Most personal sites treat deployment as an afterthought. This one treats it as content. The source repo exposes a Nix flake, the host consumes it as a pinned input, and nginx stays a thin TLS edge in front of a user-owned router.
That gives every homepage edit a provenance chain: source commit, flake lock, Nix store path, systemd unit, and public HTTP response.
- Source lives under
/data/lazrossi/code/lazare.ai. - Deployment lives under
/home/lazrossi/nixos-config. - Runtime binds loopback only; nginx publishes
https://lazare.ai.