nix-config

Personal Nix configuration for macOS (nix-darwin) and NixOS machines.

Machines

| Host   | Type                 | Description                |
|--------|----------------------|----------------------------|
| lambda | nix-darwin (aarch64) | MacBook Pro workstation    |
| htpc   | NixOS (x86_64)       | Home theater PC            |
| vps    | NixOS (aarch64)      | VPS — self-hosted services |

Services

htpc

| Service | Description                      |
|---------|----------------------------------|
| Kodi    | Media center with Jellycon addon |

vps

| Service               | Description                          |
|-----------------------|--------------------------------------|
| Forgejo               | Self-hosted git                      |
| Forgejo Runner        | CI runner (docker-in-docker)         |
| Headscale             | Self-hosted Tailscale control server |
| Headplane             | Headscale web UI                     |
| Pocket ID             | OIDC/SSO provider                    |
| Pangolin + Gerbil     | Tunneled reverse proxy stack         |
| Uptime Kuma           | Uptime monitoring                    |
| FMBot                 | Last.fm Discord bot (via fmatrix)    |
| Epic Games Free Games | Auto-claim free Epic Games           |
| Website               | Static site                          |

Secrets

Secrets are managed with agenix and stored in a private repository (nix-private), which the flake consumes as its `secrets` input. Each machine decrypts its secrets at activation using its SSH host key (NixOS) or the personal SSH key (macOS). Because any flake input is copied into the world-readable /nix/store on every machine that builds from it, the private repo must hold only age-encrypted files and public keys, never plaintext.
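Added example, not a file from the author's private repository: what an agenix `secrets.nix` for these three machines looks like, with the personal key as a recipient of everything so the files stay rekeyable from the workstation and each NixOS host's SSH host key as recipient of what that host needs. Every key string, the `admins` binding and the `.age` file names are placeholders. Editing this file and running `agenix -r` is the step the per-host install sections below describe as adding a host key.

```nix
# secrets.nix (example; the real file lives in the private nix-private repo)
#
# Recipients file read by the `agenix` CLI (RULES=./secrets.nix by default).
# Every key string below is a placeholder, not a real public key.
let
  # Personal key. Used by lambda (macOS) to decrypt, and by the workstation to
  # rekey: `agenix -r` needs an identity that can already open every file.
  hdjenkov = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERpersonalKey hdjenkov@lambda";

  # NixOS hosts decrypt with their SSH host key: paste the output of
  # `cat /etc/ssh/ssh_host_ed25519_key.pub` taken from the installed system
  # (the installer ISO has a different, throwaway host key).
  htpc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERhtpcHostKey root@htpc";
  vps  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERvpsHostKey root@vps";

  # Always include the personal key, otherwise a file can never be rekeyed
  # from the workstation once a host is retired.
  admins = [ hdjenkov ];
in
{
  # One entry per encrypted file; recipients are the union of who must read it.
  # File names are hypothetical.
  "forgejo-runner-token.age".publicKeys = admins ++ [ vps ];
  "jellyfin-api-key.age".publicKeys     = admins ++ [ htpc ];
  "headscale-preauth.age".publicKeys    = admins ++ [ htpc vps ];
}
```

Adding a host means appending its key to the `publicKeys` lists of the files it needs and running `agenix -r` from the repo root on a machine whose identity is already a recipient (the workstation with the personal key); rekeying rewrites every `.age` file, so expect a commit touching all of them. On NixOS the agenix module's default `age.identityPaths` already points at the host's SSH keys; on macOS the darwin side has to set `age.identityPaths` to the personal key (an assumption about how this config is wired, since the page only states which key each platform uses).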

Installation

macOS (lambda)

Install Nix via the Determinate Systems installer (the command pipes a downloaded script straight into sh; fetch it to a file and read it first if you would rather not run unreviewed code with sudo):

curl -fsSL https://install.determinate.systems/nix | sh -s -- install

Clone the repo:

git clone https://github.com/zerw0/nix-config.git ~/git/nix-config

Clone the private secrets repo:

git clone git@git.zerw.xyz:hdjenkov/nix-private.git ~/git/nix-private

Apply the configuration:

sudo darwin-rebuild switch --flake ~/git/nix-config#lambda --override-input secrets ~/git/nix-private

NixOS (htpc)

Boot from the installer ISO, then from your workstation copy your SSH key to the target:

export NIXOS_HOST=192.168.x.x
ssh-copy-id -i ~/.ssh/personal hdjenkov@$NIXOS_HOST

SSH in with agent forwarding:

ssh -A hdjenkov@$NIXOS_HOST

Enable flakes:

mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf

Partition and format using disko. The layout comes from the repo, so disk-config.nix must already be on the installer before this step (a temporary checkout, or just that file copied over with scp); the clone into /mnt below only happens after formatting. This destroys everything on the disks named in disk-config.nix:

nix --experimental-features "nix-command flakes" run github:nix-community/disko \
  -- -m destroy,format,mount \
  /path/to/nix-config/machines/nixos/htpc/disk-config.nix

Install git and clone the repo:

nix-env -f '<nixpkgs>' -iA git
mkdir -p /mnt/home/hdjenkov/git
git clone https://github.com/zerw0/nix-config.git /mnt/home/hdjenkov/git/nix-config

Install:

nixos-install --root /mnt --no-root-passwd \
  --flake git+file:///mnt/home/hdjenkov/git/nix-config#htpc

Reboot. The installed system generates its own SSH host key on first boot, so your workstation's known_hosts still holds the installer ISO's key for this address; remove it with `ssh-keygen -R $NIXOS_HOST` and check the new fingerprint on the console rather than bypassing the mismatch warning. Then SSH in with agent forwarding and read the host key that goes into the secrets repo:

ssh -A hdjenkov@$NIXOS_HOST
cat /etc/ssh/ssh_host_ed25519_key.pub

Back on your workstation, add the host key to secrets.nix in the private repo, re-encrypt, and push. `agenix -r` reads ./secrets.nix from the current directory and needs an identity that can already decrypt every file (the personal key), which is why this runs on the workstation and not on htpc:

cd ~/git/nix-private
agenix -r
git add -A && git commit -m "add htpc host key" && git push

Pull and deploy on htpc. nix-config is already at ~/git/nix-config from the install-time clone into /mnt/home/hdjenkov/git (if that clone was made as root, `sudo chown -R hdjenkov: ~/git` first, or git will refuse the directory); only the private repo still needs cloning, over the forwarded agent:

git clone git@git.zerw.xyz:hdjenkov/nix-private.git ~/git/nix-private  # SSH agent forwarded
cd ~/git/nix-config && git pull
sudo --preserve-env=SSH_AUTH_SOCK nixos-rebuild switch --flake ~/git/nix-config#htpc --override-input secrets ~/git/nix-private

NixOS (vps)

From your workstation, copy your SSH key to the VPS:

export NIXOS_HOST=<vps-ip>
ssh-copy-id -i ~/.ssh/personal root@$NIXOS_HOST

SSH in with agent forwarding:

ssh -A root@$NIXOS_HOST

Enable flakes:

mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf

Partition and format using disko. As for htpc, disk-config.nix must already be on the installer (temporary checkout or scp) because the repo is only cloned into /mnt after formatting, and this destroys everything on the disks named in it:

nix --experimental-features "nix-command flakes" run github:nix-community/disko \
  -- -m destroy,format,mount \
  /path/to/nix-config/machines/nixos/vps/disk-config.nix

Install git and clone the repo:

nix-env -f '<nixpkgs>' -iA git
mkdir -p /mnt/home/hdjenkov/git
git clone https://github.com/zerw0/nix-config.git /mnt/home/hdjenkov/git/nix-config

Install:

nixos-install --root /mnt --no-root-passwd \
  --flake git+file:///mnt/home/hdjenkov/git/nix-config#vps

Reboot, remove the installer's entry from known_hosts (`ssh-keygen -R $NIXOS_HOST`) and verify the new host key fingerprint as for htpc, then SSH in with agent forwarding (the private repo is cloned over SSH in the deploy step below, so the agent is needed) and read the host key:

ssh -A hdjenkov@$NIXOS_HOST
cat /etc/ssh/ssh_host_ed25519_key.pub

Back on your workstation, add the host key to secrets.nix in the private repo, re-encrypt (`agenix -r` reads ./secrets.nix and needs the personal key to open the existing files), and push:

cd ~/git/nix-private
agenix -r
git add -A && git commit -m "add vps host key" && git push

Pull and deploy on the vps. nix-config is already at ~/git/nix-config from the install, but it was cloned as root, so take ownership before using it as hdjenkov; then clone the private repo over the forwarded agent:

sudo chown -R hdjenkov: ~/git   # install-time clone was made as root
git clone git@git.zerw.xyz:hdjenkov/nix-private.git ~/git/nix-private  # SSH agent forwarded
cd ~/git/nix-config && git pull
sudo nixos-rebuild switch --flake ~/git/nix-config#vps --override-input secrets ~/git/nix-private

Updating

lambda:

cd ~/git/nix-config && git pull
sudo darwin-rebuild switch --flake ~/git/nix-config#lambda --override-input secrets ~/git/nix-private

htpc (SSH in with -A, then):

cd ~/git/nix-config && git pull
sudo nixos-rebuild switch --flake ~/git/nix-config#htpc

After the first successful deploy, htpc's sudo configuration keeps SSH_AUTH_SOCK in root's environment, so with agent forwarding nixos-rebuild can fetch the secrets input pinned in flake.lock directly and --override-input is no longer needed. The lock pins one commit of the private repo, so newly added or rekeyed secrets only reach htpc after flake.lock is updated and pushed.
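Added example, not the repository's own flake.nix: the two pieces the paragraph above relies on, a `secrets` input that Nix fetches over SSH as root and a sudo rule that keeps the forwarded agent socket. The input URL and `flake = false` are assumptions (the page only shows the git@ clone URL), the nixpkgs branch and every module path except the disk-config.nix named in the install steps are placeholders, and the secret name is hypothetical.

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";   # branch is an assumption
    agenix.url  = "github:ryantm/agenix";
    disko.url   = "github:nix-community/disko";
    # Private repo holding secrets.nix and the *.age files. It is not a
    # flake, so `flake = false`; modules use it as a plain path.
    # URL assumed from the clone command in this README.
    secrets = {
      url = "git+ssh://git@git.zerw.xyz/hdjenkov/nix-private.git";
      flake = false;
    };
  };

  outputs = { self, nixpkgs, agenix, disko, secrets, ... }@inputs: {
    nixosConfigurations.htpc = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      # Modules reach the private repo's store path via inputs.secrets.
      specialArgs = { inherit inputs; };
      modules = [
        agenix.nixosModules.default
        disko.nixosModules.disko
        ./machines/nixos/htpc/disk-config.nix    # path shown in the install steps
        ./machines/nixos/htpc/configuration.nix  # hypothetical
        ({ inputs, ... }: {
          # Keep the forwarded agent socket across sudo, so a plain
          # `sudo nixos-rebuild switch --flake ~/git/nix-config#htpc`
          # can fetch the git+ssh secrets input as root. Same effect as
          # `sudo --preserve-env=SSH_AUTH_SOCK ...` on every invocation.
          security.sudo.extraConfig = ''
            Defaults env_keep += "SSH_AUTH_SOCK"
          '';

          # A secret consumed from the private repo (hypothetical name).
          # Decrypted at activation with /etc/ssh/ssh_host_ed25519_key,
          # agenix's default identity on NixOS, into /run/agenix/...
          age.secrets.jellyfin-api-key.file = "${inputs.secrets}/jellyfin-api-key.age";
        })
      ];
    };
  };
}
```

The env_keep rule does not widen what root on htpc can already do: with `ssh -A`, root on that host can open the agent socket regardless of sudo's environment filtering, so the rule is a convenience, not a new exposure. The actual control over a forwarded agent is on the workstation side, for example loading the key with `ssh-add -c` so every signing request prompts for confirmation, and only forwarding to hosts whose root you trust.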

vps:

cd ~/git/nix-config && git pull
sudo nixos-rebuild switch --flake ~/git/nix-config#vps --override-input secrets ~/git/nix-private