HX NixOSInfrastructure Documentation

Declarative, reproducible, hardened NixOS configurations for a laptop workstation and homelab server.

Impermanence

Server root filesystem is wiped on every boot and rebuilt from a pristine BTRFS snapshot. Only /persist and /nix survive reboots.

Enterprise-grade kernel, network, and syscall hardening. Post-quantum SSH cryptography. Systemd sandboxing on all services.

Disk partitioning (disko), secrets (agenix), containers (systemd-nspawn), backups (restic) -- all defined in Nix.

Each service runs in its own NixOS container with private networking, NAT, and firewall rules. Traefik handles TLS termination.

Weekly auto-upgrades with lock file commits, daily encrypted backups with retention policies, automatic garbage collection.

No channels. Each system has an independent flake with pinned inputs. Modular architecture with 22+ laptop and 25+ server modules.