My NixOS configurations
Here are my NixOS config files. They require Nix flakes.
Highlights:
- Multiple NixOS configurations, including desktop, laptop and servers
- Fully declarative self-hosted stuff
- Deployment secrets using sops-nix
- Mesh networked hosts with wireguard
About the installation
All my computers use a single btrfs partition, with subvolumes for /nix, /root and /home. The exception is my servers: they still use btrfs, but the boot volumes on those are not encrypted.
How to bootstrap
All you need is nix (any version). Run:
```
nix-shell
nixos-rebuild switch --flake .#<host>   # to build system configurations
sops                                     # to manage secrets
```
Secrets
For deployment secrets (such as user passwords and server service secrets), I'm using the awesome sops-nix. All secrets are encrypted with an age key, as well as the relevant system's SSH host key.
On my desktop, laptop and phone I use self-hosted vaultwarden for managing passwords; it is only accessible to clients on my wireguard network.
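As an added example (not code from this repository), here is a NixOS module showing how the sops-nix setup just described fits together: the host decrypts secrets with its own SSH host key (plus an optional age key), and decrypted material lands on a tmpfs under /run rather than in the world-readable Nix store. The host name, secret names, user and file paths are assumptions.

```nix
# Added example, not part of this repository. Names below are placeholders.
{ config, ... }:
{
  # Encrypted sops file committed to the repo (path is an assumption).
  sops.defaultSopsFile = ../secrets/example-host.yaml;

  # sops-nix derives an age identity from the host's SSH ed25519 key at
  # activation time, so a machine can only decrypt what was encrypted for it.
  # The matching recipient line for .sops.yaml is produced on the host with:
  #   ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
  # and then listed under creation_rules -> key_groups -> age in .sops.yaml.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Optional additional age key stored outside the repo; never generated
  # automatically so a host does not silently gain a recipient identity.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = false;

  # A user password hash must exist before users are created, so it is
  # written to /run/secrets-for-users early in activation.
  sops.secrets."alice/hashed-password".neededForUsers = true;

  # A service credential: root-owned, mode 0400, placed in /run/secrets
  # (tmpfs), so it never ends up in the Nix store or on the btrfs volume.
  sops.secrets."wireguard/private-key" = {
    owner = "root";
    mode = "0400";
  };

  users.users.alice = {
    isNormalUser = true;
    hashedPasswordFile = config.sops.secrets."alice/hashed-password".path;
  };

  # Reference the decrypted path; the key itself is never in configuration.
  networking.wireguard.interfaces.wg0.privateKeyFile =
    config.sops.secrets."wireguard/private-key".path;
}
```

If a host's SSH key is rotated, its age recipient in .sops.yaml must be regenerated and every affected file re-encrypted with `sops updatekeys`, otherwise that host loses the ability to decrypt at the next activation.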
Tooling and applications I use
Most relevant user apps as daily drivers:
- kitty
- KDE Plasma
- fish
- KDE kate (IDE)
- brave
- bitwarden
Some of the services I host:
- syncthing
- uptime kuma
- git
- victoriametrics
- mailserver
- wireguard VPN
Overview of host structures
- giga - daily driver Gigabyte Aero 15x laptop with RTX 3090 eGPU
- command - Powerful desktop for running VMs and gaming (offline since late 2024 as it is in a closet in another country)
- vpn - wireguard VPN tunnel host with adguard for DNS blocking and unbound as an encrypted DNS server for all my other machines, including my phone
- public - Public facing host where most of my services live, like syncthing (backups), vaultwarden (bitwarden server), forgejo (this git), uptime-kuma (infra uptime monitoring & alerting), mattermost (chat), etc.
- mail - ymrtech mailserver set up with nixos-simple-mailserver