Elixir-native host infrastructure declarations, planning, and runtime control.
HostKit is intended to be used from a normal Mix project with .exs infrastructure files. The DSL compiles to plain inspectable structs; Mix tasks are wrappers around the runtime API.
For naming, block shape, defaults, and reference style, see DSL design guidelines.
Design
- Core owns systemd/systemdkit persistent units.
- Core owns unitctl transient runtime primitives.
- Integrations such as Caddy, Forgejo, object storage, and monitoring are providers.
- DSL evaluation never applies changes to a host.
- Planning and rendering are available as runtime APIs.
Example
use HostKit.DSL
project :toys do
roots source: "/opt/toys/src",
data: "/srv/toys",
state: "/var/lib/toys",
config: "/etc/toys"
prefixes user: "toys-", unit: "toys-"
host :elixir_toys, at: "elixir.toys" do
ssh do
user "dannote"
sudo true
end
end
service :exograph do
account system: true
storage :data, mode: 0o755
storage :state, mode: 0o750
daemon do
description "Exograph search"
after_target :network_online
wants :network_online
working_directory path(:source)
exec ["/usr/local/bin/mix", "exograph.index.hex", "--web", "--port", "4200"]
restart :on_failure
restart_sec 10
isolate do
writable :data
writable :state
network :loopback
end
end
end
endPlans and down plans
Rollback is represented as another HostKit plan. A plan change already carries before and after state, so HostKit can derive a down plan from the exact plan that was applied:
{:ok, plan} = HostKit.plan(project, target: prod)
{:ok, down_plan} = HostKit.down(plan)
HostKit.format_plan(down_plan)
HostKit.apply(down_plan, confirm: true)Partial rollback uses the same plan model:
{:ok, down_plan} =
HostKit.down(plan, only: [{:file, "/etc/gatehouse/config.exs"}])Command-like operations need semantic down steps because HostKit cannot infer the opposite of an arbitrary command:
command :migrate,
exec: {"bin/app", ["eval", "App.Release.migrate()"]},
phase: :before_start,
down: {"bin/app", ["eval", "App.Release.rollback()"]}
command :warm_cache,
exec: {"bin/app", ["eval", "App.Cache.warm()"]},
down: :noopThe down command is emitted as an ordinary command change in the down plan. down: :irreversible records an explicit warning and omits the command from the down plan.
Created resources use conservative rollback policies. File-like resources and symlinks can be deleted by a down plan, but directories are kept unless explicitly opted in:
file "/etc/app/config", content: "..."
symlink "/opt/app/current", to: "/opt/app/releases/20260615"
directory "/tmp/demo", rollback: :delete_if_created
directory "/srv/app", rollback: :keep
account :app, system: true, rollback: :keep
package :caddy, rollback: :keepCLI usage mirrors this:
mix host_kit.plan infra/config.exs --host prod --out up.plan.json
mix host_kit.down up.plan.json --out down.plan.json
mix host_kit.apply --plan down.plan.json --confirm
Run tracking
Tracked applies write minimal run records under the project-configured HostKit runs root:
mix host_kit.apply --track --plan up.plan.json --confirm
mix host_kit.runs --host prod infra/config.exs
mix host_kit.runs --host prod --verbose infra/config.exs
mix host_kit.runs --host prod --latest --verbose infra/config.exs
mix host_kit.down --host prod --run 20260614-101148-demo-up --out down.plan.json infra/config.exs
Run records are intentionally compact: they identify the run, project, direction, timestamp, and applied change statuses. They do not replace plan artifacts; use plan artifacts for inspectable up/down plan contents. When a tracked apply is started from --plan, HostKit copies that up-plan artifact under the runs root and records the copied path so mix host_kit.down --last can work from the tracked run.
