{"id":46231753,"url":"https://github.com/ppb1701/nixos-config","last_synced_at":"2026-03-03T18:02:48.268Z","repository":{"id":323707471,"uuid":"1079908320","full_name":"ppb1701/nixos-config","owner":"ppb1701","description":"NixOs Config -\u003e AdguardHome, Syncthing, Nginx, TailScale, SSH","archived":false,"fork":false,"pushed_at":"2026-02-25T15:56:21.000Z","size":415,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-25T19:29:42.432Z","etag":null,"topics":["adguardhome","nginx","nixos","ssh","syncthing","tailscale"],"latest_commit_sha":null,"homepage":"https://blog.ppb1701.com/building-a-bulletproof-home-server-series","language":"Nix","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ppb1701.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-20T15:12:26.000Z","updated_at":"2026-02-25T16:02:02.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ppb1701/nixos-config","commit_stats":null,"previous_names":["ppb1701/nixos-config"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/ppb1701/nixos-config","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ppb1701%2Fnixos-config","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ppb1701%2Fnixos-config/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ppb1701%2Fnixos-confi
g/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ppb1701%2Fnixos-config/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ppb1701","download_url":"https://codeload.github.com/ppb1701/nixos-config/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ppb1701%2Fnixos-config/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30054003,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-03T17:46:22.538Z","status":"ssl_error","status_checked_at":"2026-03-03T17:46:22.036Z","response_time":61,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adguardhome","nginx","nixos","ssh","syncthing","tailscale"],"created_at":"2026-03-03T18:02:32.449Z","updated_at":"2026-03-03T18:02:48.259Z","avatar_url":"https://github.com/ppb1701.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NixOS AdGuard Home Server\n\nA fully declarative, reproducible AdGuard Home DNS server built with NixOS. 
This configuration is designed to be:\n\n- **Declarative:** Everything defined in code\n- **Reproducible:** Rebuild identical systems anytime\n- **Disaster-proof:** Complete recovery in 20 minutes\n- **Privacy-focused:** Ad-blocking DNS with local control\n\n## ⚠️ Security Warning\n\nThis configuration uses a **temporary, publicly-known password** for initial convenience:\n\n**Default Password:** `nixos`\n\n### Why This Approach?\n\n- Keeps passwords out of public GitHub repositories\n- Allows you to set your own secure password after installation\n- Prevents being locked out of a freshly installed system\n\n### CRITICAL: Change Password Immediately\n\n**After installation, you MUST:**\n\n1. SSH into the system: `ssh ppb1701@YOUR_IP` (password: `nixos`)\n2. Change your password: `passwd`\n3. Edit `/etc/nixos/configuration.nix`:\n   - Remove: `initialPassword = \"nixos\";`\n   - Change: `security.sudo.wheelNeedsPassword = true;`\n4. Rebuild: `sudo nixos-rebuild switch`\n\n**DO NOT expose this system to the internet before changing the password!**\n\n## Blog Series\n\nThis repository is the companion code for my blog series:\n\n**Building a Resilient Home Server Series**\nhttps://blog.ppb1701.com/building-a-resilient-home-server-series\n\n**Discussion:** [@ppb1701@ppb.social](https://ppb.social/@ppb1701)\n\n## Repository Branches\n\nThis repository has two main branches serving different purposes:\n\n- **`main`:** Production server configuration - battle-tested and running on physical hardware\n  - Most services are **enabled** and ready to configure\n- **`vm`:** Testing branch - for VM testing and development of new features\n  - Several services are **disabled** for clean testing environments\n\n**Services disabled in VM branch (enabled in main):**\n- Tailscale (VPN mesh network)\n- Vaultwarden (Password manager)\n- SearX (Self-hosted search)\n- Nextcloud (Private cloud storage)\n- Collabora Online (Document editing - requires Nextcloud)\n- Linkwarden (Bookmark 
manager)\n\n**Services disabled in both branches:**\n- Gitea (Git hosting - configured but disabled)\n\nIf you clone the repo or use the VM branch, enable services by editing `/etc/nixos/modules/services.nix` and changing `enable = false` to `enable = true`, then run `sudo nixos-rebuild switch`.\n\nWhen deploying to production, use the `main` branch. Use `vm` for testing changes safely before deploying.\n\n## Features\n\n### Core Services\n\n- **AdGuard Home:** Network-wide ad blocking and DNS filtering\n  - Configurable upstream DNS (Control D, Quad9)\n  - DNSSEC enabled for security\n  - Web UI accessible via Nginx reverse proxy (http://adguard.home)\n- **Homepage Dashboard:** Centralized service dashboard\n  - Auto-discovers enabled services via NixOS module system\n  - Real-time CPU, memory, and disk usage widgets\n  - Dark theme with organized categories (Network, Services, Monitoring)\n  - Web UI accessible at http://home.home\n- **Syncthing:** Cross-platform file synchronization\n  - Works with Windows, macOS, Linux, Android\n  - Private device configuration\n  - Secure LAN-only sync\n  - Web UI accessible via Nginx reverse proxy (http://syncthing.home)\n- **Nextcloud:** Private cloud storage and collaboration platform\n  - File sync and sharing with desktop/mobile clients\n  - External drive support for large storage\n  - Calendar, contacts, and collaborative editing\n  - Integrated monitoring and alerting\n  - Web UI accessible at http://cloud.home\n- **Collabora Online:** Document editing engine for Nextcloud\n  - LibreOffice-based collaborative editing (replaces Google Docs/Office 365)\n  - Edit documents, spreadsheets, and presentations in browser\n  - Integrated via Richdocuments Nextcloud app\n  - Proxied via Nginx at http://collabora.home\n  - Requires nixos-unstable channel (see Troubleshooting docs for channel/pinning details)\n- **Vaultwarden:** Self-hosted password manager (Bitwarden compatible)\n  - Secure password vault with 2FA support\n  - 
