Skip to content
/ rustnixos Public

How to build and bundle a Rust web app as a module for deployment with NixOS

3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

malteneuss/rustnixos

BranchesTags

Repository files navigation

(Rust) Web app on NixOS for self-hosting.

Package and deploy a (Rust) web app that needs a database with Nix(OS).

Deployment

  • The NixOS Server is setup to infect and run on a cheap Hetzner Virtualmachine
  • You have to create such a server with e.g. Ubuntu first to get a static IP address for it.
  • Run nix run github:numtide/nixos-anywhere -- --flake .#hetzner-cloud root@<vm-ip> to infect and replace the VM operating system completely with NixOS (careful: deletes everything on server!).
    • It formats the VM disks automatically using the Nix library disko
    • The nixosConfiguration for the server is in flake.nix and called hetzner-cloud.
  • Any subsequent redeploy must use nixos-rebuild switch --flake .#hetzner-cloud --target-host root@<vm-ip>! See flake.nix and nixos-modules for configs.

Running software on NixOS

  • NixOS runs all apps (web app, database, migration app, reverse-proxy) as declarative systemd services, easy and concise to setup.
  • The configured database is Postgresql.
    • NixOS makes really easy to setup DBs without overhead and unrealibility of Docker containers.
    • Migrations are managed by dbmate.
    • Systemd allows us to run migrations on every web app upgrade.
  • The configured reverse-proxy that secures the web app behind a smaller attack surface and enables automatic, browser-trusted web encryption is Caddy.
  • Secrets are managed by agenix.
    • nixos-rebuild can only copy data from the nix-store, which is open for everyone to see.
    • So data to pass to the server must be encrypted on the way.
    • You encrypt your secret into a secure secret.age file, which is put into the store. Agenix uses age for encryption)
      • NixOS on the server creates a public/private key combination.
      • On the server you get its public key (that works with agenix) with [root@nixos:~]# cat /etc/ssh/ssh_host_ed25519_key.pub
      • On you local computer you encrypt with the servers public key.
      • The agenix on the server decrypts the secret.age file with the servers private key.
      • The key is then readable on the server at /run/agenix/secret.

Packaging Rust

  • Packaging the Rust app is done with nix-community/dream2nix framework to create a Nix package that is exposed as a modular Nix flake so that servers can download and run this app wherever.

Test

sudo nixos-container create db-dev --flake .#db-dev
sudo nixos-container start db-dev --flake .#db-dev
curl --connect-to localhost:80:all:80 --connect-to localhost:443:all:443 http://localhost -k -L
sudo nixos-container update db-dev --flake .#db-dev
sudo nixos-container root-login db-dev --flake .#db-dev

About

How to build and bundle a Rust web app as a module for deployment with NixOS

Topics

rust nixos self-hosted dbmate axum

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages