# nix-config https://git.jan-leila.com/jan-leila/nix-config nix multi user, multi system, configuration with `sops` secret management, `home-manager`, and `nixos-anywhere` setup via `disko` with `zfs` + `impermanence` # Hosts ## Host Map | Hostname | Device Description | Primary User | Role | Provisioned | Using Nix | | :---------: | :------------------------: | :--------------: | :-------: | :---------: | :-------: | | `twilight` | Desktop Computer | Leyla | Desktop | ✅ | ✅ | | `horizon` | 13 inch Framework Laptop | Leyla | Laptop | ✅ | ✅ | | `defiant` | NAS Server | Leyla | Server | ✅ | ✅ | | `hesperium` | Mac | ????? | Mac | ❌ | ❌ | | `emergent` | Desktop Computer | Eve | Desktop | ✅ | ✅ | | `threshold` | Laptop | Eve | Laptop | ❌ | ❌ | | `wolfram` | Steam Deck | House | Handheld | ✅ | ❌ | | `ceder` | A5 Tablet | Leyla | Tablet | ✅ | ❌ | | `skate` | A6 Tablet | Leyla | Tablet | ❌ | ❌ | | `shale` | A6 Tablet | Eve | Tablet | ✅ | ❌ | | `coven` | Pixel 8 | Leyla | Android | ✅ | ❌ | # Tooling ## Rebuilding `./rebuild.sh` ## Updating `nix flake update` ## New host setup `./install.sh --target 192.168.1.130 --flake hostname` ## Updating Secrets `sops secrets/secrets_file_here.yaml` ## Inspecting a configuration `nix-inspect -p .` # Notes: ## Research topics - Look into this for auto rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/` - Look into this for npins https://jade.fyi/blog/pinning-nixos-with-npins/ - https://nixos-and-flakes.thiscute.world/ # Tasks: ## Tech Debt - [ ] monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) - [ ] migrate away from flakes and move to npins - [ ] rework the reverse_proxy.nix file so that it is a normally named service. Then also change it so that we can hook into it with both a base domain and a subdomain to make migrating to vpn accessible services easier ## Broken things - [ ] figure out steam vr things? - [ ] whisper was having issues ## Data Integrity - [ ] zfs email after scrubbing # TODO: test this - [ ] SMART test with email results - [ ] zfs encryption FIDO2 2fa (look into shavee) - [ ] rotate sops encryption keys periodically (and somehow sync between devices?) - [ ] Secure Boot - https://github.com/nix-community/lanzaboote - [ ] auto turn off on power loss - nut ## Data Access - [ ] nfs export should be backed by the same values for server and client - [ ] samba mounts - [ ] offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs) - [ ] figure out why syncthing and jellyfins permissions don't propagate downwards - [ ] make radarr, sonarr, and bazarr accessible over vpn - [ ] move searx, home-assistant, actual, jellyfin, paperless, and immich to only be accessible via vpn ## Services - [ ] crab-hole for ad block - [ ] enable and learn actual for budgeting - [ ] vikunja service for project management - [ ] Create Tor guard/relay server - [ ] mastodon instance ## DevOps - [ ] wake on LAN for updates - [ ] remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html - [ ] ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix - [ ] fix panoramax package - [ ] claude code MCP servers should bundle node with them so they work in all environments ## Observability - [ ] graphana for dashboards - [ ] prometheus and loki for metric and log collection - [ ] zfs storage usage - [ ] zfs drive health status - [ ] service version lag - [ ] network/cpu/ram utilization - [ ] http latency - [ ] postgres db load - [ ] nginx queries - [ ] ntfy.sh for push notifications - [ ] kuma for uptime visualization