{"id":21508853,"url":"https://github.com/oddlama/nix-config","last_synced_at":"2025-04-04T21:08:32.648Z","repository":{"id":156761746,"uuid":"568936554","full_name":"oddlama/nix-config","owner":"oddlama","description":"❄️ My nix config and dotfiles","archived":false,"fork":false,"pushed_at":"2025-03-23T10:02:50.000Z","size":6997,"stargazers_count":200,"open_issues_count":0,"forks_count":4,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-28T20:11:39.948Z","etag":null,"topics":["dotfiles","flake","nix","nix-dotfiles","nix-flake","nixos","nixos-configuration","nixos-dotfiles"],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oddlama.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-21T18:21:18.000Z","updated_at":"2025-03-28T18:26:42.000Z","dependencies_parsed_at":"2023-10-16T05:16:15.551Z","dependency_job_id":"15024004-0526-4a72-819f-2281dd24e174","html_url":"https://github.com/oddlama/nix-config","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oddlama%2Fnix-config","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oddlama%2Fnix-config/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oddlama%2Fnix-config/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oddlama%2Fnix-config/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/own
ers/oddlama","download_url":"https://codeload.github.com/oddlama/nix-config/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247249526,"owners_count":20908212,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dotfiles","flake","nix","nix-dotfiles","nix-flake","nixos","nixos-configuration","nixos-dotfiles"],"created_at":"2024-11-23T21:13:08.339Z","updated_at":"2025-04-04T21:08:32.627Z","avatar_url":"https://github.com/oddlama.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"[Hosts](#hosts) \\| [Overview](#overview) \\| [Structure](./STRUCTURE.md)\n\n![preview](https://github.com/oddlama/nix-config/assets/31919558/139c94de-9ecd-4b36-ab5c-c654d9e38888)\n\n## ❄️  My NixOS Configuration\n\nThis is my personal nix config which I use to maintain my whole infrastructure,\nincluding my homelab, external servers and my development machines.\n\n## Hosts\n\n|  | Type | Name | Hardware | Purpose\n---|---|---|---|---\n💻 | Laptop | nom | Gigabyte AERO 15-W8 (i7-8750H) | My laptop and my main portable development machine \u003csub\u003eFramework when?\u003c/sub\u003e\n🖥️ | Desktop | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming\n🖥️ | Server | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms.\n🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. 
Runs all services as microvms.\n🖥️ | Server | sausebiene | Intel N100 | Home automation and IoT network isolation\n🥔 | Server | zackbiene | ODROID N2+ | Decommissioned. Old home assistant board\n☁️  | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services\n☁️  | VPS | envoy | Hetzner Cloud server | Mailserver\n\n## Overview\n\nAn overview of what you will find in this repository. I usually put a lot of\neffort into all my configurations and try to go over every option in detail.\nI've included the major components in the lists below.