A quick google search yielded a serviceable flake for a Hugo dev environment. So I just ran nix develop, hugo new site and then had a Claude agent throw in some placeholder content. 5 minutes later I had something serving on localhost.

It’s placeholder slop but I decided to complete the loop and ship it. The nice thing is this flake also exports the built site as a package. Excellent! I verified that nix build succeeds.

Then I popped into my deployment repo that has the configuration for my NixOS VPS. The top-level flake gets a new input attribute that pulls in the Hugo repo from local storage: inputs.paradigmatic.url = "path:/path/to/paradigmatic.systems";. Then my nginx config gets a new entry:

virtualHosts."paradigmatic.systems" = {
  enableACME = true;
  forceSSL = true;
  root = "${paradigmatic.packages.${system}.website}";
};

Just like that, I’ve got a new reverse proxy serving this static site. Since I already have deploy-rs set up, a simple deploy command kicks of the Nix magic which does the build and sends up the new system. Deployment failed the first time because the Acme certificates hadn’t gone through. But thanks to magic rollbacks, the system was uninterrupted.

At time of writing my NixOS flake has 4 different projects coexisting. The flake basically does the job of pulling in different repos that each contain their own packaging instructions. For a more complex (Phoenix) application there is also a module definition that lets me enable and configure the service. So in addition to the input and nginx config we’d have something like:

services.phoenix-app = {
  enable = true;
  port = 4002;
  host = "phoenix-app.com";
  secretKeyBase = "";
};

I have some lingering curiosity that I’d like to state and follow up on.

When I run nix flake update it pulls all the input repos into the nix store and updates the lock file. Are those store paths immune from garbage collection? What if I was in some silly situation where the nix store has the actual valid copy of what I’m deploying, but the source is corrupted?

1) Set up a new droplet

• Choose Ubuntu 22.04
• Add SSH keys for something you have a local IdentityFile for.
• Under “Advanced Options” -> “Add initialization scripts” paste

#cloud-config
write_files:
- path: /etc/nixos/host.nix
  permissions: '0644'
  content: |
    {pkgs, ...}:
    {
      environment.systemPackages = with pkgs; [ vim ];
    }
runcmd:
  - curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=digitalocean NIXOS_IMPORT=./host.nix NIX_CHANNEL=nixos-25.05 bash 2>&1 | tee /tmp/infect.log

2) SSH in and copy config down

Add the node’s SSH config to ~/.ssh/config

Host [node-name]
        HostName [IP-address]
        User root
        IdentityFile ~/.ssh/[identity]

Now you should be able to ssh [node-name] and cat /etc/nixos/configuration.nix to see your new system.

Start a new directory for containing the node’s configuration locally. Maybe call it [node-name]-deployment.

On the server, run scp [node-name]:/etc/nixos/* ..

Now you’ve got the remote configuration in hand. If you wanted to alter the node, the naive way to do it is edit the configuration, push it back over, and run sudo nixos-rebuild switch. But there’s a better way to approach this that involves building the system locally. We’ll continue in setting up deploy-rs.