
If It Boots, It Runs NixOS. Even Grandma's Laptop. Welcome to My Home Network.

Years ago, I stumbled across hlissner's dotfiles and his brutally honest take on NixOS. He tried to warn people off. I should have listened.

Instead, I went full send on the declarative dream. What started as "I'll just try NixOS on one machine" became "everything in my house runs NixOS, including the coffee maker" (kidding about the coffee maker... for now).

Three categories of machines. All Warhammer 40K themed because if you're going to over-engineer your home network, you might as well commit to the bit. Like the Adeptus Mechanicus with their STC templates, I've created reproducible configurations for every piece of hardware. The difference? My templates actually work and don't require 10,000 years of ritualistic incantations.

This is the story of how I accidentally built a datacentre in my living room.

The Legion

Astartes (Personal Devices)

Loken: Ryzen 7 3700X, 32GB DDR4, RX 5700 XT - Daily driver for work and gaming

Saul: Dell Latitude 7440, i7-1370P, 32GB - Company laptop dual-booting Windows/NixOS

Primarchs (Home Servers)

Alpharius: Experimental staging server for testing configurations

Ferrus Manus: Raspberry Pi 5, 8GB - Planned for monitoring stack, PiVPN, PiHole

Rogal Dorn: Minisforum MS-A2, AMD Ryzen 9 9955HX, 32GB DDR5 - Main services backbone

Imperial Navy (Cloud)

Lotara: Hetzner VPS running Pangolin reverse proxy for secure remote access

Edge Devices (The Survivors)

Son's Gaming Rig: NixOS gaming setup - even the kids get proper infrastructure

MinisForum UM580: Home cinema HTPC running NixOS - because the TV deserves declarative configuration

The Ancient Laptops: Parents' machines from 2018 running NixOS - proving old hardware never dies, it just gets better package management

Infrastructure as Code

Deployment: Colmena

Multi-host deployment management. No more SSH-ing into boxes to run commands. Everything declared, everything versioned.

# Deploy to all primarchs
colmena apply --on primarchs

# Deploy specific service changes
colmena apply --on primarchs/rogaldorn

# Test before deployment
colmena apply --dry-run
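As an added example (not the post's own repository), here is what a Colmena hive for the "primarchs" group can look like. Hostnames, the deploy user and the module paths are assumptions; the point is that the build happens on the deploying machine and only the resulting closure is pushed, so the servers never hold the repository or its secrets, and that SSH on every node is key-only.

```nix
# hive.nix: added example of a Colmena hive, not the post's own configuration.
# Hostnames, the "deploy" user and the module paths are assumed.
{
  meta = {
    # Pin the nixpkgs every node is built from so a deploy is reproducible.
    nixpkgs = import <nixpkgs> { system = "x86_64-linux"; };
  };

  # Settings shared by every node in the hive.
  defaults = { ... }: {
    # Build locally and push closures; the targets never need the repository.
    deployment.buildOnTarget = false;
    # Deploy as an unprivileged user; Colmena escalates with
    # deployment.privilegeEscalationCommand (sudo by default) for activation,
    # so this user needs passwordless sudo on the target.
    deployment.targetUser = "deploy";
    # Key-only SSH: a leaked password is not enough to push a new system.
    services.openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
    };
  };

  rogaldorn = { ... }: {
    deployment = {
      targetHost = "rogaldorn.lan";        # assumed hostname
      tags = [ "primarchs" ];              # group selection for deploys
    };
    imports = [ ./hosts/primarchs/rogaldorn/configuration.nix ];
  };

  ferrusmanus = { ... }: {
    deployment = {
      targetHost = "ferrusmanus.lan";      # assumed hostname
      tags = [ "primarchs" ];
    };
    nixpkgs.system = "aarch64-linux";      # Raspberry Pi 5 needs an ARM build
    imports = [ ./hosts/primarchs/ferrusmanus/configuration.nix ];
  };
}
```

Colmena selects nodes by name or, with a leading `@`, by tag, so the two nodes above can be deployed together by tag or individually by name. Because `buildOnTarget` is off, a compromised server cannot tamper with its own next build.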

Secrets: sops-nix

Age encryption for API keys, passwords, certificates. No more plaintext secrets in git repos.

# Edit secrets securely
./edit-secrets.sh

# Secrets automatically distributed to hosts
# No manual key copying required
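The following sops-nix module is an added example, not code from the post. The secret names, the service user and the file paths are assumed. What it shows is the one rule that keeps the "no plaintext" promise honest: services get the path of the decrypted file, never its contents as a Nix string, because anything interpolated into a Nix string is copied into the world-readable `/nix/store`.

```nix
# secrets.nix: added example of a sops-nix module, not the post's own code.
# Secret names, the service user and the file paths are assumed.
{ config, ... }:
{
  # The age-encrypted YAML committed to the repository; git only ever sees ciphertext.
  sops.defaultSopsFile = ./secrets/rogaldorn.yaml;

  # Derive the host's age decryption key from its SSH host key, so no extra
  # key file has to be copied to the machine by hand.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Each secret is decrypted at activation into /run/secrets (a tmpfs, not the
  # Nix store) with an owner and mode that limit who can read it.
  sops.secrets.jellyfin_api_key = {
    owner = "jellyfin";
    group = "jellyfin";
    mode = "0400";
    restartUnits = [ "jellyfin.service" ];   # pick up a rotated key automatically
  };

  sops.secrets.cloudflare_api_token = {
    owner = "caddy";
    mode = "0400";
  };

  # Correct: hand the service the *path* of the decrypted file. It is read at
  # runtime and never enters /nix/store.
  systemd.services.jellyfin.serviceConfig.LoadCredential =
    "api_key:${config.sops.secrets.jellyfin_api_key.path}";

  # Wrong, and the reason the path option exists: reading the secret into a
  # Nix string at evaluation time writes the plaintext into /nix/store,
  # readable by every user on the machine.
  # environment.etc."jellyfin.conf".text =
  #   "ApiKey=${builtins.readFile ./api_key.txt}";
}
```

A quick check after deploying: `ls -l /run/secrets/` should show the owner and `-r--------` mode declared above, and `grep -r` for a known secret value under `/nix/store` should find nothing.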

Cloud Infrastructure: OpenTofu

Hetzner VPS provisioning integrated with the same secrets management. Infrastructure and configuration in one repository.

# Plan cloud changes
nix run .#tofu-plan

# Deploy VPS with Pangolin
nix run .#tofu-apply

Services on Rogal Dorn

Currently Active

Available But Dormant

Service modules exist but aren't imported. Ready to activate:

Reverse Proxy: Caddy

Automatic SSL certificates, service discovery, clean URLs. Set it and forget it.

# Example Caddy config (generated by Nix)
jellyfin.cleencode.dev {
    reverse_proxy localhost:8096
}

# SSL certificates handled automatically
# No more manual certificate renewals
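Added example of the NixOS module that generates a Caddyfile like the one above (not the post's own code; the contact e-mail is a placeholder and the upstream port is taken from the snippet). Beyond the plain `reverse_proxy`, it adds the defensive headers and access log a practitioner would want, and opens only the TLS ports on the firewall so Jellyfin itself stays reachable solely through Caddy.

```nix
# caddy.nix: added example, not the post's own configuration.
# The e-mail address is a placeholder; the hostname and port come from the post.
{ ... }:
{
  services.caddy = {
    enable = true;
    # Address Let's Encrypt uses for expiry notices; issuance and renewal
    # happen inside Caddy with no manual step.
    email = "admin@example.invalid";

    virtualHosts."jellyfin.cleencode.dev".extraConfig = ''
      # Forward to Jellyfin on loopback only; the service is never exposed
      # directly on the LAN or the internet.
      reverse_proxy localhost:8096

      # Defensive response headers on every proxied reply.
      header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
        -Server
      }

      # Access log, so unexpected clients show up in the monitoring stack.
      log {
        output file /var/log/caddy/jellyfin.access.log
      }
    '';
  };

  # Only the ports Caddy terminates TLS on are opened; 8096 stays closed.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

The `-Server` line strips Caddy's default `Server` header; the rest are standard browser-hardening headers that cost nothing on a self-hosted media server.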

The Monitoring Stack

Planned for Ferrus Manus (Pi 5) because why not use a £100 computer to monitor £2000 worth of hardware:

Prometheus: Metrics collection from all devices

Grafana: Pretty dashboards that make you feel like you know what's happening

PiHole: DNS-level ad blocking

PiVPN: WireGuard VPN for remote access

Network Architecture

Standard home setup with some improvements:

Internet → Router → Switch → Devices
                ↓
         Ferrus Manus (DNS/VPN - planned)
                ↓
           Rogal Dorn (Services)
                ↓
         Pangolin Tunnel (Remote Access)

Remote Access: Pangolin reverse proxy on Hetzner VPS creates secure tunnels to home services

DNS: PiHole will handle local DNS resolution and ad blocking

VPN: WireGuard planned for secure remote connections
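For the planned WireGuard endpoint, here is an added example of the NixOS configuration (not the post's own; addresses, port, peer key and secret name are assumed placeholders). The private key is referenced by the path sops-nix decrypts it to, the firewall exposes only the WireGuard port, and each remote device is an individual peer so that one lost device is revoked by removing one entry.

```nix
# wireguard.nix: added example for the planned VPN role, not the post's own code.
# Subnet, port, peer public key and the secret name are constructed placeholders.
{ config, ... }:
{
  # Private key decrypted by sops-nix at activation; only its path is used,
  # so the key never enters the Nix store.
  sops.secrets.wg_private_key = { mode = "0400"; };

  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.1/24" ];                    # VPN subnet (constructed)
    listenPort = 51820;
    privateKeyFile = config.sops.secrets.wg_private_key.path;

    peers = [
      {
        # One entry per remote device; delete the entry to revoke the device.
        publicKey = "PEER_PUBLIC_KEY_PLACEHOLDER";
        allowedIPs = [ "10.100.0.2/32" ];         # only this source address is accepted
      }
    ];
  };

  # Expose nothing but the WireGuard port; everything else is reachable only
  # through the tunnel.
  networking.firewall = {
    enable = true;
    allowedUDPPorts = [ 51820 ];
    trustedInterfaces = [ "wg0" ];                # VPN clients may reach local services
  };

  # Needed only if VPN clients should reach other LAN hosts through this box.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  networking.nat = {
    enable = true;
    externalInterface = "eth0";                   # assumed LAN interface name
    internalInterfaces = [ "wg0" ];
  };
}
```

`allowedIPs` on the server side is a source filter as much as a route: a peer whose packets arrive from any other address is dropped, which is what keeps the VPN subnet trustworthy enough to list as a trusted interface.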

Why This Approach Works

Reproducibility

Every configuration is declared in Nix. Hardware dies? Rebuild from config in 20 minutes.

Version Control

Infrastructure changes go through git. No more "what did I change last week?"

Security

Secrets encrypted with sops-nix. API keys never touch plaintext files.

Testing

Dry-run deployments. Test configurations before they hit production.

The Pain Points

Complexity: This is not a beginner setup. NixOS has a learning curve steeper than Mount Everest.

Time Investment: Getting everything working took months of tweaking configurations.

Documentation: Some services require creative Nix expressions to configure properly.

Worth It? Absolutely. Once it works, it really works.

The Reality Check

Rogal Dorn is doing the heavy lifting with cleencode.dev subdomains for everything. Ferrus Manus and Alpharius? Configured but waiting for their moment. Sometimes infrastructure grows faster than you can populate it with services.

The real magic is in the deployment. Change a service config, run `colmena apply --on primarchs/rogaldorn`, and it's live. No SSH. No manual configuration. No "how did I set this up six months ago?"

What's Next

Infrastructure evolves. Current roadmap:

Repository Structure

nix-templates/
├── hosts/
│   ├── astartes/        # Personal devices
│   ├── primarchs/       # Home servers
│   └── imperial-navy/   # Cloud infrastructure
├── colmena/
│   └── secrets/         # Encrypted secrets
└── vars/               # Global configuration

Everything Infrastructure as Code. Everything versioned. Everything reproducible.

Want the configs? They're all on my GitHub (when I make it public). Use at your own risk. Your mileage may vary. No warranty expressed or implied.

Final warning: If you need someone else to tell you whether you need a homelab like this, you don't need a homelab like this. But if you've read this far, you're probably already planning your first Raspberry Pi purchase.

The Emperor protects. Your backups should too.