Nixisolated
Qubes-inspired workflow isolation for NixOS using MicroVMs.
The goal of this repository is to design and implement a workstation layout that:
- isolates secrets by activity and trust domain,
- limits the blast radius of supply-chain compromise,
- keeps risky internet-sourced work disposable,
- stays usable enough for daily development and communication.
The current design is documented in docs/ARCHITECTURE.md.
The first implementation scaffold will expose:
- reusable NixOS modules for host and guest policy,
- template and profile modules for each VM class,
- a reference host module you can import into a real machine config,
- disposable VM definitions built from template-based guest configs.
Trying It
Right now, the repository is best treated as a design-aware scaffold.
What you can already try:
- fetch the flake inputs,
- evaluate or build a guest runner,
- launch a guest imperatively with `nix run`,
- import the reference host module into a real NixOS host later.
See docs/BOOTSTRAP.md for the exact commands and current limitations.
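To make the scaffold's template/profile split and the `nix run` launch concrete, here is an added example flake that is not the repository's own code. It layers a shared guest template (read-only host store, no sudo, no SSH, no persistent disk) under two per-class profiles, one internet-facing and disposable, one trusted and air-gapped, on top of microvm.nix. The VM names, the `mkGuest` helper, the tap id, the MAC address, the volume size and the package choices are assumptions for illustration only; the `microvm.*` option names are the ones microvm.nix documents.

```nix
{
  # Added example, not the nixisolated repository's flake. Names marked
  # "assumption" are illustrative and not taken from the project.
  description = "Template-plus-profile MicroVM guests (illustrative)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    microvm.url = "github:astro/microvm.nix";
    microvm.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, microvm, ... }:
    let
      system = "x86_64-linux";

      # Guest template: policy every guest class inherits.
      guestTemplate = { lib, ... }: {
        microvm.hypervisor = "cloud-hypervisor";
        microvm.mem = 1024;
        microvm.vcpu = 2;
        # Host /nix/store is shared read-only, so a compromised guest cannot
        # tamper with closures the host built for other guests.
        microvm.shares = [{
          proto = "virtiofs";
          tag = "ro-store";
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
        }];
        # No writable store overlay and no volumes by default: the guest is
        # rebuilt from its closure on every boot, which is what makes it disposable.
        users.mutableUsers = false;
        security.sudo.enable = false;
        services.openssh.enable = false;
        networking.firewall.enable = true;
        networking.firewall.allowedTCPPorts = [ ];
        # Guests never evaluate or build Nix themselves; the host does that.
        nix.enable = false;
        system.stateVersion = "24.05";
      };

      # Profile for internet-sourced work (name is an assumption): gets a tap
      # NIC that the host is expected to attach to a filtered bridge, carries
      # no secrets and no shares beyond the read-only store.
      untrustedWebProfile = { pkgs, ... }: {
        networking.hostName = "untrusted-web";
        microvm.interfaces = [{
          type = "tap";
          id = "vm-web";                 # assumption: host must create this tap
          mac = "02:00:00:00:00:10";     # assumption: locally administered MAC
        }];
        environment.systemPackages = [ pkgs.firefox ];
      };

      # Profile for trusted development (name is an assumption): persistent
      # /home but no network interface at all; code and secrets reach it only
      # through an explicit host-side share added by a later phase.
      devTrustedProfile = { pkgs, ... }: {
        networking.hostName = "dev-trusted";
        microvm.interfaces = [ ];
        microvm.volumes = [{
          image = "dev-home.img";        # assumption
          mountPoint = "/home";
          size = 4096;                   # MiB, assumption
        }];
        environment.systemPackages = with pkgs; [ git neovim ];
      };

      # Helper (assumption): one guest = microvm module + template + profile.
      mkGuest = profile: nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [ microvm.nixosModules.microvm guestTemplate profile ];
      };
    in {
      nixosConfigurations = {
        untrusted-web = mkGuest untrustedWebProfile;
        dev-trusted = mkGuest devTrustedProfile;
      };
    };
}
```

With this flake in a directory, `nix flake lock` fetches the inputs, `nix build .#nixosConfigurations.untrusted-web.config.microvm.declaredRunner` builds the runner, and `nix run` on the same attribute launches the guest imperatively with a serial console; the `untrusted-web` attribute name is an assumption of this example, so substitute whatever the repository's docs/BOOTSTRAP.md actually names. Two checks worth making before trusting the isolation: confirm that `/nix/store` inside the guest is mounted read-only (the `ro-store` share) and that the `dev-trusted` guest really has no NIC (`ip link` inside it should show only `lo`). Running tap-backed guests also requires the host to create the `vm-web` tap and attach it to a bridge with forwarding rules; that host-side network policy is exactly the later phase the roadmap lists and is deliberately not part of this example.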
Implementation will follow the architecture in phases:
- minimal host orchestration,
- reusable VM profiles and templates,
- disposable project sandboxes,
- secret delivery and network policy,
- ergonomics and day-to-day workflow polish.