Most personal sites treat deployment as an afterthought. This one treats it as content. The source repo exposes a Nix flake, the host consumes it as a pinned input, and nginx stays a thin TLS edge in front of a user-owned router.

That gives every homepage edit a provenance chain: source commit, flake lock, Nix store path, systemd unit, and public HTTP response.

  • Source lives under /data/lazrossi/code/lazare.ai.
  • Deployment lives under /home/lazrossi/nixos-config.
  • Runtime binds loopback only; nginx publishes https://lazare.ai.
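The chain above can be audited link by link. This is an added example, not code from the site's repo: it checks a `flake.lock` input, a systemd unit's `ExecStart`, and the runtime's listen address. The input name `site`, the unit text, the port and all hashes are constructed assumptions.

```python
import ipaddress
import json
import re

# Nix store paths: /nix/store/<32 chars of Nix base32>-<name>
STORE_PATH = re.compile(r"/nix/store/[0-9a-df-np-sv-z]{32}-[^/\s]+")

def locked_input(lock_text, name):
    """Resolve a root input name to its 'locked' record in flake.lock."""
    lock = json.loads(lock_text)
    key = lock["nodes"][lock["root"]]["inputs"][name]
    if not isinstance(key, str):  # a list here is a 'follows' path, not a node key
        raise ValueError(f"input {name!r} follows another input")
    return lock["nodes"][key]["locked"]

def audit(lock_text, name, unit_text, listen):
    """Return a list of broken links in the chain; empty means every check passed."""
    findings = []
    locked = locked_input(lock_text, name)
    # A path-type input locks a narHash but no rev, so the commit link is lost.
    if not re.fullmatch(r"[0-9a-f]{40}", locked.get("rev", "")):
        findings.append("input is not locked to a full commit hash")
    if not locked.get("narHash", "").startswith("sha256-"):
        findings.append("input has no sha256 narHash")
    m = re.search(r"^ExecStart=[-@:+!]*(\S+)", unit_text, re.M)
    if not (m and STORE_PATH.match(m.group(1))):
        findings.append("ExecStart does not run from the Nix store")
    host = listen.rsplit(":", 1)[0].strip("[]")
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostnames are not resolved here; treat as unverified
        loopback = False
    if not loopback:
        findings.append(f"runtime listens on non-loopback address {host}")
    return findings

# Constructed sample data (input name, hashes, unit text and port are assumptions).
def sample_lock(locked):
    return json.dumps({"version": 7, "root": "root", "nodes": {
        "root": {"inputs": {"site": "site"}}, "site": {"locked": locked}}})

GIT_LOCKED = {"type": "git", "rev": "0123456789abcdef" * 2 + "01234567",
              "narHash": "sha256-" + "A" * 43 + "="}
UNIT = "[Service]\nExecStart=/nix/store/0123456789abcdfghijklmnpqrsvwxyz-site/bin/site\n"

if __name__ == "__main__":
    print(audit(sample_lock(GIT_LOCKED), "site", UNIT, "127.0.0.1:8080"))
```

The script does not prove that the store path was built from the locked rev; that link still needs a rebuild or a comparison against the output of the pinned flake.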