Skip to content

Latest commit

 

History

History
162 lines (126 loc) · 9.14 KB

README.md

File metadata and controls

162 lines (126 loc) · 9.14 KB

Hosts | Overview | Structure

preview

❄️ My NixOS Configuration

This is my personal nix config which I use to maintain my whole infrastructure, including my homelab, external servers and my development machines.

Hosts

Type Name Hardware Purpose
💻 Laptop nom Gigabyte AERO 15-W8 (i7-8750H) My laptop and my main portable development machine Framework when?
🖥️ Desktop kroma PC (AMD Ryzen 9 5900X) Main workstation and development machine, also for some occasional gaming
🖥️ Server ward ODROID H3 Energy efficient SBC for my home firewall and some lightweight services using containers and microvms.
🖥️ Server sire Threadripper 1950X Home media server and data storage. Runs all services as microvms.
🖥️ Server sausebiene Intel N100 Home automation and IoT network isolation
🥔 Server zackbiene ODROID N2+ Decomissioned. Old home assistant board
☁️ VPS sentinel Hetzner Cloud server Proxies and protects my local services
☁️ VPS envoy Hetzner Cloud server Mailserver

Overview

An overview over what you will find in this repository. I usually put a lot of effort into all my configurations and try to go over every option in detail. I've included the major components in the lists below.

Dotfiles

~~~~~~~~~~~~ Program Source Description
🐚 Shell ZSH & Starship Link ZSH configuration with FZF, starship prompt, sqlite history and histdb-skim for fancy CtrlR
🖥️ Terminal Kitty Link Terminal configuration with nerdfonts and history CtrlShiftH to view scrollback buffer in neovim
🪟 WM hyprland & i3 Link, Link Tiling window manager, heavily customized to my personal preferences
🔋 Bar waybar Link Taskbar and status
🌐 Browser Firefox Link Firefox with many privacy settings and betterfox
🖊️ Editor Neovim Link Extensive neovim configuration, made with nixvim
📜 Manpager Neovim Link Isolated neovim as manpager via nixvim
📷 Screenshots Custom based on grimblast Link Custom scripts utilizing grimblast for QR code detection and OCR / satty editing
🗨️ Notifications SwayNotificationCenter Link Notification center with customized color scheme
🎮 Gaming Steam & Bottles Link Setup for gaming
📫 Mail Thunderbird Link Your regular thunderbird setup

Services

~~~~~~~~~~~~ Service Source Description
💸 Budgeting Actual Budget Link Budgeting application to track income and expenses
🛡️ Adblock AdGuard Home Link DNS level adblocker
🔒 SSO Kanidm Link Identity provider for Single-Sign-On on my hosted services, with provisioning.
🐙 Git Forgejo Link Forgejo with SSO
🔑 Passwords Vaultwarden Link Self-hosted password manager
📷 Photos Immich Link Self-hosted photo and video backup solution
📄 Documents Paperless Link Document management system. With per-user Samba share integration (consume & archive)
🗓️ CalDAV/CardDAV Radicale Link Contacts, Calender and Tasks synchronization
📁 NAS Samba Link Network attached storage. Cross-integration with paperless
🌐 VPN Netbird Link Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication.
🏠 Home Automation Home Assistant Link Automation with Home Assistant and many related services
📧 Mailserver Stalwart Link Modern mail server setup with custom self-service alias management including Bitwarden integration
🧱 Minecraft PaperMC Link Minecraft game server. Autostart on connect, systemd service with background console, automatic backups
🐒 Local LLM Ollama & open-webui Link Local LLM and AI Chat
📊 Dashboard Grafana Link Logs and metrics dashboard and alerting
📔 Logs DB Loki Link Central log aggregation service
📔 Logs Agent Promtail Link Log shipping agent
📚 TSDB Influxdb2 Link Time series database for storing host metrics
⏱️ Metrics Telegraf Link Per-host collection of metrics

General & Miscellaneous

(WIP)

~~~~~~~~~~~~ Source Description
🗑️ Impermanence Link Only persist what is necessary. ZFS rollback on boot. Most configuration is will be next to the respective service / program configuration.
  • reverse proxy with wireguard tunnel
  • restic
  • static wireguard mesh
  • unified guests interface for microvms and containers with ZFS integration
  • zoned nftables
  • Secret rekeying, generation and bootstrapping using agenix-rekey
  • Remote-unlockable full disk encryption using ZFS on LUKS
  • Automatic disk partitioning via disko
  • Support for repository-wide secrets at evaluation time (hides PII like MACs)

Structure

If you are interested in parts of my configuration, you probably want to examine the contents of users/, config/, modules/ and hosts/. Also, a lot of interesting modules have been moved to nixos-extra-modules, a separate repository specifically for reusable stuff. The full structure of this flake is described in STRUCTURE.md, but here's a quick breakdown of the what you will find where.

config/ global configuration for all hosts
config/optional/ optional configuration included by hosts
hosts/<hostname> top-level configuration for <hostname>
modules/ classical reusable configuration modules
nix/ library functions and flake plumbing
pkgs/ Custom packages and scripts
secrets/ Global secrets and age identities
users/ User configuration and dotfiles

How-To

Add new machine

... incomplete.

  • Add to hosts in flake.nix
  • Create hosts/
  • Fill net.nix
  • Fill fs.nix (you need to know the device /dev/by-id paths in advance for partitioning to work!)
  • Run agenix generate and agenix rekey (create's dummy secrets for initial deploy)

Initial deploy

  • Create a bootable iso disk image with nix build --print-out-paths --no-link .#images.<target-system>.live-iso, dd it to a stick and boot
  • (Alternative) Use an official NixOS live-iso and setup ssh manually
  • Copy the installer from a local machine to the live system with nix copy --to <target> .#nixosConfigurationsMinimal.config.system.build.installFromLive

Afterwards:

  • Run install-system in the live environment, export your zfs pools and reboot
  • Retrieve the new host identity by using ssh-keyscan <host/ip> | grep -o 'ssh-ed25519.*' > hosts/<host>/secrets/host.pub
  • (If the host has guests, also retrieve their identities!)
  • Rekey the secrets for the new identity nix run .#rekey
  • Deploy again

New secret

...

Stuff

  • Generate, edit and rekey secrets with agenix <generate|edit|rekey>

To be able to decrypt the repository-wide secrets (files that contain my PII and are thus hidden from public view), you will need to (be me and) add nix-plugins and point it to ./nix/extra-builtins.nix. The devshell will do this for you automatically. If this doesn't work for any reason, this can also be done manually:

  1. Get nix-plugins: NIX_PLUGINS=$(nix build --print-out-paths --no-link nixpkgs#nix-plugins)
  2. Run all commands with --option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --option extra-builtins-file ./nix/extra-builtins.nix

Misc

Generate self-signed cert, e.g. for kanidm internal communication to proxy:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout selfcert.key -out selfcert.crt -subj \
  "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"