Zuckerberg 1e7aa17d3d
Log DIMM temperatures on each check run
2026-03-05 21:31:29 -08:00

NixOS Configuration

A NixOS flake managing multiple machines with role-based configuration, agenix secrets, sandboxed dev workspaces, and self-hosted services.

Layout

  • /common - shared configuration imported by all machines
    • /boot - bootloaders, CPU microcode, remote LUKS unlock over Tor
    • /network - Tailscale, PIA VPN with leak-proof containers, sandbox networking
    • /pc - desktop/graphical config (enabled by the personal role)
    • /server - self-hosted service definitions (Gitea, Matrix, Nextcloud, media stack, etc.)
    • /sandboxed-workspace - isolated dev environments (VM, container, or Incus)
    • /ntfy - push notification integration (service failures, SSH logins, ZFS alerts)
    • binary-cache.nix - nix binary cache configuration (nixos.org, cachix, self-hosted atticd)
    • nix-builder.nix - distributed build delegation across machines
    • backups.nix - snapshot-aware restic backups to Backblaze B2
  • /machines - per-machine config (default.nix, hardware-configuration.nix, properties.nix)
    • fry - personal desktop
    • howl - personal laptop
    • ponyo - web/mail server (Gitea, Nextcloud, LibreChat, mail)
    • storage/s0 - storage/media server (Jellyfin, Home Assistant, monitoring, productivity apps)
    • zoidberg - media center
    • ephemeral - minimal config for building install ISOs and kexec images
  • /secrets - agenix-encrypted secrets, decryptable by machines based on their roles
  • /home - Home Manager user config
  • /lib - custom library functions extending nixpkgs lib
  • /overlays - nixpkgs overlays applied globally
  • /patches - patches applied to nixpkgs at build time

Notable Features

Auto-discovery & roles — Machines register themselves by placing a properties.nix under /machines/. No manual listing in flake.nix. Roles declared per-machine ("personal", "dns-challenge", etc.) drive feature enablement via config.thisMachine.hasRole.<role> and control which agenix secrets each machine can decrypt.

Machine properties module system — properties.nix files form a separate lightweight module system (machine-info) for recording machine metadata (hostnames, architecture, roles, SSH keys). Since every machine's properties are visible to every other machine, each system can reflect on the properties of the entire fleet — enabling automatic SSH trust, role-based secret access, and cross-machine coordination without duplicating information.
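As an added illustration of the two points above (this is not the repository's own code), the expression below discovers machines from their properties.nix files and derives agenix recipients from roles, so a secret is addressed only to machines holding a matching role. It assumes each machine directory sits directly under ./machines, that properties.nix evaluates to an attribute set with hostname, roles and sshHostKey, and the secret file names are constructed.

```nix
# Added illustration, not this repository's code. Assumptions: one directory
# level under ./machines, properties.nix = { hostname, roles, sshHostKey }.
{ lib ? (import <nixpkgs> { }).lib }:
let
  machinesDir = ./machines;

  # name -> imported properties, for every directory carrying a properties.nix.
  # Dropping a directory in is the only registration step; nothing is listed
  # by hand in flake.nix.
  machineInfo = lib.mapAttrs
    (name: _: import (machinesDir + "/${name}/properties.nix"))
    (lib.filterAttrs
      (name: type:
        type == "directory"
        && builtins.pathExists (machinesDir + "/${name}/properties.nix"))
      (builtins.readDir machinesDir));

  # Same predicate config.thisMachine.hasRole.<role> answers: a machine holds a
  # role iff its properties list it. A missing `roles` attribute means none.
  hasRole = props: role: builtins.elem role (props.roles or [ ]);

  # Boot-environment host keys of every machine holding at least one of the
  # given roles; this is the fleet-wide reflection the README describes.
  recipientsFor = roles:
    map (m: m.sshHostKey)
      (builtins.filter (m: builtins.any (hasRole m) roles)
        (builtins.attrValues machineInfo));
in
{
  # agenix secrets.nix shape: "<path>.age" -> { publicKeys = [ ... ]; }.
  # A machine without the role never receives a copy of the ciphertext it can
  # open, so there is no runtime check that a misconfiguration could skip.
  "secrets/acme-dns-token.age".publicKeys = recipientsFor [ "dns-challenge" ];
  "secrets/user-password.age".publicKeys = recipientsFor [ "personal" ];
}
```

Adding a role to a machine's properties.nix and re-encrypting with agenix is then the whole procedure for granting it access to a secret.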

Remote LUKS unlock over Tor — Machines with encrypted root disks can be unlocked remotely via SSH. An embedded Tor hidden service starts in the initrd so the machine is reachable even without a known IP, using a separate SSH host key for the boot environment.

VPN containers — A pia-vpn module provides leak-proof VPN networking for containers. The host creates a WireGuard interface and runs tinyproxy on a bridge network for PIA API bootstrap. A dedicated VPN container authenticates with PIA via the proxy, configures WireGuard, and masquerades bridge traffic through the tunnel. Service containers default-route exclusively through the VPN container — leakage is impossible by network topology. Supports port forwarding with automatic port assignment.

Sandboxed workspaces — Isolated dev environments backed by microVMs (cloud-hypervisor), systemd-nspawn containers, or Incus. Each workspace gets a static IP on a NAT'd bridge (192.168.83.0/24), auto-generated SSH host keys, shell aliases for management, and comes pre-configured with Claude Code. The sandbox network blocks access to the local LAN while allowing internet.
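The host-side network isolation described above, written as an added NixOS module that is not the repository's own code: workspaces on a NAT'd bridge with the README's 192.168.83.0/24 range get internet egress while forwarding to private, CGNAT (Tailscale) and link-local ranges is dropped. The bridge name sbx0 and the uplink name eth0 are assumptions.

```nix
# Added illustration, not this repository's code. Assumed names: bridge sbx0,
# uplink eth0. Workspace backends (microVM tap, nspawn veth, Incus) attach
# their interfaces to sbx0 themselves.
{ ... }:
{
  networking.bridges.sbx0.interfaces = [ ];
  networking.interfaces.sbx0.ipv4.addresses = [
    { address = "192.168.83.1"; prefixLength = 24; }
  ];

  # Masquerade workspace traffic out of the uplink only.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "sbx0" ];
    externalInterface = "eth0";
  };

  networking.nftables.enable = true;
  networking.nftables.tables.sandbox-isolation = {
    family = "inet";
    content = ''
      chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies to flows a workspace opened to the internet.
        ct state established,related accept

        # A drop verdict here is final even if another table accepts: a
        # compromised workspace cannot reach the LAN, the Tailscale
        # CGNAT range, or link-local addresses.
        iifname "sbx0" ip daddr {
          10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
          100.64.0.0/10, 169.254.0.0/16
        } drop
        iifname "sbx0" ip6 daddr { fc00::/7, fe80::/10 } drop

        # Nothing may initiate a connection into a workspace from elsewhere.
        oifname "sbx0" ct state new drop

        # Everything else from the sandbox is ordinary internet egress.
        iifname "sbx0" accept
      }
    '';
  };
}
```

Host-to-workspace SSH still works because that traffic traverses the host's input and output hooks, not the forward hook filtered here.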

Snapshot-aware backups — Restic backups to Backblaze B2 automatically create ZFS snapshots or btrfs read-only snapshots before backing up, using mount namespaces to bind-mount frozen data over the original paths so restic records correct paths. Each backup group gets a restic_<group> CLI wrapper. Supports .nobackup marker files.

Self-hosted services — Comprehensive service stack across ponyo and s0: Gitea (git hosting + CI), Nextcloud (files/calendar), Matrix (chat), mail server, Jellyfin/Sonarr/Radarr/Lidarr (media), Home Assistant/Zigbee2MQTT/Frigate (home automation), LibreChat (AI), Gatus (monitoring), and productivity tools (Vikunja, Actual Budget, Outline, Linkwarden, Memos).

Push notifications — ntfy integration alerts on systemd service failures, SSH logins, and ZFS pool issues. Gatus monitors all web-facing services and sends alerts via ntfy.

Remote deployment — deploy-rs handles remote machine deployments with boot-only or immediate activation modes. A Makefile wraps common operations (make deploy <host>, make deploy-activate <host>).
