torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
680 Commits 2 Branches 0 Tags
4076361bf756a405f341ec74f4f50a8fa623f2c7
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Torjus Håkestad 4076361bf7
All checks were successful
Run nix flake check / flake-check (push) Successful in 3m36s
Details
Merge pull request 'hosts: remove decommissioned media1, ns3, ns4, nixos-test1' (#18) from host-cleanup into master 
Reviewed-on: #18
2026-02-05 00:38:56 +00:00
.github/workflows
Fix flake-update workflow
2024-10-07 23:42:28 +02:00
common/vm
Add qemu guest agent to all VMs
2024-12-05 18:35:06 +01:00
docs
hosts: remove decommissioned media1, ns3, ns4, nixos-test1
2026-02-05 01:36:57 +01:00
hosts
hosts: remove decommissioned media1, ns3, ns4, nixos-test1
2026-02-05 01:36:57 +01:00
lib
hosts: remove decommissioned media1, ns3, ns4, nixos-test1
2026-02-05 01:36:57 +01:00
modules/homelab
monitoring: auto-generate Prometheus scrape targets from host configs
2026-02-05 00:49:07 +01:00
playbooks
proxmox: add VM automation with OpenTofu and Ansible
2026-01-31 21:54:08 +01:00
scripts
create-host: add delete feature
2026-02-03 12:11:41 +01:00
secrets
hosts: remove decommissioned media1, ns3, ns4, nixos-test1
2026-02-05 01:36:57 +01:00
services
monitoring: exclude step-ca serving cert from general expiry alert
2026-02-05 01:12:42 +01:00
system
dns: auto-generate zone entries from host configurations
2026-02-04 21:43:44 +01:00
terraform
pki: add new vault root ca to pki
2026-02-03 06:53:59 +01:00
.gitignore
terraform: add vault secret managment to terraform
2026-02-01 23:07:47 +01:00
.mcp.json
docs: add plan management workflow and lab-monitoring MCP server
2026-02-05 00:21:08 +01:00
.sops.yaml
hosts: remove decommissioned media1, ns3, ns4, nixos-test1
2026-02-05 01:36:57 +01:00
CLAUDE.md
hosts: remove decommissioned media1, ns3, ns4, nixos-test1
2026-02-05 01:36:57 +01:00
flake.lock
flake.lock: Update
2026-02-05 00:01:37 +00:00
flake.nix
hosts: remove decommissioned media1, ns3, ns4, nixos-test1
2026-02-05 01:36:57 +01:00
inventory
hosts: remove decommissioned media1, ns3, ns4, nixos-test1
2026-02-05 01:36:57 +01:00
README.md
hosts: remove decommissioned media1, ns3, ns4, nixos-test1
2026-02-05 01:36:57 +01:00
rebuild-all.sh
Update rebuild script
2025-01-26 00:55:15 +01:00
TODO.md
docs: update TODO.md
2026-02-03 06:53:59 +01:00

README.md

nixos-servers

NixOS Flake-based configuration repository for a homelab infrastructure. All hosts run NixOS 25.11 and are managed declaratively through this single repository.

Hosts

Host Role
ns1, ns2 Primary/secondary authoritative DNS
ca Internal Certificate Authority
ha1 Home Assistant + Zigbee2MQTT + Mosquitto
http-proxy Reverse proxy
monitoring01 Prometheus, Grafana, Loki, Tempo, Pyroscope
jelly01 Jellyfin media server
nix-cache01 Nix binary cache
pgdb1 PostgreSQL
nats1 NATS messaging
auth01 Authentication (LLDAP + Authelia)
vault01 OpenBao (Vault) secrets management
template1, template2 VM templates for cloning new hosts

Directory Structure

flake.nix              # Flake entry point, defines all host configurations
hosts/<hostname>/      # Per-host configuration
system/                # Shared modules applied to ALL hosts
services/              # Reusable service modules, selectively imported per host
modules/               # Custom NixOS module definitions
lib/                   # Nix library functions (DNS zone generation, etc.)
secrets/               # SOPS-encrypted secrets (age encryption)
common/                # Shared configurations (e.g., VM guest agent)
terraform/             # OpenTofu configs for Proxmox VM provisioning
terraform/vault/       # OpenTofu configs for OpenBao (secrets, PKI, AppRoles)
playbooks/             # Ansible playbooks for template building and fleet ops
scripts/               # Helper scripts (create-host, vault-fetch)

Key Features

Automatic DNS zone generation - A records are derived from each host's static IP configuration. CNAME aliases are defined via homelab.dns.cnames. No manual zone file editing required.

SOPS secrets management - Each host has a unique age key. Shared secrets live in secrets/secrets.yaml, per-host secrets in secrets/<hostname>/.

Daily auto-upgrades - All hosts pull from the master branch and automatically rebuild and reboot on a randomized schedule.

Shared base configuration - Every host automatically gets SSH, monitoring (node-exporter + Promtail), internal ACME certificates, and Nix binary cache access via the system/ modules.

Proxmox VM provisioning - Build VM templates with Ansible and deploy VMs with OpenTofu from terraform/.

OpenBao (Vault) secrets - Centralized secrets management with AppRole authentication, PKI infrastructure, and automated bootstrap. Managed as code in terraform/vault/.

Usage

# Enter dev shell (provides ansible, opentofu, openbao, create-host)
nix develop

# Build a host configuration locally
nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel

# List all configurations
nix flake show

Deployments are done by merging to master and triggering the auto-upgrade on the target host.

Provisioning New Hosts

The repository includes an automated pipeline for creating and deploying new hosts on Proxmox.

1. Generate host configuration

The create-host tool (available in the dev shell) generates all required files for a new host:

create-host \
  --hostname myhost \
  --ip 10.69.13.50/24 \
  --cpu 4 \
  --memory 4096 \
  --disk 50G

This creates:

  • hosts/<hostname>/ - NixOS configuration (networking, imports, hardware)
  • Entry in flake.nix
  • VM definition in terraform/vms.tf
  • Vault AppRole policy and wrapped bootstrap token

Omit --ip for DHCP. Use --dry-run to preview changes. Use --force to regenerate an existing host's config.

2. Build and deploy the VM template

The Proxmox VM template is built from hosts/template2 and deployed with Ansible:

nix develop -c ansible-playbook -i playbooks/inventory.ini playbooks/build-and-deploy-template.yml

This only needs to be re-run when the base template changes.

3. Deploy the VM

cd terraform && tofu apply

4. Automatic bootstrap

On first boot, the VM automatically:

  1. Receives its hostname and Vault credentials via cloud-init
  2. Unwraps the Vault token and stores AppRole credentials
  3. Runs nixos-rebuild boot against the flake on the master branch
  4. Reboots into the host-specific configuration
  5. Services fetch their secrets from Vault at startup

No manual intervention is required after tofu apply.

Network

  • Domain: home.2rjus.net
  • Infrastructure subnet: 10.69.13.0/24
  • DNS: ns1/ns2 authoritative with primary-secondary AXFR
  • Internal CA for TLS certificates (migrating from step-ca to OpenBao PKI)
  • Centralized monitoring at monitoring01
Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 2.2 MiB
Languages
Nix 56.7%
Python 22.8%
HCL 12.6%
Smarty 4%
Shell 3.2%
Other 0.7%