Best resource I’ve found is searching GitHub.
My setup closely follows https://github.com/Misterio77/nix-config.
For servarr I just translated someone else’s docker compose setup to nix. There are some ready made nix ones you can look at like https://github.com/rasmus-kirk/nixarr/tree/main/nixarr.
The complex networking I just picked up over time once I knew my way around a little bit.
GitHub is your best resource. lang:nix search terms.
I wouldn’t run NixOS in a container. With native nix containers I’m pretty sure they share the store. For docker I’d use images built with nix (doesn’t run nix itself) or pull from docker hub.
OS: NixOS (high learning curve but its been worth it). Nix (the config language) is a functional programming language, so it can be difficult to grok. Documentation is shit as its evolved while maintaining backwards compatibility. If you use the new stuff (Nix Flakes) you have to figure what’s old and likely not applicable (channels or w/e).
BYOD: Just using LVM. All volumes are mirrored across several drives of different sizes. Some HDD volumes have an SSD cache layer on top (e.g., monero node). Some are just on an SSD (e.g., main system). No drive failures yet so can’t speak to how complex restoring is. All managed through NixOS with https://github.com/nix-community/disko.
I run stuff on a mix of OCI containers (podman or docker, default is podman which is what I use) and native NixOS containers which use systemd-nspawn.
The OS itself I don’t back up outside of mirroring. I run an immutable OS (every reboot is like a fresh install). I can redeploy from git so no need to backup. I have some persistent BTRFS volumes mounted where logs, caches, and state go. Don’t backup, but I swap the volume every boot and keep the last 30 days of volumes or a min of at least 10 for debugging.
I just use rclone for backups with some bash scripts. Devices back up to home lab which backs up to cloud (encrypted with my keys) all using rclone (RoundSync for phone).
Runs Arrs, Jellyfin, Monero node, Tor entry node, wireguard VPN (to get into network from remote), I2C, Mullvad VPN (default), Proton VPN (torrents with port forwarding use this), DNS (forced over VPN using DoT), PiHole in front of that, three of my WiFi vlans route through either Mulvad, I2C, or Tor. I’ll use TailsOS for anything sensitive. WiFi is just to get to I2C or Onion sites where I’m not worried about my device possibly leaking identity.
Its pretty low level. Everything is configured in NixOS. No GUIs. If its not configured in nix its wiped next reboot since the OS is immutable. All tracked in git including secrets using SOPS. Every device has its own master key setup on first install. I have a personal master key should I need to reinstall which is tracked outside of git in a password manager.
Took a solid month to get the initial setup done while learning NixOS. I had a very specific setup of LVM > LUKS encryption /w Secure Boot and Hardware Key > BTRFS. Overkill on security but I geek out on that stuff. Been stable but still tinkering with it a year later.
I have a few of those. During the reddit exodus when the API changes went live, I had to register on a few servers to finally get a working and stable account. Issues with email or setting up captchas to prevent bots resulted in a few of my accounts not going live until a week+ later on some instances.
https://feddit.org/post/3143093
Download 5 seasons of some show from multiple sources or some artist’s entire discography, and want to normalize all the file names? It is way easier in the terminal.
I’ll check this out, but I use https://github.com/stevearc/oil.nvim for such tasks as I have nvim’s full suite of editor commands to rename all the files way faster than I could in a GUI. I’m sure there are GUI apps to perform a similar task, but I already know how to use nvim.
Let em fight it out!
Ruling class does it all the time. Keep citizens enraged on issues of race, gender, religion, sports, and so on so they are distracted from realising the one true war of ruling class vs everybody else.
/s in a sense that shit flung at the ruling class tends to roll downhill. If nestle loses a bunch of money, they will raise prices to keep the infinite growth machine running. If Russia steals a bunch of money, they have more capital for weapons.
Its kind of lose/lose for us :(
Won’t auto update but you could add the upgrade command to a login script or something.
Won’t lie, nix has a high learning curve to get the most out of it, but installing a single app is pretty simple.
Most startups I’ve applied to are Linux friendly.
I currently work for a fortune 100 and managed to get a Linux machine purchased as a “lab” machine.
I’m fully in control. IT doesn’t even know it exists. I’m not allowed on the corporate network, but I managed to get some internal corporate access through another department’s lab network (IT sanctioned) that has a VPN with a few routes to things like ticketing, time cards, and our internal wiki. Most of the stuff I need to do my job is in AWS and we are allowed to add home IPs to the security groups.
IT still gives me a MacBook. I use it like once every 6 months.
nixos-unstable is the only thing I will use currently.
I’m running bleeding edge stuff like the latest kernel, Hyprland nightly, my own “shell” built from Gnome components and lots of custom stuff using GJS (Gnome JavaScript).
If you get one, and you are free to do whatever on it, encrypt your drives like your job depends on it. I have a memorized passphrase, pin protected hardware key, and a key in TPM. No biometrics.