Tracked applies also write backup payloads for previous file-like state when that state was captured in the plan. Backup payloads live under hostkit_backups/<run-id>/ or the --backups-root override. mix host_kit.down --last and mix host_kit.down --run RUN_ID rewrite supported previous file-like state to %HostKit.BackupRef{} entries so generated down plans restore from backup payloads instead of embedding prior content. Backup-backed restore currently covers ordinary files plus rendered file resources such as env files, Caddy sites, proxy config, firewall/egress files, and systemd unit files when their previous rendered content was captured. Symlink rollback restores the previous link target directly in the plan. Use mix host_kit.runs --verbose, --latest, or --id RUN_ID to inspect copied plan artifacts and backup payload paths.
Source updates are intentionally not inferred as reversible by default: a previous Git remote/ref may no longer be reachable. Treat source rollback as an explicit lifecycle operation or pair it with a backup/source-bundle strategy.
Run retention is explicit. Use mix host_kit.runs --prune --keep N to remove older run records plus their copied plan artifact and backup payload directories.
Elixir app lifecycle helpers
The Elixir app recipe can emit lifecycle commands for common BEAM deployment operations. Ecto migrations are represented as normal commands with explicit down commands:
elixir_app :shop do
source github: "acme/shop", path: ".", ref: "main"
phoenix host: "shop.example.com", secret_key_base: secret_env("SECRET_KEY_BASE")
ecto release: "Shop.Release"
endThis emits a :before_start migration command that runs through the built release and a matching down command that calls Shop.Release.rollback().
For multiple repos, HostKit emits one ordered command per repo. Down plans reverse that order:
elixir_app :shop do
source github: "acme/shop", path: ".", ref: "main"
phoenix host: "shop.example.com", secret_key_base: secret_env("SECRET_KEY_BASE")
ecto release: "Shop.Release" do
repo "Shop.Repo"
repo "Shop.AnalyticsRepo"
end
endThe default expressions are:
Shop.Release.migrate(Shop.Repo)
Shop.Release.rollback(Shop.Repo)Use :migrate and :rollback for custom release functions when the defaults do not fit.
Providers
Providers can contribute DSL modules, resource types, renderers, validators, and read/plan/apply lifecycle operations. Systemd and Unitctl are core primitives, not providers; integrations such as Caddy should be providers.
use HostKit.DSL, providers: [HostKit.Providers.Caddy]
project :demo do
provider :caddy, HostKit.Providers.Caddy do
set :sites_dir, "/etc/caddy/sites"
end
service :web do
daemon do
exec ["/opt/web/bin/server"]
listen :http, port: 4000
end
caddy_site "example.com", path: "web.caddy" do
encode [:zstd, :gzip]
reverse_proxy :http
end
end
endInstances and nested hosts
Top-level host declarations describe existing connection targets. instance declarations describe lifecycle-managed compute boundaries with backend-selected lifecycle and normal HostKit contents nested inside.
use HostKit.DSL
project :demo do
instance :demo_vm do
backend :incus
image "images:ubuntu/24.04"
kind :container
lifecycle :ephemeral
expose :ssh, host: 2222, guest: 22
expose :web, host: 18080, guest: 80
target_host :guest
host :guest, at: "127.0.0.1" do
ssh do
user "root"
password "hostkit-demo"
port 2222
accept_hosts true
end
end
service :web do
package :caddy
daemon do
exec ["/usr/bin/env", "true"]
listen :http, port: 80
end
end
end
endThe instance owns compute lifecycle metadata (backend, image, kind, lifecycle, expose). The nested host owns connection metadata. Nested services/resources are ordinary HostKit declarations scoped to the instance contents. Plans emit the instance lifecycle resource first, then nested content resources annotated with the nested host target so read/apply operations run through that endpoint. If an instance declares more than one nested host, use target_host :name to choose the endpoint for nested content resources; otherwise HostKit uses the first nested host.
Down plans delete lifecycle :ephemeral instances after their nested content has been rolled back. Persistent instances are intentionally skipped in down plans and reported as warnings rather than destroyed implicitly.
Backend implementations are intentionally separate from the generic DSL. Incus is implemented as a backend for instance, not as a user-facing incus_machine DSL. The Incus backend maps expose declarations to Incus proxy devices.
