Personal NixOS infrastructure-as-code managing three machines and a full homelab stack, built entirely with Nix flakes.
The flake entry point is intentionally minimal — flake-parts and import-tree auto-import every .nix file under modules/, so there is no manual module registration list.
```
flake.nix → flake-parts.lib.mkFlake → import-tree ./modules
```
| Tool | Purpose |
|---|---|
| Flake-parts | Modular flake output framework |
| import-tree | Auto-discovers and imports all modules |
| home-manager | User environment management (integrated as NixOS module) |
| Colmena | Remote deployment to server nodes |
| agenix | Age-encrypted secrets management |
| Restic | Automated service backups over SFTP |
| disko | Declarative disk partitioning |
| Stylix | System-wide Base16 theming |
AMD CPU/GPU daily-driver running the Niri Wayland compositor. Managed locally via `nh os switch`.
- Desktop: Niri + Noctalia Shell + Stylix (`eightiesBase16` scheme)
- Terminal: Kitty + Tmux + Starship
- Editor: Nixvim (Neovim-in-Nix) with LSPs, Telescope, DAP, and Tree-sitter
- Gaming: Steam (Proton-GE + Gamescope), Gamemode, Prism Launcher, r2modman
- Other: Mullvad VPN, YubiKey support, Flipper Zero udev rules, PrusaSlicer
- Auth: `doas` only; `sudo` is disabled
Intel CPU + NVIDIA GPU server running 25+ self-hosted services. Deployed remotely via Colmena. NFS-mounts media and backup shares from a NAS at 10.0.0.8.
- Containers: Docker (with CDI GPU pass-through) + Podman for OCI workloads
- Reverse proxy: Nginx with Cloudflare DNS-01 ACME for `*.ewhomelab.com`
- Database: PostgreSQL 17 (shared by Matrix, Paperless, bridges, etc.)
- AI: Ollama (CUDA) serving `qwen3.5:27b` and `qwen3-coder:30b`
Lightweight QEMU/KVM VPS acting as the public-facing edge. Deployed via Colmena.
- Role: TLS-terminating Nginx reverse proxy for homelab services + coturn TURN server for Matrix voice/video
- VPN: Tailscale mesh
| Service | Domain | Description |
|---|---|---|
| Immich | photos.ewhomelab.com | Self-hosted photo management |
| Jellyfin | jellyfin.ewhomelab.com | Media server |
| Navidrome | navidrome.ewhomelab.com | Music streaming |
| Audiobookshelf | audiobookshelf.ewhomelab.com | Audiobooks & podcasts |
| Sonarr | sonarr.ewhomelab.com | TV show management |
| Radarr | radarr.ewhomelab.com | Movie management |
| Prowlarr | prowlarr.ewhomelab.com | Indexer manager |
| SABnzbd | sabnzbd.ewhomelab.com | Usenet downloader |
| Recyclarr | — | TRaSH Guide quality profile sync |
| Paperless-ngx | docs.ewhomelab.com | Document management |
| Mealie | recipes.ewhomelab.com | Recipe manager |
| Vaultwarden | vault.ewhomelab.com | Bitwarden-compatible password manager |
| Radicale | radicale.ewhomelab.com | CalDAV / CardDAV |
| SearXNG | search.ewhomelab.com | Privacy-respecting meta search |
| Stirling PDF | pdf.ewhomelab.com | PDF tools |
| Node-RED | node-red.ewhomelab.com | Flow-based automation |
| Home Assistant | hass.ewhomelab.com | Home automation |
| Forgejo | git.ewhomelab.com | Self-hosted Git forge |
| Grafana | grafana.ewhomelab.com | Metrics dashboards for Prometheus |
| Gatus | gatus.ewhomelab.com | Uptime monitoring (alerts via Matrix) |
| ntfy | ntfy.ewhomelab.com | Push notifications |
| Ollama + Open WebUI | :11434 / :8084 | Local LLM inference |
| Matrix Synapse | matrix.ewhomelab.com | Self-hosted Matrix homeserver |
| mautrix-gmessages | — | Matrix ↔ Google Messages bridge |
| mautrix-signal | — | Matrix ↔ Signal bridge |
| coturn | turn.ewhomelab.com | TURN/STUN for Matrix calls (on vryn) |
| TeamSpeak 6 | :9987 | Voice chat |
| PostgreSQL + pgAdmin4 | pgadmin.ewhomelab.com | Shared database + admin UI |
| Traefik | traefik-int.ewhomelab.com | Internal reverse proxy |
| UniFi | unifi.ewhomelab.com | Network controller proxy |
```
modules/
├── hosts/     # Per-host NixOS configuration (kaladesh, dominaria, vryn)
├── homelab/   # Individual homelab service modules
├── nixvim/    # Neovim configuration via nixvim
├── niri/      # Niri Wayland compositor config + keybinds
├── pkgs/      # Custom packages (spotiflac, audible2m4b, define)
├── system/    # Flake plumbing (colmena, overlays, shared args, flake-parts)
├── users/     # User definitions (eweishaar, deploy)
└── groups/    # Group definitions (media)
```
| Package | Description |
|---|---|
| `spotiflac` | AppImage wrapper for SpotiFLAC |
| `audible2m4b` | Converts Audible .aax files to .m4b via ffmpeg |
| `define` | Looks up a word definition and surfaces it as a desktop notification |
Secrets managed with agenix, encrypted per-host and per-user with SSH keys. Covers API tokens, service passwords, SSH private keys, and bridge secrets.
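As an added illustration (not a file from this repository) of how the agenix secrets above tie into the Cloudflare DNS-01 ACME setup listed for the homelab server, the module below decrypts the API token with the host's own SSH key and hands it to the ACME service by path; the `.age` file path, contact address and backend port are placeholders.

```nix
# modules/homelab/acme.nix (illustrative, not a file from this repo)
# Ties agenix to the DNS-01 ACME setup: the Cloudflare token is decrypted at
# activation with the host's SSH key (age.identityPaths defaults to the
# /etc/ssh host keys), lands under /run/agenix with tight ownership, and is
# handed to lego by path, so the plaintext never enters the world-readable
# Nix store. Only hosts listed for this secret in secrets.nix can decrypt it.
{ config, ... }:
{
  age.secrets.cloudflare-api-token = {
    # Encrypted with the recipient keys declared in secrets.nix (placeholder path)
    file = ../../secrets/cloudflare-api-token.age;
    # Decrypted file is readable only by the ACME service user
    owner = "acme";
    group = "acme";
    mode = "0400";
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@example.invalid"; # placeholder contact address

    # One wildcard certificate, obtained via DNS-01 so no port 80 needs to be
    # reachable from the Internet on the homelab server
    certs."ewhomelab.com" = {
      domain = "ewhomelab.com";
      extraDomainNames = [ "*.ewhomelab.com" ];
      dnsProvider = "cloudflare";
      # File must contain CLOUDFLARE_DNS_API_TOKEN=<token>; lego reads it as
      # an environment file. A zone-scoped DNS:Edit token is sufficient.
      credentialsFile = config.age.secrets.cloudflare-api-token.path;
      # Let nginx read the resulting key and chain
      group = "nginx";
    };
  };

  # A vhost reuses the wildcard cert instead of requesting its own
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."photos.ewhomelab.com" = {
      forceSSL = true;
      useACMEHost = "ewhomelab.com";
      # Backend port is a placeholder for the service's listen address
      locations."/".proxyPass = "http://127.0.0.1:2283";
    };
  };
}
```

The matching `secrets.nix` lists, per `.age` file, the SSH public keys allowed to decrypt it, so a token needed only on the homelab server is never decryptable on the workstation or the edge VPS.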