Basic vocabulary for administering a DNF network. The following pages refer to it without redefining it.
DNF is entirely based on Nix / NixOS. Key concepts to know before administering the fleet:

| Term | Description |
|---|---|
| Nix | Declarative package manager: you describe the desired state, Nix builds it identically. |
| NixOS | The Linux distribution built on Nix: the entire system (packages, services, network) is described in code. |
| Declarative | You declare what (the result), not how (the commands): the same code produces the same system. |
| Reproducible | Same inputs → same system, on any machine, at any time. |
| Derivation | The “recipe” for building an element (package, config), evaluated by Nix. |
| Store (/nix/store) | Immutable repository of built artifacts, identified by a hash. Nothing gets overwritten. |
| Flake | Nix project unit with pinned inputs (flake.lock): frozen and reproducible versions. |
| Generation | A complete, timestamped system state. Each deployment creates a new one. |
| Rollback | Revert to a previous generation (at boot or hot): a failed deployment is never final. |
| Home Manager | Declaratively manages a user’s environment (apps, desktop, dotfiles). |
| Term | Description |
|---|---|
| Zone | Autonomous subnet (home LAN, guest network, remote site…). /16 IP prefix, one gateway, its hosts. |
| Node | Any machine on the network: workstation, server, gateway, coordination server. |
| Gateway | Border node of a zone: router, firewall, DNS/DHCP, VPN client. One per zone, fixed IP <prefix>.1.1. |
| Coordination server (HCS) | Public node that orchestrates the mesh VPN (Headscale) and hosts shared services between zones. |
| VPN (tailnet) | The mesh that connects all zones and remote machines, via Headscale + Tailscale. |
| Term | Description |
|---|---|
| Host | Managed NixOS node, declared in etc/config.yaml. |
| Host profile | Template that defines a host’s role (gateway, server, desktop, laptop, portable, hcs, vm…). See Host profiles. |
| User profile | Home Manager environment for an account (nix-admin, normal, student, child…). |
| Groups | Connect users and hosts: they determine who can connect where. |
| Services | Self-hosted bricks activated per host (Nextcloud, Immich, Forgejo…). See Services. |
| Features | Non-service options activated per host (monitoring-node, nfs-client…). |
Everything comes from a single declarative file, turned into NixOS configuration:
| Location | Role |
|---|---|
| etc/config.yaml | The source of truth: network, zones, users, hosts, services. |
| dnf/ | The framework: modules, profiles, libraries. Reusable, rarely modified. |
| usr/ | The local project (writable): module and profile overrides, machines, secrets. |
| var/generated/ | Generated Nix code from etc/config.yaml (never edit manually). |
| doc/ | This documentation. |
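The zone and gateway rules stated above (one /16 prefix per zone, exactly one gateway per zone, gateway fixed at <prefix>.1.1, every host inside its zone's prefix) can be checked before the config is turned into Nix code. The following is an added example, not part of DNF; the dictionary layout (`zones`, `hosts`, `prefix`, `profile`, `ip`) is an assumed stand-in for etc/config.yaml, whose real schema this page does not show.

```python
"""Check the zone/gateway invariants from the glossary against a parsed config."""
import ipaddress

# Constructed sample in an ASSUMED layout (hypothetical keys, not DNF's schema).
# office-gw deliberately breaks the "<prefix>.1.1" rule so the check has work to do.
SAMPLE_CONFIG = {
    "zones": {
        "home": {"prefix": "10.10.0.0/16"},
        "office": {"prefix": "10.20.0.0/16"},
    },
    "hosts": {
        "home-gw": {"zone": "home", "profile": "gateway", "ip": "10.10.1.1"},
        "home-nas": {"zone": "home", "profile": "server", "ip": "10.10.2.5"},
        "office-gw": {"zone": "office", "profile": "gateway", "ip": "10.20.5.1"},
        "hcs": {"zone": None, "profile": "hcs", "ip": "203.0.113.7"},
    },
}


def expected_gateway_ip(prefix: str) -> str:
    """Gateway address for a /16 zone: first two octets of the prefix, then .1.1."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen != 16:
        raise ValueError(f"zone prefix must be /16, got {prefix}")
    first, second, _, _ = str(net.network_address).split(".")
    return f"{first}.{second}.1.1"


def check_zones(config: dict) -> list[str]:
    """Return one message per violated invariant; an empty list means consistent."""
    problems = []
    gateways = {name: [] for name in config["zones"]}
    for host, h in config["hosts"].items():
        zone = h.get("zone")
        if zone is None:
            continue  # public node outside every zone, e.g. the HCS
        if zone not in config["zones"]:
            problems.append(f"{host}: unknown zone {zone!r}")
            continue
        net = ipaddress.ip_network(config["zones"][zone]["prefix"], strict=True)
        if ipaddress.ip_address(h["ip"]) not in net:
            problems.append(f"{host}: {h['ip']} is outside zone {zone} ({net})")
        if h.get("profile") == "gateway":
            gateways[zone].append(host)
            want = expected_gateway_ip(str(net))
            if h["ip"] != want:
                problems.append(f"{host}: gateway IP must be {want}, got {h['ip']}")
    for zone, gws in gateways.items():
        if len(gws) != 1:
            problems.append(f"zone {zone}: expected exactly one gateway, found {gws}")
    return problems
```

Run it on the real YAML by loading etc/config.yaml into the same shape and passing the result to `check_zones`.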