Backend configuration stays on the backend declaration instead of leaking backend-specific flags into generic plan/apply commands:
instance :demo_vm do
backend :incus, sudo: true, project: "hostkit"
endFor multi-line configuration, use backend options:
instance :demo_vm do
backend :incus do
option :sudo, true
option :project, "hostkit"
end
endBackend authors implement HostKit.Instance.Backend:
read/2returns the observed instance ornil,apply/2creates/starts/configures/waits for the instance,delete/2destroys an instance when an ephemeral down plan requests it.
Backends should emit apply events for long-running lifecycle work so CLI and Livebook progress remain mailbox-first.
Host bootstrap packages and mise-managed runtimes
HostKit can install OS packages through the target package manager. The DSL is distribution-neutral by default and can be pinned to a manager when needed.
bootstrap do
package :ca_certificates
package :build_essential, as: "build-essential", update: true
endHostKit can also bootstrap mise and install system-wide tool versions. This is intended for host bootstrap and workspace agents; application services should still prefer packaged release artifacts where possible.
bootstrap do
mise do
tool :erlang, "29.0.2"
tool :elixir, "1.20.1"
end
endThis applies through the mise CLI contract: it installs the binary with mise.run when missing, then runs mise install --system with MISE_SYSTEM_DATA_DIR set.
Package planning resolves semantic package names through Repology and caches responses in .host_kit/cache/repology for 24 hours by default. Use locks for deterministic apply:
mix host_kit.plan --write-package-lock host_kit.package.lock infra/config.exs
mix host_kit.apply --package-lock host_kit.package.lock --confirm infra/config.exs
Plan/apply artifacts make remote changes inspectable before apply. Prefer declaring the remote host in normal .exs HostKit config and selecting it with --host:
use HostKit.DSL
project :infra do
host :prod, at: "host.example" do
ssh do
user "root"
identity_file Path.expand("~/.ssh/id_ed25519")
password secret_env("HOSTKIT_SSH_PASSWORD")
accept_hosts true
retry attempts: 3, base_delay: 250, max_delay: 2_000
end
end
endmix host_kit.plan --host prod \
--package-lock host_kit.package.lock \
--out host_kit.plan.json infra/config.exs
mix host_kit.apply --host prod \
--plan host_kit.plan.json --confirm infra/config.exs
ssh retry: ... is an SSH transport policy. It retries connection establishment for transient SSH startup/network failures; it does not blindly rerun arbitrary deployment commands after a command has been sent to the remote host. Use retry: 3 as shorthand for three attempts, retry: false to disable, or keyword options with :attempts, :base_delay/:base_delay_ms, and :max_delay/:max_delay_ms. Retry progress is emitted as apply events and mirrored to Logger for collection.
Plan artifacts are JSON and intended to be inspectable. Secret references are stored as references, not values, for example:
{
"$type": "struct",
"module": "Elixir.HostKit.Secret",
"fields": {
"source": {
"$type": "tuple",
"items": [
{"$type": "atom", "value": "env"},
"HOSTKIT_SSH_PASSWORD"
]
}
}
}secret_env/1 records an environment-backed secret reference and resolves it only at the control-plane boundary that needs the value. Use it for HostKit's own credentials, such as SSH passwords or future provider API tokens. Target application environment files use contextual env declarations. Inside service, env :name do ... end declares a managed env file at the service's config path. Inside daemon, env :name attaches that same file to the systemd unit:
service :app do
env :runtime do
set :mix_env, :prod
secret :database_url, env: "DATABASE_URL"
end
daemon do
env :runtime
exec ["/opt/app/bin/server"]
end
endUse dotenv path do ... end when you need an explicit dotenv-format file at a specific path.
Raw SSH flags remain available as an escape hatch: --remote, --user, --port, --identity-file, --password, and --password-env.
