NixOS agenix Secrets
A public-safe pattern for keeping real service credentials out of the repo while still fitting a rebuildable NixOS host.
Guides / Reproducible Self-Hosting
Declarative service design, maintainable automation, and self-hosting patterns with less operational drift.
Reproducible Self-Hosting guides
NixOS Podman Service
A rebuild-first pattern for adding one real service to a NixOS host with explicit state, env placeholders, validation, and backup scope.
Minimal NixOS Host
A small NixOS baseline with flakes, key-only SSH, firewall defaults, fail2ban, and rebuild checks.