I’m in the process of migrating my servers to NixOS. It takes a lot of time and the learning curve is steep, but I have one config shared for all the servers and PCs. I have set up the servers to automatically pull the latest configuration every day and even restart if there’s a kernel update.
This means I just need to update my laptop and push the changes to the repository, and all the servers will also update.
I haven’t had this setup long enough to know if things will break unexpectedly with updates, though. NixOS has a great feature where you can roll back to a previous configuration (generation) with a single command. You can always keep using containers to isolate updates, if you want (Nix allows you to declare those in the config as well).
As an example, you can take a look at my config.
EDIT: Systemd timers have an option to randomize the time a service runs, I use it all the time. The option for Nix’s config pulling is using systemd timers, so you can use that.
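For reference, here is what the setup described above looks like in NixOS module form. This is an added example, not the commenter’s actual config; the flake URL, host name, schedule and reboot window are placeholders, and the module options are the standard `system.autoUpgrade` ones that drive the systemd timer and service NixOS generates.

```nix
# Added example: daily pull of a shared NixOS configuration from a git repo,
# with a randomized start time and a reboot only when the kernel changes.
# Repo URL, host attribute and times are assumptions for illustration.
{ config, pkgs, ... }:

{
  system.autoUpgrade = {
    enable = true;

    # Flake reference to the shared configuration repository; NixOS fetches
    # it and builds the matching nixosConfigurations.<host> output.
    # (Placeholder URL/host, not from the original post.)
    flake = "github:example/nixos-config#myhost";

    # Extra flags passed to nixos-rebuild; -L prints full build logs to the journal.
    flags = [ "-L" ];

    # Nominal time of the daily run (systemd OnCalendar syntax).
    dates = "04:00";

    # The randomized-delay option mentioned in the EDIT: this becomes
    # RandomizedDelaySec= on the generated timer, so a fleet sharing this
    # config does not hit the repo and binary cache at the same second.
    randomizedDelaySec = "45min";

    # Reboot after switching only if the booted kernel, initrd or kernel
    # modules differ from the newly activated generation; a plain package
    # or service update is applied live without a reboot.
    allowReboot = true;

    # Confine any such reboot to a maintenance window (placeholder times).
    rebootWindow = { lower = "02:00"; upper = "06:00"; };
  };
}
```

If an upgrade does break something, `nixos-rebuild switch --rollback` on the host returns it to the previous generation, and every generation stays selectable from the boot menu. One caveat worth keeping in mind with this pattern: whoever can push to that repository can change every machine that pulls from it, so the repo’s write access is effectively root on the whole fleet.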
I’ve been using email aliases for a few years now, but all spam I get is addressed to my main email (which admittedly is readily available on my website). Seems like no one has sold my email address yet.