nex + styrene
nex and styrene are complementary tools. nex sets up the machine. styrene operates the mesh.
The boundary
nex handles everything that works on a cold machine with just files on disk — no daemon needed:
- Package management (install, remove, adopt, update)
- Machine provisioning (init, forge, polymerize, profile)
- Operator identity (identity init, ssh, git, link)
- Machine health (doctor, self-update)
styrene handles everything that requires the mesh daemon:
- Mesh status and peer discovery
- LXMF messaging
- Fleet operations (remote exec, reboot)
- Tunnel management
- Announce and transport control
The handoff
nex init # bootstrap nix + homebrew
nex identity init # create StyreneIdentity
nex identity git # configure git signing
nex identity ssh --add github # register SSH key
nex install ykman # install security tools
styrened # start mesh node (loads identity)
styrene status # verify mesh is live
styrene peers # see who's out thereBoth tools share ~/.config/styrene/identity.key. The identity file is the artifact that bridges cold-start setup to runtime mesh operations.
Profile signing
Profiles are deterministic, signable declarations of machine state. The operator signs a profile with their StyreneIdentity, and the target node verifies the signature before applying.
# Sign a profile (resolves extends chain, canonicalizes, signs with Ed25519)
nex profile sign styrene-lab/edge-profile
# Verify (public-key only — no passphrase or identity file needed)
nex profile verify styrene-lab_edge-profile.signed.toml
# Apply (same as before)
nex profile apply styrene-lab/edge-profileThis is the foundation for styrene fleet apply — push signed profiles to remote nodes over the mesh, verified against the operator’s RBAC allowlist.
Interactive forge
nex forge with no arguments walks through the entire process interactively:
$ nex forge
Profile (GitHub user/repo, local path, or blank for generic): styrene-lab/edge
Hostname for target [nixos]: edge-alpha
Target architecture:
1. x86_64 (Intel/AMD)
2. aarch64 (Raspberry Pi, ARM)
> 1
Flash to USB:
1. /dev/disk4 SanDisk Ultra 32GB
2. Skip (build bundle only)
> 1
Pre-configure WiFi for first boot? yes
WiFi SSID: MyNetwork
WiFi password: ********
Bake SSH key for target access? yes
✓ USB readyAll flags still work — pass --hostname, --disk, etc. to skip the corresponding prompt.
Provisioning chain
nex’s provisioning commands create machines that styrene operates:
nex profile apply user/my-profile— apply a machine profilenex forge user/my-profile --disk /dev/sdX— burn a NixOS USB with the profile baked in- Boot the target →
nex polymerize— install NixOS with the profile - The installed machine starts
styrene daemonon boot - It announces on the mesh and appears in
styrene peers
The identity created by nex identity init on the operator’s workstation signs the profile. The identity derived by styrene daemon on the target machine is separate — it’s the machine’s identity, not the operator’s.
Package management for mesh tools
nex includes aliases for security hardware and mesh tooling:
nex install ykman # YubiKey Manager
nex install fido2 # libfido2
nex install opensc # smart card tools
nex install pcsc-tools # PC/SC diagnosticsThese are the OS-level prerequisites for hardware-backed identity (YubiKey FIDO2).
Where config lives
| What | Where | Managed by |
|---|---|---|
| Nix packages | nix-darwin/NixOS repo (.nix files) | nex |
| Identity file | ~/.config/styrene/identity.key | nex or styrene |
| Identity config (SSH labels, git name/email) | ~/.config/nex/config.toml | nex |
| Daemon config | ~/.config/styrene/config.yaml or ~/.styrene/ | styrene |
| Daemon database | ~/.styrene/store.db | styrene |
| Daemon IPC socket | $XDG_RUNTIME_DIR/styrened/control.sock | styrene |
See also
- Identity — the shared cryptographic root
- Styrene CLI — runtime mesh commands
- Getting Started — full setup walkthrough
- Components — architectural overview