As far as other nice things to have:
I work in software dev as FYI. For the few issues I have, my team has more issues getting stuff working consistently on macOS for our project. I used that as a justification when requesting the laptop: my dev environment should closely match our runtime environment. Most of that is moot now since we use Nix flakes in our repos for local dev envs.
Yeah I don’t want locally deleted media (to free up space) to sync those deletions to my remote.
My crypted remotes wrap a B2 Backblaze one which doesn’t delete, just hides. Periodically I go clean it up.
You are correct, fixed!
https://github.com/newhinton/Round-Sync. Not in any app store and have to download and install from GitHub.
It is an Android wrapper around rsync rclone.
Setup a remote, setup tasks, and setup triggers. Mine syncs every night. It supports encrypting with your own keys. Large number of remotes supported from self-hosted to cloud.
Looks good to me. Interface to Dest Ports are your match conditions. NAT IP/Port are the translations performed on each packet matched inbound and the Dest.
Traffic going the other way reverses this operation on the Src instead of destination.
That’s an over simplification of NAT, but for basic port forwarding the general principal holds.
Immutable Nixos. My entire server deployment from partitioning to config is stored in git on all my machines.
Every time I boot all runtime changes are “wiped”, which is really just BTRFS subvolume swapping.
Persistence is possible, but I’m forced to deal with it otherwise it will get wiped on boot.
I use LVM for mirrored volumes for local redundancy.
My persisted volumes are backed up automatically to B2 Backblaze using rclone. I don’t backup everything. Stuff I can download again are skipped for example. I don’t have anything currently that requires putting a process in “maint mode” like a database getting corrupt if I backup while its being written to. When I did, I’d either script gracefully shutting down the process or use any export functionality if the process supported it.
I use rclone and the Round Sync Android client.
Supports a ton of back ends, self hosted, and commercial options. You can transparently encrypt with private keys you control.
I personally use B2 Backblaze for storage.
My phone backs up every night and Round Sync pushes them to B2. On my desktop I can mount as a volume. I can also access my storage from my phone going the other direction.
I’ve done the same using SFTP if I don’t want the overhead of persistent file storage.
It does not support indexing or previews for searching or finding say a photo. You can put whatever you want for data. So I have caches, indexes, and thumbnails that work in Linux. I can’t really make use of those on my phone though.
Rclones bisync feature is also a bit dangerous when I tried to use it a year ago. I more than once “deleted” everything. B2 doesn’t delete by default, just hides, so I was able to recover. I now do unidirectional syncs from my machines to different buckets until I’m motivated to investigate a proper 3-way merge solution.
This is news to me. That said, I’m usually one generation behind but upgrade every 2 years as my phone is usually EOL for software updates by the end of the period. I try to time it so I can get a replacement paid outright at mid-range prices.
With the Pixel 8 introducing extended software support, I’ll have to dig more into this.
I’m on Graphene. Mullvad is only 1% for me with 16h30min since last on a charge. I’m at 56% with 1h30m screen time.
I used GPS as I did some driving with maps and my music app accounting for 29% of my battery usage.
I throw my phone on the charger at night figuring battery tech and software management is good enough.
Are you WiFi or mobile? I get shitty mobile service so if I’m off WiFi my battery tends to go to shit. The VPN usually accounts for more as I assume it keeps reconnecting.
Oh nice! I’ll have to dig into that. Wonder if its an implementation issue across vendors. I was always under the impression that DHCPv6 was the common convention if not static.
Ok. So a device didn’t get a dhcp address? No problem… It creates it’s open IP address and starts talking and try to get out on internet on its own…
Its not that different from a conceptual point of view. Your router is still the gate keeper.
Home router to ISP will usually use DHCPv6 to get a prefix. Sizes vary by ISP but its usually like a /64. This is done with Prefix Delegation.
Client to Home Router will use either SLACC, DHCPv6, or both.
SLACC uses ICMPv6 where the client asks for the prefix (Router Solicitation) and the router advertises the prefix (Router Advertisement) and the client picks an address in it. There is some duplication protection for clients picking the same IP, but its nothing you have to configure. Conceptually its not that different from DHCP Request/Offer. The clients cannot just get to the internet on their own.
SLACC doesn’t support sending stuff like DNS servers. So DHCPv6 may still be used to get that information, but not an assigned IP.
Just DHCPv6 can also be used, but SLACC has the feature of being stateless. No leases or anything.
The only other nuance worth calling out is interfaces will pick a link local address so it can talk to the devices its directly connected to over layer 3 instead of just layer 2. This is no different than configuring 169.254.1.10/31 on one side and 169.254.1.11/31 on the other. These are not routed, its just for two connected devices to send packets to each other. This with Neighbor Discovery fills the role of ARP.
There is a whole bunch more to IPv6, but for a typical home network these analogies pretty much cover what you’d use.
For the networking I found some repos with Nix and Gluetun (OCI containers). I don’t see them in my bookmarks, so it was probably a day project when I set up and didn’t keep the references.
That part is still in docker / podman. So any docker network guide just needs to be translated to nix.