No description
- Nix 96.5%
- Shell 2.3%
- CSS 0.9%
- Nu 0.3%
| config | ||
| hosts | ||
| keys | ||
| modules | ||
| modules-hm | ||
| nix | ||
| patches/PR | ||
| pkgs | ||
| secrets | ||
| users | ||
| .envrc | ||
| .gitignore | ||
| CLAUDE.md | ||
| flake.lock | ||
| flake.nix | ||
| globals.nix | ||
| ids.json | ||
| README.md | ||
| statix.toml | ||
| STRUCTURE.md | ||
Meine wundervolle nix config ❄️
Hosts
| Name | Device | Description | |
|---|---|---|---|
| 💻 | patricknix | HP spectre x360 | Patrick's laptop, mainly used for on the go university |
| 💻 | thinknix | ThinkPad | Work laptop |
| 🖥️ | desktopnix | Intel i5-8600K NVIDIA GeForce GTX 1080 32 GiB RAM |
Patrick's desktop, used for most development and gaming |
| 🖥️ | elisabeth | AMD Ryzen 7 5800X 32 GiB RAM |
Server running most cloud services |
| 🖥️ | nucnix | Intel NUC | Gateway for internal home network |
| 🖥️ | mailnix | Hetzner VPS | Static IP server running mail |
| 🖥️ | torweg | Hetzner VPS | Static IP server running gateway services |
User Configuration
This showcases my end user setup, which I dailydrive on all my hosts.
| Programm | Description | |
|---|---|---|
| 🐚 Shell | ZSH & Starship | ZSH with FZF autocomplete, starship prompt, sqlite history and histdb-skim for fancy reverse search |
| 🪟 WM | Niri | Scrolling tiling window manager |
| 🖼️ Styling | Stylix | globally consistent styling |
| 📝 Editor | NeoVim | Extensively configured neovim |
| 🎮 Gaming | Bottles & Steam | Pew, Pew and such |
| 🌐 Browser | Firefox | Heavily configured Firefox to still my privacy and security needs |
| 💻 Terminal | Kitty | fast terminal |
| 🎵 Music | Spotify | Fancy looking spotify using spicetify |
| Thunderbird | Best email client there is |
Service Configuration
These are services I've set up
| Programm | Description | |
|---|---|---|
| 💸 Budgeting | FireflyIII | Self Hosted budgeting tool |
| 🛡️ AdBlock | AdGuard Home | DNS Adblocker |
| 📝 Blog | Blog | Personal blog |
| 🔨 Git | Forgejo | Selfhosted GitHub alternative |
| 📊 Monitoring | Grafana | Monitoring dashboards |
| 🏠 Home | Home Assistant | Home automation |
| 📸 Photos | Immich | Selfhosted Google Photos equivalent |
| ▶️ Video | Invidious | Privacy-friendly YouTube frontend |
| 🎬 Media | Jellyfin | Media server |
| 🔒 SSO | Kanidm | Secure single sign on Identity Provider |
| 🔗 Bookmarks | Linkwarden | Bookmark manager |
| 🍽️ Recipes | Mealie | Recipe manager |
| Stalwart | All in one mail server | |
| 🌐 VPN | Firezone | Easy to use peer to peer VPN solution based on wireguard |
| 🌧️ Cloud | NextCloud | All in one cloud solution providing online File storage as well as notes, contacts and calendar synchronization |
| 🗄️ Documents | Paperless | Machine learning supported document organizing platform |
| 📁 NAS | Samba | Local network shared storage |
| 📰 Feedreader | freshRSS | Hosted RSS feed aggregator |
| 🔑 Passwords | Vaultwarden | Self hosted bitwarden server |
| 🎵 Music | Your Spotify | Spotify listening habits analyzer |
External dependencies
These are notable external flakes which this config depend upon
| Name | Usage |
|---|---|
| NixVim | NeoVim using nix |
| MicroVM | Declarative VMs |
| Disko | disk partitioning |
| nixos-generators | generate installers |
| home-manager | user config |
| agenix | secret files for nix |
| agenix-rekey | secret files that are git commitable |
| nixos-nftables-firewall | nftables based firewall |
| impermanence | stateless filesystem |
| lanzaboote | Secure Boot |
| stylix | theming |
| spicetify | spotify looking fancy |
How-To
Add additional hosts
- Create host configuration in
hosts/<name>- Create and fill
default.nix - Fill
net.nix - Fill
fs.nix - Don't forget to add necessary config for filesystems, etc.
- Create and fill
- Generate ISO image using
nix build --print-out-paths --no-link .#images.<target-system>.live-iso- This might take multiple minutes(~10)
- Alternatively boot an official nixos image connect with password
- Copy ISO to usb using dd
- After booting copy the installer to the live system using
nix copy --to <target> .#minimalConfigurations.<target-system>.config.system.build.installFromLive - Run the installer script from the nix store of the live system
- you can get the path using
nix path-info .#minimalConfigurations.<target-system>.config.system.build.installFromLive
- you can get the path using
- Export all zpools and reboot into system
- Retrieve hostkeys using
ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub - Deploy system
Add new services
- Add service config to
config/services/<service>- Add Impermanence
- Add allowed ports
- Add id to
ids.json - Add UID to
config/basic/users.nix - Add definitions to
globals.nix - Add Container/VM to
hosts/<host>/guests.nix - Run
agenix generate && agenix rekey - Deploy system
- Fetch ssh hostkey using
ssh-keyscan - Rekey again
agenix rekey - Deploy again
Add secureboot to new systems
- generate keys with
sbctl create-keys - tar the resulting folder using
tar cvf secureboot.tar -C /var/lib/sbctl . - Copy the tar to local using scp and encrypt it using rage
rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age
- safe the encrypted archive to
hosts/<host>/secrets/secureboot.tar.age - DO NOT forget to delete the unecrypted archives
- Deploy your system with lanzaboote enabled
- ensure the boot files are signed using
sbctl verify - Now reboot the computer into BIOS and enable secureboot, this may include removing any existing old keys
- bootctl should now read
Secure Boot: disabled (setup) - you can now enroll your secureboot keys using
sbctl enroll-keysIf you want to be able to boot microsoft signed images append--microsoft- Time to reboot and pray
Add TPM unlock
- Run
systemd-cryptenroll --tpm2-with-pin=<yes/no> --tpm2-device=auto /dev/<...>
Deploy from new host
If deploying from a host not containing the necessary nix configuration option append
--nix-option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --nix-option extra-builtins-file ./nix/extra-builtins`