My NixOS and Home-Manager Configs
Standalone home-manager modules.
| Feature | Component |
|---|---|
| Shell | Fish, Starship |
| Editor | Neovim, Vim |
| WM | Niri |
| Desktop Shell | DankMaterialShell |
| Theming | Matugen |
| Terminal | Alacritty |
| Launcher | Vicinae |
| Browser | Firefox |
Podman containers via quadlet-nix (rootful, userns=auto).
| Service | Component |
|---|---|
| Authentication | Authelia |
| Reverse Proxy | Caddy |
| Adblock | Pihole |
| Torrent Indexer | Jackett |
| Minecraft Server | Nix-Minecraft |
| Nix Binary Cache | TODO |
| Services Monitoring | Beszel (TODO) |
| CalDAV/CardDAV | Radicale (TODO) |
| Music Stats | Multi-scrobbler, Koito (TODO) |
| RSS Aggregator | FreshRSS (TODO) |
- Secrets management via sops-nix.
- Declarative disk partitioning via disko, with BTRFS on LUKS.
- Ephemeral root: storage is wiped on every boot via impermanence.
```
host/
  _modules/    - NixOS modules
  <hostname>/  - NixOS hosts
home/
  _modules/    - home-manager modules
  <username>/  - home-manager users
inventory/     - metadata of users, hosts and valid pairings (see section below)
secrets/       - sops-nix secrets
shell.nix      - devShells for the repo, including distinct neovim instances and dev envs for home/ and host/
```
Modules in _modules are self-gating: each module decides for itself whether it should be enabled by inspecting its context.
This differs from the usual approach, where hosts and users conditionally import modules or "presets" and someone has to carefully maintain lists of imports.
Consequently, modules are always imported wholesale: most module default.nix files simply import every file in their directory and every default.nix in their subdirectories.
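The two halves of that pattern, the directory-walking default.nix and a module that gates itself, as an added example (this is illustrative code, not the repo's own modules). The `inventory`, `hostName` and `userName` module arguments and the shape of `inventory` are assumptions; a real setup would pass them in via `specialArgs` / `extraSpecialArgs`. The two files are listed together as one attribute set so the listing is a single valid Nix expression.

```nix
{
  # _modules/default.nix: import every .nix file in this directory and every
  # subdirectory that carries a default.nix, so nothing is listed by hand.
  "_modules/default.nix" = { lib, ... }:
    let
      here = builtins.readDir ./.;
      wanted = name: type:
        (type == "regular" && lib.hasSuffix ".nix" name && name != "default.nix")
        || (type == "directory" && builtins.pathExists (./. + "/${name}/default.nix"));
    in {
      imports = map (name: ./. + "/${name}")
        (builtins.attrNames (lib.filterAttrs wanted here));
    };

  # _modules/alacritty.nix: a self-gating module. Importing it everywhere is
  # harmless; it only does something when the (assumed) inventory says this
  # user/host pairing is a laptop. `inventory`, `hostName` and `userName`
  # are hypothetical arguments, not part of home-manager itself.
  "_modules/alacritty.nix" = { config, lib, pkgs, inventory, hostName, userName, ... }:
    let
      host = inventory.hosts.${hostName};      # assumed shape: { type = "laptop"; ... }
      user = inventory.users.${userName};      # assumed shape: { hosts = [ "theseus" ]; ... }
      enabled = host.type == "laptop" && builtins.elem hostName user.hosts;
    in {
      config = lib.mkIf enabled {
        programs.alacritty.enable = true;
      };
    };
}
```

Because the gate lives inside the module, adding a host or user to the inventory is the only change needed to turn a module on or off; no import list has to be touched.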
The repo must be cloned to ~/nix-config when using the Home-Manager modules.
This lets out-of-store symlinks (which point back into the checkout) resolve correctly, and sidesteps file permission issues.
| Name | Hardware | Type | Note | Status |
|---|---|---|---|---|
| theseus | Framework Laptop 13 (Ryzen AI 5 340) | laptop | My daily driver. NixOS + LUKS + everything in dots. | ✅ |
| barrybenson | Beelink Mini PC (Ryzen 7 5700U) | server | Headless homeserver with impermanence. Containers setup in progress. | ✅ |
| ionobro | IONOS VPS (1G RAM, 10G Storage) | server | Acts as the router/firewall for barrybenson who is behind CGNAT. I need a minimal NixOS install to run wireguard + nftables. | 📝 |
| guinea | QEMU/KVM | VM | Used to build this config. Need to configure declaratively on theseus. | ✅ |
✅ Setup completed | 🚧 In progress | 📝 Planning
- Each NixOS host generates an SSH host key on initial install. On boot, the host age key is derived from that SSH key and used to decrypt the host's secrets.
- For each user of a NixOS host, the host decrypts the user's password (needed for its own user setup) and the user's age key, placing the latter where home-manager's sops module expects it (~/.config/sops/age/key.txt). The user's home-manager config then uses that age key to decrypt its own secrets.
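The two-stage chain above, written out with sops-nix's own options as an added example (not the repo's secrets setup). Host name, user name, secret names and file paths are assumptions; the option names (`sops.age.sshKeyPaths`, `neededForUsers`, `hashedPasswordFile`, `sops.age.keyFile`) are real. The NixOS module and the home-manager module are listed together as one attribute set so the listing is a single valid Nix expression.

```nix
{
  # host/theseus/secrets.nix (NixOS side): derive the host age key from the
  # SSH host key and decrypt the per-user material.
  "host/theseus/secrets.nix" = { config, ... }: {
    sops = {
      defaultSopsFile = ../../secrets/theseus.yaml;   # assumed path
      # sops-nix converts the SSH host key to an age identity at activation.
      # Caveat: with impermanence the SSH host key must live on persistent
      # storage, otherwise a new key is generated on boot and nothing decrypts.
      age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];   # assumed path
      secrets = {
        # Password hash for the user: decrypted before users are created.
        "alice/password" = { neededForUsers = true; };
        # The user's own age key, dropped where home-manager's sops looks for it.
        "alice/age-key" = {
          owner = "alice";
          mode = "0400";
          path = "/home/alice/.config/sops/age/key.txt";
        };
      };
    };
    users.mutableUsers = false;   # the hash from the secret is authoritative
    users.users.alice = {
      isNormalUser = true;
      hashedPasswordFile = config.sops.secrets."alice/password".path;
    };
  };

  # home/alice/secrets.nix (home-manager side): use the key the host placed.
  "home/alice/secrets.nix" = { config, ... }: {
    sops = {
      defaultSopsFile = ../../secrets/alice.yaml;   # assumed path
      age.keyFile = "${config.home.homeDirectory}/.config/sops/age/key.txt";
      # Example user secret; its decrypted location is
      # config.sops.secrets."example/token".path.
      secrets."example/token" = { };
    };
  };
}
```

The user's age key is itself a host secret, so the chain of trust is: SSH host key (on disk) → host age key → user age key → user secrets. Anyone who can read the persisted SSH host key can decrypt everything downstream, which is why it should be on the LUKS-protected volume.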
My firefox (HM) module configs can be applied to any firefox-based browser, such as floorp, librewolf, or even glide (from an external flake).
For examples, see firefox.nix and glide.nix.
Both share these centralized configs:
- firefox/config - Shared policies, settings, extensions, and my custom module configs
- firefox/mkModule - My custom modules, which include:
The shared configs and custom modules are meant to be merged with firefox-based browser modules such as programs.firefox, programs.librewolf, etc.
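One way to do that merge, as an added example (not the repo's firefox/ directory): a browser-agnostic attribute set is merged into both `programs.firefox` and `programs.librewolf`, which share the same option shape in home-manager. The particular policies and prefs below are illustrative choices, and `mkBrowser` is a hypothetical helper standing in for the repo's mkModule.

```nix
{ lib, ... }:
let
  # Stand-in for firefox/config: settings that apply to every firefox-based browser.
  shared = {
    policies = {
      DisableTelemetry = true;
      DisablePocket = true;
      ExtensionSettings = {
        "uBlock0@raymondhill.net" = {
          installation_mode = "force_installed";
          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
        };
      };
    };
    profiles.default = {
      isDefault = true;
      settings = {
        "privacy.resistFingerprinting" = true;
        "network.trr.mode" = 2;   # prefer DNS over HTTPS, fall back to system DNS
      };
    };
  };
  # Stand-in for firefox/mkModule: wrap a browser's module options around the
  # shared config, letting the caller override individual leaves.
  mkBrowser = extra: lib.recursiveUpdate shared ({ enable = true; } // extra);
in
{
  programs.firefox = mkBrowser { };
  programs.librewolf = mkBrowser {
    profiles.default.settings."network.trr.mode" = 3;   # DoH only on this browser
  };
}
```

`lib.recursiveUpdate` merges attribute sets leaf by leaf, so a per-browser override replaces only the one pref it names and leaves the rest of the shared policy set intact.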
ionobro is my VPS which connects clients to my homeserver, barrybenson, via wireguard. It forwards packets to barrybenson without source NAT. barrybenson hosts services and lives behind CGNAT. Its outgoing traffic goes through wireguard if it is a response to some incoming traffic from the tunnel; otherwise it goes through the normal internet. This is achieved via nftables policy-based routing.
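The barrybenson side of that policy routing, as an added example (not the repo's network config). Because the VPS does not SNAT, replies from barrybenson carry the client's real public address as destination and would otherwise follow the default route out the normal uplink. The ruleset tags connections that arrive via the tunnel with a conntrack mark, restores that mark on every later packet (including replies generated locally or forwarded back from containers), and an `ip rule` sends marked packets through a table whose default route is wg0. Interface name, tunnel addresses, peer key, endpoint, mark and table numbers are assumptions; the NixOS options and nftables syntax are real.

```nix
{ config, ... }:
let
  mark  = "0x1";   # conntrack/packet mark: "this connection came in over the tunnel"
  table = "100";   # routing table whose default route is the tunnel (assumed free)
in
{
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.2/24" ];                                   # assumed tunnel address
    privateKeyFile = config.sops.secrets."wg/barrybenson".path;  # assumed secret name
    # Routes for allowedIPs are added by hand below; 0.0.0.0/0 must not
    # become the main-table default route.
    allowedIPsAsRoutes = false;
    peers = [{
      publicKey = "VPS_PUBLIC_KEY_PLACEHOLDER";   # assumed
      endpoint = "vps.example.org:51820";         # assumed
      allowedIPs = [ "0.0.0.0/0" ];               # any client source may arrive via the tunnel
      persistentKeepalive = 25;                   # keep the CGNAT mapping open
    }];
    # Marked packets consult the tunnel table; everything else uses main.
    postSetup = ''
      ip -4 rule add fwmark ${mark} table ${table} priority 1000
      ip -4 route add default dev wg0 table ${table}
    '';
    postShutdown = ''
      ip -4 rule del fwmark ${mark} table ${table} priority 1000 || true
    '';
  };

  # Strict reverse-path filtering can drop tunnel packets whose source is a
  # public client address (the reverse route is the normal uplink).
  networking.firewall.checkReversePath = "loose";

  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet pbr {
        chain prerouting {
          type filter hook prerouting priority mangle; policy accept;
          # tag new connections that arrive through the tunnel
          iifname "wg0" ct state new ct mark set ${mark}
          # restore the mark on every packet of a tagged connection, which
          # covers replies forwarded back from containers before routing
          ct mark ${mark} meta mark set ct mark
        }
        chain output {
          # 'route' type re-evaluates the routing decision after the mark changes,
          # so locally generated replies to tunnel connections leave via wg0
          type route hook output priority mangle; policy accept;
          ct mark ${mark} meta mark set ct mark
        }
      }
    '';
  };
}
```

Only IPv4 is shown; IPv6 needs the same `ip -6 rule` / `ip -6 route` pair, while the `inet` table already matches both families. Verify with `nft list table inet pbr`, `ip rule show` and `ip route show table 100`, and confirm with a connection from outside that `conntrack -L` shows `mark=1` on it.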