Accessible remotely via Tailscale Funnel (HTTPS)\n  - Automatic HTTPS certificates\n  - Bitwarden client compatibility (desktop, mobile, browser extensions)\n  - Accessible at https://nixos.tailXXXXXX.ts.net (your Tailscale hostname)\n- **Nginx:** Reverse proxy for clean local URLs\n  - Access services via friendly names (adguard.home, syncthing.home, grafana.home, notes.home, etc.)\n  - No need to remember port numbers\n- **Tailscale:** Secure remote access VPN\n  - Access your server from anywhere\n  - Zero-config mesh networking\n- **SSH Access:** Secure remote management\n  - Key-based authentication support\n  - Auto-restart on failure\n- **NoteDiscovery:** Web-based knowledge base (optional)\n  - Full-text search across markdown notes\n  - Web UI accessible via Nginx reverse proxy (http://notes.home)\n  - Integrates with Syncthing for note synchronization\n  - Password-protected with configurable authentication\n- **SearX:** Self-hosted metasearch engine\n  - Privacy-respecting search aggregating multiple engines\n  - Dark theme, autocomplete, image proxy\n  - Web UI accessible at http://search.home\n- **Linkwarden:** Self-hosted bookmark manager\n  - Save, organize, and archive bookmarks\n  - Automatic page archiving with screenshots\n  - Browser extensions available\n  - Web UI accessible at http://links.home\n\n### Backup System\n\n- **Restic Backups:** Automated, encrypted backup system\n  - **Vaultwarden:** Hourly backups with service stop/start for SQLite safety\n  - **Nextcloud Database:** Daily PostgreSQL dumps at 2:15 AM\n  - **Linkwarden:** Daily PostgreSQL dumps + archived pages at 2:40 AM\n  - **Private Configs:** Daily backup of `/etc/nixos/private` at 3:15 AM\n  - Retention policy: 24 hourly, 7 daily, 4 weekly, 12 monthly\n  - All backups stored in `/var/local/backups/restic`\n\n- **Nextcloud Data Synchronization:** For syncing Nextcloud actual data between servers\n  - Initial sync via rsync: `rsync -avP -e \"ssh -p 2212\" 
/mnt/nextcloud-data/data/ user@host:/mnt/nextcloud-data/nextcloud/`\n  - Ongoing sync via Syncthing for continuous replication\n  - Provides disaster recovery capability to secondary server\n\nSee `docs/SERVICES.md` for detailed backup configuration and restore procedures.\n\n### Monitoring and Alerting Stack\n\n- **Prometheus:** Metrics collection and time-series database\n  - 30-day retention, system and service metrics\n  - Node, Nginx, Nextcloud, and Blackbox exporters\n  - Syncthing metrics monitoring\n  - HTTP health checks for services\n  - Web UI at http://prometheus.home\n- **Grafana:** Beautiful dashboards and visualization\n  - Pre-configured Prometheus and Loki data sources\n  - Import community dashboards\n  - Web UI at http://grafana.home\n- **Alertmanager:** Alert routing and notifications\n  - Email alerts via Fastmail SMTP\n  - Push notifications via ntfy\n  - Web UI at http://alertmanager.home\n- **Loki + Promtail:** Log aggregation and collection\n  - 7-day log retention\n  - Query logs through Grafana\n  - Systemd journal collection\n- **ntfy:** Self-hosted push notifications\n  - Instant alerts to mobile/desktop\n  - 24-hour message cache\n  - Web UI and mobile apps at http://ntfy.home\n\n**Note:** Monitoring configuration is now in its own module (`modules/monitoring.nix`) for better organization.\n\nSee `docs/SERVICES.md` and `docs/NEXTCLOUD-SETUP.md` for detailed setup and configuration.\n\n### Desktop Environment\n\n- **LXQT Desktop:** Lightweight desktop environment for VM/local access\n  - LightDM display manager with auto-login\n  - PipeWire audio support\n  - NetworkManager applet for easy network configuration\n\n### Infrastructure Features\n\n- **Modular Configuration:** Services organized in logical modules\n  - `services.nix` - Core service configurations (AdGuard, Syncthing, Tailscale, Nginx, Nextcloud, Collabora Online, SearX, Linkwarden, NoteDiscovery)\n  - `homepage.nix` - Homepage Dashboard (auto-discovers enabled services, 
system resource widgets)\n  - `nginx-virtualhosts.nix` - Nginx reverse proxy virtual hosts (split out for readability)\n  - `monitoring.nix` - Complete monitoring stack (Prometheus, Grafana, Alertmanager, Loki, Promtail)\n  - `backups.nix` - Restic backup configuration\n  - `networking.nix` - Network and firewall settings\n  - `system.nix` - System packages, users, desktop\n  - `boot-bios.nix` / `boot-uefi.nix` - Boot configurations\n- **Private Configuration:** Sensitive data kept out of Git\n  - `private/` directory gitignored for security\n  - `private-example/` provides templates for required config files\n  - Automated installer copies examples to `private/` as starting point\n  - Files: `syncthing-secrets.nix`, `ssh-keys.nix`, `secrets.nix`, `alertmanager.env`, `notediscovery-config.*`, `nextcloud-admin-pass`\n- **Home Manager:** User environment management\n  - Custom ZSH configuration with starship prompt\n  - Extensive shell aliases for system management\n- **Custom ISO Builder:** Bootable installation images\n- **Automated Installation:** Zero-touch deployment script with BIOS/UEFI selection\n\n## Quick Start\n\n### Option 1: Pre-built ISO (Easiest)\n\n**Download the latest ISO:**\n\nhttps://github.com/ppb1701/nixos-config/releases/tag/nixos\n\n**Install:**\n\n1. Download the ISO from the releases page\n2. Flash ISO to USB drive (Rufus on Windows, `dd` on Linux/Mac, or Ventoy)\n3. Boot target machine from USB\n4. Run: `sudo /etc/nixos-config/install-nixos.sh`\n5. Choose UEFI or BIOS boot mode\n6. Follow prompts\n7. Reboot into your configured system!\n\n### Option 2: Build Your Own ISO\n\n**Build the ISO:**\n\n```bash\ngit clone https://github.com/ppb1701/nixos-config\ncd nixos-config\n./build-iso.sh\n```\n\n**Install:**\n\n1. Flash ISO to USB drive\n2. Boot target machine from USB\n3. Run: `sudo /etc/nixos-config/install-nixos.sh`\n4. Follow prompts\n5. 
