# My NixOS & Home Manager Multi User/Host Configuration

A modular Nix flake managing multiple systems and users with a focus on reproducibility and ease of maintenance.
This repository follows a layered, modular approach that separates system-level configurations from user environments, while promoting code reuse across different hosts and users.
```
dot.nix/
├── flake.nix            # Central entry point & dependency management
├── secrets.nix          # Encrypted secrets (git-crypt)
├── hosts/               # System-level configurations
│   ├── x86/             # Intel/AMD 64-bit systems
│   └── arm/             # ARM64 systems
├── home/                # User environment configurations
├── modules/             # Reusable configuration modules
├── overlays/            # Package customizations
├── pkgs/                # Custom package definitions
├── lib/                 # Helper functions & utilities
├── iso/                 # ISO build configurations
└── .github/workflows/   # CI/CD automation
```
`flake.nix` is the heart of the configuration, managing:
- External Dependencies: nixpkgs, home-manager, stylix, hardware modules, solaar, snapraid-aio, chaotic
- System Outputs: Complete NixOS configurations for each host
- Custom Packages: Exposed packages from `pkgs/`
- Overlays: Package modifications and additions
- Encryption: `git-crypt` secures sensitive data in `secrets.nix`
- Structure: Defined by `modules/global/secret-spec.nix`
- Content: SSH keys, API tokens, hashed passwords, SMTP credentials

- `host-spec.nix`: Defines host attributes (hostname, user, hardware type, desktop environment, `isMinimal` for server configurations)
- `secret-spec.nix`: Structures for secrets, firewall rules, Docker environments, users, etc.
- Example `secrets.nix`
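As an added sketch (not the repository's own modules; the option names `hostSpec` and `secretSpec`, their field names, and the GNOME/SSH choices below are assumptions), this shows how a typed host spec and secret spec can drive a host's configuration while the secret values themselves stay in the git-crypt-encrypted `secrets.nix`:

```nix
# Hypothetical module sketch, not dot.nix's own code: option and field names are assumptions.
{ lib, config, ... }:
let
  inherit (lib) mkOption types;
in
{
  # Host attributes, in the spirit of host-spec.nix: typed, so a typo fails at eval time.
  options.hostSpec = mkOption {
    type = types.submodule {
      options = {
        hostName  = mkOption { type = types.str; };
        username  = mkOption { type = types.str; };
        system    = mkOption { type = types.enum [ "x86_64-linux" "aarch64-linux" ]; };
        desktop   = mkOption { type = types.nullOr (types.enum [ "gnome" ]); default = null; };
        isMinimal = mkOption { type = types.bool; default = false; };
      };
    };
  };

  # Secret attributes, in the spirit of secret-spec.nix: the shape lives here in plain
  # text, the values are read from the git-crypt-encrypted secrets.nix by the host config.
  options.secretSpec = mkOption {
    type = types.submodule {
      options = {
        sshAuthorizedKeys = mkOption { type = types.listOf types.str; default = [ ]; };
        hashedPassword    = mkOption { type = types.str; };  # mkpasswd output, never plaintext
      };
    };
  };

  # The specs drive concrete choices.
  config = {
    networking.hostName = config.hostSpec.hostName;
    users.users.${config.hostSpec.username} = {
      isNormalUser = true;
      hashedPassword = config.secretSpec.hashedPassword;
      openssh.authorizedKeys.keys = config.secretSpec.sshAuthorizedKeys;
    };
    # A minimal (server) host never gets a desktop, regardless of the desktop field.
    services.xserver.desktopManager.gnome.enable =
      !config.hostSpec.isMinimal && config.hostSpec.desktop == "gnome";
    # Keys come from the spec, so password logins over SSH can default to off.
    services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
  };
}
```

A host would then import this module and set `hostSpec = { hostName = "rune"; username = "toph"; system = "x86_64-linux"; desktop = "gnome"; }` and `secretSpec = import ../../secrets.nix` (an assumed relative path).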
```
hosts/global/
├── core/                # Essential base settings
│   ├── default.nix      # Core system imports & Nix configuration
│   ├── fonts.nix        # Font management
│   ├── networking.nix   # Network configuration
│   ├── ssh.nix          # SSH server setup
│   └── user.nix         # User account setup & Home Manager integration
└── common/              # Optional system features
    ├── audio.nix        # PipeWire audio stack
    ├── gaming.nix       # Steam, GameMode, hardware optimizations
    ├── gnome.nix        # GNOME desktop environment
    ├── docker.nix       # Docker setup with update-containers script
    ├── libvirt.nix      # VM tools and management
    ├── warp.nix         # Cloudflare WARP VPN support
    └── system/
        ├── pool.nix     # NFS pool mounting & symlink management
        └── lxc.nix      # Central hardware configuration for LXC hosts
```
Each system in `hosts/nixos/<hostname>/` contains:
- `default.nix`: Main configuration importing globals + host-specific settings
- `hardware.nix`: Hardware-specific configuration (bootloader, filesystems, drivers)
- `config/`: Service-specific configurations (optional)
Host | Type | Purpose | Hardware | Services |
---|---|---|---|---|
rune | Desktop | My workstation | Ryzen 9 7900X3D, RX 9070 XT | Gaming, Development, VMs |
gojo | Desktop | Giovanni's workstation | Ryzen 7 7800X3D, RX 7900 XT | Gaming, Development |
haze | Desktop | Cesar's workstation | Ryzen 5 7600x, RX 7600 | Gaming, Development |
caenus | Server | Oracle VPS | ARM 4vCPU, 24GB RAM, 200GB | FRP, Public IP |
sock | Server | Backup & Storage | Intel N150 | Komodo (Docker), Backups, Newt |
cloud | LXC Container | Storage & NFS | 4C/4GB | File storage, NFS, Newt |
komodo | LXC Container | Docker orchestration | 12C/30GB | Authentik, Komodo (Docker), Newt |
proxy | LXC Container | Network proxy | 3C/2GB | Pangolin, AdGuard, Newt |
nix | LXC Container | Development server | 10C/12GB | Not Deployed ATM |
vm | VM | Testing environment | Variable | System testing |
```
home/global/
├── core/                # Essential user tools
│   ├── fastfetch/       # System info shell prompt with custom scripts
│   ├── fish/            # Shell configuration
│   ├── git.nix          # Git setup with signing
│   └── ssh.nix          # SSH client configuration
└── common/              # Optional user applications
    ├── gaming/          # Gaming tools & emulator backups
    │   └── switch.nix   # Nintendo Switch emulator with Borg backups
    ├── gnome/           # GNOME-specific programs & settings
    │   └── dconf.nix    # Enhanced PaperWM & extension configs
    ├── vscode/          # VS Code with patched SSH
    ├── xdg.nix          # XDG directory & file associations
    └── zen.nix          # Zen browser configuration
```
Each user in `home/users/<username>/` includes:
- Theme Configuration: Stylix-based theming with custom color schemes
- Host Adaptations: Per-host overrides in `home/hosts/<hostname>/`
User | Theme | Primary Host | Desktop Setup |
---|---|---|---|
toph | Invincible (blue/yellow) | rune | GNOME + PaperWM |
gio | Gojo (red/white) | gojo | GNOME + PaperWM |
cesar | Soraka (purple/violet) | haze | GNOME + PaperWM |
- Unified Theming: Base16 color schemes applied system-wide
- Custom Schemes: User-specific YAML color definitions
- Coverage: GTK, terminal (`ghostty`), VS Code (optional), wallpapers
- Fonts: Consistent typography (Lexend, Monocraft Nerd Fonts, Laila)
- Window Management: PaperWM for tiling workflow
- Extensions: Blur My Shell, Vitals, Pano clipboard, custom keybindings, ...
- Per-User: Customized dconf settings for each user's workflow
- Optimized Stack: Steam integration with Proton, GameScope, and GameMode.
- Automated Emulator Backups: `borg-wrapper` script (Fish-based) leverages `inotify-tools` and `borgbackup` for automatic, incremental save file backups for emulators like Ryujinx.

  ```fish
  # Example: Automatic save backup for Ryujinx
  borg-wrapper -p "~/.config/Ryujinx/bis/user/save" \
    -o "/pool/Backups/Switch/RyubingSaves" \
    -m 30 -- ryujinx
  ```
- Hardware Tuning: Includes AMD GPU specific settings (e.g., `lact` for tuning) and Variable Refresh Rate (VRR) support.
- Centralized Storage (Cloud Host): Utilizes a MergerFS pool for unified drive access, exported via NFS (mounted as `/pool` on other hosts).
- Data Integrity: SnapRAID provides parity-based data protection for the storage pool.
- Comprehensive Backups: Provides incremental backups of critical data, like Docker volumes and Forgejo instances, with Apprise notifications.
- Automated Backup Chain: Systemd timers orchestrate SnapRAID syncs and Borg backups.
- Custom Fish Shell: Enhanced with the Tide prompt, `grc` for colorized output, and some utility functions.
- Modern Terminal: `ghostty` as the default terminal emulator, themed with Stylix.
- Efficient File Management: `yazi` configured as the terminal file manager.
- Curated Applications: Includes configurations for applications like the Zen browser and VS Code.
- XDG & Mime Associations: Sensible default applications configured via `xdg.mimeApps`, using `handlr-regex` for flexibility.
- Docker Orchestration: Komodo provides a web UI for managing Docker stacks.
- Key Services: Pre-defined declarative configurations for services like Authentik (SSO) and Pangolin (reverse proxy).
- Declarative Stacks: `compose2nix` is used to convert Docker Compose files into NixOS declarative modules for services like FileRun, Authentik, etc.
- Encrypted Secrets: `git-crypt` for managing sensitive data in git.
- Secure Remote Access: Cloudflare Tunnels for Zero Trust access to services.
- Automated Certificates: ACME (Let's Encrypt) with DNS challenges for SSL/TLS.
- SSH Key Deployment: Automated management and deployment of SSH keys.
For setting up a new system (in NixOS) with this configuration:

```bash
# Enter development shell with necessary tools for installation
nix develop github:TophC7/dot.nix --extra-experimental-features "flakes nix-command"
# Clone the configuration repository using yay try
FLAKE=~/Documents/dot.nix
cd ~/Documents
git clone https://github.com/tophc7/dot.nix
cd ~/Documents/dot.nix
git-crypt unlock <<path/to/symmetric.key>> # Or use GPG key
```
Setup Your Own Secrets

Since you won't have access to the encrypted secrets, create your own:

```bash
cd ~/Documents/dot.nix
# Copy the example and customize it
cp lib/public/secrets.example.nix secrets.nix
# Edit with your credentials, SSH keys, etc.
micro secrets.nix
# Initialize git-crypt for your secrets
git-crypt init
git-crypt add-gpg-user YOUR_GPG_KEY_ID
```

After setting up your secrets, encrypt the file:

```bash
git add secrets.nix
git-crypt lock
```
- Compare hardware configurations:

  ```bash
  # Note: path structure (hosts/x86/ or hosts/arm/)
  micro ~/Documents/dot.nix/hosts/x86/gojo/hardware.nix
  micro /etc/nixos/hardware-configuration.nix
  ```

- Update `hardware.nix` with the `fileSystems` and `swapDevices` from the generated `/etc/nixos/hardware-configuration.nix`
- Switch to TTY: `Ctrl+Alt+F2` (to avoid desktop service conflicts)
- Login to TTY
- Rebuild system:

  ```bash
  # Enter development shell again with necessary tools for installation
  nix develop github:TophC7/dot.nix --extra-experimental-features "flakes nix-command"
  # Rebuild with your host configuration
  yay rebuild -H your-hostname -p ~/Documents/dot.nix
  sudo reboot -f
  ```
Once installed, use the integrated `yay` tool for all system management:

```bash
# Build and switch system configuration
yay rebuild
# Update flake inputs
yay update
# Clean up system
yay garbage
# Try packages temporarily
yay try fastfetch -- fastfetch
# Create archives
yay tar myfiles/
# Extract archives
yay untar myfiles.tar.zst
```

`FLAKE`: Set to your flake directory to avoid using the `-p` flag repeatedly:

```bash
export FLAKE="$HOME/Documents/dot.nix"
yay rebuild # Will automatically use $FLAKE path
```
- GitHub Actions: CI/CD pipeline for ISO releases
- Variants: Server (minimal) and Desktop (GNOME) ISOs
- Architectures: x86_64 and aarch64 support with optimized builds
- Cross-compilation: ARM ISOs can be built on x86_64 systems
- Distribution: Automatic releases with artifact uploads (X86 only)
```bash
# Build locally
cd iso
nix build .#server-iso-x86
nix build .#desktop-iso-arm
# Cross-compile ARM ISOs on x86_64 systems
nix build .#server-iso-arm --system x86_64-linux --extra-platforms aarch64-linux
```
- Separation of Concerns: System vs. user configurations
- Reusable Components: Shared modules across hosts
- Parameterization: Host specs drive configuration choices
- Structured Secrets: Clearly defined secret specifications
- Documentation: Inline comments and clear naming
- Testing: VM configurations for safe testing
- Multiple Users: Support for different users with different preferences
- Host Adaptation: Same user config adapts to different machines
- Service Composition: Mix and match services per host needs
Category | Technologies |
---|---|
Core | NixOS, Home Manager, Nix Flakes |
Shell | Fish Shell, Tide Prompt |
Desktop | GNOME, PaperWM, Stylix, Ghostty, Yazi |
Virtualization | libvirt, QEMU, LXC |
Storage | MergerFS, SnapRAID, BorgBackup, NFS, inotify-tools |
Containers | Docker, Komodo, compose2nix |
Networking | Newt, Pangolin, AdGuard Home, Cloudflare WARP |
Reverse Proxy | Traefik (via Pangolin) |
Security | git-crypt, ACME, Zero Trust tunneling |
Development | VS Code (Patched SSH), nixfmt, biome |
Gaming | Steam, Proton, GameScope, GameMode, lact |
Monitoring | Apprise notifications, systemd timers |
CI/CD | GitHub Actions, Automated ISO builds |
- `secrets.nix` - Encrypted secrets (git-crypt)
- `modules/global/host-spec.nix` - Host attribute definitions
- `modules/global/secret-spec.nix` - Secret structure definitions
- `modules/nixos/newt.nix` - Newt tunneling service module
- `flake.nix` - Main dependency management & host discovery
- `iso/flake.nix` - ISO generation configuration

- `home/users/<name>/` - Individual user configurations
- `home/global/` - Shared user settings & applications
- `hosts/global/` - System-wide shared configurations
- `hosts/{x86,arm}/<name>/` - Host-specific system configs
- `home/hosts/<name>/` - Host-specific user overrides
- `pkgs/` - Custom package definitions

- `shell.nix` - Recovery environment for troubleshooting
- `.github/workflows/` - CI/CD for ISO builds
- `iso/` - ISO build system (separate flake)
This configuration is built upon the excellent foundation provided by EmergentMind's configuration. Many core architectural decisions and implementation patterns draw heavily from their work, including but not limited to:
- Host Specification System: The `host-spec.nix` pattern and `mkHost` function structure
- Modular Architecture: The separation of system and user configurations

A huge thank you to EmergentMind for creating such a well-structured and educational NixOS configuration that serves as my introduction to NixOS and its wonders. Their work made this homelab setup possible and continues to influence it.
This configuration emphasizes reproducibility, security, and maintainability while supporting a complex multi-user, multi-host homelab environment. I quite love it, hope it serves as inspo to some of you out there.