Create a private PaaS on Hetzner Cloud or your own servers in minutes. Leverage NixOS and Nix Packages to build a reproducible and auditable private cloud for your projects.
Why nix-infra? You want to move away from click-ops and embrace infrastructure-as-code and reproducibility. You want to avoid vendor lock-in and unpredictable cloud bills. There is a future for private PaaS solutions in a world where privacy and cost control are primary concerns; we just need to build it on a robust foundation.
- Low and predictable cost — provision from scratch on Hetzner Cloud or deploy to your existing servers via SSH
- Reproducible and auditable — 100% configuration in code
- Privacy — all data within your private walled garden
- Easy to debug — zero blackbox services
- Extensible — install anything that runs on NixOS or as an OCI container
- Customisable — modify and share modules to build your perfect private PaaS
- Fleet mode — manage standalone NixOS machines or groups of independent servers
- Cluster mode — HA clusters with etcd, encrypted overlay network (Flanneld + WireGuard), and service mesh (HAProxy + confd)
- Secrets management — encrypted secrets with OpenSSL pbkdf2, three input methods (inline, file, stdin), systemd-creds runtime decryption
- Provider abstraction — Hetzner Cloud and self-hosted servers (including VMware via nixos-infect mutations), with automatic detection
- Container registry — private OCI image distribution
- MCP servers — experimental AI-assisted infrastructure management via Claude or other MCP-compatible assistants
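The secrets feature above rests on an OpenSSL pbkdf2 round trip; here is an added illustration of that mechanism fed by the three input methods listed (inline, file, stdin), written for this README and not taken from nix-infra's own code. The cipher, iteration count and the SECRET_PASS variable are assumptions; nix-infra's actual command surface is in the Secrets guide.

```shell
#!/bin/sh
# Added example, not nix-infra's own code: the OpenSSL pbkdf2 round trip
# behind the "Secrets management" feature, fed by the README's three input
# methods (inline, file, stdin). Cipher, iteration count and SECRET_PASS are
# assumptions for illustration only.
set -eu

# Passphrase comes from the environment (SECRET_PASS) rather than argv, so it
# does not show up in `ps` output for other local users.
encrypt_secret() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -a -A -pass env:SECRET_PASS
}

decrypt_secret() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a -A -pass env:SECRET_PASS
}

# Encrypt a secret from one of the three input methods; prints one-line base64.
encrypt_from() {
  case "$1" in
    inline) printf '%s' "$2" | encrypt_secret ;;
    file)   encrypt_secret < "$2" ;;
    stdin)  encrypt_secret ;;
    *)      echo "unknown input method: $1" >&2; return 2 ;;
  esac
}

# Returns 0 when every input method round-trips and a wrong passphrase does not
# recover the plaintext (checked on the output, since CBC padding may pass by chance).
roundtrip_check() {
  plain="constructed-sample-db-password"
  tmp=$(mktemp); printf '%s' "$plain" > "$tmp"
  for method in inline file stdin; do
    ct=$(
      export SECRET_PASS=correct-horse
      case "$method" in
        inline) encrypt_from inline "$plain" ;;
        file)   encrypt_from file "$tmp" ;;
        stdin)  printf '%s' "$plain" | encrypt_from stdin ;;
      esac
    )
    got=$(export SECRET_PASS=correct-horse; printf '%s' "$ct" | decrypt_secret)
    [ "$got" = "$plain" ] || { rm -f "$tmp"; return 1; }
  done
  rm -f "$tmp"
  bad=$(export SECRET_PASS=wrong; printf '%s' "$ct" | decrypt_secret 2>/dev/null || true)
  [ "$bad" != "$plain" ]
}
```

Run `roundtrip_check && echo ok` to confirm the three paths agree and that a wrong passphrase yields no plaintext.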
- Download and install the nix-infra binary
- SSH and OpenSSL installed on your workstation
- A Hetzner Cloud API token or existing servers accessible via SSH
Option 1: High-availability cluster
Use the nix-infra-ha-cluster template for a fault-tolerant multi-node cluster with service mesh and overlay networking.
Option 2: Fleet of standalone machines
Use the nix-infra-machine template for managing individual machines or fleets without cluster orchestration.
Each template contains detailed instructions. You can either run the provided test script to automate installation, or clone the repo and create custom automation scripts.
Comprehensive documentation is available in the docs/ directory:
| Guide | Description |
|---|---|
| Documentation Home | Entry point with overview and navigation |
| Architecture | How nix-infra works internally — CLI structure, provider abstraction, deployment flow, service mesh |
| Providers | Infrastructure providers — Hetzner Cloud, self-hosted servers, hybrid mode, VMware provisioning |
| Fleet Guide | Managing standalone machines — setup, commands, day-2 operations |
| Cluster Guide | HA clusters — control plane, worker nodes, etcd, service topology |
| Secrets | Secrets management — encryption, storage, deployment, pre-build secrets |
| Security | Security model — transport, encryption, PKI, known limitations, recommendations |
Install Nix (choose one):
- https://nixos.org/download/
- https://github.com/DeterminateSystems/nix-installer (supports uninstall)

Clone and build:

```sh
nix-shell -p dart   # if you don't have a recent version of Dart
git clone git@github.com:jhsware/nix-infra.git
cd nix-infra && ./build.sh
# output: bin/nix-infra
```

Run the end-to-end tests:

```sh
scripts/end-to-end-tests/test-nix-infra-ha-cluster.sh --env=./.env
scripts/end-to-end-tests/test-nix-infra-test.sh --env=./.env
```

Release process:
- Update version in pubspec.yaml
- Build macOS binary: `./build.sh build-macos --env=.env`
- Package and notarise macOS binary
- Run build workflow to create draft release with Linux binary
- Add macOS binary to release
- Add release notes
- Publish release