Removing Machines

How to cleanly retire a machine from the Clan: drop it from the inventory, clean up its vars/secrets, and reclaim disk space. This is the reverse of Adding a Machine.

  1. Back up anything you still need from the machine (data, keys).
  2. Remove it from the flake.nix inventory (and any service assignments).
  3. Clean up its Clan vars and SOPS secrets.
  4. Delete the machine config directory.
  5. Validate the flake, then garbage-collect generations on the retired host (or wipe it).

Delete the machine’s entries across the registry files:

  • modules/clan/default.nix — clan.machines.<name>.nixpkgs.hostPlatform and inventory.machines.<name> (deploy target, class, tags).
  • modules/clan/machines.nix — the <name>.imports feature list.
  • modules/clan/hjem-users.nix — the <name> hjem user block.

Then remove the machine from any service / instance assignments in modules/clan/services.nix (inventory.instances) that name it explicitly, e.g.:

## remove lines like:
roles.default.machines.<name> = { };
roles.server.machines.<name> = { };

Note: tag-based assignments (roles.*.tags.nixos, tags.all, etc.) stop applying automatically once the machine and its tags are gone — no per-instance edit needed for those.

Inspect, then delete the machine’s generated vars:

clan vars list <name> # see what exists
clan vars delete <name> <generator> # delete a specific generator

Remove the machine from Clan’s secrets system and drop its SOPS material:

clan secrets machines remove <name>

Then remove leftover on-disk artifacts (commit the deletions):

  • lib/machine-env-matrix.nix — delete the machine’s secret key list.
  • sops/machines/<name>/ — the machine’s age public key entry.
  • sops/secrets/<name>-age.key/ (and any <name>-* secrets scoped only to it).

Only delete secrets that are exclusive to this machine. Shared secrets (used by other hosts via tags) must stay.

git rm -r modules/hosts/<name>

This also removes its facter.json / hardware-configuration.nix / disko.nix.

just check # deadnix, statix, nixfmt --check, nix flake check
scripts/validate-inventory.sh # confirm nothing still references <name>

nix flake check will fail if any instance still points at the removed machine — fix the dangling reference and re-run.
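
A narrower audit in the same spirit, as an added example (it is not the repository's scripts/validate-inventory.sh, whose contents this page does not show). It assumes the paths listed above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: post-removal audit for a retired Clan machine.
# Assumes the repository layout named on this page; function names are hypothetical.

# leftover_paths ROOT NAME: print per-machine paths that should be gone.
leftover_paths() {
  root=$1 name=$2
  for p in "modules/hosts/$name" "sops/machines/$name" "sops/secrets/$name-age.key"; do
    [ -e "$root/$p" ] && printf '%s\n' "$p"
  done
  return 0
}

# leftover_refs ROOT NAME: print file:line:text for every remaining mention
# in the registry files and the secret key matrix.
leftover_refs() {
  root=$1 name=$2
  # -F: literal match (dots in a hostname are not regex wildcards).
  # -w: whole word, so auditing "web1" does not flag "web10".
  ( cd "$root" && grep -rnFw -- "$name" modules/clan lib/machine-env-matrix.nix 2>/dev/null ) || true
}

# audit_removed_machine ROOT NAME: return 0 when clean, 1 with a report on stderr.
audit_removed_machine() {
  root=$1 name=$2
  paths=$(leftover_paths "$root" "$name")
  refs=$(leftover_refs "$root" "$name")
  [ -z "$paths" ] && [ -z "$refs" ] && return 0
  [ -n "$paths" ] && printf 'still on disk:\n%s\n' "$paths" >&2
  [ -n "$refs" ] && printf 'still referenced:\n%s\n' "$refs" >&2
  return 1
}

# Usage: sh audit.sh /path/to/repo <name>
if [ "$#" -eq 2 ]; then
  audit_removed_machine "$1" "$2"
fi
```

A leftover sops/machines/<name>/ entry is the one to watch: while the machine's age public key is still registered, a later re-encryption of shared secrets could include the retired host as a recipient.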

If the physical machine is being kept but repurposed, free old NixOS generations on it (see Rollback & Recovery):

nh clean all # or: sudo nix-collect-garbage -d

If it’s being decommissioned entirely, just wipe the disk. Either way, also remove its SSH host key references from your known_hosts and, if it was a borgbackup/ssh peer, confirm no other machine still expects it.