benbouillet/nix-config

Homelab Configurations

How to

Prepare a USB bootable nix system

nix build .#usbboot
sudo dd if=result/iso/<ISO_FILE> of=/dev/<USBKEY> bs=4M conv=fsync status=progress

Provision a new machine

Remember to update ~/.ssh/config first; it is much easier, especially when using an SSH jump host and/or a custom SSH port.

nix run github:nix-community/nixos-anywhere -- \
  --generate-hardware-config nixos-generate-config ./<HOST>/chewie/hardware-configuration.nix \
  --flake .#<HOST> \
  --target-host <TARGET>

Update the age key (the path differs between server and desktop hosts). Register the machine into tailscale. Update DNS if necessary.

Deploy a new configuration

Remember to update ~/.ssh/config first; it is much easier, especially when using an SSH jump host and/or a custom SSH port.

nixos-rebuild switch --flake ".#<HOST>" \
  --target-host <TARGET> \
  --build-host <TARGET> \
  --sudo \
  --use-substitutes

Make a change in the disk configuration

When adding or removing ZFS datasets, make the change imperatively, then document it in datasets.md.

Potential locations where nix configuration must mirror imperative commands:

  • zfs.nix to add/remove the pools to mount at boot & update sanoid config
  • zpools.nix to add/remove zpools

Create a new SOPS age key

age-keygen -o agekey.txt
# Get the public key
age-keygen -y agekey.txt
# Update .sops.yaml with the new public key
# Update secrets encryption
sops updatekeys secrets/secrets.yaml

Generate an Authelia client PBKDF2 hash

nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512

TODO

Features

  • Tailscale-backed network layout
  • Server hardening
  • OCI containers deployment
  • nix modules deployment
  • ZFS datasets with at rest encryption
  • KVM compatible workflow for reboot
  • Impermanence
  • Reverse proxy
  • OIDC + SSO
  • Alerting
  • Monitoring
  • Observability
  • Logs management
  • Containers logs management
  • Per container service CPU/memory limits
  • Per nix service CPU/memory limits
  • Dedicated node for PSU monitoring
  • Dedicated node for backup
  • VTT app
  • Discord alternative
  • ebooks management app
  • File-based Authelia authentication workflow
  • Switch from linkding to linkwarden
  • Endurain
  • Technitium with split-horizon DNS
  • Split secrets per host
  • Move observability to leia
  • Implement backup to rsync
  • Alerting on failed backups
  • Implement DMZ pattern and network isolation for public-facing services (see docs/public-services-isolation.md)

Configuring SOPS

Setting up SSH Key

ssh-keygen -t ed25519

Deriving Age key from SSH

mkdir -p ~/.config/sops/age
nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"

Get Age public key

nix-shell -p age --run "age-keygen -y ~/.config/sops/age/keys.txt"

Then add the key to .sops.yaml

Add keys to secret file

sops updatekeys secrets/secrets.yaml

Updating SOPS secrets

sops secrets/secrets.yaml
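Both the "Create a new SOPS age key" steps above and this section end with `sops updatekeys`, and nothing warns when that step is skipped: a recipient added to .sops.yaml cannot decrypt the file until updatekeys runs, and a recipient removed from .sops.yaml can still decrypt it until then. The following script is an added example, not part of this repository, that compares the age recipients declared in .sops.yaml with those recorded in an encrypted sops file; the recipients and file contents are constructed, and it assumes a single creation rule as in this repo (every key in .sops.yaml is expected on the file).

```shell
#!/usr/bin/env sh
# Added example (not part of the repo): report age recipients that differ
# between .sops.yaml and an encrypted sops file, so a forgotten
# `sops updatekeys` is caught before deploying.
set -eu

# List the age X25519 recipients ("age1" + 58 bech32 chars) found in a file.
age_recipients() {
  grep -oE 'age1[0-9a-z]{58}' "$1" | sort -u || true
}

# Recipients present in the first file but absent from the second.
recipients_only_in() {
  in_second=$(age_recipients "$2")
  for key in $(age_recipients "$1"); do
    printf '%s\n' "$in_second" | grep -qxF "$key" || printf '%s\n' "$key"
  done
}

# Constructed sample data: well-formed but fake recipients and an abbreviated
# sops metadata block (the encrypted data keys are omitted).
KEY_ADMIN=age101234567890123456789012345678901234567890123456789abcdefgh
KEY_CHEWIE=age1abcdefghijabcdefghijabcdefghijabcdefghijabcdefghij01234567
KEY_NEW=age1zyxwvutsrqzyxwvutsrqzyxwvutsrqzyxwvutsrqzyxwvutsrq98765432
KEY_STALE=age1mnopqrstuvmnopqrstuvmnopqrstuvmnopqrstuvmnopqrstuv11223344
WORK=$(mktemp -d)
cat > "$WORK/.sops.yaml" <<EOF
keys:
  - &admin $KEY_ADMIN
  - &chewie $KEY_CHEWIE
  - &leia $KEY_NEW
creation_rules:
  - path_regex: secrets/secrets.yaml\$
    key_groups:
      - age: [*admin, *chewie, *leia]
EOF
cat > "$WORK/secrets.yaml" <<EOF
db_password: ENC[AES256_GCM,data:<omitted>,iv:<omitted>,tag:<omitted>,type:str]
sops:
    age:
        - recipient: $KEY_ADMIN
          enc: <omitted>
        - recipient: $KEY_CHEWIE
          enc: <omitted>
        - recipient: $KEY_STALE
          enc: <omitted>
EOF

echo "declared in .sops.yaml but not yet able to decrypt (run sops updatekeys):"
recipients_only_in "$WORK/.sops.yaml" "$WORK/secrets.yaml"
echo "still able to decrypt but no longer declared (run sops updatekeys):"
recipients_only_in "$WORK/secrets.yaml" "$WORK/.sops.yaml"
```

Point both arguments at the real .sops.yaml and secrets/secrets.yaml to check the repository; an empty output for both lists means the file's recipients match the declared keys.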

ZFS datasets

See datasets.md

Hierarchy

chewie
├── ssd
│   ├── services
│   │   ├── infra
│   │   └── apps
│   ├── databases
│   │   ├── mysql
│   │   └── postgres
│   └── data
│       └── vaultwarden
└── hdd
    └── data
        ├── media
        ├── paperless
        ├── seafile
        └── immich

Temporary Workarounds

This section lists temporary fixes applied to the configuration due to bugs introduced by nixpkgs or flake updates. These should be reviewed periodically and removed once the upstream issues are resolved.

  • hmts.nvim disabled: The hmts.nvim plugin is currently disabled in Neovim due to an incompatibility with the latest Neovim/Tree-sitter versions (attempt to call method 'parent' (a nil value)). See modules/home/neovim/plugins/treesitter.nix.

About

Personal nixOS configuration files