This is my personal nix config which I use to maintain my whole infrastructure, including my homelab, external servers and my development machines.
| Type | Name | Hardware | Purpose | |
|---|---|---|---|---|
| 💻 | Laptop | nom | Gigabyte AERO 15-W8 (i7-8750H) | My laptop and my main portable development machine Framework when? |
| 🖥️ | Desktop | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming |
| 🖥️ | Server | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms. |
| 🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms. |
| 🖥️ | Server | sausebiene | Intel N100 | Home automation and IoT network isolation |
| 🥔 | Server | zackbiene | ODROID N2+ | Decomissioned. Old home assistant board |
| ☁️ | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services |
| ☁️ | VPS | envoy | Hetzner Cloud server | Mailserver |
An overview over what you will find in this repository. I usually put a lot of effort into all my configurations and try to go over every option in detail. I've included the major components in the lists below.
| ~~~~~~~~~~~~ | Program | Source | Description |
|---|---|---|---|
| 🐚 Shell | ZSH & Starship | Link | ZSH configuration with FZF, starship prompt, sqlite history and histdb-skim for fancy CtrlR |
| 🖥️ Terminal | Kitty | Link | Terminal configuration with nerdfonts and history CtrlShiftH to view scrollback buffer in neovim |
| 🪟 WM | niri | Link | Dynamic tiling window manager |
| 🔋 Bar | noctalia | Link | Statusbar, wallpaper and notifications |
| 🌐 Browser | Firefox | Link | Firefox with many privacy settings and betterfox |
| 🖊️ Editor | Neovim | Link | Extensive neovim configuration, made with nixvim |
| 📜 Manpager | Neovim | Link | Isolated neovim as manpager via nixvim |
| 📷 Screenshots | Custom based on grimblast | Link | Custom scripts utilizing grimblast for QR code detection and OCR / satty editing |
| 🎮 Gaming | Steam & Bottles | Link | Setup for gaming |
| Thunderbird | Link | Your regular thunderbird setup |
| ~~~~~~~~~~~~ | Service | Source | Description |
|---|---|---|---|
| 🛡️ Adblock | AdGuard Home | Link | DNS level adblocker |
| 🔒 SSO | Kanidm | Link | Identity provider for Single-Sign-On on my hosted services, with provisioning. |
| 🐙 Git | Forgejo | Link | Forgejo with SSO |
| 🔑 Passwords | Vaultwarden | Link | Self-hosted password manager |
| 📷 Photos | Immich | Link | Self-hosted photo and video management solution |
| 📄 Documents | Paperless | Link | Document management system. With per-user Samba share integration (consume & archive) |
| 📔 Notes | AFFiNE | Link | Next-gen knowledge base similar to Notion or Obsidian |
| 🗓️ CalDAV/CardDAV | Radicale | Link | Contacts, Calender and Tasks synchronization |
| 📁 NAS | Samba | Link | Network attached storage. Cross-integration with paperless |
| 🌐 VPN | Firezone | Link | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication |
| 🥗 Recipes | Mealie | Link | Recipe manager and meal planner |
| 🏠 Home Automation | Home Assistant | Link | Automation with Home Assistant and many related services |
| 📧 Mailserver | Stalwart | Link | Modern mail server setup with custom self-service alias management including Bitwarden integration |
| 🧱 Minecraft | PaperMC | Link | Minecraft game server. Autostart on connect, systemd service with background console, automatic backups |
| 🐒 Local LLM | Ollama & open-webui | Link | Local LLM and AI Chat |
| 📊 Dashboard | Grafana | Link | Logs and metrics dashboard and alerting |
| 📔 Logs DB | Loki | Link | Central log aggregation service |
| 📔 Logs Agent | Promtail | Link | Log shipping agent |
| 📚 TSDB | Influxdb2 | Link | Time series database for storing host metrics |
| ⏱️ Metrics | Telegraf | Link | Per-host collection of metrics |
(WIP)
| ~~~~~~~~~~~~ | Source | Description |
|---|---|---|
| 🗑️ Impermanence | Link | Only persist what is necessary. ZFS rollback on boot. Most configuration is will be next to the respective service / program configuration. |
- reverse proxy with wireguard tunnel
- restic
- static wireguard mesh
- unified guests interface for microvms and containers with ZFS integration
- zoned nftables
- Secret rekeying, generation and bootstrapping using agenix-rekey
- Remote-unlockable full disk encryption using ZFS on LUKS
- Automatic disk partitioning via disko
- Support for repository-wide secrets at evaluation time (hides PII like MACs)
If you are interested in parts of my configuration,
you probably want to examine the contents of users/, config/, modules/ and hosts/.
Also, a lot of interesting modules have been moved to nixos-extra-modules, a separate repository specifically for reusable stuff.
The full structure of this flake is described in STRUCTURE.md,
but here's a quick breakdown of the what you will find where.
config/ |
global configuration for all hosts |
config/optional/ |
optional configuration included by hosts |
hosts/<hostname> |
top-level configuration for <hostname> |
modules/ |
classical reusable configuration modules |
nix/ |
library functions and flake plumbing |
pkgs/ |
Custom packages and scripts |
secrets/ |
Global secrets and age identities |
users/ |
User configuration and dotfiles |
... incomplete.
- Add to
hostsinflake.nix - Create hosts/
- Fill net.nix
- Fill fs.nix (you need to know the device /dev/by-id paths in advance for partitioning to work!)
- Run
agenix generateandagenix rekey(create's dummy secrets for initial deploy)
- Create a bootable iso disk image with
nix build --print-out-paths --no-link .#images.<target-system>.live-iso, dd it to a stick and boot - (Alternative) Use an official NixOS live-iso and setup ssh manually
- Copy the installer from a local machine to the live system with
nix copy --to <target> .#nixosConfigurationsMinimal.config.system.build.installFromLive
Afterwards:
- Run
install-systemin the live environment, export your zfs pools and reboot - Retrieve the new host identity by using
ssh-keyscan <host/ip> | grep -o 'ssh-ed25519.*' > hosts/<host>/secrets/host.pub - (If the host has guests, also retrieve their identities!)
- Rekey the secrets for the new identity
nix run .#rekey - Deploy again
...
- Generate, edit and rekey secrets with
agenix <generate|edit|rekey>
To be able to decrypt the repository-wide secrets (files that contain my PII and are thus hidden from public view),
you will need to (be me and) add nix-plugins and point it to ./nix/extra-builtins.nix.
The devshell will do this for you automatically. If this doesn't work for any reason, this can also be done manually:
- Get nix-plugins:
NIX_PLUGINS=$(nix build --print-out-paths --no-link nixpkgs#nix-plugins) - Run all commands with
--option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --option extra-builtins-file ./nix/extra-builtins.nix
Generate self-signed cert, e.g. for kanidm internal communication to proxy:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout selfcert.key -out selfcert.crt -subj \
"/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"restic -o rclone.program="ssh -p 23 u000000@u000000.your-storagebox.de rclone" -o rclone.args="serve restic --stdio /home/restic/<subuser>/repo" -r rclone: stats