Reboot into your configured system!\n\n### Option 3: Manual Installation\n\nOn an existing NixOS system:\n\n```bash\ngit clone https://github.com/ppb1701/nixos-config /etc/nixos\ncd /etc/nixos\nsudo nixos-rebuild switch\n```\n\n\u003e **Note:** You'll need to adjust `hardware-configuration.nix` for your hardware.\n\n## Configuration\n\n### Required Setup\n\n#### Network Settings\n\nEdit `modules/networking.nix`:\n\n**For VM testing (DHCP):**\n\n```nix\nnetworking.useDHCP = true;\n```\n\n**For production (Static IP):**\n\n```nix\nnetworking = {\n  useDHCP = false;\n  interfaces.eno1 = {\n    ipv4.addresses = [{\n      address = \"192.168.1.154\";\n      prefixLength = 24;\n    }];\n  };\n  defaultGateway = \"192.168.1.1\";\n  nameservers = [ \"127.0.0.1\" ];\n};\n```\n\n- Change `eno1` to your interface name\n- Change `192.168.1.154` to your desired IP\n- Change `192.168.1.1` to your router IP\n\n#### User Configuration\n\nEdit `configuration.nix`:\n\n```nix\nusers.users.ppb1701 = {\n  isNormalUser = true;\n  extraGroups = [ \"wheel\" \"networkmanager\" ];\n  hashedPassword = \"...\";\n};\n```\n\n- `hashedPassword` will be set during installation\n\n#### Hardware Configuration\n\n**Important:** Replace `hardware-configuration.nix` with output from:\n\n```bash\nnixos-generate-config --show-hardware-config\n```\n\n### Optional Services\n\n#### Monitoring and Alerting\n\n**Prerequisites:**\n\nCreate required private configuration files:\n\n1. **Grafana password file:**\n   ```bash\n   sudo micro /etc/nixos/private/secrets.nix\n   ```\n\n   Add content:\n   ```nix\n   {\n     grafanaPassword = \"your-secure-password-here\";\n     grafanaSecretKey = \"your-random-secret-key\";  # openssl rand -hex 32\n   }\n   ```\n\n2. 
**Alertmanager SMTP configuration:**\n   ```bash\n   sudo micro /etc/nixos/private/alertmanager.env\n   ```\n\n   Add content:\n   ```bash\n   SMTP_USERNAME=your-email@fastmail.com\n   SMTP_PASSWORD=your-fastmail-app-password\n   EMAIL_TO=alerts@your-domain.com\n   ```\n\n3. **Rebuild system:**\n   ```bash\n   sudo nixos-rebuild switch\n   ```\n\n4. **Configure DNS rewrites in AdGuard Home:**\n\n   Open AdGuard Home web UI → Filters → DNS rewrites, and add:\n\n   ```\n   grafana.home       → 192.168.1.154\n   prometheus.home    → 192.168.1.154\n   alertmanager.home  → 192.168.1.154\n   ntfy.home          → 192.168.1.154\n   notes.home         → 192.168.1.154\n   ```\n\n5. **Access monitoring services:**\n   - **Grafana:** http://grafana.home (username: admin, password: from secrets.nix)\n   - **Prometheus:** http://prometheus.home\n   - **Alertmanager:** http://alertmanager.home\n   - **ntfy:** http://ntfy.home\n\n6. **Set up mobile notifications:**\n   - Install ntfy app (iOS/Android)\n   - Subscribe to: `http://YOUR_SERVER_IP:2586/nixos`\n   - Test: `curl -d \"Test\" http://localhost:2586/nixos`\n\n\u003e **Note:** See `docs/SERVICES.md` for complete monitoring stack documentation including alert rules, Grafana dashboard setup, and troubleshooting.\n\n#### Syncthing (File Sync)\n\n**Setup:**\n\n1. Create secrets configuration (for monitoring):\n   ```bash\n   sudo micro /etc/nixos/private/syncthing-secrets.nix\n   ```\n\n   Add content:\n   ```nix\n   {\n     guiPassword = \"your-strong-password-here\";\n\n     prometheus_auth = {\n       username = \"ppb1701\";\n       password = \"your-strong-password-here\";\n     };\n   }\n   ```\n\n2. 
