<img src="docs/shinyflakes.png" width="200" />

✨ shinyflakes ❄️

My personal NixOS setup. Everything from servers to desktops to laptops, all defined in one git repo. Because if it's not in git, did it even happen?

Why NixOS?

I use NixOS to manage my homelab and it's been pretty awesome having my whole infrastructure version-controlled. No more "it worked on my machine" moments - my machines ARE the configuration.

The real killer here is using Quadlet (via quadlet-nix) for container management.

Why not NixOS services?

Because versioning is just horrendous. I can't really control versions of specific services if I don't want to have 100 flake inputs. Also with container images I always get the newest version as soon as its out.

Why not docker-compose?

Because I want proper systemd integration, individual container metrics, and the ability to manage each container separately - not just restart the whole docker-compose when one thing breaks. Plus, Nix lets me do cool stuff like ensuring directories exist before mounting them, templating configs with secrets, and using actual Nix references between resources.

My machines (Can you guess the theme?)

mentat - Main homelab server (x86_64-linux)

The big boi running everything in my apartment:

• Media: Jellyfin, Navidrome, and the full *arr stack for Linux ISOs and music
• Home Automation: Home Assistant with ESPHome, Zigbee2MQTT and Music Assistant
• AI Things: ~~Ollama + Open WebUI,~~ LibreChat ~~, Perplexica,~~ various MCP servers because AI is everywhere now apparently (I took my GPU out of the server because of the power draw...)
• Self-hosted Goodness: Immich (photos), Forgejo (git), Dawarich (location tracking), Copyparty (file sharing)
• Monitoring: Grafana, Prometheus, Loki, Beszel, Renovate for keeping tabs on container and flake.lock updates
• Storage: Garage (S3-compatible storage), NAS with Samba, ZFS for data integrity
• DNS: AdGuard Home for blocking the internet's nonsense
• GitOps: Comin for automatic deployments because manual deploys are so 2023

prime - Hetzner VPS (x86_64-linux)

The public-facing server that makes everything accessible:

• Reverse Proxy: Caddy with Coraza for a self-hosted WAF solution, because I am paranoid (rightfully so)
• Identity: Kanidm for centralized auth (so I only forget one password)
• VPN: My self made mesh network with WireGuard (everything is declarative)
• GitOps: Comin for automatic deployments because manual deploys are so 2023

carryall, thopter - Lenovo ThinkPad T14s (x86_64-linux)

My work and private laptop:

• Desktop: NNN is the goat, that stands for NixOS, Noctalia-Shell and Niri. This definitely is my favorite way to use a DE now.
• Development: All the tools, all the compilers, all the debuggers
• Security: Lanzaboote for secure boot with TPM because we're fancy now
• Boot: Plymouth for those sick boot animations
• Extras: Fingerprint auth, auto-rotation, distrobox for when Nix isn't enough

muadib - Tower Desktop for gaming (x86_64-linux)

Shares most of the config with the laptops, but of course has:

• Gaming: Steam + Lutris for procrastination

Components

Quadlet for Container Management

I wrote a whole blog post about this, but TL;DR: Quadlet gives me proper systemd services for each container. That means:

• Individual systemctl start/stop/restart commands
• Actual CPU/memory metrics per container (not just the whole compose)
• Automatic restarts that don't nuke everything
• Health checks that actually work
• Renovate for keeping track of updates
• Generic alerts for systemd will also alert me of failing containers

No more docker-compose bullshit where everything shares one log output and you can't tell what's broken.

Secrets with SOPS

All secrets are encrypted with sops-nix using age keys. That means I can commit my secrets to git (encrypted, obviously) and they get decrypted on the hosts. Each host has its own key, containers restart automatically when secrets change and I don't have to worry about accidentally leaking API keys.

Another reason to use SOPS is that it enables me to have templates to basically inject secrets into a config file for services.

For an example on this look at my forgejo setup. (You have to search it because I will probably restructure at some point.)

Networking

• WireGuard mesh network connects everything. Doesn't matter if I'm home or at a coffee shop, everything just works. This is very custom and is using my own module. I will probably write a blogpost about that setup one day.
• Nginx reverse proxy with automatic Let's Encrypt SSL via Cloudflare DNS challenges. And a whitelist to not allow everybody on the mesh to access every service.
• Caddy on prime with Coraza WAF to keep all the bad guys out.

