nix-config
https://git.jan-leila.com/jan-leila/nix-config
Nix multi-user, multi-system configuration with sops secret management, home-manager, and nixos-anywhere setup via disko with ZFS + impermanence
Hosts
Host Map
| Hostname | Device Description | Primary User | Role | Provisioned | Using Nix |
|---|---|---|---|---|---|
| twilight | Desktop Computer | Leyla | Desktop | ✅ | ✅ |
| horizon | 13 inch Framework Laptop | Leyla | Laptop | ✅ | ✅ |
| defiant | NAS Server | Leyla | Server | ✅ | ✅ |
| hesperium | Mac | ????? | Mac | ❌ | ❌ |
| emergent | Desktop Computer | Eve | Desktop | ✅ | ✅ |
| threshold | Laptop | Eve | Laptop | ❌ | ❌ |
| wolfram | Steam Deck | House | Handheld | ✅ | ❌ |
| ceder | A5 Tablet | Leyla | Tablet | ✅ | ❌ |
| skate | A6 Tablet | Leyla | Tablet | ❌ | ❌ |
| shale | A6 Tablet | Eve | Tablet | ✅ | ❌ |
| coven | Pixel 8 | Leyla | Android | ✅ | ❌ |
Tooling
Rebuilding
./rebuild.sh
Updating
nix flake update
New host setup
./install.sh --target 192.168.1.130 --flake hostname
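For orientation, this is what the disko layout that `install.sh` hands to nixos-anywhere can look like for a ZFS + impermanence host. It is an added example, not code from this repo; it assumes a pool named `rpool`, the dataset names shown, a placeholder disk id, the scripted (non-systemd) initrd, and that nixos-anywhere's `--disk-encryption-keys` option has copied the passphrase file to `/tmp/secret.key` on the target.

```nix
# Added example, not the repo's code. Assumed: pool "rpool", the dataset
# names, a placeholder disk id, the scripted (non-systemd) initrd, and a
# key file handed over by nixos-anywhere's --disk-encryption-keys.
{ lib, ... }:
{
  disko.devices.disk.main = {
    type = "disk";
    device = "/dev/disk/by-id/DISK_ID_PLACEHOLDER";
    content = {
      type = "gpt";
      partitions.ESP = {
        size = "1G"; type = "EF00";
        content = { type = "filesystem"; format = "vfat"; mountpoint = "/boot";
                    mountOptions = [ "umask=0077" ]; };  # root-only /boot
      };
      partitions.zfs = { size = "100%"; content = { type = "zfs"; pool = "rpool"; }; };
    };
  };
  disko.devices.zpool.rpool = {
    type = "zpool";
    options.ashift = "12";
    rootFsOptions = {
      compression = "zstd";
      encryption = "aes-256-gcm";              # whole pool is encrypted
      keyformat = "passphrase";
      keylocation = "file:///tmp/secret.key";  # only while installing
    };
    # after creation the passphrase is asked for at boot instead of read from a file
    postCreateHook = "zfs set keylocation=prompt rpool";
    datasets = {
      "local/root" = {
        type = "zfs_fs"; mountpoint = "/";
        postCreateHook = "zfs snapshot rpool/local/root@blank";  # empty root
      };
      "local/nix" = { type = "zfs_fs"; mountpoint = "/nix"; };
      "safe/persist" = { type = "zfs_fs"; mountpoint = "/persist"; };
    };
  };
  # impermanence: every boot starts from the blank root snapshot
  boot.initrd.postDeviceCommands = lib.mkAfter "zfs rollback -r rpool/local/root@blank";
  fileSystems."/persist".neededForBoot = true;
  # the host SSH key must survive: sops-nix derives this host's age key from it
  environment.persistence."/persist" = {
    directories = [ "/var/lib/nixos" "/var/log" ];
    files = [ "/etc/machine-id" "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key.pub" ];
  };
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}
```

If a host switches to `boot.initrd.systemd.enable = true`, `postDeviceCommands` is ignored and the rollback has to move into an initrd systemd service ordered after the pool import. Anything not listed under `environment.persistence` (including any sops-decrypted material written outside `/run`) is gone after the next boot, which is the point, but worth checking before adding a service.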
Updating Secrets
sops secrets/secrets_file_here.yaml
Inspecting a configuration
nix-inspect -p .
Notes:
Research topics
- Look into this for auto-rotating sops keys: https://technotim.live/posts/rotate-sops-encryption-keys/
- Look into this for npins: https://jade.fyi/blog/pinning-nixos-with-npins/
- https://nixos-and-flakes.thiscute.world/
- Proton Mail now has an SMTP server; we could use that for our ZFS and SMART test emails
Tasks:
Chores:
- test out crab hole service
Tech Debt
- monitor configuration in `~/.config/monitors.xml` should be symlinked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/)
- migrate away from flakes and move to npins
- `host.users` should be redone so that we just extend the base `users.users` object. Right now we can't quite do this because we have weird circular dependencies with disko/impermanence (not sure which one) and home-manager enabling/disabling users per device
Broken things
- figure out steam vr things?
- whisper was having issues
Data Integrity
- ZFS email after scrubbing # TODO: test this
- SMART test with email results
- ZFS encryption FIDO2 2FA (look into shavee)
- rotate sops encryption keys periodically (and somehow sync between devices?)
- Secure Boot - https://github.com/nix-community/lanzaboote
- auto turn off on power loss - nut
- every service needs to have its own data pool
- secondary server with data sync. Maybe a Pi with a USB HDD enclosure; use rtcwake to turn it on only once a week to sync data over Tailscale, with the connection initiated from the Pi's side. We could probably put this at LZ. Hoping for it to draw only about $1 of power a month. The initial sync should probably be done here before we move it over, because that will take a while. Data should be encrypted so that the device doesn't have access to it. Project will probably cost about $1800
Data Access
- nfs export should be backed by the same values for server and client
- samba mounts
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
- figure out why Syncthing's and Jellyfin's permissions don't propagate downwards
- make radarr, sonarr, and bazarr accessible over vpn
- move searx, home-assistant, actual, vikunja, jellyfin, paperless, and immich to only be accessible via vpn
- FreeIPA/SSSD/LDAP/Kerberos to manage UIDs and GIDs
Services
- vikunja service for project management
- Penpot services (need to make this custom)
- minecraft server with old world file
- storj server
- Create Tor guard/relay server
- screeps server
- mastodon instance
DevOps
- wake on LAN for updates
- remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html
- ISO target that contains authorized keys for nixos-anywhere (4acc43ebc7/hosts/bootstrap/default.nix)
- fix panoramax package
- claude code MCP servers should bundle node with them so they work in all environments
Observability
- Grafana for dashboards
- Prometheus and Loki for metric and log collection
- ZFS storage usage
- ZFS drive health status
- service version lag
- network/cpu/ram utilization
- http latency
- postgres db load
- nginx queries
- ntfy.sh for push notifications
- kuma for uptime visualization
Packages
- Custom private fork of MultiMC