Create devices configuration:\n   ```bash\n   sudo micro /etc/nixos/private/syncthing-devices.nix\n   ```\n\n   Add content:\n   ```nix\n   {\n     devices = {\n       \"my-laptop\" = {\n         id = \"ABCDEFG-HIJKLMN-OPQRSTU-VWXYZAB-CDEFGHI-JKLMNOP-QRSTUVW-XYZABCD\";\n       };\n     };\n\n     folders = {\n       \"Documents\" = {\n         path = \"/home/ppb1701/Documents\";\n         devices = [ \"my-laptop\" ];\n       };\n     };\n   }\n   ```\n\n   **Note:** The `prometheus_auth` in syncthing-secrets.nix allows Prometheus to scrape Syncthing metrics for monitoring.\n\n3. Get device IDs from each device:\n   - Install Syncthing on the device\n   - Open web UI: http://localhost:8384\n   - Go to Actions → Show ID\n   - Copy the full device ID\n\n4. Add more devices and folders as needed to `syncthing-devices.nix`\n\n5. Rebuild:\n   ```bash\n   sudo nixos-rebuild switch\n   ```\n\n6. Access Syncthing web UI:\n   - **Via Nginx:** http://syncthing.home (requires DNS rewrite in AdGuard Home - see below)\n   - **Direct access:** http://192.168.1.154:8384\n   - **Username:** ppb1701\n   - **Password:** (what you set in syncthing-secrets.nix)\n\n\u003e **Note:** The `private/` directory is gitignored to protect your device IDs and password.\n\n#### Vaultwarden (Password Manager)\n\n**Prerequisites:**\n\nVaultwarden requires Tailscale for remote access via Tailscale Funnel, providing secure HTTPS access to your password manager from anywhere.\n\n**Setup:**\n\n1. **Generate admin token:**\n   ```bash\n   nix-shell -p openssl --run \"openssl rand -base64 48\"\n   ```\n\n2. **Create environment file:**\n   ```bash\n   sudo mkdir -p /etc/nixos/private\n   sudo micro /etc/nixos/private/vaultwarden.env\n   ```\n\n   Add content:\n   ```bash\n   ADMIN_TOKEN='your_generated_token_here'\n   ```\n\n3. 
**Add Tailscale hostname to secrets:**\n   ```bash\n   sudo micro /etc/nixos/private/secrets.nix\n   ```\n\n   Update to include your Tailscale hostname:\n   ```nix\n   {\n     grafanaPassword = \"your-secure-password-here\";\n     grafanaSecretKey = \"your-random-secret-key\";  # openssl rand -hex 32\n     tailscaleIP = \"100.x.y.z\";  # Your Tailscale IP\n     tailscaleHostname = \"nixos.tailXXXXXX.ts.net\";  # Your Tailscale hostname\n     tailscaleIP2 = \"100.x.y.z\";  # Secondary server Tailscale IP (if applicable)\n     tailscaleHostname2 = \"nixos2.tailXXXXXX.ts.net\";  # Secondary server hostname\n   }\n   ```\n\n   **Finding your Tailscale hostname:**\n   - Run: `tailscale status`\n   - Or visit: https://login.tailscale.com/admin/machines\n   - Look for your machine's hostname (e.g., nixos.taild891fe71.ts.net)\n\n4. **Rebuild system:**\n   ```bash\n   sudo nixos-rebuild switch\n   ```\n\n5. **Enable Tailscale Funnel:**\n\n   a. Enable Funnel in your Tailscale account:\n   - Go to https://login.tailscale.com/admin/settings\n   - Under \"Access Controls\", click \"Edit\"\n   - Add the following to your ACL configuration:\n     ```json\n     \"nodeAttrs\": [\n       {\n         \"target\": [\"autogroup:member\"],\n         \"attr\": [\"funnel\"]\n       }\n     ]\n     ```\n   - Click \"Save\"\n\n   b. Start Tailscale Funnel:\n   ```bash\n   sudo tailscale funnel --bg --https=443 http://127.0.0.1:8222\n   ```\n\n6. **Access Vaultwarden and complete setup:**\n   - Open: https://nixos.tailXXXXXX.ts.net (use your Tailscale hostname)\n   - Create your account (first account is admin)\n   - Enable 2FA in Account Settings for security\n   - Disable signups in admin panel (/admin):\n     - Go to https://nixos.tailXXXXXX.ts.net/admin\n     - Login with your admin token\n     - Disable \"Allow new signups\"\n     - Save settings\n\n7. 
**Optional - Rebuild to disable signups permanently:**\n\n   Edit `/etc/nixos/modules/services.nix` and ensure:\n   ```nix\n   SIGNUPS_ALLOWED = false;\n   ```\n\n   Then rebuild: `sudo nixos-rebuild switch`\n\n**Using Vaultwarden:**\n\n- **Web Vault:** https://nixos.tailXXXXXX.ts.net\n- **Admin Panel:** https://nixos.tailXXXXXX.ts.net/admin\n- **Mobile/Desktop Apps:** Use official Bitwarden apps\n  - Download from: https://bitwarden.com/download/\n  - Configure server URL: https://nixos.tailXXXXXX.ts.net\n  - Login with your credentials\n\n\u003e **Security Notes:**\n\u003e - Vaultwarden only listens on localhost (127.0.0.1) for security\n\u003e - Access is only available via Tailscale Funnel with automatic HTTPS\n\u003e - Enable 2FA immediately after creating your account\n\u003e - Store your admin token securely - you'll need it for admin panel access\n\u003e - Disable signups after creating your accounts to prevent unauthorized access\n\n#### DNS Configuration for Clean URLs\n\nTo access services via clean URLs (adguard.home, syncthing.home, etc.), configure DNS rewrites in AdGuard Home:\n\n**Setup:**\n\n1. Open AdGuard Home web UI: http://192.168.1.154:3000\n2. Go to **Filters** → **DNS rewrites**\n3. 
