European infrastructure faces three simultaneous crises:
- Configuration drift: legacy tools (Ansible, Puppet) describe actions to perform, not states to reach. The outcome depends on pre-existing state, so drift is structurally inevitable.
- Cloud dependence: Jamf, Intune and AWX make your infrastructure a dependency of their cloud. Your ability to deploy depends on their availability. Cloud Act exposure, opaque internals, proprietary formats.
- NIS2: 15,000+ French entities affected. Deadline: end of 2027. Fines up to €10M or 2% of global revenue. Personal liability for executives.
NixFleet transforms NixOS's mathematical guarantees — reproducibility, atomicity, traceability — into an enterprise fleet management platform, NIS2-compliant by construction and 100% self-hosted.
- Nix framework: a single mkHost API declares an entire fleet in one flake.nix. 11 scopes auto-activate. No proprietary DSL, only standard NixOS.
- Control plane: central server holding fleet state, rollout orchestration (canary, staged, all-at-once) and the full audit trail. mTLS + API key authentication.
- Agent: autonomous binary on each host. Pull model (polling). State machine with health checks and automatic rollback on failure. Works even if the control plane is temporarily down.
- Compliance: 12 active NIS2 control modules (+ 4 reserved for DORA/ISO) following the enforce + prove pattern. NIS2 preset (essential/important). Automatic evidence collection. Works with or without NixFleet.
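As an added illustration of the control plane and agent described above (example code written for this page, not NixFleet's own source), the following Rust program plans a rollout under the canary, staged and all-at-once strategies and drives each host through a small state machine: switch to the target generation, run a health check, and roll back to the previous generation when the check fails. A batch must be fully healthy before the next one starts, which is what makes a failing canary protect the rest of the fleet. Host names, generation numbers, the staged percentage and the health-check outcomes are constructed sample data; a real agent would poll the control plane and run real health checks between steps.

```rust
// Added example (not NixFleet's code): health-gated rollout of a new system
// generation across a fleet, with automatic per-host rollback.
use std::collections::HashMap;

/// Rollout strategies named on the page; the staged percentage is an assumed parameter.
#[derive(Debug, Clone, Copy)]
pub enum Strategy {
    /// One canary host first, then everyone else.
    Canary,
    /// Batches of `percent` of the fleet at a time.
    Staged { percent: usize },
    AllAtOnce,
}

/// Per-host state machine, advanced by the agent after each poll.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HostState {
    Idle { generation: u64 },
    Switching { from: u64, to: u64 },
    HealthCheck { from: u64, to: u64 },
    Healthy { generation: u64 },
    RolledBack { to: u64, failed: u64 },
}

/// Split the host list into ordered batches according to the strategy.
pub fn plan_batches(hosts: &[&str], strategy: Strategy) -> Vec<Vec<String>> {
    let names: Vec<String> = hosts.iter().map(|h| h.to_string()).collect();
    match strategy {
        Strategy::AllAtOnce => vec![names],
        Strategy::Canary => {
            let split = names.len().min(1);
            let (first, rest) = names.split_at(split);
            let mut out = vec![first.to_vec()];
            if !rest.is_empty() {
                out.push(rest.to_vec());
            }
            out
        }
        Strategy::Staged { percent } => {
            // Ceiling division so small fleets still get at least one host per batch.
            let size = (names.len() * percent.clamp(1, 100) + 99) / 100;
            names.chunks(size.max(1)).map(|c| c.to_vec()).collect()
        }
    }
}

/// One agent step: start the switch, run the health check, then either
/// confirm the new generation or roll back to the previous one.
pub fn agent_step(state: HostState, target: u64, healthy: bool) -> HostState {
    match state {
        HostState::Idle { generation } | HostState::Healthy { generation } if generation != target => {
            HostState::Switching { from: generation, to: target }
        }
        HostState::Switching { from, to } => HostState::HealthCheck { from, to },
        HostState::HealthCheck { from, to } => {
            if healthy {
                HostState::Healthy { generation: to }
            } else {
                HostState::RolledBack { to: from, failed: to }
            }
        }
        // Already at the target, or terminal for this rollout.
        other => other,
    }
}

/// Drive the rollout batch by batch. Every host in a batch must reach
/// `Healthy` before the next batch switches; otherwise the rollout halts.
/// Hosts are assumed to start on generation `target - 1`.
pub fn run_rollout(
    hosts: &[&str],
    strategy: Strategy,
    target: u64,
    health: &HashMap<&str, bool>, // constructed health-check outcome per host
) -> (HashMap<String, HostState>, bool) {
    let mut states: HashMap<String, HostState> = hosts
        .iter()
        .map(|h| (h.to_string(), HostState::Idle { generation: target - 1 }))
        .collect();
    for batch in plan_batches(hosts, strategy) {
        for host in &batch {
            let ok = *health.get(host.as_str()).unwrap_or(&false);
            let mut s = states[host];
            // Three steps take Idle -> Switching -> HealthCheck -> Healthy | RolledBack.
            for _ in 0..3 {
                s = agent_step(s, target, ok);
            }
            states.insert(host.clone(), s);
        }
        let batch_ok = batch.iter().all(|h| matches!(states[h], HostState::Healthy { .. }));
        if !batch_ok {
            return (states, false); // halt: later batches never switch
        }
    }
    (states, true)
}

fn main() {
    let hosts = ["web-1", "web-2", "web-3", "web-4"]; // constructed fleet
    let health: HashMap<&str, bool> =
        [("web-1", false), ("web-2", true), ("web-3", true), ("web-4", true)].into_iter().collect();
    let (states, ok) = run_rollout(&hosts, Strategy::Canary, 3, &health);
    println!("rollout succeeded: {ok}");
    for (h, s) in &states {
        println!("{h}: {s:?}");
    }
}
```

With the canary failing its health check, only `web-1` ever switches and it ends in `RolledBack`; the other three hosts stay on the previous generation, which is the property a canary strategy is meant to give.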
NixFleet is not a research project or a vision. It is a working product, tested, with production-ready security.
| Component | Status | Detail |
|---|---|---|
| Nix Framework (mkHost) | Working | Simplified API, 11 auto-activating scopes, flake templates |
| Rust Control Plane | Working | Axum, SQLite, HTTPS, mTLS, rollouts, audit trail |
| Rust Agent | Working | State machine, polling, health checks, auto-rollback |
| Rust CLI | Working | bootstrap, deploy, status, rollout, policy, schedule |
| Security | Production-ready | mTLS agent-CP, API keys SHA-256 (RBAC), mandatory HTTPS |
| NIS2 Compliance | 12 active controls | + 4 reserved DORA/ISO, automatic evidence collector |
| Tests | 143+ tests | Rust unit, VM fleet (canary mTLS), compliance end-to-end, Nix eval |
| Documentation | Complete | mdbook, getting started, architecture, API reference |
NixOS provides the foundational guarantees. NixFleet adds everything needed to go from a well-configured server to an enterprise-managed fleet:
| Capability | NixOS Alone (DIY) | With NixFleet |
|---|---|---|
| Fleet deployment | Manual SSH or Colmena (push) | Autonomous agent (pull), works through firewalls |
| Progressive rollout | None — all or nothing | Canary, staged %, health-gated |
| Rollback | Manual, host by host | Automatic on health check failure, fleet-wide <90s |
| Fleet visibility | No centralized view | Real-time state of every host via control plane |
| Security | Configure it yourself | mTLS + API keys + HTTPS built-in, zero config |
| NIS2 compliance | Considerable manual effort | 12 NIS2 controls enabled in 1 line, automatic evidence |
| Audit trail | Non-existent | Full log with actor identity, CSV/JSON export |
| Support | Community (best-effort) | SLA, dedicated support, compliance expertise |
NIS2 Directive (Article 21) defines 10 categories of measures. NixFleet covers all 10 with 12 active control modules, each following the enforce + prove pattern: enforce the control at the infrastructure layer, then emit machine-readable evidence.
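The enforce + prove pattern, as an added example that is not taken from NixFleet's modules: a control declares the settings it requires, `enforce` rewrites a configuration so that it satisfies them, and `prove` compares what is observed with what is required and emits a machine-readable evidence record. The control id `example-ac-ssh-1`, the sshd_config-style sample text and the JSON shape are assumptions made for this illustration; NixFleet applies the pattern through NixOS modules rather than by rewriting text, and a real evidence collector would add a timestamp and the identity of the host and actor.

```rust
// Added example (not NixFleet's code): the "enforce + prove" pattern applied
// to one access-control setting set. Control id and sample config are constructed.

/// Settings a control requires, as (key, required value) pairs.
pub struct Control {
    pub id: &'static str,
    pub required: &'static [(&'static str, &'static str)],
}

/// Hypothetical access-control control: no password and no root SSH logins.
pub const SSH_HARDENING: Control = Control {
    id: "example-ac-ssh-1", // placeholder id, not a NixFleet control name
    required: &[("PasswordAuthentication", "no"), ("PermitRootLogin", "no")],
};

/// Parse `key value` lines of an sshd_config-style file; comments and blank
/// lines are skipped. Order is preserved because sshd honours the first match.
pub fn parse_config(text: &str) -> Vec<(String, String)> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| {
            let mut it = l.splitn(2, char::is_whitespace);
            Some((it.next()?.to_string(), it.next()?.trim().to_string()))
        })
        .collect()
}

/// Enforce: rewrite the config so every required key carries the required
/// value (first occurrence wins, as in sshd), appending keys that are absent.
pub fn enforce(control: &Control, text: &str) -> String {
    let mut entries = parse_config(text);
    for (key, want) in control.required {
        match entries.iter_mut().find(|(k, _)| k.as_str() == *key) {
            Some(e) => e.1 = want.to_string(),
            None => entries.push((key.to_string(), want.to_string())),
        }
    }
    entries.iter().map(|(k, v)| format!("{k} {v}\n")).collect()
}

/// Prove: compare observed settings with the requirement and emit an evidence
/// record. JSON is built by hand to stay dependency-free; values are assumed
/// not to contain quotes, so no escaping is done here.
pub fn prove(control: &Control, text: &str) -> (bool, String) {
    let entries = parse_config(text);
    let mut compliant = true;
    let mut findings = Vec::new();
    for (key, want) in control.required {
        let observed = entries
            .iter()
            .find(|(k, _)| k.as_str() == *key)
            .map(|(_, v)| v.as_str());
        let ok = observed == Some(*want);
        compliant &= ok;
        findings.push(format!(
            "{{\"setting\":\"{key}\",\"expected\":\"{want}\",\"observed\":{},\"ok\":{ok}}}",
            observed.map(|v| format!("\"{v}\"")).unwrap_or("null".into())
        ));
    }
    let record = format!(
        "{{\"control\":\"{}\",\"status\":\"{}\",\"findings\":[{}]}}",
        control.id,
        if compliant { "pass" } else { "fail" },
        findings.join(",")
    );
    (compliant, record)
}

fn main() {
    let sample = "# constructed sample\nPort 22\nPasswordAuthentication yes\n";
    let (_, evidence) = prove(&SSH_HARDENING, sample);
    println!("before: {evidence}");
    let fixed = enforce(&SSH_HARDENING, sample);
    let (_, evidence) = prove(&SSH_HARDENING, &fixed);
    println!("after:  {evidence}");
}
```

Running `prove` before and after `enforce` is the point of the pattern: the same check that gates the configuration also produces the artefact an auditor asks for, so evidence is generated as a side effect of enforcement rather than collected by a separate tool.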
| NIS2 Obligation | Traditional Approach | NixFleet |
|---|---|---|
| Change traceability | SIEM + separate tools (+€30k/yr) | Every change = signed Git commit |
| Incident recovery <24h | Manual runbooks, uncertain outcome | Atomic rollback < 90 seconds |
| Supply chain security | Separate SBOM tools, manual integration | Auto-generated SBOM from flake.lock |
| Cryptography (Art. 21h) | Per-system manual config, inconsistent | LUKS + mTLS + TLS policy, fleet-wide |
| Access control (Art. 21i) | Separate IAM, manual CMDB | SSH hardening + access audit built-in |
| Asset inventory | Expensive CMDB, often inaccurate | Complete inventory in nixosConfigurations |
| Capability | Ansible / Puppet | Jamf / Intune | Colmena | NixFleet |
|---|---|---|---|---|
| Bitwise reproducibility | No | No | Yes | Yes |
| Full sovereignty (self-hosted) | Partial | No | Yes | Yes |
| Commercial support / SLA | Yes | Yes | No | Yes |
| Atomic fleet rollback | No | No | No | Yes |
| Built-in NIS2 compliance | No | No | No | Yes |
| Rollout strategies | Manual | Limited | No | Yes |
| Evidence collection | No | Partial | No | Yes |
European SMBs and mid-market enterprises (50-500 employees) subject to NIS2, without dedicated compliance teams. These organizations face regulatory pressure but lack the budget and staff to stack traditional tools.
| Country | Opportunity |
|---|---|
| France | 15,000+ NIS2 entities, largest EU market |
| Germany | BSI sovereignty mandate |
| Netherlands | Strong NixOS community |
| Belgium | EU institutions headquarters |
| Switzerland | Finance, pharma, neutrality |
| Nordics | High digital maturity |
| Solution | Cost |
|---|---|
| Ansible + AWX + compliance | €80-150k |
| Jamf / Intune | €40-100k |
| NixFleet Pro | €6-36k |
Open-core model: the engine is open source (MIT/AGPL), commercial value lies in enterprise orchestration and compliance expertise. Clients never depend on NixFleet — if they leave, their Nix configuration works without us.
| Tier | Price | Target |
|---|---|---|
| Community | Free | < 10 machines |
| Pro | €499-2,999/mo | 10-200 machines, SMBs |
| Enterprise | €50-500k/yr | 200+ machines |
| Sovereign | Custom | Government, defense |
| Service | Description |
|---|---|
| NIS2 Audit | Gap analysis + remediation plan |
| Pilot | Audit + deployment on 5-10 machines |
| Migration | Transition from Ansible/Puppet |
| Training | Nix/NixOS for infrastructure teams |
| Status | Phase | Scope |
|---|---|---|
| Done | Phase 0-4 | Nix simplification, Rust hardening (mTLS, audit), fleet orchestration, infra modules, compliance framework |
| In progress | Phase 5 | Open source launch: documentation, templates, public repos |
| Next | Phase 6 | Outreach and pilots: ANSSI, consulting partners, Horizon Europe, 3 pilots |
| Blocked | Phase 7 | Enterprise: multi-tenant, RBAC, dashboard — pending pilot feedback |
NIS2-regulated operators (5-10 machines) for a free 3-month pilot. You get the audit + deployment, we get a real-world use case.
Firms with NIS2/DORA expertise (Capgemini, Wavestone, Deloitte). Co-pilot model: your regulatory expertise + our platform.
Horizon Europe CL3 consortium (deadline Sept. 2026). Formal verification, security audit, compliance research.