For Linux integration testing, use Incus as the lightweight native container/VM backend:
HOSTKIT_INCUS_SUDO=true HOSTKIT_SSH_PUBLIC_KEY=$HOME/.ssh/id_ed25519.pub \
scripts/incus_integration_vm.sh ensure
HOSTKIT_INCUS_SUDO=true scripts/incus_integration_vm.sh ip
Set HOSTKIT_INCUS_TYPE=vm to launch an Incus VM instead of the default container, and HOSTKIT_INCUS_INSTANCE=name to change the instance name. Run the remote CLI integration against Incus with HOSTKIT_INTEGRATION_TOOL=incus, or against a pre-existing host declared in .exs config with HOSTKIT_INTEGRATION_TOOL=remote HOSTKIT_INTEGRATION_CONFIG=examples/integration_hosts.example.exs.
A real remote validation can use the same host config and a shell-provided secret:
HOSTKIT_SSH_PASSWORD='...' \
HOSTKIT_INTEGRATION_TOOL=remote \
HOSTKIT_INTEGRATION_CONFIG=examples/integration_hosts.example.exs \
mix test test/integration/cli_remote_test.exs --include integration
Project-local DSLs
Use HostKit.ProjectDSL in consuming projects to build local conventions without baking them into HostKit.
Load project-local DSL files explicitly through the runtime API or Mix task --require option:
# infra/toys_infra.exs
defmodule ToysInfra do
use HostKit.ProjectDSL
root :source, "/opt/toys/src"
root :data, "/srv/toys"
root :state, "/var/lib/toys"
root :config, "/etc/toys"
prefix :user, "toys-"
prefix :unit, "toys-"
defservice :toy_service do
let :service_user, do: prefixed(:user, service_name())
let :unit_name, do: prefixed(:unit, service_name()) <> ".service"
path :source_dir, root(:source), service_name()
path :data_dir, root(:data), service_name()
path :state_dir, root(:state), service_name()
path :config_dir, root(:config), service_name()
macro :standard_user do
account service_user(), system: true, home: state_path("home")
end
end
end# infra/config.exs
use HostKit.DSL, providers: [HostKit.Providers.Caddy]
use ToysInfra
project :toys do
toy_service :exograph do
standard_user()
systemd_service unit_name() do
working_directory source_dir()
read_write_paths [data_dir(), state_dir(), source_dir()]
end
end
endRuntime API
{:ok, project} = HostKit.load("infra/config.exs", require: ["toys_infra.exs"])
{:ok, plan} = HostKit.plan(project)
#=> %HostKit.Plan{changes: [%HostKit.Change{action: :create, ...}]}
prod = HostKit.Target.ssh(:prod, host: "elixir.toys", user: "dannote", sudo: true)
{:ok, remote_plan} = HostKit.plan(project, target: prod, reader: HostKit.Remote)
HostKit.format_plan(plan)
{:ok, results} = HostKit.apply(plan, dry_run: true)
# Supported apply resources include accounts, directories, files, structured configs,
# templates, symlinks, env files, systemd units, commands, packages, and provider-rendered files.
{:ok, results} = HostKit.apply(plan, confirm: true, sudo: true)
# Command and filesystem operations are routed through a runner boundary.
{:ok, results} = HostKit.apply(plan, confirm: true, runner: HostKit.Runner.Local)
prod = HostKit.Target.ssh(:prod, host: "elixir.toys", user: "dannote", sudo: true)
{:ok, results} = HostKit.apply(plan, target: prod, confirm: true)
{:ok, conn} = HostKit.Runner.SSH.Connection.open(host: "elixir.toys", user: "dannote")
try do
prod = HostKit.Target.ssh(:prod, runner: {HostKit.Runner.SSH.Connection, conn: conn}, sudo: true)
{:ok, remote_plan} = HostKit.plan(project, target: prod, reader: HostKit.Remote)
after
HostKit.Runner.SSH.Connection.close(conn)
end
{:ok, unit} = HostKit.Render.render(project, {:systemd_service, "toys-exograph.service"})Storage volumes
HostKit models storage as named metadata instead of repeated path strings:
volume =
HostKit.Storage.volume(:repositories,
path: "/srv/toys/forgejo/repositories",
owner: "toys-forgejo",
group: "toys-forgejo",
mode: 0o750,
backup: true
)
directory HostKit.Storage.directory(volume)
read_write_paths HostKit.Storage.read_write_paths([volume])Service conventions can derive these paths without project-specific macros and later reuse the same volume metadata for systemd sandboxing, Unitctl transient runtimes, and backups.