Add these DNS rewrites:\n\n```\nadguard.home       → 192.168.1.154\nhome.home          → 192.168.1.154\nsyncthing.home     → 192.168.1.154\nsearch.home        → 192.168.1.154\nlinks.home         → 192.168.1.154\ncollabora.home     → 192.168.1.154\n```\n\nIf you've also set up monitoring, knowledge management, and cloud storage services, add:\n\n```\ngrafana.home       → 192.168.1.154\nprometheus.home    → 192.168.1.154\nalertmanager.home  → 192.168.1.154\nntfy.home          → 192.168.1.154\nnotes.home         → 192.168.1.154\ncloud.home         → 192.168.1.154\n```\n\n**How it works:**\n- AdGuard Home acts as your network's DNS server\n- DNS rewrites map `.home` domains to your server's IP\n- Split DNS: `.home` domains resolve on both LAN and Tailscale networks\n- Works automatically for all devices using AdGuard Home as DNS\n- No need to edit /etc/hosts on every device\n\n**Alternative (if not using AdGuard Home as DNS):**\n\nAdd to `/etc/hosts` on each client device:\n\n```\n192.168.1.154  adguard.home home.home syncthing.home search.home links.home collabora.home grafana.home prometheus.home alertmanager.home ntfy.home notes.home cloud.home\n```\n\n#### Other Services\n\nSee documentation for detailed guides:\n\n- `docs/SERVICES.md` - Comprehensive monitoring and alerting stack, alternative services, and integrations\n- `docs/NEXTCLOUD-SETUP.md` - Complete Nextcloud setup, troubleshooting, and iOS app configuration\n- Additional service options: Netdata, Uptime Kuma, WireGuard, Samba, Jellyfin, Navidrome, Home Assistant, Gitea, Fail2ban\n\n## System Maintenance\n\n### Cleaning Up Old Generations\n\nOver time, NixOS accumulates old system generations that consume disk space. 
Use these commands or the convenient shell alias to recover space:\n\n```bash\n# Using shell alias (easiest)\ncleanup\n\n# Or manually\nsudo nix-collect-garbage -d\nsudo nix-store --optimize\n```\n\n**What it does:**\n- `cleanup` alias removes all old generations and optimizes the store\n- `nix-collect-garbage -d` removes all unreachable store paths\n- `nix-store --optimize` hard-links identical files to save space\n\n**When to run:**\n- Monthly as routine maintenance\n- Before major system upgrades\n- When disk space is running low\n- After experimenting with multiple configurations\n\n**Expected results:**\n- Can free 5-20GB depending on how many old generations exist\n- Store optimization typically saves 10-30% through hard-linking\n\n**Other useful aliases:**\n- `optimize` - Just run store optimization\n- `diskspace` - Check current disk usage (df -h)\n\n\u003e **Tip:** Keep at least one or two recent generations in case you need to rollback. You can rollback with the `rollback` alias.\n\n## Repository Structure\n\n```\nnixos-config/\n├── configuration.nix              # Main system configuration (BIOS boot)\n├── configuration-bios.nix         # BIOS/Legacy boot variant\n├── configuration-uefi.nix         # UEFI boot variant\n├── hardware-configuration.nix     # Hardware-specific settings (auto-generated)\n├── build-iso.sh                   # ISO build script\n├── install-nixos.sh               # Automated installation script\n├── setup.config.sh                # Configuration extraction script\n├── modules/                       # Service modules\n│   ├── services.nix              # Core services (AdGuard, Syncthing, Tailscale, Nginx, Nextcloud, Collabora, SearX, Linkwarden, etc.)\n│   ├── homepage.nix              # Homepage Dashboard (service landing page with system monitoring)\n│   ├── nginx-virtualhosts.nix    # Nginx reverse proxy virtual hosts (split out for readability)\n│   ├── monitoring.nix            # Monitoring stack (Prometheus, Grafana, 
Alertmanager, Loki, Promtail)\n│   ├── backups.nix               # Restic backup configuration (Vaultwarden, Nextcloud DB, Linkwarden, private configs)\n│   ├── networking.nix            # Network \u0026 firewall configuration\n│   ├── system.nix                # System packages, users, desktop, SSH\n│   ├── boot-bios.nix             # BIOS/GRUB boot configuration\n│   └── boot-uefi.nix             # UEFI/systemd-boot configuration\n├── home/                          # Home Manager configurations\n│   └── ppb1701.nix               # User environment (ZSH, Starship, aliases)\n├── private/                       # Private config (gitignored)\n│   ├── syncthing-secrets.nix     # Syncthing settings and device IDs\n│   ├── syncthing-devices.nix     # Symlink to syncthing-secrets.nix\n│   ├── ssh-keys.nix              # SSH authorized keys\n│   ├── secrets.nix               # Service passwords (Grafana, Tailscale, SearX, Linkwarden, Gitea, etc.)