NixOS k8s

Created by Jaka Hudoklin / @offlinehacker

About me?

Fullstack software engeneer in javascript, python, c, nix and more, with experiences in web technologies, system provisioning, embedded devices and security.

Projects new fintech platform for multy currency payments, trading and exchange based on ripple

Data driven distributed task automation and data agregation framework using graph databases and docker containers and nix.

Question is how can we scale (nix) applications in production?

How to deploy:

  • ... scalabe nixos systems?
  • ... scalabe apps on top of nixos?
  • ... scalable and reliable distributed storage?
  • ... scalable monitoring system?

What do we need?

  • Cluster process manager
  • Secure distributed overlay networking
  • Load balancer
  • Distributed and replicated storage
  • Scheduler for resources like storage, processing power, networking, ...
  • Cluster manager
  • Monitoring system

(Container) service managers

  • systemd (nspawn)
  • docker
  • rocket
  • lxc

Overlay networking

  • openvswitch
  • wave
  • flanner
  • libnetwork

Distributed and replicated storage

  • ceph
  • glusterfs
  • xtremefs
  • In cloud reliable storage like amazon ebs

Avaliable container cluster managers

  • google kubernetes
  • coreos fleet
  • docker swarm
  • dokku
  • rancher

Many more avalible here:

Docker and nix

  • Primarily used for running applications, not whole distros
  • Running nix inside docker is easy
  • A few benefits compared to other docker images, you can pick exact versions of packages you want to run.
$ cat Dockerfile
FROM nixos/nix:1.10
RUN nix-channel --add dev
RUN nix-channel --update
RUN nix-env -iA dev.nginx
ADD nginx.conf nginx.conf
CMD nginx -c $PWD/nginx.conf -g 'daemon off;'
$ docker build -t offlinehacker/nginx .
$ docker run -ti -p 80:80 offlinehacker/nginx

What about running nixos in docker?

You can run nixos inside docker containers using --privileged mode

... but, you don't want to do that

Working implementation of service abstraction layer is in progress, but currently not on my priority list

Kubernetes project

Distributed cluster manager for docker containers

  • First announced and opensourced in 2014 by google
  • Influenced by Google's Borg system
  • Written in go
  • Uses docker as primary process manager
  • Support for rocket
  • ~20.000 commits, 555 contributors
  • Currently stable release 1.1.1


  • Replication
  • Load balancing
  • Integration with distributed storage (ebs, ceph, glusterfs, nfs, ...)
  • Resource quotas
  • Logging and monitoring
  • Declarative configuration

Separation of components into microservices:

  • kube-apisever: http api service
  • kube-controller-manager: managment of resource
  • kube-scheduler: scheduling of resources like servers and storage
  • kube-proxy: load balancing proxy
  • kubelet: container managment and reporting on minions

Kubernetes terms:

  • Namespace: a separate group of pods, replication controllers and services
  • Minon: a worker node
  • Pod: a group of containers running on the same node
  • Replication controller: A controller for a group of pods
  • Service: Internal load balancer for a group of pods


Create replication controller

$ cat nginx-controller.yaml
apiVersion: v1
kind: ReplicationController
  name: nginx-controller
  replicas: 2
  # selector identifies the set of Pods that this
  # replication controller is responsible for managing
    app: nginx
  # podTemplate defines the 'cookie cutter' used for creating
  # new pods when necessary
        # Important: these labels need to match the selector above
        # The api server enforces this constraint.
        app: nginx
      - name: nginx
        image: offlinehacker/nginx
        - containerPort: 80
$ kubectl create -f nginx-controller.yaml

Expose created pods using load balancer

$ cat nginx-service.yaml
apiVersion: v1
kind: Service
  name: nginx-service
  - port: 8000 # the port that this service should serve on
    # the container on each pod to connect to, can be a name
    # (e.g. 'www') or a number (e.g. 80)
    targetPort: 80
    protocol: TCP
  # just like the selector in the replication controller,
  # but this time it identifies the set of pods to load balance
  # traffic to.
    app: nginx
$ kubectl create -f nginx-service.yaml

Some additional commands

$ kubectl get nodes
$ kubectl get pods
$ kubectl logs nginx-controller-c5sik
$ kubectl exec -t -i -p nginx-controller-c5sik -c nginx -- sh

Running kubernetes on nixos

There is a nixos module created and maintained by me

It's deployed in production for longer period of time, till now without any bigger issues

A few lines of nixos config

bridges = {
	cbr0.interfaces = [ ];
interface = {
	cbr0 = {
		ipAddress = "";
		prefixLength = 24;
services.kubernetes.roles = ["master" "node"];
virtualisation.docker.extraOptions =
	''--iptables=false --ip-masq=false -b cbr0'';

This enables kubernetes with all the services you need for single node kubernetes

Running kubernetes in production

For production environments we need at least a cluster of three machines of which one of the machines is master

All machines need to be connected and have routable subnets

How we do it?

  • Several aws instances in VPC
  • Deployment with nixops
  • Overlay ipsec networking with openvswitch
  • EBS as storage
  • Separate production and development namespaces


  • Collectd for metrics agregation
  • Influxdb for metrics storage
  • Grafana as dashboard for metrics vizualizations
  • Bosun for alerting
  • Heapster for kubernetes monitoring
  • Grafana and kibana for agregation and vizualization of logs


I have developed a set of reusable nixos profiles that you can simply include in your configuration. They are avalible on

... they still need a better documentation


My social media and sites: