root-login #t)
                            (allow-empty-passwords? #t))))
            %base-services))))

(list (machine
       (operating-system %system)
       (environment managed-host-environment-type)
       (configuration (machine-ssh-configuration
                       (host-name "localhost")
                       (system "x86_64-linux")
                       (user "alice")
                       (identity "./id_rsa")
                       (port 2222)))))

The file should evaluate to a list of machine objects. This example, upon being deployed, will create a new generation on the remote system realizing the operating-system declaration %system. environment and configuration specify how the machine should be provisioned—that is, how the computing resources should be created and managed. The above example does not create any resources, as a 'managed-host is a machine that is already running the Guix system and available over the network. This is a particularly simple case; a more complex deployment may involve, for example, starting virtual machines through a Virtual Private Server (VPS) provider. In such a case, a different environment type would be used.

Do note that you first need to generate a key pair on the coordinator machine to allow the daemon to export signed archives of files from the store (see Invoking guix archive), though this step is automatic on Guix System:

# guix archive --generate-key

Each target machine must authorize the key of the master machine so that it accepts store items it receives from the coordinator:

# guix archive --authorize < coordinator-public-key.txt

user, in this example, specifies the name of the user account to log in as to perform the deployment. Its default value is root, but root login over SSH may be forbidden in some cases. To work around this, guix deploy can log in as an unprivileged user and employ sudo to escalate privileges. This will only work if sudo is currently installed on the remote and can be invoked non-interactively as user. That is, the line in sudoers granting user the ability to use sudo must contain the NOPASSWD tag. This can be accomplished with the following operating system configuration snippet:

(use-modules ...
             (gnu system))               ;for %sudoers-specification

(define %user "username")

(operating-system
  ...
  (sudoers-file
     (plain-file "sudoers"
                 (string-append (plain-file-content %sudoers-specification)
                                (format #f "~a ALL = NOPASSWD: ALL~%"
                                        %user)))))

For more information regarding the format of the sudoers file, consult man sudoers.

Data Type: machine

This is the data type representing a single machine in a heterogeneous Guix deployment.

operating-system

The object of the operating system configuration to deploy.

environment

An environment-type describing how the machine should be provisioned.

configuration (default: #f)

An object describing the configuration for the machine’s environment. If the environment has a default configuration, #f may be used. If #f is used for an environment with no default configuration, however, an error will be thrown.

Data Type: machine-ssh-configuration

This is the data type representing the SSH client parameters for a machine with an environment of managed-host-environment-type.

host-name

build-locally? (default: #t)

If false, system derivations will be built on the machine being deployed to.

system

The system type describing the architecture of the machine being deployed to—e.g., "x86_64-linux".

authorize? (default: #t)

If true, the coordinator’s signing key will be added to the remote’s ACL keyring.

port (default: 22)

user (default: "root")

identity (default: #f)

If specified, the path to the SSH private key to use to authenticate with the remote host.

host-key (default: #f)

This should be the SSH host key of the machine, which looks like this:

ssh-ed25519 AAAAC3Nz… root@example.org

When host-key is #f, the server is authenticated against the ~/.ssh/known_hosts file, just like the OpenSSH ssh client does.

allow-downgrades? (default: #f)

Whether to allow potential downgrades.

Like guix system reconfigure, guix deploy compares the channel commits currently deployed on the remote host (as returned by guix system describe) to those currently in use (as returned by guix describe) to determine whether commits currently in use are descendants of those deployed. When this is not the case and allow-downgrades? is false, it raises an error. This ensures you do not accidentally downgrade remote machines.

Data Type: digital-ocean-configuration

This is the data type describing the Droplet that should be created for a machine with an environment of digital-ocean-environment-type.

ssh-key

The path to the SSH private key to use to authenticate with the remote host. In the future, this field may not exist.

tags

A list of string “tags” that uniquely identify the machine. Must be given such that no two machines in the deployment have the same set of tags.

region

A Digital Ocean region slug, such as "nyc3".

size

A Digital Ocean size slug, such as "s-1vcpu-1gb"

enable-ipv6?

Whether or not the droplet should be created with IPv6 networking.