\n│   ├── alertmanager.env          # SMTP credentials for email alerts\n│   ├── vaultwarden.env           # Vaultwarden admin token\n│   ├── notediscovery-config.nix  # NoteDiscovery notes path\n│   ├── notediscovery-config.yaml # NoteDiscovery app configuration\n│   ├── nextcloud-admin-pass      # Nextcloud admin password\n│   └── restic-password           # Restic backup encryption password\n├── private-example/               # Example templates for private config\n│   ├── README.md                 # Instructions for private config\n│   ├── secrets.nix               # Example secrets file (Grafana, Tailscale)\n│   ├── ssh-keys.nix              # Example SSH keys file\n│   ├── alertmanager.env          # Example SMTP config\n│   ├── vaultwarden.env           # Example Vaultwarden admin token\n│   ├── syncthing-secrets.nix     # Example Syncthing config\n│   ├── syncthing-devices.nix     # Example Syncthing devices\n│   ├── notediscovery-config.nix  # Example NoteDiscovery path config\n│   ├── notediscovery-config.yaml # Example 
NoteDiscovery app config\n│   ├── nextcloud-admin-pass      # Example Nextcloud password file\n│   └── restic-password           # Example Restic backup password file\n├── docs/                          # Documentation\n│   ├── CUSTOMIZATION.md          # How to customize services\n│   ├── SERVICES.md               # Additional services guide\n│   ├── NEXTCLOUD-SETUP.md        # Complete Nextcloud setup and troubleshooting\n│   ├── TROUBLESHOOTING.md        # Common issues \u0026 solutions\n│   └── BUILDING-PUBLIC-ISOS.md   # ISO building guide\n├── iso-config.nix                 # Custom ISO configuration\n└── README.md                      # This file\n```\n\n## Building a Custom ISO\n\n\u003e **Note:** A pre-built ISO is available at https://github.com/ppb1701/nixos-config/releases/tag/nixos\n\u003e\n\u003e Only build your own ISO if you need to customize the configuration before installation.\n\n### Prerequisites\n\n- NixOS system (or VM)\n- Git\n- 20GB free disk space\n\n### Build Process\n\n1. **Clone the repository:**\n   ```bash\n   git clone https://github.com/ppb1701/nixos-config\n   cd nixos-config\n   ```\n\n2. **Build the ISO:**\n   ```bash\n   ./build-iso.sh\n   ```\n\n**Result:** `nixos-config.iso` (~1GB)\n\n### What's Included\n\nThe custom ISO contains:\n\n- Complete NixOS installation environment\n- Your configuration files (from this repo)\n- Automated installation script\n- Useful tools (git, vim, parted, etc.)\n- SSH enabled (user: `nixos`, password: `nixos`)\n\n### Flashing to USB\n\n**Linux/Mac:**\n\n```bash\nsudo dd if=nixos-config.iso of=/dev/sdX bs=4M status=progress\nsync\n```\n\n- Replace `/dev/sdX` with your USB drive (e.g., `/dev/sdb`)\n- **WARNING:** This will erase all data on the USB drive!\n\n**Windows:**\n\nUse [Rufus](https://rufus.ie/) or [balenaEtcher](https://www.balena.io/etcher/)\n\n## Installation\n\n1. Boot from USB\n2. Login (user: `nixos`, password: `nixos`)\n3. Run: `sudo /etc/nixos-config/install-nixos.sh`\n4. 
Follow prompts\n5. Reboot\n\n\u003e **Note:** The install script will:\n\u003e - Erase `/dev/sda` (configurable)\n\u003e - Create partitions (boot + root)\n\u003e - Create 4GB swap file\n\u003e - Install NixOS with this configuration\n\n## Privacy \u0026 Security\n\n### What's Safe to Share\n\nThis repository contains:\n\n- Generic system configuration\n- Service configurations (AdGuard Home, etc.)\n- Network settings (private IP ranges)\n- Build scripts and automation\n\nThis repository does **NOT** contain:\n\n- Passwords or password hashes\n- SSH keys\n- Personal device names/IDs (Syncthing)\n- API tokens or secrets\n\n### Private Configuration\n\nSensitive configuration is stored in the `private/` directory, which is gitignored:\n\n```\nprivate/\n├── syncthing-secrets.nix          # Syncthing GUI password and device IDs (gitignored)\n├── syncthing-devices.nix          # Symlink to syncthing-secrets.nix (gitignored)\n├── ssh-keys.nix                   # SSH authorized keys (gitignored)\n├── secrets.nix                    # Grafana password, Tailscale hostname (gitignored)\n├── alertmanager.env               # SMTP credentials for alerts (gitignored)\n├── vaultwarden.env                # Vaultwarden admin token (gitignored)\n├── notediscovery-config.nix       # NoteDiscovery notes path (gitignored)\n├── notediscovery-config.yaml      # NoteDiscovery app config (gitignored)\n```\n\n**Example Templates:**\n\nThe `private-example/` directory contains template files showing the required structure for private configuration. 
