NixFleet

Signed GitOps fleet management for NixOS

Declarative, signed, sovereign. Built for EU operators under NIS2, DORA, ISO 27001, and ANSSI BP-028.

nix run github:arcanesys/nixfleet-demo

Single-host signed-evidence demo. Requires Nix with flakes enabled and /dev/kvm. macOS: see docs.

Four crises. One architecture.

Why standard tools fall short in regulated Europe

Configuration drift

Imperative tools converge toward a desired state on each run. They cannot prove the actual state of a host between runs, and anything changed outside the tool persists until a later run happens to notice it. On a mutable system, drift is inevitable.

NixFleet: Reproducible by construction. Each commit builds to a hash-addressed system closure that is identical on every host, so one store-path hash names exactly what runs.

Sovereignty

US cloud control planes (Jamf, Intune, AWS SSM) put your deployment capability behind the US CLOUD Act, vendor pricing, and third-party availability.

NixFleet: 100% self-hosted. Git forge, binary cache, control plane - all on your infrastructure. If we disappear, your fleet keeps running.

Bolted-on security

EDR, SIEM and SBOM scanners are detection layers stacked on top of mutable systems. They observe; they do not change what runs.

NixFleet: Security emerges from the system model: hash-addressed Nix store, signed-artifact chain end-to-end, closure-hash quarantine, impermanence.

Compliance

NIS2, DORA, ISO 27001, ANSSI BP-028 require auditable evidence. Traditional stacks produce assertions, not proofs.

NixFleet: Compliance as a release gate, not a scanner. The build refuses non-compliant closures; the auditor verifies the chain offline, without trusting us.

In one sentence

Move your regulated workloads to a declarative substrate

Keep the rest where it is. NixFleet places your regulated zone - the 5 to 15 hosts that carry your NIS2 / DORA / ANSSI exposure - on a signed-artifact GitOps loop: commit → CI signs → control plane verifies → agent verifies independently → activate with magic rollback. No signing keys live in the control plane, so a compromised CP can delay or withhold releases but cannot produce one the agents will accept. Compromise of the CP is an outage, not a breach.
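The loop above reduced to its trust model, as an added Go example that is not NixFleet's code: the Release layout, the Ed25519 signing scheme, the SHA-256 stand-in for a Nix store-path hash, the constructed closure contents and the health probe are all this example's assumptions. CI holds the only private key; the control plane can check a release with the public key but cannot sign one; the agent re-verifies with its own copy of the public key, checks the fetched closure against the signed hash, and rolls back a release that activates but fails its probe. The scenario then shows what a compromised control plane can and cannot do.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release travels commit -> CI -> control plane -> agent (field names are this example's, not NixFleet's).
type Release struct {
	Commit      string // git commit the closure was built from
	ClosureHash string // hex SHA-256 standing in for a Nix store-path hash
	Sig         []byte // Ed25519 signature over (Commit, ClosureHash), made in CI
}

// signedBytes is what CI signs and every verifier recomputes (NUL-separated).
func signedBytes(r Release) []byte { return []byte(r.Commit + "\x00" + r.ClosureHash) }
func closureHash(closure []byte) string {
	sum := sha256.Sum256(closure)
	return hex.EncodeToString(sum[:])
}

// CI is the only party holding the private key.
type CI struct{ priv ed25519.PrivateKey }

func (c CI) Build(commit string, closure []byte) Release {
	r := Release{Commit: commit, ClosureHash: closureHash(closure)}
	r.Sig = ed25519.Sign(c.priv, signedBytes(r))
	return r
}

var ErrBadSignature = errors.New("agent: invalid signature, release quarantined")
var ErrHashMismatch = errors.New("agent: fetched closure does not match signed hash")
var ErrRolledBack = errors.New("agent: health probe failed, rolled back")

// Agent pins the CI public key at provisioning and re-verifies every release itself.
type Agent struct {
	pub         ed25519.PublicKey
	generations []string                 // activated closure hashes; last is current
	healthy     func(closure string) bool // post-activation health probe (constructed)
}

// Activate: verify signature, check fetched closure against the signed hash,
// switch generation, roll back if the health probe fails.
func (a *Agent) Activate(r Release, closure []byte) error {
	if !ed25519.Verify(a.pub, signedBytes(r), r.Sig) {
		return ErrBadSignature
	}
	if closureHash(closure) != r.ClosureHash {
		return ErrHashMismatch
	}
	a.generations = append(a.generations, r.ClosureHash)
	if !a.healthy(r.ClosureHash) {
		a.generations = a.generations[:len(a.generations)-1] // magic rollback
		return ErrRolledBack
	}
	return nil
}

// Outcome records the three constructed cases: honest, CP-tampered, signed-but-broken.
type Outcome struct {
	GoodActivated          bool
	TamperedErr, BrokenErr error
	Current, GoodRef       string // closure running at the end, and the good closure
}

func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	ci := CI{priv: priv}
	good := []byte("nixos-system-host1: constructed closure contents")
	broken := []byte("nixos-system-host1: constructed closure whose service never starts")
	evil := []byte("nixos-system-host1: constructed closure with a backdoor")
	agent := &Agent{pub: pub, healthy: func(h string) bool { return h != closureHash(broken) }}
	// 1. Honest path: the CP checks with the public key only (it can forward, delay or drop, never sign), then the agent checks again.
	r1 := ci.Build("a1b2c3d", good)
	if !ed25519.Verify(pub, signedBytes(r1), r1.Sig) {
		return Outcome{}, errors.New("control plane: invalid signature, release dropped")
	}
	out := Outcome{GoodRef: r1.ClosureHash, GoodActivated: agent.Activate(r1, good) == nil}
	// 2. Compromised CP points the release at the backdoored closure; CI's signature no longer covers it.
	r2 := r1
	r2.ClosureHash = closureHash(evil)
	out.TamperedErr = agent.Activate(r2, evil)
	// 3. Properly signed but broken release: activates, fails the probe, rolls back.
	out.BrokenErr = agent.Activate(ci.Build("e4f5a6b", broken), broken)
	out.Current = agent.generations[len(agent.generations)-1]
	return out, nil
}

func main() {
	out, err := RunScenario()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

The second case is the one the sentence above rests on: the rewritten release fails the agent's own signature check before any closure is activated, so the worst a hostile control plane can do is stop releases from arriving. The third case is the rollback path, where a signed release that breaks the host is undone by the agent rather than by an operator.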

Compliance

16 controls · 4 frameworks

NIS2 Article 21 mapping, signed evidence per host, governance engine with per-rule exceptions.

Pilot

3 months · 5–15 hosts · free

Your regulated zone on a declarative substrate. Signed NIS2 evidence packet at month 3. Migration from Ansible / Puppet / Chef in scope.

Vision

Cryptographic citizenship

TPM-bound identity, PCR-sealed secrets, threshold-signed channels. Specified in 4 RFCs.

Run a 3-month pilot. 5–15 hosts. Free.

Move your regulated workloads to a declarative substrate. Keep the rest where it is. We help you stand up the regulated zone with signed evidence ready for your auditor, whether you already run NixOS or migrate from Ansible / Puppet / Chef during the 12 weeks.

Book a 15-min call