Lorenzo Setale ba724ef33e
simplifies steam path
Signed-off-by: Lorenzo Setale <lorenzo@setale.me>
2026-06-15 23:24:54 +02:00

nixos-config

NixOS flake-based configuration for a homelab cluster (Raspberry Pi nodes running k3s), desktops, laptops, and a storage node. All hosts are declared in flake.nix and built from shared modules in settings/ and services/.

Repository structure

nixos-config/
├── hardware/              # Hardware-specific modules
│   ├── apple/             # Apple devices support
│   ├── framework/         # Framework Devices
│   ├── rpi/               # Raspberry Pi devices modules
│   ├── vms/               # VM-specific hardware
│   ├── extras/            # Optional hardware like HDD, ZFS, YubiKey, Ledger, NuPhy, Rosetta
│   ├── desktop.nix        # Desktop PC hardware (AMD hardware)
│   └── steamdeck.nix      # Steam Deck hardware
├── settings/              # Purpose specific NixOS configuration modules
│   ├── default.nix        # Base settings applied to all hosts
│   ├── desktop/           # Desktop environment for laptop and desktop hosts
│   ├── security/          # Security hardening modules
│   ├── storage/           # Storage-node settings (ZFS, Sanoid, file sharing, etc.)
│   ├── homelab.nix        # Homelab-specific settings for all homelab hosts
│   └── laptop.nix         # Laptop power/suspend settings for all laptops
└── services/              # Service modules (generic, with common config; often extended in settings/)
    ├── k3s/               # k3s Kubernetes node
    ├── garage/            # Garage S3-compatible object storage
    ├── filesharing/       # Samba and Syncthing
    ├── grafana-alloy/     # Metrics/log collection agent
    ├── wireguard/         # WireGuard VPN
    ├── zfs/               # ZFS event daemon and scrub
    └── forgejo-runner/    # Forgejo CI runner

Hosts

| Hostname        | Architecture | Hardware                       | Role                       |
|-----------------|--------------|--------------------------------|----------------------------|
| framework12     | x86_64       | Framework 12 (13th gen Intel)  | Desktop/laptop             |
| desktop-lorenzo | x86_64       | Desktop PC                     | Desktop                    |
| storage-*       | aarch64      | Raspberry Pi 5                 | NAS / storage node         |
| homelab-0db5c   | aarch64      | Raspberry Pi 5                 | k3s server (control plane) |
| homelab-*       | aarch64      | Raspberry Pi 5                 | k3s agent                  |
| runner-*        | aarch64      | Raspberry Pi 4                 | k3s agent + Forgejo runner |
| steamdeck       | x86_64       | Steam Deck                     | k3s agent                  |

Dependencies

Enter the development shell (provides git, gnupg, curl, gnumake, age, age-plugin-yubikey, openssh, ssh-to-age, sops, and other tools):

nix develop

Secrets (SOPS)

Secrets are managed with sops-nix, encrypted with age keys backed by YubiKey. The .sops.yaml file at the repo root defines which age keys can decrypt which secret paths.

To add a new host's age key (derived from its SSH host key):

make append_sops_HOSTNAME

This scans the host's SSH key via ssh-keyscan, converts it to an age key with ssh-to-age, and appends the entry to .sops.yaml.
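The conversion that ssh-to-age performs behind this Makefile target is small enough to show in full. The block below is an added example written for this README; it is not the repository's Makefile target and does not call ssh-keyscan or ssh-to-age. It parses an OpenSSH `ssh-ed25519` public key line (as ssh-keyscan would print it), maps the Ed25519 point to the X25519 key that age uses, encodes it as an `age1...` recipient with bech32, and shows an append step that validates the recipient and refuses duplicates before it would be written to .sops.yaml. The function names (`parse_ssh_ed25519`, `ssh_to_age`, `append_recipient`, `make_ssh_line`) and the sample key are constructed for this example: the sample is the Ed25519 base point, whose y-coordinate 4/5 maps to the Montgomery u-coordinate 9, which gives a result that can be checked by hand.

```python
import base64
import struct

P = 2**255 - 19  # field prime shared by Ed25519 and Curve25519


def parse_ssh_ed25519(line: str) -> bytes:
    """Return the raw 32-byte key from an OpenSSH 'ssh-ed25519 AAAA...' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):  # SSH wire format: sequence of length-prefixed strings
        if off + 4 > len(blob):
            raise ValueError("truncated key blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if len(fields) != 2 or fields[0] != b"ssh-ed25519" or len(fields[1]) != 32:
        raise ValueError("malformed ssh-ed25519 key blob")
    return fields[1]


def ed25519_to_x25519(pub: bytes) -> bytes:
    """Birational map from the Edwards y-coordinate to the Montgomery u-coordinate."""
    y = int.from_bytes(pub, "little") & ((1 << 255) - 1)  # drop the x-sign bit
    u = (1 + y) * pow(1 - y, -1, P) % P                   # u = (1 + y) / (1 - y)
    return u.to_bytes(32, "little")


# bech32 (BIP173) as used by age recipients, human-readable part "age"
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad=True):
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for b in data:
        acc = (acc << frombits) | b
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    elif not pad and (bits >= frombits or (acc << (tobits - bits)) & maxv):
        raise ValueError("invalid bech32 padding")
    return out


def bech32_encode(hrp: str, data: bytes) -> str:
    values = _convertbits(data, 8, 5)
    poly = _polymod(_hrp_expand(hrp) + values + [0] * 6) ^ 1
    checksum = [(poly >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in values + checksum)


def bech32_decode(s: str):
    """Return (hrp, payload bytes); raises if the checksum does not verify."""
    hrp, _, body = s.rpartition("1")
    data = [CHARSET.index(c) for c in body]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad bech32 checksum")
    return hrp, bytes(_convertbits(data[:-6], 5, 8, pad=False))


def ssh_to_age(line: str) -> str:
    """Same mapping ssh-to-age applies to an ed25519 host key."""
    return bech32_encode("age", ed25519_to_x25519(parse_ssh_ed25519(line)))


def append_recipient(existing: list, recipient: str) -> list:
    """Validate an age recipient and add it unless it is already listed."""
    hrp, raw = bech32_decode(recipient)
    if hrp != "age" or len(raw) != 32:
        raise ValueError("not an age recipient")
    return existing if recipient in existing else existing + [recipient]


def make_ssh_line(raw32: bytes) -> str:
    """Build a constructed 'ssh-ed25519 ...' line from 32 raw key bytes."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample: the Ed25519 base point has y = 4/5, which the map sends to u = 9
SAMPLE_KEY = make_ssh_line((4 * pow(5, -1, P) % P).to_bytes(32, "little"))

if __name__ == "__main__":
    recipient = ssh_to_age(SAMPLE_KEY)
    print(recipient)                       # age1... (62 characters)
    print(append_recipient([recipient], recipient))  # no duplicate is added
```

Whatever ends up in .sops.yaml becomes a recipient that can decrypt every secret path its rule matches, and ssh-keyscan simply reports whatever key the network answers with, so the useful check before appending is to compare the scanned key's fingerprint (`ssh-keygen -lf` on the scanned line) with the one the host prints on its console or first login, then run the append only once the two agree.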

Baking images

This flake can generate SD card images (.img.zst) and ISOs. The Makefile provides pattern targets %.img.zst and %.iso.

# All homelab and storage SD card images at once
make homelab_sds

Remote builds

Build, activate on next boot, or live-switch a remote host over SSH. The Makefile resolves HOSTNAME.local automatically.

# Build only (does not activate)
make remote_build_HOSTNAME

# Activate on next boot
make remote_boot_HOSTNAME

# Live-switch (activate immediately)
make remote_switch_HOSTNAME

Shortcuts for all homelab nodes:

# Boot all homelab nodes
make homelab_boot

# Live-switch all homelab nodes
make homelab_switch

Using nixos-rebuild

# With no secrets (pulls the flake from a remote git repo)
sudo nixos-rebuild --flake git+https://git.elates.it/koalalorenzo/nixos-config#HOSTNAME boot

Using nixos-install

# Format disks using disko
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount disko.nix

# Install (clone the repo and decrypt secrets in /tmp/nixos-config first)
sudo nixos-install --flake .#HOSTNAME --root /mnt --impure

sudo reboot

Post-install: storage nodes

Re-create Samba users. Passwords are stored in the .sops.env file.

sudo smbpasswd -a koalalorenzo
sudo smbpasswd -a longhorn
sudo smbpasswd -a immich
sudo smbpasswd -a jellyfin