During installation, if no private configuration backup exists, these example files are automatically copied to `/etc/nixos/private/` as a starting point.\n\n**What's kept private:**\n\n- Syncthing device IDs and GUI password (syncthing-secrets.nix)\n- SSH authorized keys (ssh-keys.nix)\n- Grafana admin password, secret key, and Tailscale hostnames (secrets.nix)\n- Email SMTP credentials for alerting (alertmanager.env)\n- Vaultwarden admin token (vaultwarden.env)\n- NoteDiscovery configuration and password hash (notediscovery-config.nix/yaml)\n- Any other sensitive credentials\n\n**What's public:**\n\n- Username (ppb1701) - already public on GitHub, Mastodon, etc.\n- Configuration structure\n- System architecture and design\n\n**Setting up private files:**\n\nThe automated installer copies example files from `private-example/` to `private/` automatically. You can also set them up manually:\n\n```bash\n# Option 1: Copy all example files at once\nsudo cp -r private-example/* /etc/nixos/private/\nsudo chmod 600 /etc/nixos/private/*\n\n# Option 2: Create individual files\n# Create syncthing-secrets.nix\nsudo micro /etc/nixos/private/syncthing-secrets.nix\n\n# Create ssh-keys.nix (list of SSH public keys)\nsudo micro /etc/nixos/private/ssh-keys.nix\n\n# Create secrets.nix (Grafana password)\nsudo micro /etc/nixos/private/secrets.nix\n\n# Create alertmanager.env (SMTP credentials)\nsudo micro /etc/nixos/private/alertmanager.env\n\n# Create vaultwarden.env (admin token)\nsudo micro /etc/nixos/private/vaultwarden.env\n\n# Create NoteDiscovery config (optional)\nsudo micro /etc/nixos/private/notediscovery-config.nix\nsudo micro /etc/nixos/private/notediscovery-config.yaml\n\n# Example ssh-keys.nix content:\n[\n  \"ssh-ed25519 AAAAC3... user@hostname\"\n  \"ssh-rsa AAAAB3... 
user@another-host\"\n]\n\n# Example secrets.nix content:\n{\n  grafanaPassword = \"your-secure-password-here\";\n  grafanaSecretKey = \"your-random-secret-key\";  # openssl rand -hex 32\n  tailscaleIP = \"100.x.y.z\";\n  tailscaleHostname = \"nixos.tailXXXXXX.ts.net\";\n  tailscaleIP2 = \"100.x.y.z\";  # Secondary server Tailscale IP (if applicable)\n  tailscaleHostname2 = \"nixos2.tailXXXXXX.ts.net\";  # Secondary server hostname\n  searxSecret = \"your-random-secret-key\";  # openssl rand -hex 32\n  linkwardenDbPassword = \"your-db-password\";  # openssl rand -hex 32\n  linkwardenNextAuthSecret = \"your-nextauth-secret\";  # openssl rand -base64 32\n}\n\n# Example alertmanager.env content:\nSMTP_USERNAME=your-email@fastmail.com\nSMTP_PASSWORD=your-app-password\nEMAIL_TO=alerts@your-domain.com\n\n# Example vaultwarden.env content:\nADMIN_TOKEN='your_generated_token_here'\n```\n\n\u003e **Note:** `chmod 600` protects the source files in `/etc/nixos/private/` only. Any value from a `.nix` file there that the configuration interpolates into a generated config file or systemd unit is copied into `/nix/store`, which is world-readable on the host, so every local user can read it. Values that a service reads from an `.env` file at runtime avoid this, provided the file itself is never copied into the store.\n\n### Building Public ISOs\n\nIf you fork this repo and want to share ISOs publicly:\n\n1. Ensure `private/syncthing-devices.nix` is not present (or is the .example file)\n2. Build ISO from clean checkout\n3. The resulting ISO will not contain device IDs or passwords\n\nSee `docs/building-public-isos.md` for details.\n\n## Customization\n\n### Convenient Shell Aliases\n\nThe system includes extensive shell aliases for quick configuration editing. 
Run `help` to see all available aliases:\n\n```bash\n# Edit configurations quickly\nec      # Edit configuration.nix\nes      # Edit modules/services.nix (AdGuard, Syncthing, Collabora, etc.)\nen      # Edit modules/networking.nix\nem      # Edit modules/monitoring.nix\nesy     # Edit modules/system.nix\neh      # Edit home/ppb1701.nix\nehp     # Edit modules/homepage.nix\nebu     # Edit modules/backups.nix\nehost   # Edit modules/nginx-virtualhosts.nix\nebios   # Edit modules/boot-bios.nix\neuefi   # Edit modules/boot-uefi.nix\neb/eu   # Edit BIOS/UEFI configuration\nescrt   # Edit private/secrets.nix (Grafana, Tailscale, etc.)\nea      # Edit private/alertmanager.env (SMTP credentials)\neny     # Edit private/notediscovery-config.yaml\nenx     # Edit private/notediscovery-config.nix\n\n# System management\nrebuild      # Rebuild and switch to new config (auto-reloads shell)\nrebuild-safe # Rebuild, auto-reboot if activation hangs (useful on unstable)\nrebuild-boot # Rebuild, activate on next boot\ntest         # Test new config without switching\nrollback     # Rollback to previous generation\nupdate       # Update system and rebuild\ncleanup      # Clean old generations\noptimize     # Deduplicate Nix store\n\n# Service management\nags/agr/agl # AdGuard status/restart/logs\nsts/str/stl # Syncthing status/restart/logs\nsss/ssr     # SSH status/restart\nncs/ncr/ncl # Nextcloud status/restart/logs\nrds/rdr/rdl # Redis status/restart/logs\ncos/cor/col # Collabora status/restart/logs (service: coolwsd)\nncocc       # Run nextcloud-occ command\n\n# Git operations (from /etc/nixos)\ngc/gp/gl/gs # commit/push/pull/status\n```\n\n\u003e **Note:** The `test` alias shadows the shell's `test` builtin whenever `test` is the first word of an interactive command line, so typing `test -f somefile` at the prompt would start a configuration test instead of checking the file. Use `[ ... ]` or `command test` when you need the builtin interactively.\n\n### Adding Services to modules/services.nix\n\nEdit `modules/services.nix` to add or configure services:\n\n```bash\n# Quick edit with alias\nes\n\n# Or manually\nsudo micro /etc/nixos/modules/services.nix\n```\n\nExample - Add a new service section:\n\n```nix\n# ═══════════════════════════════════════════════════════════════════════════\n# YOUR 
NEW SERVICE\n# ═══════════════════════════════════════════════════════════════════════════\nservices.your-service = {\n  enable = true;\n  # Service-specific options\n};\n```\n\nThen rebuild: `rebuild` (or `sudo nixos-rebuild switch`)\n\n### Modifying Network Settings\n\nEdit `modules/networking.nix` for:\n\n- Static IP configuration\n- Interface selection\n- DNS settings (currently using Control D: 76.76.2.2, 76.76.10.2)\n- Firewall rules\n- NetworkManager configuration\n\nQuick edit: `en` or `sudo micro /etc/nixos/modules/networking.nix`\n\n### Automatic Generations Cleaning\n\nNixOS keeps previous system configurations (called \"generations\") as a safety feature. Every time you run `sudo nixos-rebuild switch`, it creates a new generation while keeping old ones. This is incredibly useful—if a configuration breaks your system, you can boot into a previous working generation during startup.\n\nHowever, these old generations accumulate over time and consume disk space. Here's how to automatically clean them up while keeping recent ones for safety.\n\n**Add to `configuration.nix`:**\n\n```nix\n{ config, pkgs, ... 