Storage

• ZFS on mentat for data integrity and snapshots
• Disko for declarative disk setup - because manual partitioning is for chumps
• Samba for network shares I guess
• Backups: ~~uh... maybe? I should probably work on that.~~ I have that now. Everything gets backupped every night via restic!

Monitoring

• Grafana for dashboards that make me feel like a real sysadmin
• Prometheus for metrics collection
• Loki for log aggregation
• Beszel for lightweight system monitoring
• Renovate for tracking container updates

Infrastructure as Code

• Tofunix for managing Terraform with Nix because why have two config languages when you can have one?
  • Cloudflare DNS records
  • Hetzner Cloud resources
  • S3 backend in Cloudflare R2 for state management

How It's Structured (Using Blueprint instead of flake-parts)

I recently restructured everything using blueprint, which is basically a convention-over-configuration thing for Nix flakes. Instead of manually wiring up all the flake outputs, blueprint just looks at your folder structure and figures it out.

The magic happens in flake.nix:

outputs = inputs: inputs.blueprint {
  inherit inputs;
  prefix = "nix";  # Everything lives in the nix/ folder
};

And here's what that folder structure looks like:

nix/
├── hosts/              # NixOS and nix-darwin host configurations
│   ├── mentat/        # Host-specific config + modules
│   │   ├── configuration.nix
│   │   ├── hardware-configuration.nix
│   │   └── modules/
│   │       ├── stacks/      # Quadlet container definitions
│   │       ├── adguard.nix
│   │       └── ...
│   ├── prime/
│   └── thopter/
├── modules/           # Shared/reusable modules
│   ├── nixos/        # NixOS modules
│   ├── darwin/       # nix-darwin modules
│   ├── home/         # Home Manager modules
│   │   ├── linux/
│   │   └── mac/
│   └── services/     # Service-specific modules
├── packages/         # Custom package definitions
└── secrets.yaml      # SOPS encrypted secrets

Blueprint automatically:

• Creates nixosConfigurations from nix/hosts/*/configuration.nix
• Exposes modules from nix/modules/
• Makes packages available from nix/packages/

It's pretty neat. No more manually maintaining a giant flake.nix with all the outputs.

Dependencies

This changes a lot as I'm working on my config daily, for the most up-to-date info look into the flake.nix.

• nixpkgs (+ stable/small variants) - The Nix packages, multiple channels for flexibility
• blueprint - Convention-based flake structure (the new hotness)
• quadlet-nix - The star of the show, Podman containers as systemd services
• sops-nix - Secrets management that doesn't suck
• home-manager - User environment configuration
• disko - Declarative disk partitioning
• lanzaboote - Secure boot for NixOS with TPM support
• zen-browser - Privacy-focused Firefox fork
• nix-gaming - Gaming optimizations and fixes
• vicinae - Launcher - Raycast alternative for Linux (shoutout to the Vicinae project)
• niri - Scrollable tiling Wayland compositor
• spicetify-nix - Spotify theming because aesthetics matter
• nvf - Neovim configuration framework
• iio-sway - Auto-rotation for convertible laptops
• nix-flatpak - Declarative Flatpak management
• comin - GitOps for NixOS (automatic deployments)
• niks3 - S3 backend support for Nix binary caches
• copyparty - Simple file sharing server
• sirberus - My own project integration

How To's

Secrets Management

Adding a New Host

When you add a new machine, you need to give it access to secrets:

# Convert the host's SSH key to an age key
nix-shell -p ssh-to-age --run 'ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub'

Add the output to .sops.yaml as a new server_* key, then re-encrypt secrets:

sops updatekeys nix/secrets.yaml

Adding New Secrets

Edit the secrets file with sops:

sops nix/secrets.yaml

Then reference them in your Nix config:

sops.secrets.mySecret = {
  # Secrets with restartUnits will trigger service restarts on change
  restartUnits = [ "my-service.service" ];
};

# Use in containers via environment templates
sops.templates."my-service.env" = {
  restartUnits = [ "my-service.service" ];
  content = ''
    SECRET=${config.sops.placeholder.mySecret}
  '';
};

Check out CLAUDE.md or any of the stack modules for more examples.

Installing a New Host

Prerequisites

• NixOS minimal ISO USB drive
• Internet connection (Ethernet or WiFi)
• Your disk partition scheme ready (check the disko configs in nix/hosts/*/disko.nix)

Installation Steps

1. Boot the Installer

Boot from the NixOS minimal ISO and wait for the prompt.

2. C