4.1 KiB
4.1 KiB
nix-config
https://git.jan-leila.com/jan-leila/nix-config
nix multi user, multi system, configuration with sops secret management, home-manager, and nixos-anywhere setup via disko with zfs + impermanence
Hosts
Host Map
| Hostname | Device Description | Primary User | Role | Provisioned | Using Nix |
|---|---|---|---|---|---|
twilight |
Desktop Computer | Leyla | Desktop | ✅ | ✅ |
horizon |
13 inch Framework Laptop | Leyla | Laptop | ✅ | ✅ |
defiant |
NAS Server | Leyla | Server | ✅ | ✅ |
hesperium |
Mac | ????? | Mac | ❌ | ❌ |
emergent |
Desktop Computer | Eve | Desktop | ✅ | ✅ |
threshold |
Laptop | Eve | Laptop | ❌ | ❌ |
wolfram |
Steam Deck | House | Handheld | ✅ | ❌ |
ceder |
A5 Tablet | Leyla | Tablet | ✅ | ❌ |
skate |
A6 Tablet | Leyla | Tablet | ❌ | ❌ |
shale |
A6 Tablet | Eve | Tablet | ✅ | ❌ |
coven |
Pixel 8 | Leyla | Android | ✅ | ❌ |
Tooling
Rebuilding
./rebuild.sh
Updating
nix flake update
New host setup
./install.sh --target 192.168.1.130 --flake hostname
Updating Secrets
sops secrets/secrets_file_here.yaml
Inspecting a configuration
nix-inspect -p .
Notes:
Research topics
- Look into this for auto rotating sops keys
https://technotim.live/posts/rotate-sops-encryption-keys/ - Look into this for npins https://jade.fyi/blog/pinning-nixos-with-npins/
- https://nixos-and-flakes.thiscute.world/
Tasks:
Tech Debt
- monitor configuration in
~/.config/monitors.xmlshould be sym linked to/run/gdm/.config/monitors.xml(https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) - nfs export should be backed by the same values for server and client
New Features
- crab-hole
- figure out why syncthing and jellyfins permissions don't propagate downwards
- figure out steam vr things?
- auto turn off on power loss - nut
- zfs email after scrubbing # TODO: test this
- SMART test with email results
- samba mounts
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
- Create Tor guard/relay server
- migrate away from flakes and move to npins
- whisper
- zfs encryption FIDO2 2fa (look into shavee)
- Secure Boot - https://github.com/nix-community/lanzaboote
- rotate sops encryption keys periodically (and somehow sync between devices?)
- wake on LAN for updates
- remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html
- ISO target that contains authorized keys for nixos-anywhere
4acc43ebc7/hosts/bootstrap/default.nix - panoramax instance
- mastodon instance
- rework the reverse_proxy.nix file so that it is a normally named service. Then also change it so that we can hook into it with both a base domain and a subdomain to make migrating to vpn accessible services easier
- move searx, home-assistant, actual, jellyfin, paperless, and immich to only be accessible via vpn
- make radarr, sonarr, and bazarr accessible over vpn
- create some sort of service that allows uploading files to jellyfin
- auto sort files into where they should go with some combination of filebot cli and picard cli
- graphana accessible though tailscale
- fix panoramax package
- actual instance
- intergrade radarr, sonarr, and bazarr
- claude code MCP servers should bundle node with them so they work in all environments