}:\n\n{\n  # Automatic garbage collection\n  nix.gc = {\n    automatic = true;\n    dates = \"weekly\";\n    options = \"--delete-older-than 30d\";\n  };\n\n  # Keep last 5 generations in bootloader menu (systemd-boot/UEFI;\n  # the GRUB/BIOS equivalent is boot.loader.grub.configurationLimit)\n  boot.loader.systemd-boot.configurationLimit = 5;\n\n  # Optimize Nix store to save space (deduplication)\n  nix.optimise.automatic = true;\n  nix.optimise.dates = [ \"weekly\" ];\n}\n```\n\n**What this does:**\n\n- **Garbage collection:** Once a week, deletes generations older than 30 days and then removes every store path that no remaining generation references. A deleted generation is no longer available as a rollback target.\n- **Boot entries:** Keeps only the 5 most recent generations in your boot menu (prevents clutter). The option shown is for systemd-boot; on a BIOS/GRUB install use `boot.loader.grub.configurationLimit` instead.\n- **Store optimization:** Deduplicates identical files in the Nix store to save space\n\n**Manual cleanup:**\n\nIf you need to clean up immediately:\n\n```bash\n# Delete all old generations (leaves only the current one to boot or roll back to)\nsudo nix-collect-garbage -d\n\n# Delete generations older than 30 days\nsudo nix-collect-garbage --delete-older-than 30d\n\n# Optimize the store now\nsudo nix-store --optimise\n```\n\n\u003e **Tip:** After major changes, wait a few days before letting automatic cleanup run. 
This gives you time to ensure the new configuration is stable.\n\n## Troubleshooting\n\n### Common Issues\n\n**AdGuard Home web UI not accessible:**\n\n- Check firewall: `sudo iptables -L -n`\n- Verify service: `ags` (or `systemctl status adguardhome`)\n- Check binding: `ss -tlnp | grep 3000`\n- View logs: `agl` (or `journalctl -u adguardhome -f`)\n- Try accessing via Nginx: http://adguard.home\n\n**Syncthing not syncing:**\n\n- Check web UI: http://syncthing.home or http://192.168.1.154:8384\n- Verify device IDs in `/etc/nixos/private/syncthing-secrets.nix`\n- Check service status: `sts` (or `systemctl status syncthing`)\n- View logs: `stl` (or `journalctl -u syncthing -f`)\n- Verify firewall ports: 22000 TCP/UDP (sync) and 21027 UDP (local discovery); 8384 is the web UI and only needs to be reachable from the hosts you administer from\n\n**Network issues after config changes:**\n\n- Check NetworkManager status: `systemctl status NetworkManager`\n- Verify interface name in `modules/networking.nix` (currently enp1s0)\n- Check DNS settings: `cat /etc/resolv.conf`\n- Test connectivity: `ping 1.1.1.1`\n\n**ISO build fails:**\n\n- Ensure sufficient disk space (20GB+): `diskspace` or `df -h`\n- Clean old generations: `cleanup`\n- Check Nix store: `nix-store --verify --check-contents`\n- Try clean build: `rm -rf result \u0026\u0026 ./build-iso.sh`\n\nSee [docs/TROUBLESHOOTING.md](docs/TROUBLESHOOTING.md) for more detailed solutions.\n\n## Reporting Issues\n\nWant to discuss? 
Have a suggestion?\n\n- **Mastodon:** [@ppb1701@ppb.social](https://ppb.social/@ppb1701)\n- **Blog:** https://blog.ppb1701.com\n\n## License\n\nMIT License - See [LICENSE](LICENSE) file for details\n\n## Acknowledgments\n\n- NixOS community\n- AdGuard Home project\n- Everyone who contributed ideas and feedback\n\n---\n\n**Built with ❤️ and NixOS**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fppb1701%2Fnixos-config","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fppb1701%2Fnixos-config","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fppb1701%2Fnixos-config/lists"}