This is my personal nix config which I use to maintain my whole infrastructure, including my homelab, external servers and my development machines.
| Type | Name | Hardware | Purpose | |
|---|---|---|---|---|
| 💻 | Laptop | nom | Gigabyte AERO 15-W8 (i7-8750H) | My laptop and my main portable development machine Framework when? |
| 🖥️ | Desktop | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming |
| 🖥️ | Server | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms. |
| 🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms. |
| 🥔 | Server | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network |
| ☁️ | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services |
| ☁️ | VPS | envoy | Hetzner Cloud server | Mailserver |
An overview over what you will find in this repository. I usually put a lot of effort into all my configurations and try to go over every option in detail. These lists summarize the major parts.
I've also included a (subjective) indicator of customization (💎) so you can more easily find the configs that are very polished or different from the basic setup that most people would have. The configurations are sorted into three categories:
- dotfiles: Lists all the stuff I use on my desktop/development machines. All of this is very customized.
- services: Lists all my services, both homelab and external.
- other: Lists anything else, like general machine config, organizational and miscellaneous stuff.
| ~~~~~~~~~~~~ | Program | Source | Description |
|---|---|---|---|
| 🐚 Shell | ZSH & Starship | Link | ZSH configuration with FZF, starship prompt, sqlite history and histdb-skim for fancy CtrlR |
| 🖥️ Terminal | Kitty | Link | Terminal configuration with nerdfonts and history CtrlShiftH to view scrollback buffer in neovim |
| 🪟 WM | i3 | Link | Tiling window manager, heavily customized to my personal preferences |
| 🌐 Browser | Firefox | Link | Firefox with many privacy settings and betterfox |
| 🖊️ Editor | Neovim | Link | Extensive neovim configuration, made with nixvim |
| 📜 Manpager | Neovim | Link | Isolated neovim as manpager via nixvim |
| 📷 Screenshots | Flameshot | Link | Screenshot tool with custom QR code detection and OCR to clipboard |
| 🗨️ Notifications | wired-notify | Link | Notification daemon with a very customized layout and color scheme |
| 🎮 Gaming | Steam & Bottles | Link | Setup for gaming |
| ~~~~~~~~~~~~ | 💎 | Service | Source | Description |
|---|---|---|---|---|
| 🐙 Git | – | Forgejo | Link | Forgejo with SSO |
| 🔑 SSO | 💎 | Kanidm | Link | Identity provider for Single Sign On on my hosted services. 💎 With custom-made secret provisioning. |
| 🔴 DNS Adblock | – | AdGuard Home | Link | DNS level adblocker |
| 🔐 Passwords | – | Vaultwarden | Link | Self-hosted password manager |
| 📷 Photos | – | Immich | Link | Self-hosted photo and video backup solution |
| 🗂️ Documents | 💎 | Paperless | Link | Document management system. 💎 with per-user Samba share integration (consume & archive) |
| 🗓️ CalDAV/CardDAV | – | Radicale | Link | Contacts, Calender and Tasks synchronization |
| 📁 NAS | 💎 | Samba | Link | Network attached storage. 💎 Cross-integration with paperless |
| 🧱 Minecraft | 💎 | PaperMC | Link | Minecraft game server. 💎 Autostart on connect, systemd service with background console, automatic backups |
| 🛡️ VPN | - | Netbird | Link | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication. |
| 📧 Mailserver | 💎 | Stalwart | Link | Modern mail server setup with custom self-service alias management including Bitwarden integration |
| 📈 Dashboard | – | Grafana | Link | Logs and metrics dashboard and alerting |
| 📔 Logs DB | – | Loki | Link | Central log aggregation service |
| 📔 Logs | – | Promtail | Link | Log shipping agent |
| 📚 TSDB | – | Influxdb2 | Link | Time series database for storing host metrics |
| ⏱️ Metrics | – | Telegraf | Link | Per-host collection of metrics |
(WIP)
| ~~~~~~~~~~~~ | 💎 | Source | Description |
|---|---|---|---|
| 🗑️ Impermanence | – | Link | Only persist what is necessary. ZFS rollback on boot. Most configuration is will be next to the respective service / program configuration. |
- reverse proxy with wireguard tunnel
- restic
- static wireguard mesh
- unified guests interface for microvms and containers with ZFS integration
- zoned nftables
- Secret rekeying, generation and bootstrapping using agenix-rekey
- Remote-unlockable full disk encryption using ZFS on LUKS
- Automatic disk partitioning via disko
- Support for repository-wide secrets at evaluation time (hides PII like MACs)
If you are interested in parts of my configuration,
you probably want to examine the contents of users/, config/, modules/ and hosts/.
Also, a lot of interesting modules have been moved to nixos-extra-modules, a separate repository specifically for reusable stuff.
The full structure of this flake is described in STRUCTURE.md,
but here's a quick breakdown of the what you will find where.
hosts/<hostname> |
top-level configuration for <hostname> |
lib/ |
library functions overlayed on top of nixpkgs.lib |
config/ |
global configuration for all hosts |
config/optional/ |
optional configuration included by hosts |
modules/ |
classical reusable configuration modules |
nix/ |
library functions and flake plumbing |
pkgs/ |
Custom packages and scripts |
secrets/ |
Global secrets and age identities |
users/ |
User configuration and dotfiles |
... incomplete.
- Add to
hostsinflake.nix - Create hosts/
- Fill net.nix
- Fill fs.nix (you need to know the device /dev/by-id paths in advance for partitioning to work!)
- Run
agenix generateandagenix rekey(create's dummy secrets for initial deploy)
- Create a bootable iso disk image with
nix build --print-out-paths --no-link .#images.<target-system>.live-iso, dd it to a stick and boot - (Alternative) Use an official NixOS live-iso and setup ssh manually
- Copy the installer from a local machine to the live system with
nix copy --to <target> .#nixosConfigurationsMinimal.config.system.build.installFromLive
Afterwards:
- Run
install-systemin the live environment, export your zfs pools and reboot - Retrieve the new host identity by using
ssh-keyscan <host/ip> | grep -o 'ssh-ed25519.*' > hosts/<host>/secrets/host.pub - (If the host has guests, also retrieve their identities!)
- Rekey the secrets for the new identity
nix run .#rekey - Deploy again
If a host uses encrypted root together with the common/initrd-ssh.nix module,
it can be unlocked remotely by connecting via ssh on port 4 and executing systemd-tty-ask-password-agent.
nix run show-wireguard-qr then select the host in the fzf menu
...
- Generate, edit and rekey secrets with
agenix <generate|edit|rekey>
To be able to decrypt the repository-wide secrets (files that contain my PII and are thus hidden from public view),
you will need to (be me and) add nix-plugins and point it to ./nix/extra-builtins.nix.
The devshell will do this for you automatically. If this doesn't work for any reason, this can also be done manually:
- Get nix-plugins:
NIX_PLUGINS=$(nix build --print-out-paths --no-link nixpkgs#nix-plugins) - Run all commands with
--option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --option extra-builtins-file ./nix/extra-builtins.nix
Generate self-signed cert, e.g. for kanidm internal communication to proxy:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout selfcert.key -out selfcert.crt -subj \
"/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