\n\n#### Dotfiles\n\n| ~~~~~~~~~~~~ | Program | Source | Description\n---|---|---|---\n🐚 Shell | ZSH \u0026 Starship | [Link](./users/config/shell) | ZSH configuration with FZF, starship prompt, sqlite history and histdb-skim for fancy \u003ckbd\u003eCtrl\u003c/kbd\u003e\u003ckbd\u003eR\u003c/kbd\u003e\n🖥️ Terminal | Kitty | [Link](./users/myuser/graphical/kitty.nix) | Terminal configuration with nerdfonts and history \u003ckbd\u003eCtrl\u003c/kbd\u003e\u003ckbd\u003eShift\u003c/kbd\u003e\u003ckbd\u003eH\u003c/kbd\u003e to view scrollback buffer in neovim\n🪟 WM | hyprland \u0026 i3 | [Link](./users/myuser/graphical/hyprland.nix), [Link](./users/myuser/graphical/i3.nix) | Tiling window manager, heavily customized to my personal preferences\n🔋 Bar | waybar | [Link](./users/myuser/graphical/waybar.nix) | Taskbar and status\n🌐 Browser | Firefox | [Link](./users/myuser/graphical/firefox.nix) | Firefox with many privacy settings and betterfox\n🖊️ Editor | Neovim | [Link](./users/myuser/neovim) | Extensive neovim configuration, made with nixvim\n📜 Manpager | Neovim | [Link](./users/config/manpager.nix) | Isolated neovim as manpager via nixvim\n📷 Screenshots | Custom based on grimblast | [Link](./pkgs/scripts) | Custom scripts utilizing grimblast for [QR code detection](./pkgs/scripts/screenshot-area-scan-qr.nix) and [OCR / satty editing](./pkgs/scripts/screenshot-area.nix)\n🗨️ Notifications | SwayNotificationCenter | 
[Link](./users/myuser/graphical/swaync.nix) | Notification center with customized color scheme\n🎮 Gaming | Steam \u0026 Bottles | [Link](./users/myuser/graphical/games) | Setup for gaming\n📫 Mail | Thunderbird | [Link](./users/myuser/graphical/thunderbird.nix) | Your regular thunderbird setup\n\n#### Services\n\n| ~~~~~~~~~~~~ | Service | Source | Description\n---|---|---|---\n💸 Budgeting | Actual Budget | [Link](./hosts/sire/guests/actual.nix) | Budgeting application to track income and expenses\n🛡️ Adblock | AdGuard Home | [Link](./hosts/ward/guests/adguardhome.nix) | DNS level adblocker\n🔒 SSO | Kanidm | [Link](./hosts/ward/guests/kanidm.nix) | Identity provider for Single-Sign-On on my hosted services, with provisioning.\n🐙 Git | Forgejo | [Link](./hosts/ward/guests/forgejo.nix) | Forgejo with SSO\n🔑 Passwords | Vaultwarden | [Link](./hosts/ward/guests/vaultwarden.nix) | Self-hosted password manager\n📷 Photos | Immich | [Link](./hosts/sire/guests/immich.nix) | Self-hosted photo and video backup solution\n📄 Documents | Paperless | [Link](./hosts/sire/guests/paperless.nix) | Document management system. With per-user Samba share integration (consume \u0026 archive)\n🗓️ CalDAV/CardDAV | Radicale | [Link](./hosts/ward/guests/radicale.nix) | Contacts, Calendar and Tasks synchronization\n📁 NAS | Samba | [Link](./hosts/sire/guests/samba.nix) | Network attached storage. Cross-integration with paperless\n🌐 VPN | Firezone | [Link](./hosts/ward/guests/firezone.nix) | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication.\n🏠 Home Automation | Home Assistant | [Link](./hosts/zackbiene/home-assistant.nix) | Automation with Home Assistant and many related services\n📧 Mailserver | Stalwart | [Link](./hosts/envoy/stalwart-mail.nix) | Modern mail server setup with custom self-service alias management including Bitwarden integration\n🧱 Minecraft | PaperMC | [Link](./hosts/sire/guests/minecraft.nix) | Minecraft game server. 
