GitHub - arnarg/nixidy: Kubernetes GitOps with nix and Argo CD.

Kubernetes GitOps with nix and Argo CD.

Getting Started • Documentation • Features • Examples

Why Nixidy?

Managing Kubernetes configurations at scale is hard. Helm charts require complex value overrides, Kustomize leads to repetitive overlays, and raw YAML becomes unmaintainable. Reviewing changes across environments is nearly impossible.

Nixidy solves this by bringing the power of Nix and the NixOS module system to Kubernetes:

Declarative: Define your entire cluster state in one place
Typed: Catch configuration errors before deployment
Composable: Build complex configurations from reusable modules
Reviewable: Generate plain YAML for easy PR reviews
Reproducible: Same input always produces the same output

How It Works

Define your Kubernetes resources using Nix:

{
  applications.demo = {
    namespace = "demo";
    createNamespace = true;

    resources = {
      deployments.nginx.spec = {
        replicas = 3;
        selector.matchLabels.app = "nginx";
        template = {
          metadata.labels.app = "nginx";
          spec.containers.nginx = {
            image = "nginx:1.25.1";
            ports.http.containerPort = 80;
          };
        };
      };

      services.nginx.spec = {
        selector.app = "nginx";
        ports.http.port = 80;
      };
    };
  };
}

Build with nixidy:

Get clean, reviewable YAML:

result/
├── apps/
│   └── Application-demo.yaml
└── demo/
    ├── Deployment-nginx.yaml
    ├── Namespace-demo.yaml
    └── Service-nginx.yaml

Argo CD picks up the changes, after committing the new manifests to your repository, and deploys to your cluster. That's it.

Features

🎯 Declarative Cluster Management

Define your entire cluster state using Nix. No more scattered YAML files, Helm value overrides, or Kustomize patches. Everything in one place, with one language.

🔒 Strongly-Typed Configuration

Every Kubernetes resource is typed. Catch typos and validate configurations before they hit your cluster.

# This will error at build time, not runtime
resources.deployments.nginx.spec.replicas = "three"; # Type error!

📦 First-Class Helm Support

Use existing Helm charts without giving up control. Override values, patch resources, and clean up Helm artifacts.

applications.traefik = {
  namespace = "traefik";

  helm.releases.traefik = {
    chart = lib.helm.downloadHelmChart {
      repo = "https://traefik.github.io/charts/";
      chart = "traefik";
      version = "25.0.0";
      chartHash = "sha256-ua8KnUB6MxY7APqrrzaKKSOLwSjDYkk9tfVkb1bqkVM=";
    };
    values = {
      ingressClass.enabled = true;
    };
  };

  # Patch Helm output with nixidy
  resources.deployments.traefik.spec.replicas = lib.mkForce 5;
};

🔧 Kustomize Integration

Seamlessly incorporate Kustomize applications:

applications.argocd.kustomize.applications.argocd = {
  namespace = "argocd";
  kustomization = {
    src = pkgs.fetchFromGitHub {
      owner = "argoproj";
      repo = "argo-cd";
      rev = "v2.9.3";
      hash = "sha256-GaY4Cw/LlSwy35umbB4epXt6ev8ya19UjHRwhDwilqU=";
    };
    path = "manifests/cluster-install";
  };
};

🌍 Multi-Environment Made Easy

Manage dev, staging, and production with shared base configurations and environment-specific overrides:

# base.nix - shared configuration
{lib, ...}: {
  applications.api.resources.deployments.api.spec = {
    replicas = lib.mkDefault 1;
    selector.matchLabels.app = "api";
    template.spec.containers.api.image = "api:latest";
  };
}

# prod.nix - production overrides
{lib, ...}: {
  imports = [ ./base.nix ];
  applications.api.resources.deployments.api.spec = {
    replicas = lib.mkForce 10;
    template.spec.containers.api.resources = {
      requests.memory = "512Mi";
      limits.memory = "1Gi";
    };
  };
}

