https://github.com/ryanjdillon/nix-config

# nix-config

NixOS flake configuration managing multiple hosts with modular architecture, automated secret management, and k3s cluster orchestration.

## Features

- 🏗️ **Modular Architecture** - Reusable components with explicit enable flags
- 🔐 **SOPS Secret Management** - Age-encrypted secrets with placeholder substitution
- 🐳 **k3s Cluster** - Raspberry Pi control plane with x86_64 worker nodes
- 🏠 **Home Automation** - Home Assistant, Zigbee2MQTT, Mosquitto on ARM64
- 🖥️ **Multi-Architecture** - x86_64 desktops and ARM64 Raspberry Pi with cross-compilation
- 🔄 **Automated Deployment** - Network deployment with deploy-rs, token rotation tools

## Hosts

| Host | Platform | Role | Key Features |
|------|----------|------|--------------|
| **rincon** | x86_64 (ThinkPad X1 Gen 12) | Laptop | Fingerprint reader, Azure CLI, Docker |
| **solimar** | x86_64 (Desktop) | k3s Worker | General compute, NVIDIA RTX 2060, Frigate NVR |
| **laconchita** | x86_64 (Desktop) | k3s Worker | AI/ML compute, NVIDIA RTX 3090, Coral TPU |
| **faria** | ARM64 (RPi 4) | k3s Control Plane | Home automation, IoT hub |
| **mondos** | x86_64 (ThinkPad X280) | Laptop | Ultraportable, 8th gen Intel |

## Quick Start

```bash
# Clone repository
git clone https://github.com/ryanjdillon/nix-config && cd nix-config

# Configure secrets (opens secrets.yaml decrypted in $EDITOR; requires an age key the file is encrypted to)
sops secrets.yaml

# Build and deploy the configuration named after this machine's hostname
sudo nixos-rebuild switch --flake .#
```

📖 **Full setup instructions:** [Quickstart Guide](docs/quickstart.md)

## Documentation

### Getting Started
- [Quickstart Guide](docs/quickstart.md) - Initial setup and deployment
- [Architecture Overview](CLAUDE.md#architecture-overview) - System design and patterns
- [Network Topology](docs/network-topology.md) - Network and service architecture

### Operations
- [Secret Management](docs/secret-management.md) - SOPS encryption and secret access patterns
- [Raspberry Pi Deployment](docs/rpi-build.md) - ARM64 cross-compilation and SD card creation
- [k3s Token Management](docs/k3s-token-management.md) - Cluster token rotation
- [Troubleshooting](docs/troubleshooting.md) - Common issues and solutions

## Common Commands

```bash
# Build and deploy
sudo nixos-rebuild switch --flake .#

# Build ARM64 SD image
nix build .#packages.x86_64-linux.faria

# Deploy to Raspberry Pi
deploy .#faria

# Rotate k3s token
nix run .#rotate-k3s-token

# Edit secrets
sops secrets.yaml

# Home Manager
home-manager switch --flake .
```

## Architecture

### Directory Structure

```
nix-config/
├── flake.nix # Flake orchestration and outputs
├── hosts/ # Host-specific configurations
│ ├── rincon/
│ ├── solimar/
│ ├── laconchita/
│ └── faria/
├── modules/ # Reusable modules (disabled by default)
│ ├── desktop/ # GNOME, printing, scanning
│ ├── hardware/ # GPU, TPU, platform-specific
│ ├── services/ # k3s, Frigate, Home Assistant
│ └── system/ # Users, SOPS, base configuration
├── hardware/ # Hardware profiles
├── systems/ # Base system configuration
├── users/ # Home-manager configurations
├── docs/ # Documentation
└── scripts/ # Automation scripts
```

### Module System

All modules follow the pattern:

```nix
{ lib, config, ... }:
let
  # <category> is one of desktop, hardware, services, system; <name> is the module
  cfg = config.modules.<category>.<name>;
in
{
  options.modules.<category>.<name>.enable = lib.mkEnableOption "description";

  config = lib.mkIf cfg.enable {
    # Module implementation
  };
}
```

Modules are composed in host configurations like building blocks.

## k3s Cluster

```mermaid
graph TB
    Internet((Internet))

    subgraph Cloud["☁️ AWS Cloud"]
        Bastion["🌐 Bastion<br/>Cloud VM<br/>Public Access"]
    end

    subgraph HomeNet["🏠 Home Network"]
        subgraph K3s["k3s Cluster"]
            Control["🎛️ faria<br/>Raspberry Pi 4<br/>ARM64<br/>Control Plane"]

            Worker1["⚡ solimar<br/>AMD Ryzen<br/>RTX 2060<br/>General Compute"]
            Worker2["🤖 laconchita<br/>Intel<br/>RTX 3090 + Coral TPU<br/>AI/ML Workload"]
        end
    end

    Internet -->|HTTPS| Bastion
    Bastion -.->|Tailscale VPN| Control
    Control ==>|k3s API<br/>:6443| Worker1
    Control ==>|k3s API<br/>:6443| Worker2

    classDef cloud fill:#FF9900,stroke:#232F3E,stroke-width:2px,color:#fff
    classDef control fill:#326CE5,stroke:#fff,stroke-width:2px,color:#fff
    classDef worker fill:#00D4AA,stroke:#fff,stroke-width:2px,color:#fff
    classDef aiml fill:#E91E63,stroke:#fff,stroke-width:2px,color:#fff

    class Bastion cloud
    class Control control
    class Worker1 worker
    class Worker2 aiml
```

**Architecture:**
- **Control Plane:** faria (ARM64) - k3s server, home automation hub
- **General Compute:** solimar (RTX 2060) - Frigate NVR, media services
- **AI/ML Workload:** laconchita (RTX 3090 + Coral TPU) - AI/ML compute with GPU taints
- **External Access:** AWS bastion connected via Tailscale VPN

## Secret Management

Secrets are encrypted with SOPS using age keys and deployed by sops-nix, which decrypts them at activation time into `/run/secrets` rather than into the world-readable Nix store:

```bash
# Edit secrets (decrypted in $EDITOR, re-encrypted on save)
sops secrets.yaml
```

Two access patterns are available in module code:

```nix
config.sops.placeholder."key"   # Placeholder substitution for generated configs (sops.templates)
config.sops.secrets."key".path  # Runtime path for file-based access
```
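The module pattern from the Architecture section and the two secret access patterns above, combined in one module. This is an added example written for this page, not a file from the repository: the path, the option names, the secret names `k3s-token` and `mqtt-password`, the `mqtt-probe` unit and the assumption that the control plane is reachable as `faria` on the LAN are all mine. It also assumes the base SOPS settings (`sops.defaultSopsFile`, the host's age key) are configured in `modules/system/`, as the directory listing suggests.

```nix
# modules/services/k3s-agent.nix (hypothetical file, option names and
# secret names; written for this README, not taken from the repository)
{ lib, config, pkgs, ... }:
let
  cfg = config.modules.services.k3s-agent;
in
{
  # Disabled by default, like every module in modules/; a host opts in with
  # `modules.services.k3s-agent.enable = true;`.
  options.modules.services.k3s-agent = {
    enable = lib.mkEnableOption "k3s agent that joins the faria control plane";

    serverAddr = lib.mkOption {
      type = lib.types.str;
      # Assumption: the control plane is reachable by hostname on the home LAN.
      default = "https://faria:6443";
      description = "URL of the k3s server this worker joins.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Pattern 2: runtime path. sops-nix decrypts the value at activation into
    # /run/secrets (root-owned, 0400 here), so the token never enters the
    # world-readable Nix store. restartUnits makes a rotated token take effect.
    sops.secrets."k3s-token" = {
      mode = "0400";
      restartUnits = [ "k3s.service" ];
    };

    services.k3s = {
      enable = true;
      role = "agent";
      serverAddr = cfg.serverAddr;
      # Evaluates to "/run/secrets/k3s-token"; only the path is in the store.
      tokenFile = config.sops.secrets."k3s-token".path;
    };

    # Pattern 1: placeholder substitution. For programs that want credentials
    # inline in a config file, sops.templates renders the file at activation
    # and replaces the placeholder with the decrypted value, again outside
    # the store. `mqtt-password` is an assumed key in secrets.yaml.
    sops.secrets."mqtt-password" = { };
    sops.templates."mqtt-probe.env".content = ''
      MQTT_HOST=faria
      MQTT_PASSWORD=${config.sops.placeholder."mqtt-password"}
    '';

    # Hypothetical consumer of the rendered file. systemd reads
    # EnvironmentFile= before dropping privileges, so the root-owned template
    # is readable even though the service itself runs as a dynamic user.
    systemd.services.mqtt-probe = {
      description = "Subscribe to the Zigbee2MQTT topic tree (example)";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        DynamicUser = true;
        EnvironmentFile = config.sops.templates."mqtt-probe.env".path;
        ExecStart = "${pkgs.mosquitto}/bin/mosquitto_sub -h $MQTT_HOST -u probe -P $MQTT_PASSWORD -t 'zigbee2mqtt/#'";
      };
    };
  };
}
```

The property worth checking after `nixos-rebuild switch` is that the decrypted values exist only under `/run/secrets` (owner root, mode 0400 for the token) and that nothing under `/nix/store` contains them; a module that instead read the token with `builtins.readFile` or wrote it into `services.k3s.token` would copy it into the store, readable by every user on the host.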

📖 **Complete guide:** [Secret Management](docs/secret-management.md)

## Development

### Prerequisites

- NixOS with flakes enabled
- SOPS and age for secret management
- Deploy-rs for remote deployment (optional)

### Building

```bash
# Validate configuration (evaluates and builds, does not activate)
nixos-rebuild build --flake .#

# Test in VM (x86_64 only); the runner script is named after the host
sudo nixos-rebuild build-vm --flake .#
./result/bin/run-<hostname>-vm
```

### Contributing

1. Create logical, atomic commits
2. Use conventional commit format (feat/fix/refactor/docs/chore)
3. Remove trailing whitespace: `nowhite ./`
4. Test builds before pushing

## License

Personal configuration repository. Use at your own risk.

## References

- [NixOS Manual](https://nixos.org/manual/nixos/stable/)
- [Home Manager Manual](https://nix-community.github.io/home-manager/)
- [SOPS-nix](https://github.com/Mic92/sops-nix)
- [deploy-rs](https://github.com/serokell/deploy-rs)