Repository Structure
```text
nixos-config/
├── flake.nix                   # Dev shell (nil, nixfmt, deadnix, statix)
├── docs/                       # This documentation (VitePress)
│
├── laptop/
│   ├── flake.nix               # Laptop flake definition
│   └── modules/
│       ├── hardware-configuration.nix
│       ├── disko.nix           # LUKS + ext4 disk layout
│       ├── boot.nix            # Lanzaboote Secure Boot
│       ├── kernel.nix          # CachyOS kernel + sysctl tuning
│       ├── network.nix         # iwd WiFi + MAC randomisation
│       ├── nix.nix             # Nix daemon settings + caches
│       ├── nh.nix              # nh helper + garbage collection
│       ├── users.nix           # User account + sudo + autologin
│       ├── zsh.nix             # Default shell
│       ├── font.nix            # JetBrains Mono, Nerd Fonts, Noto Emoji
│       ├── packages.nix        # All user and system packages
│       ├── graphics.nix        # GPU acceleration
│       ├── pipewire.nix        # Audio (PipeWire + ALSA + JACK + Pulse)
│       ├── bluetooth.nix       # Bluetooth (off by default)
│       ├── tlp.nix             # Power management profiles
│       ├── fstrim.nix          # Weekly SSD TRIM
│       ├── virtualisation.nix  # Podman + libvirtd/KVM
│       ├── configuration.nix   # Swaylock PAM + dbus broker
│       ├── time.nix            # Timezone (Europe/Rome)
│       ├── tailscale.nix       # Tailscale VPN (disabled)
│       ├── adb.nix             # Android Debug Bridge (disabled)
│       └── alsa.nix            # ALSA persistence (disabled)
│
└── server/
    ├── flake.nix               # Server flake definition
    ├── modules/
    │   ├── hardware-configuration.nix
    │   ├── disko.nix           # LUKS + BTRFS + backup disk + remote unlock
    │   ├── bootloader.nix      # systemd-boot
    │   ├── kernel.nix          # Hardened kernel params + sysctl
    │   ├── network.nix         # Static IP + NAT + firewall
    │   ├── nix.nix             # Nix daemon settings
    │   ├── users.nix           # User account
    │   ├── bash.nix            # Shell aliases
    │   ├── git.nix             # Git identity
    │   ├── packages.nix        # Minimal packages + disabled docs
    │   ├── graphics.nix        # Intel media driver (hardware transcoding)
    │   ├── openssh.nix         # Hardened SSH daemon
    │   ├── fstrim.nix          # SSD TRIM + I/O scheduler udev rules
    │   ├── systemd.nix         # systemd hardening
    │   ├── impermanence.nix    # Persistent paths declaration
    │   ├── restic.nix          # Encrypted daily backups
    │   ├── podman.nix          # Container runtime
    │   └── auto-upgrade.nix    # Weekly unattended updates
    │
    ├── containers/
    │   ├── traefik.nix         # Reverse proxy + TLS
    │   ├── authelia.nix        # SSO / OIDC provider
    │   ├── adguard.nix         # DNS filtering
    │   ├── immich.nix          # Photo management
    │   ├── vaultwarden.nix     # Password manager
    │   ├── opencloud.nix       # Cloud storage (oCIS)
    │   ├── cloudflared.nix     # Cloudflare Tunnel
    │   ├── nextcloud.nix       # Cloud storage (disabled)
    │   └── linkwarden.nix      # Bookmark manager (disabled)
    │
    └── secrets/
        ├── secrets.nix         # Public key declarations for agenix
        ├── restic_password.age
        ├── cloudflare_dns_token.age
        ├── cloudflare_tunnel_token.age
        ├── nextcloud_adminpassFile.age
        ├── nextcloud_client_secret.age
        ├── authelia_jwtSecretFile.age
        ├── authelia_sessionSecretFile.age
        ├── authelia_storageEncryptionKeyFile.age
        ├── authelia_oidcIssuerPrivateKeyFile.age
        ├── authelia_oidcHmacSecretFile.age
        └── authelia_users_database.age
```

Dev Shell
The root flake.nix provides two dev shells:
```nix
devShells.${system} = {
  default = pkgs.mkShell {
    packages = with pkgs; [ nil nixfmt deadnix statix ];
  };
  docs = pkgs.mkShell {
    packages = with pkgs; [ nodejs ];
  };
};
```

- `nix develop` -- Nix development tools (LSP, formatter, linter, dead code detector).
- `nix develop .#docs` -- Node.js for building this documentation site.
Module Naming Convention
Modules are named after the primary NixOS option or feature they configure:
| File | Configures |
|---|---|
| `kernel.nix` | `boot.kernelPackages`, `boot.kernelParams`, `boot.kernel.sysctl` |
| `network.nix` | `networking.*` |
| `openssh.nix` | `services.openssh.*` |
| `restic.nix` | `services.restic.*` + `age.secrets.*` |
| `impermanence.nix` | `environment.persistence.*` |
Container modules in containers/ follow the same pattern but additionally define the Traefik routing configuration for that service, keeping all service-related config in one place.
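To make both conventions concrete (a module named after the option it sets, with its `age.secrets.*` declaration next to the service that consumes it, and a container module that carries its own Traefik routing), here is a hypothetical container module in that shape. It is an added example written for this page, not the repository's own `vaultwarden.nix`. The image tag, hostname, secret file name, the `proxy` network, the `cloudflare` certificate resolver and the `authelia@docker` middleware are all assumptions, as is the assumption that `traefik.nix` runs Traefik's Docker provider against the Podman socket so that container labels are picked up.

```nix
# server/containers/vaultwarden.nix -- hypothetical example module, not the
# repository's actual file. Everything named below is an assumption.
{ config, ... }:

{
  # The secret is committed encrypted as an .age file and decrypted by agenix
  # at activation into /run/agenix/<name>, never into the world-readable
  # /nix/store. The file is assumed to hold one line: ADMIN_TOKEN=<value>.
  age.secrets.vaultwarden_env = {
    file = ../secrets/vaultwarden_env.age;   # assumed file name
    mode = "0400";                            # root-only; the container unit runs as root
  };

  virtualisation.oci-containers.containers.vaultwarden = {
    image = "vaultwarden/server:1.32.0";     # pinned tag (assumed); never :latest
    autoStart = true;
    volumes = [ "/var/lib/vaultwarden:/data" ];

    environment = {
      DOMAIN = "https://vault.example.com";   # assumed hostname
      SIGNUPS_ALLOWED = "false";              # only the admin creates accounts
      SHOW_PASSWORD_HINT = "false";
    };

    # ADMIN_TOKEN is read from the agenix-managed env file at container start.
    # The generated systemd unit references only the /run/agenix path, so the
    # token itself never lands in the Nix store or in `nix show-config` output.
    environmentFiles = [ config.age.secrets.vaultwarden_env.path ];

    # Traefik routing for this service is declared here, next to the service.
    # Two routers share the host; Traefik gives the longer rule higher priority,
    # so /admin is matched by the second router and gets Authelia in front of it.
    labels = {
      "traefik.enable" = "true";

      "traefik.http.routers.vaultwarden.rule" = "Host(`vault.example.com`)";
      "traefik.http.routers.vaultwarden.entrypoints" = "websecure";
      "traefik.http.routers.vaultwarden.tls.certresolver" = "cloudflare";   # assumed resolver name
      "traefik.http.services.vaultwarden.loadbalancer.server.port" = "80";

      "traefik.http.routers.vaultwarden-admin.rule" =
        "Host(`vault.example.com`) && PathPrefix(`/admin`)";
      "traefik.http.routers.vaultwarden-admin.entrypoints" = "websecure";
      "traefik.http.routers.vaultwarden-admin.tls.certresolver" = "cloudflare";
      "traefik.http.routers.vaultwarden-admin.service" = "vaultwarden";
      # forwardAuth middleware assumed to be defined by authelia.nix under this name
      "traefik.http.routers.vaultwarden-admin.middlewares" = "authelia@docker";
    };

    # Shared Podman network that Traefik also joins (assumed name), so the
    # service needs no published host port at all.
    extraOptions = [ "--network=proxy" ];
  };
}
```

After `nixos-rebuild switch`, `systemctl cat podman-vaultwarden.service` shows the unit passing `--env-file /run/agenix/vaultwarden_env` rather than the token value, which is the check that the secret stayed out of the store. Deliberately left out of this module is any `environment.persistence.*` entry for `/var/lib/vaultwarden`: by the naming convention above, that belongs in `impermanence.nix`, not here.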