No description

Find a file

Leyla Becker f9c27c82b6 feat: refactored database configuration		2025-10-27 03:55:09 -05:00
.hooks	fix: fixed pre and post commit hook behavior	2025-10-20 20:55:35 -05:00
.vscode	restructured repo to support nix-darwin	2024-11-25 16:58:12 -06:00
configurations	feat: refactored database configuration	2025-10-27 03:55:09 -05:00
const	switched to using dev shells for local development environment	2024-11-11 18:38:44 -06:00
modules	feat: refactored database configuration	2025-10-27 03:55:09 -05:00
nix-config-secrets@444229a105	feat: pinned mapilary version downloader	2025-10-08 13:05:08 -05:00
util	feat: re enabled lix	2025-10-05 14:58:41 -05:00
.envrc	switched to using dev shells for local development environment	2024-11-11 18:38:44 -06:00
.gitconfig	updated hooks folder location	2024-09-21 12:24:54 -05:00
.gitignore	moved spellcheck to separate file	2024-11-25 15:14:50 -06:00
.gitmodules	switched submodule files to non flake input	2024-09-24 02:30:54 -05:00
.sops.yaml	added applications key file	2025-06-04 13:14:11 -05:00
build-installer.sh	started draft for installer	2024-11-25 22:37:08 -06:00
flake.lock	feat: updated flack lock	2025-10-26 23:35:54 -05:00
flake.nix	feat: re enabled lix	2025-10-05 14:58:41 -05:00
install.sh	added note to install script	2024-12-01 18:37:36 -06:00
README.md	chore:added task for qbittorent directory	2025-10-27 02:52:56 -05:00
rebuild.sh	feat: supported branching for commit checking	2025-10-19 18:50:26 -05:00
shell.nix	switched to using dev shells for local development environment	2024-11-11 18:38:44 -06:00

README.md

nix-config

https://git.jan-leila.com/jan-leila/nix-config

nix multi user, multi system, configuration with sops secret management, home-manager, and nixos-anywhere setup via disko with zfs + impermanence

Hosts

Host Map

Hostname	Device Description	Primary User	Role	Provisioned	Using Nix
`twilight`	Desktop Computer	Leyla	Desktop	✅	✅
`horizon`	13 inch Framework Laptop	Leyla	Laptop	✅	✅
`defiant`	NAS Server	Leyla	Server	✅	✅
`hesperium`	Mac	?????	Mac	❌	❌
`emergent`	Desktop Computer	Eve	Desktop	✅	✅
`threshold`	Laptop	Eve	Laptop	❌	❌
`wolfram`	Steam Deck	House	Handheld	✅	❌
`ceder`	A5 Tablet	Leyla	Tablet	✅	❌
`skate`	A6 Tablet	Leyla	Tablet	❌	❌
`shale`	A6 Tablet	Eve	Tablet	✅	❌
`coven`	Pixel 8	Leyla	Android	✅	❌

Tooling

Rebuilding

./rebuild.sh

Updating

nix flake update

New host setup

./install.sh --target 192.168.1.130 --flake hostname

Updating Secrets

sops secrets/secrets_file_here.yaml

Inspecting a configuration

nix-inspect -p .

Notes:

Research topics

Look into this for auto rotating sops keys https://technotim.live/posts/rotate-sops-encryption-keys/
Look into this for npins https://jade.fyi/blog/pinning-nixos-with-npins/
https://nixos-and-flakes.thiscute.world/
proton mail now has an smtp server we could use that for our zfs and SMART test emails

Tasks:

Chores:

test out crab hole service
qbittorent should be downloading to rpool/persist/system/qbittorrent or maybe even rpool/persist/system/jellyfin but right now its downloading to rpool/persist/system/root this should be fixed

Tech Debt

monitor configuration in ~/.config/monitors.xml should be sym linked to /run/gdm/.config/monitors.xml (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/)
migrate away from flakes and move to npins

Broken things

figure out steam vr things?
whisper was having issues

Data Integrity

zfs email after scrubbing # TODO: test this
SMART test with email results
zfs encryption FIDO2 2fa (look into shavee)
rotate sops encryption keys periodically (and somehow sync between devices?)
Secure Boot - https://github.com/nix-community/lanzaboote
auto turn off on power loss - nut
secondary server with data sync. Maybe a Pi with a usb hdd enclosure and use rtcwake to only turn on once a week to sync data over tailscale with connection initiated from pi's side. We could probably put this at LZ. Hoping for it to draw only like $1 of power a month. Initial sync should probably be done here before we move it over because that will take a while. Data should be encrypted so that devices doesn't have access to it. Project will prob cost like $1800

Data Access

nfs export should be backed by the same values for server and client
samba mounts
offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
figure out why syncthing and jellyfins permissions don't propagate downwards
make radarr, sonarr, and bazarr accessible over vpn
move searx, home-assistant, actual, vikunja, jellyfin, paperless, and immich to only be accessible via vpn

Services

vikunja service for project management
Penpot services (need to make this custom)
minecraft server with old world file
Create Tor guard/relay server
mastodon instance
screeps server

DevOps

wake on LAN for updates
remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html
ISO target that contains authorized keys for nixos-anywhere 4acc43ebc7/hosts/bootstrap/default.nix
fix panoramax package
claude code MCP servers should bundle node with them so they work in all environments

Observability

graphana for dashboards
prometheus and loki for metric and log collection
- zfs storage usage
- zfs drive health status
- service version lag
- network/cpu/ram utilization
- http latency
- postgres db load
- nginx queries
ntfy.sh for push notifications
kuma for uptime visualization

Packages

Custom private fork of MultiMC