Autostart on connect, systemd service with background console, automatic backups\n🐒 Local LLM | Ollama \u0026 open-webui | [Link](./hosts/sire/guests/ai.nix) | Local LLM and AI Chat\n📊 Dashboard | Grafana | [Link](./hosts/sire/guests/grafana.nix) | Logs and metrics dashboard and alerting\n📔 Logs DB | Loki | [Link](./hosts/sire/guests/loki.nix) | Central log aggregation service\n📔 Logs Agent | Promtail | [Link](./modules/promtail.nix) | Log shipping agent\n📚 TSDB | Influxdb2 | [Link](./hosts/sire/guests/influxdb.nix) | Time series database for storing host metrics\n⏱️  Metrics | Telegraf | [Link](./modules/telegraf.nix) | Per-host collection of metrics\n\n\u003c!--\n- home assistant \u0026 subcomponents\n- scrutiny\n- ollama\n- open-webui\n--\u003e\n\n#### General \u0026 Miscellaneous\n\n(WIP)\n\n| ~~~~~~~~~~~~ | Source | Description\n---|---|---\n🗑️ Impermanence | [Link](./config/impermanence.nix) | Only persist what is necessary. ZFS rollback on boot. Most configuration will be next to the respective service / program configuration.\n\n- reverse proxy with wireguard tunnel\n- restic\n- static wireguard mesh\n- unified guests interface for microvms and containers with ZFS integration\n- zoned nftables\n- Secret rekeying, generation and bootstrapping using [agenix-rekey](https://github.com/oddlama/agenix-rekey)\n- Remote-unlockable full disk encryption using ZFS on LUKS \u003c!-- with automatic snapshots and backups --\u003e\n- Automatic disk partitioning via [disko](https://github.com/nix-community/disko)\n- Support for repository-wide secrets at evaluation time (hides PII like MACs)\n\n## Structure\n\nIf you are interested in parts of my configuration,\nyou probably want to examine the contents of `users/`, `config/`, `modules/` and `hosts/`.\nAlso, a lot of interesting modules have been moved to [nixos-extra-modules](https://github.com/oddlama/nixos-extra-modules), a separate repository specifically for reusable stuff.\nThe full structure of this flake is 
described in [STRUCTURE.md](./STRUCTURE.md),\nbut here's a quick breakdown of what you will find where.\n\n|   |   |\n|---|---|\n`config/` | global configuration for all hosts\n`config/optional/` | optional configuration included by hosts\n`hosts/\u003chostname\u003e` | top-level configuration for `\u003chostname\u003e`\n`modules/` | classical reusable configuration modules\n`nix/` | library functions and flake plumbing\n`pkgs/` | Custom packages and scripts\n`secrets/` | Global secrets and age identities\n`users/` | User configuration and dotfiles\n\n## How-To\n\n#### Add new machine\n\n... incomplete.\n\n- Add \u003cname\u003e to `hosts` in `flake.nix`\n- Create hosts/\u003cname\u003e\n- Fill net.nix\n- Fill fs.nix (you need to know the device /dev/by-id paths in advance for partitioning to work!)\n- Run `agenix generate` and `agenix rekey` (creates dummy secrets for initial deploy)\n\n#### Initial deploy\n\n- Create a bootable iso disk image with `nix build --print-out-paths --no-link .#images.\u003ctarget-system\u003e.live-iso`, dd it to a stick and boot\n- (Alternative) Use an official NixOS live-iso and set up ssh manually\n- Copy the installer from a local machine to the live system with `nix copy --to \u003ctarget\u003e .#nixosConfigurationsMinimal.config.system.build.installFromLive`\n\nAfterwards:\n\n- Run `install-system` in the live environment, export your zfs pools and reboot\n- Retrieve the new host identity by using `ssh-keyscan \u003chost/ip\u003e | grep -o 'ssh-ed25519.*' \u003e hosts/\u003chost\u003e/secrets/host.pub`\n- (If the host has guests, also retrieve their identities!)\n- Rekey the secrets for the new identity `nix run .#rekey`\n- Deploy again\n\n#### New secret\n\n...\n\n## Stuff\n\n- Generate, edit and rekey secrets with `agenix \u003cgenerate|edit|rekey\u003e`\n\nTo be able to decrypt the repository-wide secrets (files that contain my PII and are thus hidden from public view),\nyou will need to \u003csub\u003e(be me 
and)\u003c/sub\u003e add nix-plugins and point it to `./nix/extra-builtins.nix`.\nThe devshell will do this for you automatically. If this doesn't work for any reason, this can also be done manually:\n\n1. Get nix-plugins: `NIX_PLUGINS=$(nix build --print-out-paths --no-link nixpkgs#nix-plugins)`\n2. Run all commands with `--option plugin-files \"$NIX_PLUGINS\"/lib/nix/plugins --option extra-builtins-file ./nix/extra-builtins.nix`\n\n## Misc\n\nGenerate self-signed cert, e.g. for kanidm internal communication to proxy:\n\n```bash\nopenssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \\\n  -keyout selfcert.key -out selfcert.crt -subj \\\n  \"/CN=example.com\" -addext \"subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foddlama%2Fnix-config","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foddlama%2Fnix-config","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foddlama%2Fnix-config/lists"}