
Excellent read, thank you! Just in time, I have been eyeing one of those TinyMiniMicro PCs to replace OpenWRT with Nix.

Could you share more details on push_to_router.sh? Is it a wrapper around calling nixos-rebuild through ssh?




Yes, although later I learned I could do it in a one-liner. Here nixconfig is a folder with all my nix files:

  tar -czf - nixconfig | ssh 192.168.1.1 \
    'tar -zxf - && sudo cp -r ./nixconfig/* /etc/nixos/ && sudo nixos-rebuild --show-trace '"${rebuild_flag} ${name_flag}"


If you're ok with building locally and not on the target host, this is simpler:

  nixos-rebuild --flake .#foo --target-host root@foo --build-host localhost switch


Deploy-rs is a great alternative. It works as a wrapper on top of flakes, building locally (optionally cross-building) and copying closures to the target machine with activation:

https://github.com/serokell/deploy-rs


These days, that's all included in nixos-rebuild itself, not much need for wrappers anymore. I migrated from Colmena to just nixos-rebuild.


Huh, I guess I was woefully behind on changes to nixos-rebuild. Thanks for the pointer, I will check it out.


One thing nixos-rebuild doesn't get you is a secrets transmission mechanism. I've been dabbling in building something independent of NixOS/Nix that would still do that neatly...


May I suggest agenix? It dovetails into my deploy-rs flake setup very nicely and I can track the encrypted secrets in the flake repo.

I keep the "master" key encrypted in pass, passing it to agenix in a zsh "=" subshell.