🏗️ Reusable Templates

Create templates for common patterns and reuse them across applications:

templates.webApp = {
  options = {
    image = mkOption {
      type = lib.types.str;
      description = "The image to use in the web application deployment";
    };
    replicas = mkOption {
      type = lib.types.int;
      default = 3;
      description = "The number of replicas for the web application deployment.";
    };
    port = mkOption {
      type = lib.types.port;
      default = 8080;
      description = "The web application's port.";
    };
  };
  output = { name, config, ... }: {
    deployments.${name}.spec = {
      replicas = config.replicas;
      selector.matchLabels.app = name;
      template = {
        metadata.labels.app = name;
        spec.containers.${name} = {
          image = config.image;
          ports.http.containerPort = config.port;
        };
      };
    };
    services.${name}.spec = {
      selector.app = name;
      ports.http.port = config.port;
    };
  };
};

# Use the template
applications.frontend.templates.webApp.frontend = {
  image = "frontend:v1.2.3";
  replicas = 5;
};

🔄 GitOps Ready

Nixidy implements the Rendered Manifests Pattern. Your CI generates plain YAML, you review the exact changes in PRs, and Argo CD deploys them. No surprises.

🚀 App-of-Apps Bootstrap

Bootstrap your entire cluster with a single command:

nixidy bootstrap .#prod | kubectl apply -f -

⚡ Direct Apply

Skip GitOps if you want to:

Uses kubectl apply --prune for safe, declarative deployments directly to your cluster.

🎛️ CRD Support

Generate typed Nix options from any Custom Resource Definition:

packages.generators.cilium = nixidy.packages.${system}.generators.fromCRD {
  name = "cilium";
  src = pkgs.fetchFromGitHub { /* ... */ };
  crds = [
    "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
  ];
};

Then use your CRDs with full type safety:

resources.ciliumNetworkPolicies.allow-dns.spec = {
  endpointSelector = {};
  egress = [{
    toEndpoints = [{ matchLabels."k8s:io.kubernetes.pod.namespace" = "kube-system"; }];
    toPorts = [{ ports = [{ port = "53"; protocol = "UDP"; }]; }];
  }];
};

Quick Start

With Flakes

{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixidy.url = "github:arnarg/nixidy";
  };

  outputs = { nixpkgs, nixidy, ... }: {
    nixidyEnvs.x86_64-linux = nixidy.lib.mkEnvs {
      pkgs = nixpkgs.legacyPackages.x86_64-linux;
      envs.dev.modules = [ ./env/dev.nix ];
    };
  };
}

{
  nixidy.target.repository = "https://github.com/you/your-repo.git";
  nixidy.target.branch = "main";

  applications.hello = {
    namespace = "hello";
    createNamespace = true;
    resources.deployments.hello.spec = {
      selector.matchLabels.app = "hello";
      template = {
        metadata.labels.app = "hello";
        spec.containers.hello.image = "hello-world:latest";
      };
    };
  };
}

See the Getting Started Guide for detailed setup instructions.

Documentation

Getting Started — Set up your first nixidy project
Helm Charts — Integrate existing Helm charts
Templates — Create reusable application patterns
Git Strategies — Monorepo vs. environment branches
GitHub Actions — CI/CD integration
Typed Resources — Generate types for CRDs

Examples

arnarg/cluster — Real-world cluster configuration using nixidy

Comparison

Feature	nixidy	Helm	Kustomize	Raw YAML
Type Safety	✅ Full	❌ None	❌ None	❌ None
Composability	✅ Modules	⚠️ Subcharts	⚠️ Overlays	❌ Copy/Paste
Helm Integration	✅ Native	✅ Native	⚠️ Inflate	❌ Manual
Reviewable Output	✅ Plain YAML	❌ Templates	⚠️ Patches	✅ Plain YAML
Multi-Environment	✅ Built-in	⚠️ Values files	⚠️ Overlays	❌ Manual
Reproducibility	✅ Guaranteed	⚠️ Depends	⚠️ Depends	⚠️ Depends

Community

Issues: GitHub Issues
Discussions: GitHub Discussions

Contributing

Contributions are welcome! Whether it's bug reports, feature requests, documentation improvements, or code contributions, please feel free to open an issue or pull request on our GitHub repository.

Acknowledgments

nix-kube-generators — Used internally for Helm chart rendering
kubenix — Resource options generator forked from kubenix

License

nixidy is licensed under the MIT License.