I track all my system configurations (NixOS) in an infra.git. This has worked great historically, but my configuration doesn't move much¹ (and the numbers of computers/domains I have to wrangle grows), so I don't look at the history often; I'm not always sure if HEAD of master really is the state of whatever system I'm considering.

I figured I'd try tagging my commits: I tagged HEAD as current, pushed it, and immediately figured that updating my systems now came with the overhead of removing a tag from all repo copies; untenable.

I instead landed in tags on the form $(hostname)-$(date --iso-8601): it scales, does not require any tag removals (latest $(hostname)-* tag will be the state of the system), and I'm unlikely to tag twice in a day, anyway.

Now I can glance at my infra.git history and immediately know the state of all my systems, without having to ask them (great if remote access is lost²). In case system end-users complain about stuff breaking, I can produce a clean diff between two deployment revisions, too. I imagine the method can give some useful info for high-prio CVEs, also.

Now I just need to remember to create a tag after the regular nixos-rebuild <test|switch> song-and-dance.

Footnotes

¹ Apart from infrequent maintenance changes and some emacs.org tweaks.

² Nevertheless: knock on wood.