87 lines
2.8 KiB
Markdown
87 lines
2.8 KiB
Markdown
# NixOS Configuration
|
|
|
|
My personal NixOS configuration for multiple hosts, managed with flakes and home-manager.
|
|
|
|
## Hosts
|
|
|
|
### Desktop Systems
|
|
- **rotterdam** - Main desktop workstation (x86_64)
|
|
- Features: Desktop, AI tools, Bluetooth, Dev environment, Gaming, Virtualization (libvirtd), Podman
|
|
- Storage: Ephemeral root with LUKS encryption
|
|
|
|
- **io** - Secondary desktop (x86_64)
|
|
- Features: Desktop, AI tools, Bluetooth, Dev environment, Podman
|
|
- Storage: Ephemeral root with LUKS encryption
|
|
|
|
### Servers
|
|
- **alexandria** - Home server (x86_64)
|
|
- Hosts: Nextcloud, Vaultwarden, Jellyfin, Kanidm
|
|
|
|
- **trantor** - Cloud server (aarch64)
|
|
- Hosts: Forgejo
|
|
- Cloud provider: Oracle Cloud Infrastructure
|
|
- Storage: Ephemeral root with btrfs
|
|
|
|
## Home Manager Configurations
|
|
|
|
- **user@rotterdam** - Full desktop setup with gaming, OBS, and complete development environment
|
|
- **user@io** - Lightweight desktop setup
|
|
|
|
Both configurations include:
|
|
- btop, direnv, helix, starship, tmux
|
|
- Stylix theme management
|
|
- Fish shell with custom configurations
|
|
|
|
## Terranix Configurations
|
|
|
|
Infrastructure as code using Terranix (NixOS + Terraform/OpenTofu):
|
|
|
|
- **oci-trantor** - Oracle Cloud Infrastructure provisioning for Trantor server
|
|
- **cloudflare-baduhaidev** - DNS and CDN configuration for baduhai.dev domain
|
|
- **tailscale-tailnet** - Tailscale network ACL and device management
|
|
|
|
## Services
|
|
|
|
All services are accessible via custom domains under baduhai.dev:
|
|
|
|
- **Kanidm** (auth.baduhai.dev) - Identity and access management
|
|
- **Vaultwarden** (pass.baduhai.dev) - Password manager
|
|
- **Forgejo** (git.baduhai.dev) - Git forge (publicly accessible)
|
|
- **Nextcloud** (cloud.baduhai.dev) - File sync and collaboration
|
|
- **Jellyfin** (jellyfin.baduhai.dev) - Media server
|
|
|
|
Services are accessible via:
|
|
- LAN for alexandria-hosted services
|
|
- Tailscale VPN for all services
|
|
- Public internet for Forgejo only
|
|
|
|
## Notable Features
|
|
|
|
### Ephemeral Root
|
|
Rotterdam, io, and trantor use an ephemeral root filesystem that resets on every boot:
|
|
- Root filesystem is automatically rolled back using btrfs snapshots
|
|
- Old snapshots retained for 30 days
|
|
- Persistent data stored in dedicated subvolumes
|
|
- Implements truly stateless systems
|
|
|
|
### Custom DNS Architecture
|
|
- Unbound DNS servers on both alexandria and trantor
|
|
- Service routing based on visibility flags (public/LAN/Tailscale)
|
|
- Split-horizon DNS for optimal access paths
|
|
|
|
### Security
|
|
- LUKS full-disk encryption on desktop systems
|
|
- Fail2ban on public-facing servers
|
|
- agenix for secrets management
|
|
- Tailscale for secure remote access
|
|
|
|
### Desktop Environment
|
|
- Custom Niri window manager (Wayland compositor)
|
|
- Using forked version with auto-centering feature
|
|
- Stylix for consistent theming
|
|
|
|
### Development Setup
|
|
- Nix flakes for reproducible builds
|
|
- deploy-rs for automated deployments
|
|
- Podman for containerization
|
|
- Complete AI tooling integration
|