Declarative infrastructure for compliance and certification

Declarative Infrastructure as Compliance Documentation: Talos, NixOS, and Audit-Ready Systems

Here’s how an ISO 27001 audit usually goes. Weeks before the auditor shows up, someone starts collecting screenshots. Configuration panels, firewall rules, a dashboard showing patches applied. Then come the Word documents describing what the systems are supposed to do. Then the change tickets, dug out of a ticketing system, each one referencing a vague “server maintenance” that nobody can fully reconstruct six months later. Everyone treats this as the cost of doing business. I did too, for years. ...

March 23, 2026 · 9 min read · Tom Meurs
NixOS vs Talos Linux for Kubernetes nodes comparison

NixOS vs Talos for Kubernetes Nodes: Two Flavors of Immutable Infrastructure

I’ve written about Talos Linux as the immutable Kubernetes OS, and I’ve compared Arch vs NixOS for workstations. One question keeps landing in my inbox after both: what about NixOS for the Kubernetes nodes themselves? It’s a fair question, because on paper these two look like siblings. NixOS and Talos are both declarative. Both can be immutable. Both put your configuration under version control. So why pick one over the other to run a cluster? ...

March 15, 2026 · 11 min read · Tom Meurs
Talos Linux immutable Kubernetes operating system

Talos Linux: The Immutable Kubernetes OS That Changed How I Think About Nodes

Here is how most of us run Kubernetes nodes. You install a general-purpose Linux distro, harden it with a CIS benchmark script, add an SSH key, set up a config management tool to keep drift in check, and then spend the next two years SSH-ing in to fix the things the config management tool didn’t catch. Every node is a little snowflake with its own history. We’ve accepted this as normal. ...

March 11, 2026 · 8 min read · Tom Meurs