project :toys do
roots data: "/srv/toys", config: "/etc/toys"
prefixes user: "toys-", unit: "toys-"
service :forgejo do
storage :repositories, under: :data, path: "repositories", mode: 0o750, backup: true
storage :config, under: :config, owner: "root", group: service_user(), writable: false, secret: true
daemon unit_name() do
run user: service_user(), read_write_paths: writable_storage_paths()
end
end
endHostKit agent
HostKit can run as a supervised OTP application. The supervision tree currently starts agent state and a monitor worker:
HostKit.Agent.status()
HostKit.Agent.configure(project: project, target: HostKit.Target.local(:prod))
HostKit.Agent.run_plan()
HostKit.Agent.run_monitor()HostKit can also declare its own outer systemd supervisor unit:
HostKit.Agent.Systemd.service(
exec_start: ["/opt/host_kit/bin/host_kit", "agent", "--config", "/etc/host_kit/config.exs"]
)State snapshots can be written for audit/drift history:
HostKit.State.write(plan, "/var/lib/host_kit/state/latest-plan.json")
HostKit.State.read("/var/lib/host_kit/state/latest-plan.json")This gives a clean two-layer supervision model: OTP inside the BEAM and systemd outside it.
Firewall policy
HostKit can declare project- or host-scoped firewall policy:
firewall do
allow tcp: 22, from: :any
allow tcp: [80, 443], from: :any
allow tcp: 9100, from: {10, 44, 0, 0, 24}
deny :all
endHost-scoped policy lives inside host:
host :prod, at: "elixir.toys" do
firewall do
allow tcp: 22, from: :any
deny :all
end
endExtract, render, plan, and apply policies with:
HostKit.Firewall.policies(project)
HostKit.Firewall.Nftables.render(policy)
HostKit.plan(project, reader: HostKit.Local)
HostKit.apply(plan, confirm: true, nft_reload: true)Firewall policy is written to /etc/nftables.d/hostkit.nft by default and validated with nft -c -f before optional reload.
Workspace inside monitoring
Workspace services can declare checks that are intended to run inside the sandbox later via a workspace agent:
workspace :blog, owner: :alice do
service :preview do
inside do
monitor :mix, task: "test", every: "5m"
monitor :port, port: 4000
monitor :git, clean: true
end
end
endExtract them with:
HostKit.Workspace.inside_monitors(project)Workspace execution and tenants
Tenants can own workspaces:
tenant :alice, quota: [memory: "4G"] do
agent port: 4173
endWorkspace command specs can be built for transient execution:
HostKit.Workspace.exec_spec(project, :alice, :blog, ["mix", "test"])
HostKit.Workspace.exec(project, :alice, :blog, ["mix", "test"])Inside monitors currently return :pending_workspace_agent, reserving execution for the sandbox agent boundary.
OpenTelemetry Collector config
Telemetry declarations can be converted to an OpenTelemetry Collector config map:
HostKit.OtelCollector.config(project, endpoint: "otel.example:4317")Workspace sandbox profiles
Systemd-backed isolation profiles can be applied inside daemons:
workspace :blog, owner: :alice do
service :preview do
daemon do
exec ["mix", "phx.server"]
isolate :vibe_dev do
writable path(:data)
network :loopback
end
end
end
endProfiles include :vibe_dev, :strict_app, and :untrusted, and can be overridden inside isolate:
isolate :untrusted do
memory_max "256M"
private_network false
endWorkspace preview helper
Workspace services can expose a preview route with a named listener and Caddy site:
workspace :blog, owner: :alice do
service :preview do
daemon unit_name() do
run exec_start: ["mix", "phx.server"]
end
preview :http, port: 4000, domain: "alice-blog.dev.example.com"
end
endThis expands to listen :http, a Caddy reverse proxy to that listener, an HTTP monitor, telemetry metadata, and Caddy access-log metadata.
