01 The 4-VM reference fleet
nixfleet-demo spins up four QEMU VMs that exercise the full signed GitOps
loop end to end: forge (Git forge + CI runner + Nix binary cache; the
ed25519 release-signer lives here), cp (control plane, mTLS, signature
verification), web-01 and web-02 (nginx agents on the
stable-canary and edge channels). The repository ships with publicly known demo keys so a fresh
clone boots immediately; precisely because those keys are public, do not deploy this configuration to production.
After the 10-step walkthrough, nixfleet status on cp shows
the converged fleet:
root@cp:~# nixfleet status
HOST CHANNEL CURRENT DECLARED STATUS COMPLIANCE
forge stable q9w4kx2vp3nf7… q9w4kx2vp3nf7… ✓ converged -
cp stable 8jzm5lc7wxqr2… 8jzm5lc7wxqr2… ✓ converged 0 outstanding
web-01 stable yb3dr0h5p9fnt… yb3dr0h5p9fnt… ✓ converged 0 outstanding
web-02 edge m7c4kx9l1bgwh… m7c4kx9l1bgwh… ✓ converged 0 outstanding
forge shows - in the compliance column because it is the build / signing host, not an audited workload. The three agents run the NIS2 preset.
github.com/arcanesys/nixfleet-demo · MIT.
02 What the demo demonstrates
- The full signed-artifact GitOps loop: commit on your laptop → CI in forge signs fleet.resolved.json → cp verifies → each agent verifies independently → activate.
- Channel-gated waves: web-02 (edge) must converge before web-01 (stable canary) is allowed to start. The channelEdges ordering is the gate.
- Magic rollback with deadline: break web-01's config, push. The agent fails activation and reverts to the previous generation automatically. No external monitoring is involved.
- Independent agent verification: stop cp between signing and dispatch. Agents still refuse anything not signed by the release key, so the control plane is a relay, not a trust anchor.
- Signed compliance evidence: /var/lib/nixfleet-compliance/evidence.json on each agent, JCS-canonicalised, host-signed, per control.
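The two signature properties above (agents accept only release-signed manifests, and each host signs its own per-control evidence over a canonical encoding) both reduce to "sign the canonical bytes, verify against a pinned key". The following is an added example, not code from nixfleet or nixfleet-demo; it is in Go because the standard library ships ed25519 and a key-sorting JSON encoder. The manifest layout, the evidence record fields, the envelope type and every function name (Canonicalize, Sign, Verify, AgentAccept, SignEvidence) are assumptions for illustration, and the canonicalisation is a simplified stand-in for RFC 8785 rather than a full JCS implementation.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Canonicalize encodes a JSON value deterministically: keys sorted, no
// whitespace, no HTML escaping. Assumption: a stand-in for RFC 8785 (JCS).
// Full JCS also pins number formatting and orders keys by UTF-16 code units;
// for ASCII keys and integer/boolean values the bytes are identical.
func Canonicalize(v any) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // JCS does not turn < > & into \u003c etc.
	if err := enc.Encode(v); err != nil {
		return nil, err
	}
	return bytes.TrimSuffix(buf.Bytes(), []byte("\n")), nil
}

// Signed is a detached-signature envelope (layout assumed). The signature
// covers Canonicalize(Payload): re-indenting or reordering the JSON in
// transit still verifies, changing any value does not.
type Signed struct {
	Payload   map[string]any `json:"payload"`
	Signature []byte         `json:"signature"`
}

var ErrBadSignature = errors.New("signature does not verify under the expected key")

func Sign(priv ed25519.PrivateKey, payload map[string]any) (Signed, error) {
	msg, err := Canonicalize(payload)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, msg)}, nil
}

func Verify(pub ed25519.PublicKey, s Signed) error {
	msg, err := Canonicalize(s.Payload)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, s.Signature) {
		return ErrBadSignature
	}
	return nil
}

// AgentAccept is the agent-side gate. The only trust anchor is the release
// public key; a manifest cp signed with its own key, an unsigned one, or a
// modified one is refused before anything is activated.
func AgentAccept(releasePub ed25519.PublicKey, host string, m Signed) (string, error) {
	if err := Verify(releasePub, m); err != nil {
		return "", fmt.Errorf("refusing manifest for %s: %w", host, err)
	}
	hosts, _ := m.Payload["hosts"].(map[string]any)
	gen, ok := hosts[host].(string)
	if !ok {
		return "", fmt.Errorf("manifest carries no generation for %s", host)
	}
	return gen, nil
}

// SignEvidence emits one host-signed record per control, mirroring the
// "per control" evidence the page describes. Record fields are assumed.
func SignEvidence(hostPriv ed25519.PrivateKey, host string, results map[string]bool) ([]Signed, error) {
	var out []Signed
	for control, pass := range results {
		rec, err := Sign(hostPriv, map[string]any{"host": host, "control": control, "pass": pass})
		if err != nil {
			return nil, err
		}
		out = append(out, rec)
	}
	return out, nil
}

func main() {
	releasePub, releasePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, cpPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed manifest; the real fleet.resolved.json layout is not on the page.
	manifest := map[string]any{"hosts": map[string]any{"web-01": "gen-41", "web-02": "gen-42"}}

	good, _ := Sign(releasePriv, manifest)
	gen, err := AgentAccept(releasePub, "web-01", good)
	fmt.Println("release-signed:", gen, err)
	fromCp, _ := Sign(cpPriv, manifest) // cp acting alone, without the release key
	_, err = AgentAccept(releasePub, "web-01", fromCp)
	fmt.Println("cp-signed:", err)
	tampered := good // same signature, edited payload
	tampered.Payload = map[string]any{"hosts": map[string]any{"web-01": "gen-99", "web-02": "gen-42"}}
	_, err = AgentAccept(releasePub, "web-01", tampered)
	fmt.Println("tampered:", err)
}
```

The point of canonicalising before signing is that cp, the cache and the agent may each re-serialise the manifest; the signature must survive that but nothing else. For production use, swap Canonicalize for a real RFC 8785 implementation and pin the release public key in the agent image rather than fetching it from the control plane.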
03 Prerequisites
- Linux or macOS with Nix flakes enabled (experimental-features = nix-command flakes)
- QEMU/KVM (Linux) or Apple Hypervisor (macOS)
- ~6 GB free RAM, ~20 GB free disk for VM state
- First CI run: 20–45 minutes on a cold nixpkgs cache (forge compiles the nixfleet Rust workspace from source). Subsequent pushes finish in 2–5 minutes.
04 Run it
The 10-step walkthrough - exact commands, flags, port forwards, expected output - lives in the repository's README. Copy-paste, ten minutes of typing, then a coffee break for the first CI run. The README is the single source of truth, because the commands change with the flake.
Open the walkthrough ↗ Open the repository ↗
05 After the demo
If the loop converged on your laptop, the next step is a 15-min call to scope a workshop on 2–3 of your own hosts. The transition from demo to your infrastructure is documented in the workshop kit.