This is my personal nix config which I use to maintain my whole infrastructure, including my homelab, external servers and my development machines.
| Type | Name | Hardware | Purpose |
|---|---|---|---|
| Laptop | nom | Gigabyte AERO 15-W8 (i7-8750H) | My laptop and my main portable development machine. Framework when? |
| Desktop | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming |
| Server | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms. |
| Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms. |
| Server | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network |
| VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services |
| VPS | envoy | Hetzner Cloud server | Mailserver |
An overview of what you will find in this repository. I usually put a lot of effort into all my configurations and try to go over every option in detail. These lists summarize the major parts.
I've also included a (subjective) indicator of customization in the tables below, so you can more easily find the configs that are very polished or differ from the basic setup most people would have. The configurations are sorted into three categories:
| Program | Software | Source | Description |
|---|---|---|---|
| Shell | ZSH & Starship | Link | ZSH configuration with FZF, starship prompt, sqlite history and histdb-skim for a fancy Ctrl+R |
| Terminal | Kitty | Link | Terminal configuration with nerdfonts; Ctrl+Shift+H opens the scrollback buffer in neovim |
| WM | hyprland & i3 | Link, Link | Tiling window manager, heavily customized to my personal preferences |
| Bar | waybar | Link | Taskbar and status |
| Browser | Firefox | Link | Firefox with many privacy settings and betterfox |
| Editor | Neovim | Link | Extensive neovim configuration, made with nixvim |
| Manpager | Neovim | Link | Isolated neovim as manpager via nixvim |
| Screenshots | Custom based on grimblast | Link | Custom scripts utilizing grimblast for QR code detection and OCR / satty editing |
| Notifications | SwayNotificationCenter | Link | Notification center with customized color scheme |
| Gaming | Steam & Bottles | Link | Setup for gaming |
| Service | Custom | Software | Source | Description |
|---|---|---|---|---|
| Git | no | Forgejo | Link | Forgejo with SSO |
| SSO | yes | Kanidm | Link | Identity provider for Single Sign On on my hosted services, with custom-made secret provisioning. |
| DNS Adblock | no | AdGuard Home | Link | DNS level adblocker |
| Passwords | no | Vaultwarden | Link | Self-hosted password manager |
| Photos | no | Immich | Link | Self-hosted photo and video backup solution |
| Documents | yes | Paperless | Link | Document management system, with per-user Samba share integration (consume & archive) |
| CalDAV/CardDAV | no | Radicale | Link | Contacts, Calendar and Tasks synchronization |
| NAS | yes | Samba | Link | Network attached storage, with cross-integration with paperless |
| Minecraft | yes | PaperMC | Link | Minecraft game server. Autostart on connect, systemd service with background console, automatic backups |
| VPN | - | Netbird | Link | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication. |
| Mailserver | yes | Stalwart | Link | Modern mail server setup with custom self-service alias management including Bitwarden integration |
| Dashboard | no | Grafana | Link | Logs and metrics dashboard and alerting |
| Logs DB | no | Loki | Link | Central log aggregation service |
| Logs | no | Promtail | Link | Log shipping agent |
| TSDB | no | Influxdb2 | Link | Time series database for storing host metrics |
| Metrics | no | Telegraf | Link | Per-host collection of metrics |
(WIP)

| Feature | Custom | Source | Description |
|---|---|---|---|
| Impermanence | no | Link | Only persist what is necessary. ZFS rollback on boot. Most configuration will be next to the respective service / program configuration. |
If you are interested in parts of my configuration, you probably want to examine the contents of `users/`, `config/`, `modules/` and `hosts/`.
Also, a lot of interesting modules have been moved to nixos-extra-modules, a separate repository specifically for reusable stuff.
The full structure of this flake is described in STRUCTURE.md, but here's a quick breakdown of what you will find where.
| Directory | Contents |
|---|---|
| `config/` | Global configuration for all hosts |
| `config/optional/` | Optional configuration included by hosts |
| `hosts/<hostname>` | Top-level configuration for `<hostname>` |
| `modules/` | Classical reusable configuration modules |
| `nix/` | Library functions and flake plumbing |
| `pkgs/` | Custom packages and scripts |
| `secrets/` | Global secrets and age identities |
| `users/` | User configuration and dotfiles |

... incomplete.
To set up a new host:

- Add it to `hosts` in `flake.nix`
- `agenix generate` and `agenix rekey` (creates dummy secrets for the initial deploy)
- `nix build --print-out-paths --no-link .#images.<target-system>.live-iso`, dd it to a stick and boot
- `nix copy --to <target> .#nixosConfigurationsMinimal.config.system.build.installFromLive`
- Afterwards: `install-system` in the live environment, export your zfs pools and reboot
- `ssh-keyscan <host/ip> | grep -o 'ssh-ed25519.*' > hosts/<host>/secrets/host.pub`
- `nix run .#rekey`
- ...

Secrets are generated, shown and edited with `agenix <generate|edit|rekey>`.
To be able to decrypt the repository-wide secrets (files that contain my PII and are thus hidden from public view), you will need to (be me and) add nix-plugins and point it to `./nix/extra-builtins.nix`.
The devshell will do this for you automatically. If this doesn't work for any reason, this can also be done manually by passing the plugin directory and the extra-builtins file as options to the nix command you are running:

```bash
NIX_PLUGINS=$(nix build --print-out-paths --no-link nixpkgs#nix-plugins)
# append these two options to your nix invocation
nix <command> --option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --option extra-builtins-file ./nix/extra-builtins.nix
```
Generate a self-signed certificate, e.g. for kanidm's internal communication with the proxy:

```bash
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout selfcert.key -out selfcert.crt -subj \
  "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"
```
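The command above writes the certificate but gives no feedback on what ended up inside it, and modern clients match hostnames against the subjectAltName entries only, never the CN. The following is an added shell example, not code from this repository: it wraps the same openssl invocation in a function and then checks the result, verifying that each expected DNS name or IP address is actually present as a SAN and that the certificate is self-signed. The function names, the temporary directory and the example names are assumptions of this example; the defaults (3650 days, rsa:4096) mirror the README command.

```shell
#!/usr/bin/env bash
# Added example, not part of the nix-config repository: wrap the README's
# openssl invocation in a function and verify the resulting certificate.
set -eu

# gen_selfcert DIR CN SANS [DAYS] [BITS]
# SANS is the raw subjectAltName value, e.g. "DNS:a.example,IP:10.0.0.1".
gen_selfcert() {
  dir=$1
  cn=$2
  sans=$3
  days=${4:-3650}
  bits=${5:-4096}
  openssl req -x509 -newkey "rsa:$bits" -sha256 -days "$days" -nodes \
    -keyout "$dir/selfcert.key" -out "$dir/selfcert.crt" \
    -subj "/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
  chmod 600 "$dir/selfcert.key"   # the private key must not be world-readable
}

# cert_sans CRT: print one SAN entry per line, in openssl's own spelling
# ("DNS:example.com", "IP Address:10.0.0.1").
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# cert_has_san CRT NAME: succeed only if NAME is present as a DNS or IP SAN.
# Exact fixed-string match, so "sub.example.com" does not satisfy "example.com".
cert_has_san() {
  cert_sans "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# cert_is_selfsigned CRT: issuer and subject are identical.
cert_is_selfsigned() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')
  [ "$subj" = "$iss" ]
}

# Demo with constructed names (the same ones as in the README command).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
gen_selfcert "$DEMO_DIR" example.com \
  "DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"
echo "SANs in $DEMO_DIR/selfcert.crt:"
cert_sans "$DEMO_DIR/selfcert.crt"
```

`cert_has_san` accepts both `DNS:` and `IP Address:` entries because openssl prints IP SANs in the latter form even though the request used `IP:`. Both `-addext` and `-ext` need OpenSSL 1.1.1 or newer, the same requirement the README command already has.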