Workspace agent helper
Workspaces can declare the default sandbox agent service as ordinary HostKit resources:
workspace :blog, owner: :alice do
agent port: 4173
endThis expands to a service with an account, workspace directory, systemd daemon, loopback listener, logs, telemetry, systemd monitor, and loopback-only network policy.
Workspace scope
workspace scopes ordinary HostKit DSL for user sandboxes while keeping resources inspectable:
workspace :blog, owner: :alice do
service :preview do
directory path(:data), mode: :private_dir
daemon unit_name() do
run exec_start: ["mix", "phx.server"]
listen :http, port: 4000, on: :loopback
end
end
endInside a workspace, services get workspace metadata plus separate path and identity names:
path(:data) # .../alice/blog/preview
unit_name() # prefix-alice-blog-preview.serviceNamed listeners
Services can declare named listeners and reuse them from provider declarations:
daemon unit_name() do
run exec_start: ["/usr/bin/env", "true"]
listen :http, port: 3000, on: :loopback
end
caddy_site "web.example.com" do
reverse_proxy :http
endNamed listeners are stored as service metadata and render Caddy upstreams like 127.0.0.1:3000 at the provider boundary.
Network addresses and policy
Network addresses can use Elixir tuple forms and semantic aliases:
listen 3000, on: :loopback
listen 4000, on: {127, 0, 0, 1}
network_policy deny: :all, allow: [:loopback, {10, 44, 0, 0, 24}]Systemd services compile network policy to:
IPAddressDeny=any
IPAddressAllow=localhost 10.44.0.0/24
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIXLog management intent
Log management can be declared globally, per service, or on individual resources:
observability do
logs driver: :journald,
retention: "14d",
ship: true,
attributes: [deployment_environment: :prod]
endSystemd service log declarations also add unit directives:
daemon unit_name() do
run exec_start: ["/usr/bin/env", "true"]
logs identifier: service_name(), stdout: :journal, stderr: :journal
endExtract log intent with:
HostKit.Logs.configs(project)Read recent journald logs through local or remote targets:
HostKit.Logs.read("toys-forgejo.service", target: prod, since: "1h")
HostKit.Logs.tail("toys-forgejo.service", target: prod, lines: 100)OpenTelemetry collection intent
Observability defaults can be enabled once at project or service scope and inherited by resources:
observability do
telemetry logs: true,
metrics: true,
traces: false,
attributes: [deployment_environment: :prod]
endResource-level overrides are still available:
daemon unit_name() do
run exec_start: ["/usr/bin/env", "true"]
telemetry logs: :journald, metrics: false, service_name: service_name()
endExtract collection intent with:
HostKit.Telemetry.signals(project)Systemd services and Caddy sites get default collection intent even without global defaults:
# systemd: logs: :journald, metrics: :systemd
# caddy: logs: :access, metrics: :httpMonitoring metadata
Declarations can carry monitoring intent for a later monitoring service or config generator:
daemon do
exec ["/usr/bin/env", "true"]
listen :http, port: 4000
monitor :systemd, expect: [state: :active], severity: :critical
end
caddy_site "web.example.com" do
reverse_proxy :http
monitor :http, url: "https://web.example.com", expect: [status: 200]
endExtract or run checks with:
HostKit.Monitor.checks(project)
HostKit.Monitor.run(project, target: prod)Initial execution supports systemd state, HTTP status, and filesystem existence checks.
File modes
Mode values can be raw octal, semantic aliases, tuples, keywords, or capability lists:
mode: :secret_group_file
mode: {:rw, :r, nil}
mode: [owner: :rw, group: :r]
mode: [:setgid, :owner_rwx, :group_rwx, :other_rx]Resources store normalized integer modes, so plan/apply remains simple.
