Odoo Box

All of Martel's Odoo stack on just one NixOS machine.

So we've migrated our Odoo service away from K8s to a dedicated NixOS server. In the process, we've developed quite a bit of functionality that wasn't easy to implement in our old K8s setup and which resulted in slashing IT Ops and hardware costs while improving reliability and performance at the same time.

Below is an UML-ish deployment diagram followed by an overview of the main features, read up about the details in the docs.

Features

Odoo Service Stack

A fully-fledged, multi-architecture (x86-64 and ARM64) service stack to run Odoo on a single machine:

• Odoo multi-processing server, including LiveChat gevent process and configurable user session timeout.
• Sane, automatically generated Odoo config.
• Nix-packaged Odoo addons.
• systemd service to run Odoo, including daemon user and secure handling of Odoo admin password.
• systemd service to run PgAdmin, including daemon user, zero-config DB init with automatic connection to Postgres from the Web UI, and secure handling of PgAdmin Web UI admin password.
• Non-network Postgres DB backend (both Odoo and PgAdmin connect to Unix sockets) with automatic creation of Odoo & PgAdmin DBs and roles as well as strict security policies.
• Nginx TLS reverse proxy to safely expose Odoo and PgAdmin to the internet.
• CLI tools to help with maintenance tasks.
• Minimal NixOS base system with firewall and SSH.

From DBs to services to security, we wire everything together to make the whole service stack work out of the box without any extra manual config. As for security, we stick to Least Privilege and Zero Trust principles.

Operations

Nix and GitOps, a marriage made in heaven. We use Nix to build,deploy and manage our Odoo server and do GitOps all the way down to the operating system level. We keep the code that defines a running server in this git repo and then apply it to a remote set of machines to update their configuration, packages, services, etc. This also includes secrets and other security settings as well as Odoo addons, but obviously excludes the Odoo DB and file store. Basically the git repo is the single source of truth, the remote machines reflect the deployment state declared in the repo.

Also, we've developed a few things to make the sys admin's life a bit easier:

• Login. Choose how the root and admin users can log in. In cloud mode, these users can only log in over SSH with their respective SSH identities. In standard mode, they can log in both through TTY and SSH using passwords. Plus, they can also log in over SSH using their respective identities.
• Vault. All our password and TLS settings consolidated in one place for easy management and auditing. We encrypt vault files and then automatically decrypt them on the target machine directly into RAM (tmpfs) to avoid storing them on disk. This way even secrets can be safely kept in Git and in the Nix store, all of which enables a full-on GitOps approach.
• TLS certificates. Automatic request, installation and renewal of TLS certs. We use Let's Encrypt as a CA in prod, but we've also rolled out our own Smallstep CA to test locally and in non-prod envs.
• Odoo data migration. Support to migrate an Odoo DB and file store from another Odoo server. Complete with K8s migration scripts.
• Backups. Automatic hot and cold backups with flexible schedules. Notice that thanks to our Nix-powered GitOps approach, backing up and restoring a machine is a breeze. We just need to back up the Odoo DB and file store since our repo contains everything else you need to instantiate our Odoo Box. With a snapshot of the Odoo DB and file store at a point in time, you can restore your machine to the exact same state it was at that point in time with just a couple of commands.
• Built-in EC2 support. One-line install for Graviton (ARM64) and Intel (x86_64) instance types.

Development & Testing

We believe in local-first and reproducible development. Each dev should be able to install all the tools they need with a single command and the tool chain should be exactly the same for everyone in the team. Also, every dev should be able to test and tinker with Odoo Box locally without affecting other devs, prod or having to rely on cloud providers, not even for tricky scenarios like getting or renewing TLS certificates.

• Dev Env. Nix shell to get proper, isolated and reproducible dev envs. This is a sort of virtual shell env on steroids which has in it all the tools you need with the right versions. Plus, it doesn't pollute your box with libs that could break your existing programs—everything gets installed in an isolated Nix store dir and made available only in the Nix shell. Multi-architecture (x86-64 and ARM64) and available both on Linux and MacOS.
• Dev VM. Qemu VM to run and test the whole prod server in the comfort of your laptop. Why spin up a cloud VM or buy a separate dev box when you can easily test a prod clone on your laptop?