GitHub - eh8/chenglab: a straightforward NixOS setup for my homelab and personal computers

3 min read Original article ↗

chenglab
chenglab
Homelab hardware: ThinkCenter M710q Tiny, Intel i5-7500T and 8GB RAM

nixos 26.05 blog post stars

Highlights

This repo contains the Nix configurations for my homelab, desktop, and work laptops (both macOS and WSL).

  • ❄️ Nix flakes track the latest stable Nixpkgs release (currently 26.05)
  • 🏠 home-manager manages dotfiles
  • 🍎 nix-darwin manages macOS systems
  • 🤫 sops-nix manages secrets, including credentials used for remote initrd disk unlocking
  • 🌬️ Root on tmpfs aka impermanence
  • 🔒 Automatic Let's Encrypt certificate registration and renewal
  • 🧩 Tailscale, Nextcloud, Jellyfin, Homebridge, Scrypted, among other nice self-hosted applications
  • ⚡️ just aliases for common deployment, validation, and maintenance commands
  • 📦 Ready-made WSL and ISO artifacts

Repository layout

  • machines/ — host-specific configuration
  • modules/ — shared NixOS, macOS, WSL, and Home Manager configuration
  • services/ — self-hosted service modules
  • secrets/ — sops-encrypted secrets

Getting started

macOS

On macOS, this script will install nix using the Determinate Systems Nix installer and prompt you to install my configuration.

Important

You'll need to run this script as sudo or have sudo permissions.

sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/eh8/chenglab/main/install.sh)"

NixOS (Linux)

Important

You'll need to run this script as sudo or have sudo permissions.

Warning

This script is primarily meant for my own use. Using it to install NixOS on your own hardware will fail. At minimum, you'll need to do the following before attempting installation:

  1. Create a configuration for your own device in the machines/ folder
  2. Retool your own sops-nix secrets or remove them entirely if you don't use sops-nix
  3. Add an entry to flake.nix referencing the configuration created in step 1

On Linux, running this script from the NixOS installation ISO will prepare your system for NixOS by partitioning drives and mounting them.

sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/eh8/chenglab/main/install.sh)"

Windows Subsystem for Linux (WSL)

  1. Enable WSL if you haven't done already:
wsl --install --no-distribution
  1. Download nixos.wsl from the latest release.

  2. Either double-click the nixos.wsl file once downloaded or import the tarball into WSL:

wsl --install --from-file nixos.wsl
  1. You can now run NixOS:

Useful commands 🛠️

Install just to use these aliases:

Command Purpose
just deploy [MACHINE] [IP] Deploy locally, to another configuration, or to a remote host
just check Evaluate every supported system
just fmt / just lint Format and lint Nix files
just sops-edit Edit secrets/secrets.yaml
just sops-update Update secret recipients from .sops.yaml
just build-iso Build the installer ISO

Important caveats

Changing user passwords

To modify user password, first generate a hash

echo "password" | mkpasswd -m SHA-512 -s

Then run just sops-edit to replace the existing decrypted hash with the one that you just generated. If you use a password manager, update it too.

Changing SSH keys

Make sure you update the public key as it appears across the repository.

Installation source

Make sure the Determinate Nix installer one-liner in install.sh is consistent with how it appears on the official website.

To-do

  1. Secure boot
  2. Binary caching
  3. Wireless remote unlocking

Helpful references