For headless Raspberry Pi bring-up on NixOS, image-time secret injection is often more reliable than first-boot decryption on the device. Here's the provisioning flow, the brittle design we tried first, and why bootstrap state belongs under /var/lib rather than /etc.
A practical BorgBackup setup for NixOS with rsync.net: the manual CLI basics first, then a clean declarative `services.borgbackup.jobs` configuration with `sops-nix`, retention, pre-backup dump chaining, and restore verification.
How to install NixOS on cheap VPS instances with 768MB–1GB RAM using nixos-infect and a custom kexec image for nixos-anywhere.
Private repos return a 404, not a 401, and you're debugging the wrong thing. Here's how to configure Nix access-tokens, manage them with sops-nix on NixOS and macOS, create properly-scoped GitHub tokens, and handle the edge cases — remote builders, the daemon, and fresh hosts.
Upgrading PostgreSQL across four major versions on a NixOS server using flake-native scripts — reproducible, atomic, and with human checkpoints where they matter.
Hard-won patterns for packaging Elixir releases with Nix, running multiple instances on the same host, and avoiding the pitfalls that NixOS makes easy to fall into.
When your NixOS host needs decrypted secrets to build its own configuration but can't decrypt them until after it's built — and how nixos-rebuild's --target-host and --build-host flags solve the chicken-and-egg problem elegantly.
How to take over an OVH Kimsufi dedicated server with nixos-anywhere, disko, and mdadm RAID — plus wrestling with Java Web Start KVM consoles in 2026.
Why I wrote a simple Prometheus exporter for FreeBSD bhyve VMs managed by vm-bhyve, and how to use it.
How a Rust-based template generator turns the boilerplate of adding a new NixOS host to a dotfiles flake into a guided, repeatable process.