nix-config/README.md

# nix-config

https://git.jan-leila.com/jan-leila/nix-config

nix multi user, multi system, configuration with `sops` secret management, `home-manager`, and `nixos-anywhere` setup via `disko` with `zfs` + `impermanence`

# Hosts

## Host Map
|   Hostname  |      Device Description    |   Primary User   |    Role   | Provisioned | Using Nix |
| :---------: | :------------------------: | :--------------: | :-------: | :---------: | :-------: |
|  `twilight` |      Desktop Computer      |      Leyla       |  Desktop  |     ✅      |    ✅     |
|  `horizon`  |  13 inch Framework Laptop  |      Leyla       |  Laptop   |     ✅      |    ✅     |
|  `defiant`  |         NAS Server         |      Leyla       |   Server  |     ✅      |    ✅     |
| `hesperium` |             Mac            |      ?????       |    Mac    |     ❌      |    ❌     |
|  `emergent` |      Desktop Computer      |       Eve        |  Desktop  |     ✅      |    ✅     |
| `threshold` |           Laptop           |       Eve        |  Laptop   |     ❌      |    ❌     |
|  `wolfram`  |          Steam Deck        |      House       |  Handheld |     ✅      |    ❌     |
|   `ceder`   |          A5 Tablet         |      Leyla       |   Tablet  |     ✅      |    ❌     |
|   `skate`   |          A6 Tablet         |      Leyla       |   Tablet  |     ❌      |    ❌     |
|   `shale`   |          A6 Tablet         |       Eve        |   Tablet  |     ✅      |    ❌     |
|   `coven`   |           Pixel 8          |      Leyla       |  Android  |     ✅      |    ❌     |

# Tooling
## Rebuilding
`./rebuild.sh`

## Updating
`nix flake update`

## New host setup
`./install.sh --target 192.168.1.130 --flake hostname`

## Updating Secrets
`sops secrets/secrets_file_here.yaml`

## Inspecting a configuration
`nix-inspect -p .`

# Notes:

## Research topics
- Look into this for auto rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/`
- Look into this for npins https://jade.fyi/blog/pinning-nixos-with-npins/
- https://nixos-and-flakes.thiscute.world/
- proton mail now has an smtp server we could use that for our zfs and SMART test emails

# Tasks:

## Chores:
- [ ] test out crab hole service
- [ ] qbittorent should be downloading to `rpool/persist/system/qbittorrent` or maybe even `rpool/persist/system/jellyfin` but right now its downloading to `rpool/persist/system/root` this should be fixed

## Tech Debt
- [ ] monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/)
- [ ] migrate away from flakes and move to npins

## Broken things
- [ ] figure out steam vr things?
- [ ] whisper was having issues

## Data Integrity
- [ ] zfs email after scrubbing # TODO: test this
- [ ] SMART test with email results
- [ ] zfs encryption FIDO2 2fa (look into shavee)
- [ ] rotate sops encryption keys periodically (and somehow sync between devices?)
- [ ] Secure Boot - https://github.com/nix-community/lanzaboote
- [ ] auto turn off on power loss - nut
- [ ] secondary server with data sync. Maybe a Pi with a usb hdd enclosure and use rtcwake to only turn on once a week to sync data over tailscale with connection initiated from pi's side. We could probably put this at LZ. Hoping for it to draw only like $1 of power a month. Initial sync should probably be done here before we move it over because that will take a while. Data should be encrypted so that devices doesn't have access to it. Project will prob cost like $1800

## Data Access
- [ ] nfs export should be backed by the same values for server and client
- [ ] samba mounts
- [ ] offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
- [ ] figure out why syncthing and jellyfins permissions don't propagate downwards
- [ ] make radarr, sonarr, and bazarr accessible over vpn
- [ ] move searx, home-assistant, actual, vikunja, jellyfin, paperless, and immich to only be accessible via vpn

## Services
- [ ] vikunja service for project management
- [ ] Penpot services (need to make this custom)
- [ ] minecraft server with old world file
- [ ] Create Tor guard/relay server
- [ ] mastodon instance
- [ ] screeps server

## DevOps
- [ ] wake on LAN for updates
- [ ] remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html
- [ ] ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix
- [ ] fix panoramax package
- [ ] claude code MCP servers should bundle node with them so they work in all environments

## Observability
- [ ] graphana for dashboards
- [ ] prometheus and loki for metric and log collection
	- [ ] zfs storage usage
	- [ ] zfs drive health status
	- [ ] service version lag
	- [ ] network/cpu/ram utilization
	- [ ] http latency
	- [ ] postgres db load
	- [ ] nginx queries
- [ ] ntfy.sh for push notifications
- [ ] kuma for uptime visualization

## Packages
- [ ] Custom private fork of MultiMC