Keystone Systems

Keystone OS

The immutable, secure operating system based on NixOS. It comes in two primary variants:

Server: Optimized for headless operation, providing robust services, networking, and storage capabilities.
Desktop: A feature-rich Graphical User Interface (GUI) environment tailored for laptops and workstations, offering a consistent and secure user experience.
Comes installed with the Keystone TUI.

Example: NixOS Configuration with Keystone Flake

You can manage your entire system configuration, including hardware, services, and users, using NixOS flakes. Here's an example demonstrating how to define a NixOS configuration for a workstation, integrating Home Manager through NixOS:

NixOS Workstation Configuration

{
  description = "A very basic flake";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    keystone.url = "github:ncrmro/keystone";
  };

  outputs = { self, nixpkgs, keystone, ... }@inputs: {
    # NixOS Configuration
    # Manages the entire system configuration (kernel, system services, hardware, networking, users, etc.).
    #
    # To apply changes for 'jdoe-workstation':
    # $ sudo nixos-rebuild switch --flake .#jdoe-workstation
    nixosConfigurations = {
      "jdoe-workstation" = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/jdoe-workstation/default.nix

          # Example: Managing Home Manager through NixOS
          #
          # This approach allows you to manage user configurations (dotfiles) as part of the system generation.
          #
          # Benefits:
          # 1. Atomic Rollbacks: Reverting the system generation also reverts the home environment (dotfiles, packages).
          # 2. Sync: Ensures system and user configurations are always in sync.
          #
          # keystone.inputs.home-manager.nixosModules.home-manager
          # {
          #   home-manager.useGlobalPkgs = true;
          #   home-manager.useUserPackages = true;
          #   home-manager.users.jdoe = import ./home/jdoe/home.nix;
          #   home-manager.extraSpecialArgs = { inherit inputs; };
          # }
        ];
      };
    };
  };
}

Cross-OS comparison

This mirrors the comparison linked from the Keystone README, so the OS overview shows how Keystone stacks up against macOS, Windows, Ubuntu, and Omarchy in one place.

Feature	Keystone	macOS	Windows	Ubuntu	Omarchy
Full disk encryption	ZFS native + TPM2 auto-unlock	FileVault (APFS)	BitLocker (TPM)	LUKS (manual)	LUKS (manual)
Declarative config	Entire system via Nix flakes	Partial (defaults, profiles)	No	No	No
Reproducible builds	Yes - pinned inputs, binary cache	No	No	No	No
Self-hosted services	One-toggle enable with auto TLS/DNS	Manual or Docker	Manual or Docker	Manual or Docker	Manual or Docker
Desktop environment	Hyprland (tiling, 15 themes)	Aqua (proprietary)	Explorer (proprietary)	GNOME	Hyprland
Terminal environment	Zsh + Helix + Zellij + AI tools	Zsh + user choice	PowerShell / WSL	Bash + user choice	Zsh + user choice
AI agents	Sandboxed OS users with own UID, SSH keys, email, and desktop	Third-party only	Third-party only	Third-party only	Third-party only
Rollbacks	Instant (NixOS generations + ZFS snapshots)	Time Machine (slow)	System Restore (unreliable)	Snapper (if configured)	Timeshift (if configured)
Secure Boot	Custom key enrollment via lanzaboote	Apple Secure Boot	Microsoft keys	shim-signed	No
Multi-user	Declarative user accounts + agents	Yes	Yes	Yes	Yes