Env files and secrets
HostKit has a Dotenvy-validated dotenv resource for explicit env files. Secret values are resolved at apply time. Drift detection compares metadata and non-secret set entries; secret entry values are not read into plan artifacts for comparison. Use secret KEY, env: :redacted for existing/generated env-file secrets that should be modeled but never rendered by HostKit. Secret sources support env: "NAME", file: "/run/secrets/name", and command: ["pass", "show", "name"].
service :web do
env :runtime do
set :MIX_ENV, :prod
set :PORT, 4000
secret :SECRET_KEY_BASE, env: "SECRET_KEY_BASE"
secret :API_TOKEN, file: "/run/secrets/api-token"
secret :GENERATED_TOKEN, env: :redacted
end
daemon do
env :runtime
exec ["/opt/web/bin/server"]
end
endFor explicit paths, use dotenv alongside ini and yaml:
dotenv path(:config, "env"), owner: "root", group: service_user(), mode: 0o640 do
set "MIX_ENV", "prod"
set "PORT", 4000
secret "GENERATED_TOKEN", env: :redacted
endStructured config files
Use ini/2 and yaml/2 when a managed file is naturally data. Structured config resources are first-class resources in plans and render to ordinary managed files during read/apply.
service :forgejo, path: "forgejo" do
ini path(:config, "app.ini"), owner: "root", group: service_user(), mode: 0o640 do
set "APP_NAME", "elixir.toys git"
section "server" do
set "DOMAIN", "git.elixir.toys"
set "ROOT_URL", "https://git.elixir.toys/"
set "HTTP_PORT", 3000
secret "LFS_JWT_SECRET", env: :redacted
end
section "database" do
set "DB_TYPE", "sqlite3"
set "PATH", path(:data, "forgejo.db")
end
end
endSecret or redacted INI/YAML values are omitted from public drift comparison. HostKit decodes YAML with yaml_elixir for public-path comparison and renders YAML scalars with ymlr; HostKit does not hand-roll YAML quoting/parsing. env: :redacted is useful for modeling existing generated secrets without storing or rendering them, and it is intentionally not renderable during apply. Use an env-backed secret when HostKit should render the file during apply:
secret "TOKEN", env: "APP_TOKEN"
secret "TOKEN", file: "/run/secrets/app-token"
secret "TOKEN", command: ["pass", "show", "app/token"]YAML configs use Elixir keyword data for stable order and may contain redacted secret leaves:
yaml path(:config, "gatus.yaml"),
content: [
storage: [type: "sqlite", path: path(:state, "gatus.db")],
alerting: [telegram: [token: :redacted, id: "chat-id"]],
endpoints: [
[
name: "Forgejo",
url: "https://git.elixir.toys",
conditions: ["[STATUS] == 200"]
]
]
],
owner: "root",
group: service_user(),
mode: 0o640Templates
Use template/2 for deterministic EEx-rendered text resources. Templates are first-class resources in plans and render to ordinary managed files during read/apply.
service :forgejo, path: "forgejo" do
template path(:config, "app.ini"),
from: "templates/forgejo/app.ini.eex",
assigns: %{
domain: "git.elixir.toys",
data_dir: path(:data),
repositories_dir: path(:data, "repositories")
},
owner: "root",
group: service_user(),
mode: 0o640
endIn DSL configs, relative from: paths are resolved relative to the declaring config file. Runtime code may use absolute from: paths or inline source::
HostKit.Resources.Template.new("/etc/app.conf",
source: "port=<%= @port %>\n",
assigns: %{port: 4000}
)Templates support regular EEx bindings (<%= port %>) and assigns syntax (<%= @port %>). Keep templates inspectable and deterministic; do not hide runtime behavior in templates. Template assigns containing %HostKit.Secret{} or :redacted are rejected until redacted template diffs are explicitly supported.
