nex + styrene

nex and styrene are complementary tools. nex sets up the machine. styrene operates the mesh.

The boundary

nex handles everything that works on a cold machine with just files on disk — no daemon needed:

• Package management (install, remove, adopt, update)
• Machine provisioning (init, forge, polymerize, profile)
• Operator identity (identity init, ssh, git, link)
• Machine health (doctor, self-update)

styrene handles everything that requires the mesh daemon:

• Mesh status and peer discovery
• LXMF messaging
• Fleet operations (remote exec, reboot)
• Tunnel management
• Announce and transport control

The handoff

nex init                    # bootstrap nix + homebrew
nex identity init           # create StyreneIdentity
nex identity git            # configure git signing
nex identity ssh --add github  # register SSH key
nex install ykman           # install security tools

styrened                    # start mesh node (loads identity)
styrene status              # verify mesh is live
styrene peers               # see who's out there

Both tools share ~/.config/styrene/identity.key. The identity file is the artifact that bridges cold-start setup to runtime mesh operations.

Profile signing

Profiles are deterministic, signable declarations of machine state. The operator signs a profile with their StyreneIdentity, and the target node verifies the signature before applying.

# Sign a profile (resolves extends chain, canonicalizes, signs with Ed25519)
nex profile sign styrene-lab/edge-profile

# Verify (public-key only — no passphrase or identity file needed)
nex profile verify styrene-lab_edge-profile.signed.toml

# Apply (same as before)
nex profile apply styrene-lab/edge-profile

This is the foundation for styrene fleet apply — push signed profiles to remote nodes over the mesh, verified against the operator’s RBAC allowlist.

Interactive forge

nex forge with no arguments walks through the entire process interactively:

$ nex forge

  Profile (GitHub user/repo, local path, or blank for generic): styrene-lab/edge
  Hostname for target [nixos]: edge-alpha
  Target architecture:
    1. x86_64  (Intel/AMD)
    2. aarch64 (Raspberry Pi, ARM)
  > 1
  Flash to USB:
    1. /dev/disk4  SanDisk Ultra  32GB
    2. Skip (build bundle only)
  > 1
  Pre-configure WiFi for first boot? yes
    WiFi SSID: MyNetwork
    WiFi password: ********
  Bake SSH key for target access? yes

  ✓ USB ready

All flags still work — pass --hostname, --disk, etc. to skip the corresponding prompt.

Provisioning chain

nex’s provisioning commands create machines that styrene operates:

1. nex profile apply user/my-profile — apply a machine profile
2. nex forge user/my-profile --disk /dev/sdX — burn a NixOS USB with the profile baked in
3. Boot the target → nex polymerize — install NixOS with the profile
4. The installed machine starts styrene daemon on boot
5. It announces on the mesh and appears in styrene peers

The identity created by nex identity init on the operator’s workstation signs the profile. The identity derived by styrene daemon on the target machine is separate — it’s the machine’s identity, not the operator’s.

Package management for mesh tools

nex includes aliases for security hardware and mesh tooling:

nex install ykman        # YubiKey Manager
nex install fido2        # libfido2
nex install opensc       # smart card tools
nex install pcsc-tools   # PC/SC diagnostics

These are the OS-level prerequisites for hardware-backed identity (YubiKey FIDO2).

Where config lives

See also

• Identity — the shared cryptographic root
• Styrene CLI — runtime mesh commands
• Getting Started — full setup walkthrough
• Components — architectural overview