NixOS in Production: Why We Run Our EU Cloud on It
Reproducible builds, atomic rollbacks, declarative servers — why NixOS is the foundation of Alplink's European hosting and what it means for you.
When we started building Alplink, we had a fundamental question to answer: what operating system do you trust to run production infrastructure for European businesses that care about data sovereignty, security, and reliability?
We evaluated the usual candidates — Ubuntu, Debian, CentOS, Alpine. They are all solid choices used by thousands of companies. But we kept running into the same problems: configuration drift, unreproducible deployments, upgrade anxiety, and the "it works on my machine" gap between development and production.
Then we found NixOS, and it changed how we think about infrastructure.
What Is NixOS?
NixOS is a Linux distribution built on the Nix package manager. Unlike traditional distributions where you install packages and edit configuration files imperatively (apt install, then edit /etc/something.conf), NixOS takes a declarative approach: you describe your entire system in a single configuration file, and NixOS builds it.
```nix
{ config, pkgs, ... }:
{
  services.nginx.enable = true;
  services.postgresql.enable = true;
  services.postgresql.package = pkgs.postgresql_16;
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@example.com";
}
```
This configuration is not a script that runs commands. It is a specification of the desired system state. NixOS reads it and builds the entire operating system — kernel, packages, services, users, firewall rules — from this single source of truth.
Why This Matters for Our Customers
1. Reproducible Deployments
Every server we deploy is built from the same NixOS configuration. There is no drift between machines, no "this server has an extra package installed because someone debugged something six months ago." If our configuration says PostgreSQL 16 with these settings, that is exactly what every server runs.
This means when we deploy your Odoo instance, WordPress site, or custom application, the environment is identical every time. No surprises.
2. Atomic Upgrades and Rollbacks
Traditional Linux upgrades are nerve-wracking. You run apt upgrade, packages update one by one, and if something breaks halfway through, you are left with a partially upgraded system.
NixOS upgrades are atomic. The system builds the new configuration entirely, and then switches to it in a single operation. If the new configuration fails, the old one is still there — untouched. Rolling back is as simple as selecting the previous generation at boot.
We have rolled back production systems in under 30 seconds. Try doing that with a traditional distribution.
3. Security Through Immutability
NixOS systems are functionally immutable. You cannot SSH into a server and apt install something — changes must go through the configuration. This eliminates an entire class of security risks:
- No configuration drift — the running system always matches the declared configuration
- No shadow IT on servers — nobody can install unauthorized software
- Full audit trail — every change is a Git commit in our configuration repository
- Reproducible security patches — when a CVE drops, we update the configuration once and rebuild all affected servers
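One way to check the first and last of these properties on a live host, as an added example that is not Alplink's tooling: compare the active generation with the store path built from the reviewed commit, and confirm the booted kernel is the one the active generation declares. The function names and the `EXPECTED_SYSTEM` variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not Alplink's tooling. /run/current-system and
# /run/booted-system are the symlinks NixOS keeps for the active and the
# booted generation. EXPECTED_SYSTEM is an assumption: the store path that
# the build of the reviewed commit produced for this host.

# Print the store path a symlink resolves to.
system_path() {
    readlink -f "$1"
}

# check_drift EXPECTED [CURRENT_LINK]
# 0 = active generation is the declared one, 1 = drift, 2 = cannot resolve.
check_drift() {
    cd_active=$(system_path "${2:-/run/current-system}") || return 2
    if [ "$cd_active" != "$1" ]; then
        echo "DRIFT: active=$cd_active declared=$1"
        return 1
    fi
    echo "OK: active generation matches the declared system"
}

# check_kernel [BOOTED_LINK] [CURRENT_LINK]
# Switching generations does not replace the running kernel, so a patched
# kernel takes effect only after a reboot. 0 = same, 1 = reboot pending,
# 2 = not a NixOS system layout.
check_kernel() {
    ck_booted=${1:-/run/booted-system}
    ck_active=${2:-/run/current-system}
    for ck_part in kernel initrd kernel-modules; do
        ck_b=$(system_path "$ck_booted/$ck_part") || return 2
        ck_a=$(system_path "$ck_active/$ck_part") || return 2
        if [ "$ck_b" != "$ck_a" ]; then
            echo "REBOOT-PENDING: $ck_part differs from the active generation"
            return 1
        fi
    done
    echo "OK: booted kernel matches the active generation"
}

# Run both checks when the declared store path is supplied.
if [ -n "${EXPECTED_SYSTEM:-}" ]; then
    rc=0
    check_drift "$EXPECTED_SYSTEM" || rc=1
    check_kernel || rc=1
    exit "$rc"
fi
```

Run it with `EXPECTED_SYSTEM` set to the store path recorded for the host; a non-zero exit means the host either runs something other than the declared system or still needs a reboot to pick up a new kernel.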
4. Infrastructure as Code, for Real
Many companies claim to do "infrastructure as code" but still have manual steps, undocumented tweaks, and tribal knowledge about how servers are actually configured. With NixOS, the configuration is the infrastructure. There is no gap between documentation and reality.
Our entire infrastructure configuration lives in a Git repository. Every change is reviewed, tested, and versioned. If a customer asks "what exact software is running on my server?", we can point them to the exact commit.
How NixOS Compares to Traditional Approaches
| Aspect | Traditional (Ubuntu/Debian) | NixOS |
|---|---|---|
| Configuration | Imperative (edit files, run commands) | Declarative (describe desired state) |
| Upgrades | In-place, can fail partially | Atomic, all-or-nothing |
| Rollback | Manual, often impossible | Built-in, instant |
| Reproducibility | Best-effort with Ansible/Puppet | Guaranteed by design |
| Configuration drift | Detected only with external tooling | Impossible by architecture |
| Audit trail | Depends on discipline | Automatic (Git + Nix store) |
The Trade-Offs
We believe in transparency, so here is what NixOS costs us:
- Steeper learning curve — Nix has its own functional language. Our team invested significant time learning it. This is time our customers do not have to spend.
- Smaller community — NixOS has a passionate but smaller community than Ubuntu or Debian. Finding answers sometimes requires deeper digging.
- Different mental model — Engineers accustomed to imperative Linux administration need to retrain their instincts. You do not fix a NixOS server by SSH-ing in and editing files.
We consider these trade-offs worth it because our customers get the benefits (reproducibility, security, reliability) without bearing the costs (learning Nix, maintaining configurations).
Real-World Example: Deploying a Customer's Odoo Stack
Here is a simplified version of how we deploy a customer's Odoo instance:
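```nix
{ config, pkgs, ... }:
{
  # Odoo application server, published through the Nginx virtual host below
  services.odoo = {
    enable = true;
    package = pkgs.odoo17;
    domain = "erp.customer-company.eu";
    settings = {
      dbfilter = "^customer_prod$";  # serve only the database with this exact name
      proxy_mode = true;             # trust the reverse proxy's forwarded headers
      list_db = false;               # do not expose the database list
    };
  };

  # Database server
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    settings = {
      shared_buffers = "2GB";
      effective_cache_size = "6GB";
    };
  };

  # ACME certificate for the customer domain; plain HTTP is redirected to HTTPS
  services.nginx.virtualHosts."erp.customer-company.eu" = {
    enableACME = true;
    forceSSL = true;
  };

  # Daily PostgreSQL backups, kept for 30 days
  services.backup.postgresql = {
    enable = true;
    schedule = "daily";
    retention = 30;
  };
}
```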
This single file defines the complete stack: Odoo, PostgreSQL, Nginx with automatic SSL, and daily backups with 30-day retention. It is version-controlled, peer-reviewed, and reproducible. If we need to migrate the customer to new hardware, we apply the same configuration and get an identical system.
Why We Are Telling You This
Most hosting companies treat their infrastructure as a black box. We think that is backwards.
When you trust a provider with your business data, you deserve to know how they operate. We use NixOS because it gives us — and by extension, our customers — guarantees that traditional infrastructure cannot match: reproducibility, auditability, and the ability to prove exactly what is running on your server at any point in time.
This is especially important for European businesses subject to GDPR and industry-specific regulations. When an auditor asks "how do you ensure consistent security configurations across all servers?", we do not show them a runbook and hope it was followed. We show them the NixOS configuration and the Git history.
Want to See It in Action?
Alplink runs fully managed European cloud infrastructure on NixOS. Whether you need hosting for Odoo, WordPress, or custom applications, every deployment benefits from reproducible builds, atomic upgrades, and the security guarantees that come with declarative infrastructure. Your data stays in Europe, your infrastructure is auditable, and you never have to worry about configuration drift or botched upgrades. Explore what Alplink can do for your business.