🔔 Read a blog post about this repository

This is my personal Nix configuration repository managing both macOS (via nix-darwin) and NixOS systems with home-manager. While I try to keep everything working properly, use any part of this repo on your own system at your own risk! I'd recommend using this more for inspiration than exact instructions.

This flake-based configuration uses a modular architecture:

• modules/common/myConfig/ - Shared configuration options and implementations
• modules/darwin/myConfig/ - macOS-specific extensions
• modules/nixos/myConfig/ - NixOS-specific extensions
• modules/home-manager/myHomeConfig/ - User environment configuration
• hosts/ - Host-specific configurations
• home/joseph/ - User dotfiles and program configurations
• keys/ - SSH public keys for system access and encryption
• secrets/ - Age-encrypted secrets using agenix

# Build and switch configuration (auto-detects platform)
just switch  # or just s

# Update flake inputs
just update

# Deploy to remote NixOS server
just deploy

# Format and lint code
nix fmt
nix run nixpkgs#statix check .

# Garbage collect old generations
just gc [age=7]  # defaults to 7 days

# Check configuration builds correctly
nix flake check

1. Generate host keys (if they don't exist):

   sudo ssh-keygen -A

2. Install Nix: Follow the Zero to Nix guide

3. Install Homebrew:

   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

1. Clone this repository
2. Update flake.nix to match your hostname and preferences
3. Configure SSH keys in keys/default.nix
4. Run just switch to build and activate the configuration

• Josephs-MacBook-Air - Primary development machine

• terminus (x86_64-linux) - Homelab server
• orbstack (aarch64-linux) - Development container
• iso-gnome (aarch64-linux) - Live ISO image

NixOS installation uses nixos-anywhere for unattended/remote setups.

1. Boot the target system with NixOS installer
2. Set password for nixos user: passwd
3. Get IP address: ip a
4. Install remotely from this repository

nix run github:nix-community/nixos-anywhere -- \
  --flake .#terminus \
  --target-host nixos@<IP_ADDRESS> \
  --build-on remote \

nix run github:nix-community/nixos-anywhere -- \
  --generate-hardware-config nixos-generate-config ./hosts/nixos/terminus/hardware-configuration.nix \
  --flake .#terminus \
  --target-host nixos@<IP_ADDRESS> \
  --build-on remote \

Note: --build-on-remote is necessary for cross-architecture builds. Ensure disk setup is configured with disko (see examples in hosts/nixos/*/disko.nix).

This repository uses agenix for secrets management.

• --copy-host-keys - Copies SSH host keys to the new system (the NixOS installer will generate keys, we'll copy those keys onto the installed system. This allows to re-key Agenix with the new keys prior to finishing the install)
• --extra-files "$temp" - Copies user SSH keys for secret decryption

temp=$(mktemp -d)
install -d -m755 "$temp/home/joseph/.ssh"

# Get keys from 1Password or generate new ones
op read "op://Private/<item>/private key" > "$temp/home/joseph/.ssh/id_ed25519"
op read "op://Private/<item>/public key" > "$temp/home/joseph/.ssh/id_ed25519.pub"

# Set correct permissions
chmod 600 "$temp/home/joseph/.ssh/id_ed25519"*

• Re-key all secrets (agenix -r -i /path/to/ed_25519) with new keys (added to /keys/default.nix) before installation

Lanzaboote should be disabled for the install. Once installed, enable Lanzaboote and Secure Boot. Then enable disk unlocking using TPM2: sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+11 /dev/nvme0n1p2, assuming that the LUKS partition is /dev/nvme0n1p2.

tailscale up --ssh --advertise-exit-node

• Update dynamic DNS records with Tailscale IP for external access
• Ensures devices on the Tailnet can resolve hostnames via public DNS

The terminus server runs various self-hosted services. Some require manual setup:

• Jellyfin: Access web interface for initial media library setup
• Sonarr/Radarr: Configure indexers and download clients
• Prowlarr: Set up indexer connections
• SABnzbd:
  • Edit /var/lib/sabnzbd/sabnzbd.ini
  • Add sabnzbd.terminus.josephstahl.com to host_whitelist
  • Configure port (default: 8082 to avoid conflicts with Unifi on 8080)

• Configure devices and integrations via web interface
• Zigbee and Z-Wave devices managed through dedicated containers

• Homepage: Dashboard aggregating all services

• VS Code Server: Remote development access
• Ollama: Local LLM inference server

To adapt this configuration for your own use:

1. Update personal information:

   • Change user details in flake.nix commonConfig
   • Update SSH keys in keys/default.nix
   • Modify email and name in git configuration

2. Host configuration:

   • Add your systems to nixosConfigurations or darwinConfigurations
   • Create host-specific configs in hosts/
   • Update networking and hardware configurations

3. Services:

   • Enable/disable services in host configurations
   • Modify service configurations in hosts/*/services/
   • Update domain names and certificates

4. Secrets:

   • Re-key all secrets with your own SSH keys
   • Update secret paths in configurations
   • Configure agenix for your key management

• Always run git add --all before nix operations
• Use nix flake check to validate configurations
• Review systemd logs for service problems: journalctl -u <service>