Highlights
This repo contains the Nix configurations for my homelab, AMD Ryzen desktop, M1 MacBook Air, and work WSL setup.
- ❄️ Nix flakes handle upstream dependencies and track latest stable release of Nixpkgs (currently 25.11)
- 🏠 home-manager manages dotfiles
- 🍎 nix-darwin manages MacBook
- 🤫 sops-nix manages secrets
- 🔑 Remote initrd unlock system to decrypt drives on boot
- 🌬️ Root on tmpfs aka impermanence
- 🔒 Automatic Let's Encrypt certificate registration and renewal
- 🧩 Tailscale, Nextcloud, Jellyfin, Homebridge, Scrypted, among other nice self-hosted applications
- ⚡️ `.justfile` contains useful aliases for many frequent and atrociously long `nix` commands
- 🤖 `flake.lock` updated daily via GitHub Action, servers are configured to automatically upgrade daily via `modules/nixos/auto-update.nix`
- 🧱 Modular architecture promotes readability for me and copy-and-paste-ability for you
- 📦 Custom ready-made tarball and ISO for installing NixOS-on-WSL and NixOS, respectively
Getting started
macOS
On macOS, this script will install nix using the
Determinate Systems Nix installer and
prompt you to install my configuration.
Important
You'll need to run this script as sudo or have sudo permissions.
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/eh8/chenglab/main/install.sh)"
NixOS (Linux)
Important
You'll need to run this script as sudo or have sudo permissions.
Warning
This script is primarily meant for my own use. Using it to install NixOS on your own hardware will fail. At minimum, you'll need to do the following before attempting installation:
- Create a configuration for your own device in the `machines/` folder
- Retool your own sops-nix secrets or remove them entirely if you don't use sops-nix
- Add an entry to flake.nix referencing the configuration created in step 1
On Linux, running this script from the NixOS installation ISO will prepare your system for NixOS by partitioning drives and mounting them.
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/eh8/chenglab/main/install.sh)"
Windows Subsystem for Linux (WSL)
- Enable WSL if you haven't done already:
wsl --install --no-distribution
- Download `nixos.wsl` from the latest release.
- Either double-click the `nixos.wsl` file once downloaded or import the tarball into WSL:
wsl --install --from-file nixos.wsl
- You can now run NixOS:
Useful commands 🛠️
Install `just` to access the simple aliases below.
Locally deploy changes
Remote deployment
To remotely deploy MACHINE, which has an IP address of 10.0.10.2
just deploy MACHINE 10.0.10.2
Edit secrets
Make sure each machine's public key is listed as an entry in `.sops.yaml`. To
modify `secrets/secrets.yaml`:
Syncing sops keys for a new machine
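The following is an added example of what the `.sops.yaml` referred to above can look like, not the file from this repo. The age public keys are placeholders, and the use of age recipients (rather than PGP) is an assumption; sops-nix supports both.

```yaml
# Added example .sops.yaml (not the repo's own file).
# Key values are placeholders; in practice each host's age recipient is
# derived from its SSH host key (for example with ssh-to-age).
keys:
  - &admin   age1PLACEHOLDER_ADMIN_KEY
  - &homelab age1PLACEHOLDER_HOMELAB_HOST_KEY
  - &desktop age1PLACEHOLDER_DESKTOP_HOST_KEY
creation_rules:
  # Every machine that must decrypt secrets/secrets.yaml during activation
  # needs its key listed here. A host missing from this list cannot decrypt
  # the file on boot, so add the new machine's key before deploying to it.
  - path_regex: secrets/secrets\.yaml$
    key_groups:
      - age:
          - *admin
          - *homelab
          - *desktop
```

Adding a key to this file does not by itself re-encrypt anything; run `sops updatekeys secrets/secrets.yaml` afterwards so the file's data key is re-wrapped for the new recipient.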
Important caveats
Changing user passwords
To modify a user password, first generate a hash
echo "password" | mkpasswd -m SHA-512 -s
Then run `just edit-secrets` to replace the existing decrypted hash with the one
that you just generated. If you use a password manager, be sure to update the
stored password as necessary.
Changing SSH keys
Make sure you update the public key as it appears across the repository.
Installation source
Make sure the Determinate Nix installer one-liner in install.sh is consistent
with how it appears on the official website.
To-do
- Secure boot
- Binary caching
- Wireless remote unlocking
Frequently used resources
Helpful references
- An outstanding beginner friendly introduction to NixOS and flakes
- Conditional implementation
- Error when using lib.mkIf and lib.mkMerge to set configuration based on hostname
- Handling Secrets in NixOS: An Overview
- NixOS ❄: tmpfs as root
- NixOS on Hetzner Dedicated
- Setting up Nix on macOS
- Users.users..packages vs home-manager packages
- Declaratively manage dock via nix
- Dealing with post nix-flake god complex

