The Project
A multi-user, multi-host, multi-service NixOS configuration :
- 🔥 Declarative, reproducible, immutable 🡕.
- 🚀 Ready-to-use modules.
- ❄️ Simple configuration 🡕.
- 🧩 Consistent organization.
- 🌎 A complete network.
Main Features
Section titled “Main Features”| Feature | Description | |
|---|---|---|
| ⚙️ | Fully automated | With nixos-anywhere 🡕, disko 🡕 and colmena 🡕 |
| 👤 | User profiles | Profiles 🡕 and modules Home Manager 🡕 (admin, gamer…) |
| 🖥️ | Host profiles | Host profiles (servers, network nodes, workstations…) |
| 🌐 | Tailnet VPN | Mesh VPN 🡕 with headscale 🡕 + tailscale 🡕 + subnets |
| 🛡️ | Ad Blocker | Secure and ad-free internet with AdguardHome 🡕 |
| 🧩 | Unique identities | SSO with Kanidm 🡕 and Vaultwarden 🡕 |
| 🤗 | Smart services | Immich 🡕, Nextcloud 🡕, Forgejo 🡕, Matrix 🡕, Jellyfin 🡕, etc. |
| 💻 | Clean GNOME | NixOS hosts with GNOME 🡕 and pre-configured apps |
| 💾 | 3-2-1 Backups | Robust, streamlined, distributed Restic 🡕 backups |
| 🏠 | Home page | Automated home page for each zone |
Under the Hood
Section titled “Under the Hood”| Specificity | Description | |
|---|---|---|
| ❄️ | Declarative, immutable | And reproducible thanks to Nix / NixOS 🡕 and its ecosystem |
| 🔑 | Enhanced security | Simple and reliable security strategy based on sops-nix 🡕 |
| 📦 | Complete modules | High-level NixOS modules easy to configure |
| 📐 | Architecture | Consistent, extensible, scalable, customizable |
| ✴️ | Reverse proxy | Services distributed across the network via Caddy 🡕 proxies |
| 🛜 | Automated network | dnsmasq 🡕 zero-conf plumbing (DNS, DHCP, firewall…) |
| ✅ | Monitoring & Alerts | Supervision with Prometheus 🡕, Grafana 🡕 and Alertmanager 🡕 |
The DNF Network
Section titled “The DNF Network”This configuration manages the entire network and its nodes:
- Zones each containing a gateway and machines.
- The VPN that encompasses the zones and other machines on the internet.
The network operation can be summarized as follows:
File layout
Section titled “File layout”At the root:
dnf→ modules, users, hosts (framework)usr→ Local project (writable)var→ Generated files and logssrc→ Generator source filesdoc→ Project documentation
Structure
Section titled “Structure”- flake.nix Project flake
- Justfile Project management with just 🡕
Directorydnf/ Framework (modules & common files)
Directorymodules/ Framework modules
Directorystandard Standard modules
Directorysystem/ System & Hardware
- …
Directoryconsole/ CLI Applications
- …
Directorygraphic/ X Applications
- …
Directoryservice/ Network services
- …
Directoryadmin/ Administration
- …
Directoryuser/ User configurations (non-HM)
- …
Directorymixin Macro-modules “Mixins”
Directoryhost/ Host profiles (desktop, server…)
- …
Directoryprofile/ User profile add-ons
- …
Directoryhome Home Manager (HM) configuration
Directorymodules/ Nix modules (features, programs)
- …
Directoryprofiles/ Profiles: admin, student, advanced…
- …
Directorynixos/ Additional NixOS configurations (non-HM)
- …
Directoryetc/ Declarative network configuration
- config.yaml My main config
Directoryusr/ My personal network configuration
Directorymodules/ My NixOS modules, same as
dnf/modules- …
Directoryhome/ My HM modules, same as
dnf/home- …
Directorysecrets/ My passwords
- secrets.yaml SOPS passwords and keys
Directorymachines/ Host-specific configs (hardware, etc.)
- …
Directoryusers/ User-specific HM configs
- …
Directoryvar/ Generated files
Directorylog/ Log files
- …
Directorygenerated/ Generated files
- hosts.nix
- users.nix
- network.nix
Directorysrc/ Generator sources
- …
Directorydoc/ This documentation
- …
Abstraction layers
Section titled “Abstraction layers”Lower levels serve the higher levels.
These configurations are organized by category:
- Mixin modules that compose and configure hosts.
- Service modules for self-hosted services.
- System modules for base system configuration.
- Security modules for system hardening.
- CLI applications command-line tools.
- GUI applications graphical applications.
- Administration modules for fleet management.
- User management modules for accounts and access.
- Home Manager modules for user profiles.
- User profiles, standard Home Manager 🡕 configurations.
- Tools to maintain a quality configuration.
SSO Services Status (OIDC / Oauth2)
Section titled “SSO Services Status (OIDC / Oauth2)”- Oauth2 = supports oauth2 / oidc login
- Native = no plugin or extra needed, can be configured directly
- PKCE = supports PKCE
- Decl. (declarative) = all parameters can be declared in the configuration
- OK = functional implementation
| Application | Oauth2 | Native | PKCE | Decl. | OK | Comments |
|---|---|---|---|---|---|---|
| Outline 🡕 | ✅ | ✅ | ✅ | ✅ | ✅ | Works perfectly |
| Mealie 🡕 | ✅ | ✅ | ✅ | ✅ | ✅ | Works perfectly |
| Vaultwarden 🡕 | ✅ | ✅ | ✅ | ✅ | ✅ | Works perfectly |
| Matrix Synapse 🡕 | ✅ | ✅ | ✅ | ✅ | ✅ | All good (+Element +Coturn) |
| Open WebUI 🡕 | ✅ | ✅ | ✅ | ✅ | ✅ | All good (+Ollama) |
| Grafana 🡕 | ✅ | ✅ | ✅ | ✅ | ✅ | All good |
| LaSuite Docs 🡕 | ✅ | ✅ | ⚠️ | ✅ | ✅ | Good except PKCE |
| Immich 🡕 | ✅ | ✅ | ✅ | ⚠️ | ✅ | Manual configuration |
| Forgejo 🡕 | ✅ | ✅ | ✅ | ❌ | ✅ | Manual configuration |
| Nextcloud 🡕 | ✅ | ❌ | ❌ | ❌ | ✅ | Plugin + manual config |
| Oauth2 Proxy 🡕 | ✅ | ✅ | ✅ | ✅ | ✅ | Linked to Caddy and Kanidm |
| Homepage 🡕 | 🔁 | 🔁 | 🔁 | 🔁 | ✅ | Via OAuth2 Proxy |
| Prometheus 🡕 | 🔁 | 🔁 | 🔁 | 🔁 | ✅ | Via OAuth2 Proxy |
| Jellyfin 🡕 | ℹ️ | ℹ️ | ℹ️ | ℹ️ | ℹ️ | Shared access |
| AdGuard Home 🡕 | ℹ️ | ℹ️ | ℹ️ | ℹ️ | ℹ️ | Shared access |
| Geneweb 🡕 | ℹ️ | ℹ️ | ℹ️ | ℹ️ | ℹ️ | Shared access |
| ❌ | ❌ | ❌ | ❌ | ❌ | No more OAuth2 (TEAM) |