Nix Configurations
Repository structure:
- host/: One subdirectory per NixOS host, each containing its host-specific configuration.
- mod/: NixOS modules.
  - mod/common/: Modules enabled by default on all hosts.
  - mod/desktop/: Modules enabled on desktop hosts (i.e. hosts with hd.desktop.enable = true).
- home/: Home Manager modules. Home Manager is integrated into the system configuration via the home option defined in mod/desktop/default.nix.
- bin/: Helper scripts for generating parts of the configuration.
- dotfiles/: Raw configuration files deployed using Home Manager.
- devshells/: Nix development shells.
- pki/: Certificates used by the configuration.
- secrets/: Age-encrypted secrets managed and deployed via agenix.
- var/: Shared data used across the configuration.
hosts.nix is the single source of truth for per-host data (SSH keys, WireGuard config). Adding a new host means adding an entry there and running bin/gen-syncthing-cert.
Network topology
WireGuard overlay network (onet, 10.10.11.0/24) in a hub-and-spoke layout: roam is the hub and the only publicly reachable node, and desktops peer with roam only, so any desktop-to-desktop traffic on onet is relayed through roam. Roam also runs a Mullvad WireGuard tunnel, placed in routing table 1000, which serves as the egress for the torrent container.
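To make the hub-and-spoke layout and the hosts.nix single-source-of-truth idea concrete, here is an added example (not code from this repository) of a hosts.nix-style attribute set and a NixOS module that derives both roam's and a desktop's onet configuration from it, together with the Mullvad tunnel in table 1000 and the policy rule that steers only the container's traffic into it. The attribute layout of hosts.nix, the path var/hosts.nix, the host name desk, every key, the container subnet 192.168.100.0/24, the secret file paths and the Mullvad addresses are assumptions; the example also assumes the agenix NixOS module is imported, and takes the onet private key from an agenix secret as the TODO below proposes.

```nix
{ config, lib, pkgs, ... }:
let
  # In the repository this would be `import ../var/hosts.nix` (path assumed); the data is
  # inlined so the example stands alone. Attribute names must match networking.hostName.
  # Every key below is a placeholder.
  hosts = {
    roam = {
      sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...roam";
      wg = {
        ip = "10.10.11.1";
        publicKey = "<roam-wg-public-key>";
        endpoint = "roam.example.org:51820";   # only the hub has a public endpoint
      };
    };
    desk = {
      sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...desk";
      wg = { ip = "10.10.11.2"; publicKey = "<desk-wg-public-key>"; };
    };
  };

  hostName = config.networking.hostName;
  me       = hosts.${hostName};
  hub      = hosts.roam;
  isHub    = hostName == "roam";
  spokes   = lib.filterAttrs (n: _: n != "roam") hosts;

  # Hub side: one peer per spoke, each allowed to source only its own overlay address,
  # so a compromised desktop cannot spoof another desktop's address through roam.
  hubPeers = lib.mapAttrsToList (_: h: {
    publicKey  = h.wg.publicKey;
    allowedIPs = [ "${h.wg.ip}/32" ];
  }) spokes;

  # Spoke side: roam is the only peer and carries the whole overlay prefix.
  spokePeers = [{
    publicKey           = hub.wg.publicKey;
    endpoint            = hub.wg.endpoint;
    allowedIPs          = [ "10.10.11.0/24" ];
    persistentKeepalive = 25;   # keeps the NAT mapping open from behind a home router
  }];

  torrentNet = "192.168.100.0/24";   # assumed veth subnet between roam and the container
  ip = "${pkgs.iproute2}/bin/ip";
in
{
  # Key delivered by agenix instead of a hand-placed /var/secrets/wg.key (file path assumed).
  age.secrets.wg-key = { file = ../secrets/wg.key.age; mode = "0400"; };

  networking.wireguard.interfaces.onet = {
    ips            = [ "${me.wg.ip}/24" ];
    listenPort     = 51820;
    privateKeyFile = config.age.secrets.wg-key.path;
    peers          = if isHub then hubPeers else spokePeers;
  };
  networking.firewall.allowedUDPPorts = lib.mkIf isHub [ 51820 ];

  # Hub only: Mullvad egress. With table = "1000" the 0.0.0.0/0 route derived from
  # allowedIPs is installed in table 1000 rather than main, so roam's own traffic is
  # unaffected; the policy rule sends only packets sourced from the container subnet
  # through that table.
  age.secrets.mullvad-key = lib.mkIf isHub { file = ../secrets/mullvad.key.age; mode = "0400"; };
  networking.wireguard.interfaces.mullvad = lib.mkIf isHub {
    ips            = [ "10.64.0.2/32" ];             # placeholder address issued by Mullvad
    privateKeyFile = config.age.secrets.mullvad-key.path;
    table          = "1000";
    peers = [{
      publicKey  = "<mullvad-server-public-key>";    # placeholder
      endpoint   = "<mullvad-server>:51820";         # placeholder
      allowedIPs = [ "0.0.0.0/0" ];
    }];
    postSetup    = "${ip} rule add from ${torrentNet} lookup 1000 priority 1000";
    postShutdown = "${ip} rule del from ${torrentNet} lookup 1000 priority 1000";
  };

  # Kill switch: if the Mullvad tunnel is down, table 1000 is empty and the lookup rule
  # falls through to main, which would leak torrent traffic over roam's uplink. A
  # lower-priority blackhole rule for the same source drops it instead. iproute2 refuses
  # an exact duplicate rule, so a re-run fails harmlessly (hence the `|| true`).
  networking.localCommands = lib.mkIf isHub ''
    ${ip} rule add from ${torrentNet} blackhole priority 1001 2>/dev/null || true
  '';

  containers.torrent = lib.mkIf isHub {
    autoStart      = true;
    privateNetwork = true;
    hostAddress    = "192.168.100.1";
    localAddress   = "192.168.100.2";
    config = { ... }: { };   # torrent client configuration omitted
  };
  # Masquerade container traffic out of the Mullvad interface; ve-torrent is the host-side veth.
  networking.nat = lib.mkIf isHub {
    enable             = true;
    internalInterfaces = [ "ve-torrent" ];
    externalInterface  = "mullvad";
  };
}
```

The two things worth checking after a rebuild on roam are `ip rule show` (the lookup rule at priority 1000 must sit above the blackhole rule at 1001) and `ip route show table 1000` (a single default route via mullvad); bringing the mullvad interface down and confirming that the container can no longer reach the internet verifies the kill switch.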
TODO
- WireGuard key: Manage /var/secrets/wg.key via agenix.
- Forgejo: Provision the hd user (with email, admin flag) and SSH keys via a systemd service.
- Firefox sync server (host/roam/firefox-sync.nix): Containerize.
- systemd-resolved (mod/desktop/network.nix): Enable DoH.
- Remote builder (mod/build-machines.nix): Declarative SSH jump server.
- Restic backups (host/roam/backup.nix): Add incremental backups with a retention policy alongside rclone.
- Roam system state (host/roam/backup.nix): Include PostgreSQL dumps (Forgejo, Nextcloud) in the backup script.
- Backup monitoring (host/roam/backup.nix): Alert on backup job failure.