Read, audit, and facts APIs
Runtime APIs are primary; Mix tasks wrap them. Besides HostKit.plan/2, projects expose focused read/audit helpers:
{:ok, current_resources} = HostKit.Project.read(project, target: HostKit.Target.local(:prod))
{:ok, audit_plan} = HostKit.Project.audit(project, target: HostKit.Target.local(:prod))
{:ok, facts} = HostKit.Facts.collect(HostKit.Target.local(:prod), only: [:os, :users, :systemd, :ports])read/2 returns the current snapshots captured for each desired resource. audit/2 returns the same plan shape as HostKit.plan/2, so callers can inspect creates, updates, deletes, read errors, and no-ops without going through Mix tasks. CLI wrappers are available as mix host_kit.read, mix host_kit.audit, and mix host_kit.facts.
Command argv builder
Use argv/2 when a service command has many CLI options. It keeps argv inspectable without hand-writing long flag lists.
daemon :search do
exec argv(path(:bin, "mix"),
args: ["exograph.web"],
opts: [
backend: "duckdb",
manifest_path: path(:data, "hex-manifest.json"),
duckdb_memory_limit: "2GB",
port: 4200
]
)
endOption styles are configurable:
argv("cmd", opts: [foo_bar: "baz"], style: :gnu) # --foo-bar baz
argv("cmd", opts: [foo_bar: "baz"], style: :equals) # --foo-bar=baz
argv("cmd", opts: [foo_bar: "baz"], style: :single_dash) # -foo-bar baz
argv("cmd", opts: [f: "baz", v: true], style: :short) # -f baz -v
argv("cmd", opts: [foo_bar: "baz"], style: :underscore) # --foo_bar bazBooleans with true emit flags, false/nil are omitted, and list values repeat the option.
Systemd unit names
daemon, job, and schedule normalize systemd suffixes. Strings without a suffix get the right suffix; strings with .service/.timer are preserved. Atom names use the configured :unit prefix.
daemon "custom" do ... end # custom.service
schedule "custom" do ... end # custom.timer
daemon :health_alert do ... end # e.g. toys-health-alert.service
schedule :health_alert do ... endUse raw systemd_service/systemd_timer only when you intentionally want the low-level resource constructor.
Runtime isolation
HostKit uses shared runtime isolation structs for persistent systemd units and future transient Unitctl workloads:
sandbox = HostKit.Runtime.Sandbox.new(:strict_web)
resources = HostKit.Runtime.Resources.new(memory_max: "512M", cpu_quota: "50%")
service sandbox |> HostKit.Runtime.Sandbox.to_systemd_service_options()
service resources |> HostKit.Runtime.Resources.to_systemd_service_options()Built-in profiles include :web_service, :strict_web, :strict_app, :small, :medium, and :large.
The daemon DSL exposes a human-oriented isolation block for common service hardening:
service :api do
storage :data, mode: 0o750
daemon do
exec ["/opt/api/bin/server"]
isolate do
memory_max "512M"
writable :data
network :loopback
end
end
enddaemon do ... end derives the unit name from the enclosing service and enables it for multi-user.target by default. Use explicit systemd directives only when you need non-default unit behavior.
Runtime controls
HostKit exposes Unitctl as its core transient runtime layer:
{:ok, spec} =
HostKit.Runtime.Spec.new(
name: "demo-check",
command: ["/usr/bin/env", "true"],
sandbox: %{no_new_privileges: true, private_tmp: true}
)
{:ok, instance} = HostKit.Runtime.start(spec)
{:ok, state} = HostKit.Runtime.status(instance)
:ok = HostKit.Runtime.stop(instance)Mix tasks
mix host_kit.dump --require toys_infra.exs infra/config.exs
mix host_kit.plan --require toys_infra.exs infra/config.exs
mix host_kit.plan --require toys_infra.exs infra/config.exs --local
mix host_kit.plan --require toys_infra.exs infra/config.exs --local --ignore systemd_service:toys-exograph.service
mix host_kit.plan --require toys_infra.exs infra/config.exs --remote elixir.toys --user dannote --sudo
mix host_kit.apply --require toys_infra.exs infra/config.exs --local --dry-run
mix host_kit.render --require toys_infra.exs infra/config.exs systemd_service toys-exograph.service