
NixOS-based firmware image with atomic A/B OTA updates, automatic rollback, and watchdog integration (currently disabled on Rock64 during development).

AtomicNix is a purpose-built firmware platform for Rock64 (RK3328, aarch64) edge gateway devices. Each device serves as a network security boundary compliant with EN18031, isolating legacy LAN devices from the internet while supporting provisioned application containers and Nixstasis-hosted remote management.

Why AtomicNix?

Remote embedded devices that receive over-the-air updates face a fundamental reliability problem: if an update fails mid-write or the new image doesn’t boot correctly, the device is bricked. Traditional package-manager approaches (e.g., apt upgrade) have a measurable failure rate from power loss, partial writes, and dependency conflicts.

AtomicNix eliminates this class of failure through:

  • Atomic A/B updates – installs to the inactive slot pair while the active slot stays online; no partial state
  • Automatic rollback – U-Boot boot-count logic falls back to the previous working slot after 3 consecutive boot failures
  • Hardware watchdog (currently disabled on Rock64) – integration and tests are in place; runtime enablement is pending final boot-stability validation on hardware
  • Local health-check confirmation – commits new slots only after verifying that all services and containers are healthy for a sustained 60-second window
  • Signed RAUC bundles – reproducible, CA-signed .raucb artifacts built from the Nix flake
  • Read-only root filesystem – squashfs rootfs with OverlayFS (tmpfs upper layer) prevents runtime drift; every boot starts from a known-good state
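The health-check confirmation step above, as an added shell example that is not AtomicNix project code: a probe must pass continuously for the whole window before the freshly booted slot is committed with RAUC, and a single failed probe restarts the window. The unit names, the podman runtime, the 10-minute overall deadline and the HEALTH_* variables are assumptions; `rauc status mark-good` and `rauc status mark-bad` are RAUC's own commands.

```shell
#!/usr/bin/env sh
# Added example (not project code): gate the RAUC slot commit behind a sustained
# health window. Assumed names: HEALTH_WINDOW, HEALTH_INTERVAL, UNITS, podman.
HEALTH_WINDOW="${HEALTH_WINDOW:-60}"     # seconds of continuous health required
HEALTH_INTERVAL="${HEALTH_INTERVAL:-5}"  # seconds between probes
UNITS="${UNITS:-nftables.service dnsmasq.service chrony.service}"  # assumed unit names

# One health probe: return 0 when healthy, 1 when anything is wrong.
check_health() {
    for u in $UNITS; do
        systemctl is-active --quiet "$u" || return 1
    done
    # Any provisioned container reporting an unhealthy healthcheck fails the probe
    # (assumes podman as the container runtime).
    [ -z "$(podman ps -a --filter health=unhealthy --format '{{.Names}}' 2>/dev/null)" ] || return 1
    return 0
}

# Run "$1" (a probe function) every HEALTH_INTERVAL seconds until it has passed for
# HEALTH_WINDOW consecutive seconds. A failure resets the window to zero. Returns 0
# once the window is sustained, 1 when "$2" seconds elapse without reaching it.
sustain_health() {
    probe="$1"; deadline="$2"; healthy_for=0; elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        if "$probe"; then
            healthy_for=$((healthy_for + HEALTH_INTERVAL))
        else
            healthy_for=0    # one bad probe restarts the whole window
        fi
        [ "$healthy_for" -ge "$HEALTH_WINDOW" ] && return 0
        sleep "$HEALTH_INTERVAL"
        elapsed=$((elapsed + HEALTH_INTERVAL))
    done
    return 1
}

# Commit or reject the slot that was just booted into.
confirm_slot() {
    if sustain_health check_health 600; then
        rauc status mark-good   # commit: clears the U-Boot boot counter, keeps this slot
    else
        rauc status mark-bad    # reject: next reboot falls back to the previous slot
        exit 1
    fi
}

case "${1:-}" in --confirm) confirm_slot ;; esac
```

In a deployment this would run as a oneshot service after boot, invoked with `--confirm`; until `mark-good` runs, the boot-count fallback remains armed.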

Supported Hardware

Board    SoC      Architecture   Storage
Rock64   RK3328   aarch64        16 GB eMMC

Key Properties

  • Reproducible – the entire system image is built from a single Nix flake with pinned inputs; same flake, same image
  • Immutable – the squashfs root filesystem is read-only; writable state lives on a dedicated /data partition
  • Testable – a NixOS VM integration test suite covers the update lifecycle, provisioning paths, forensic log durability, network security, and rollback behavior without physical hardware
  • EN18031 compliant – ships without default credentials; per-device credentials are provisioned at factory time; IP forwarding is disabled by default

Network Role

Each AtomicNix device acts as a gateway between an isolated LAN and the internet:

  • WAN (eth0): DHCP client, deny-by-default inbound; application/VPN ports are provisioned explicitly
  • LAN (eth1): Provisioned static IP, runs DHCP/DNS server (dnsmasq) and NTP server (chrony) for local devices
  • No routing: IP forwarding is disabled; LAN devices have zero internet access
  • Remote management: Nixstasis-hosted management and SSH key-only access; bootstrap stays LAN-local

Quick Start

# Build the flashable disk image set
mise run build

# Flash to eMMC (macOS)
mise run flash /dev/disk4

# Run all E2E tests
mise run e2e

# Run all E2E tests inside a Lima VM
mise run e2e --lima

See Building and Provisioning for detailed instructions.