This page is served by a NixOS system running inside a Kata Containers microVM with hardware isolation. The entire system — OS, services, configuration — is defined in a Nix flake and deployed as a single OCI image.
Each VM gets a virtual TPM backed by swtpm on the host. At first boot, an age identity is generated from the TPM. Secrets are encrypted with sops and decrypted at boot by sops-nix using the TPM-backed age key. No secret material touches disk unencrypted.
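To make the secrets pipeline above concrete, here is an added example of the NixOS side of such a setup, written in the style of a sops-nix module. It is not the page's own configuration: the tmpfs key path, the `web` service and user, the secret names, and the `.sops.yaml` public key are all assumptions. The TPM-to-age derivation itself is left out, since the page does not describe how it is done; the module only shows how sops-nix is pointed at the resulting identity so that plaintext exists only on tmpfs.

```nix
# Added example (not the page's own configuration): a sops-nix module for a
# NixOS host whose age identity is produced at first boot and kept off disk.
# The key path, the "web" service/user, and the secret names are assumptions.
{ config, lib, pkgs, ... }:

let
  # Assumption: a first-boot unit writes the TPM-derived age identity here.
  # /run is tmpfs, so the private key never lands on persistent storage.
  ageKeyFile = "/run/tpm-age/key.txt";
in
{
  sops = {
    # Ciphertext checked into the flake repo; only the encrypted file is
    # stored, so it can live next to the rest of the configuration.
    # The matching repo-side rule (assumed, with a placeholder recipient):
    #   # .sops.yaml
    #   creation_rules:
    #     - path_regex: secrets/web\.yaml$
    #       age: age1<TPM-DERIVED-PUBLIC-KEY-PLACEHOLDER>
    defaultSopsFile = ./secrets/web.yaml;

    # Decrypt only with the TPM-derived identity: no SSH-host-key fallback,
    # and never let sops-nix mint a random key when the file is missing,
    # which would silently break the "one identity per VM" property.
    age.keyFile = ageKeyFile;
    age.sshKeyPaths = [ ];
    age.generateKey = false;

    secrets = {
      # Decrypted into /run/secrets (tmpfs) during activation and readable
      # only by the service user that needs it; the unit is restarted when
      # the ciphertext changes.
      "web/session-key" = {
        owner = config.users.users.web.name;
        group = config.users.users.web.group;
        mode = "0400";
        restartUnits = [ "web.service" ];
      };
      "web/db-password" = {
        owner = config.users.users.web.name;
        group = config.users.users.web.group;
        mode = "0400";
        restartUnits = [ "web.service" ];
      };
    };
  };

  # Dedicated unprivileged identity for the service that consumes the secrets.
  users.users.web = {
    isSystemUser = true;
    group = "web";
  };
  users.groups.web = { };
}
```

The two settings worth checking on a real host are `age.generateKey = false` and the empty `age.sshKeyPaths`: with either left at a permissive value, a VM whose TPM-derived key failed to appear could still activate with a different identity, and the failure would surface as undecryptable secrets rather than as a refusal to boot the service.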
Single bare-metal node. Dual-stack IPv4 + IPv6. MetalLB for LoadBalancer services. Every pod runs in its own hardware-isolated VM — there is no shared kernel between tenants.