Server Overview
The server configuration (homelab) is a headless Intel-based system running containerised services. It uses an ephemeral root filesystem (impermanence pattern), aggressive security hardening, and automated maintenance.
Hardware
| Component | Detail |
|---|---|
| CPU | Intel (with kvm-intel module) |
| GPU | Intel integrated (hardware transcoding via intel-media-driver) |
| Primary disk | WD Black SN850X 2000GB NVMe |
| Backup disk | 512GB SATA SSD |
| Network | Realtek r8169 Gigabit Ethernet |
| Firmware | Intel microcode updates enabled |
System Identity
```nix
specialArgs = {
  username = "nixos";
  hostname = "homelab";
  domain = "nemnix.site";
};
```
Design Philosophy
The server follows a minimal, hardened, reproducible approach:
- No desktop environment -- headless operation only.
- No documentation -- man pages, info, and NixOS docs are all disabled.
- No default packages -- `environment.defaultPackages = lib.mkForce []`.
- No nano -- `programs.nano.enable = false`.
- No fonts, icons, sounds -- all XDG features disabled.
- No stub ld -- `environment.stub-ld.enable = false`.
Only five packages are installed:
```nix
environment.systemPackages = [ btop yazi helix lynis agenix ];
```
| Package | Purpose |
|---|---|
| btop | System monitoring |
| yazi | File manager |
| helix | Text editor (`$EDITOR` and `$VISUAL`) |
| lynis | Security auditing tool |
| agenix | Secrets management CLI |
Module Map
| Module | Purpose |
|---|---|
| bootloader.nix | systemd-boot |
| kernel.nix | Hardened kernel + extensive sysctl |
| disko.nix | BTRFS + LUKS + backup disk + remote unlock + rollback |
| impermanence.nix | Persistent paths declaration |
| network.nix | Static IP + NAT + firewall |
| openssh.nix | Hardened SSH daemon |
| nix.nix | Nix daemon settings |
| users.nix | User account |
| bash.nix | Shell aliases |
| git.nix | Git identity |
| packages.nix | Minimal packages + disabled features |
| graphics.nix | Intel media driver |
| fstrim.nix | SSD TRIM + I/O scheduler udev rules |
| systemd.nix | systemd hardening + disabled services |
| restic.nix | Encrypted daily backups |
| podman.nix | Container runtime |
| auto-upgrade.nix | Weekly unattended upgrades |
| hardware-configuration.nix | Generated hardware config |
Shell Aliases
Defined in bash.nix for quick server administration:
```bash
# Container access
immich       # sudo nixos-container root-login immich
adguard      # sudo nixos-container root-login adguard
traefik      # sudo nixos-container root-login traefik
authelia     # sudo nixos-container root-login authelia
vaultwarden  # sudo nixos-container root-login vaultwarden
opencloud    # sudo nixos-container root-login opencloud

# System management
update       # nix flake update --flake ~/nixos-homelab
rebuild      # sudo nixos-rebuild switch --flake ~/nixos-homelab
garbage      # Full garbage collection + store verification + optimisation
```
I/O Scheduler Tuning
Custom udev rules in fstrim.nix set optimal I/O schedulers per device type:
| Device Type | Scheduler | Rationale |
|---|---|---|
| HDD (rotational=1) | bfq | Fair queuing for rotational media |
| SATA SSD (rotational=0) | mq-deadline | Low latency for SATA SSDs |
| NVMe (nvme*) | none | NVMe has internal scheduling; kernel scheduler adds overhead |
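The udev rules only take effect when they match, so it is worth checking the live state against the table. The script below is an added audit helper, not part of the homelab repository: it encodes the scheduler policy from the table, parses the active scheduler out of each device's sysfs `queue/scheduler` file (the bracketed entry), and flags any block device that deviates. It assumes the standard Linux sysfs layout `/sys/block/<dev>/queue/{rotational,scheduler}`.

```shell
#!/bin/sh
# Added audit helper (not from the homelab repo): compare each block device's
# active I/O scheduler with the policy table in fstrim.nix's udev rules.
# Assumes Linux sysfs: /sys/block/<dev>/queue/rotational and .../queue/scheduler.

# Policy: device name + rotational flag -> expected scheduler (per the table).
expected_scheduler() {
  dev="$1"; rotational="$2"
  case "$dev" in
    nvme*) printf 'none\n' ;;                  # NVMe schedules internally
    *) if [ "$rotational" = "1" ]; then
         printf 'bfq\n'                        # rotational HDD
       else
         printf 'mq-deadline\n'                # SATA SSD
       fi ;;
  esac
}

# sysfs lists every scheduler with the active one in brackets,
# e.g. "mq-deadline kyber [bfq] none"; return the bracketed name.
active_scheduler() {
  line="$1"
  line="${line#*\[}"
  printf '%s\n' "${line%%\]*}"
}

# Walk sysfs, print one line per physical device, return 1 on any mismatch.
audit_schedulers() {
  rc=0
  for q in /sys/block/*/queue; do
    dev="${q#/sys/block/}"; dev="${dev%/queue}"
    case "$dev" in loop*|ram*|zram*|dm-*|sr*) continue ;; esac  # no policy
    [ -r "$q/rotational" ] && [ -r "$q/scheduler" ] || continue
    read -r rot < "$q/rotational"
    sched="$(active_scheduler "$(cat "$q/scheduler")")"
    want="$(expected_scheduler "$dev" "$rot")"
    if [ "$sched" = "$want" ]; then
      printf 'OK   %-10s rotational=%s scheduler=%s\n' "$dev" "$rot" "$sched"
    else
      printf 'WARN %-10s rotational=%s scheduler=%s expected=%s\n' "$dev" "$rot" "$sched" "$want"
      rc=1
    fi
  done
  return "$rc"
}

# Run the audit only when explicitly asked: sh audit-schedulers.sh --run
if [ "${1:-}" = "--run" ]; then audit_schedulers; fi
```

A non-zero exit after `--run` means at least one device is not on the scheduler the rules intend, typically because the udev KERNEL or ATTR match did not fire for that device name.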
systemd Configuration
The server has aggressive systemd hardening in systemd.nix:
- Emergency mode disabled -- the server must never drop to an interactive prompt.
- Emergency targets suppressed in initrd.
- Unused services disabled: pre-sleep, prepare-kexec, systemd-rfkill, systemd-hibernate-clear, systemd-networkd-wait-online.
- Journal hardened: private network, protected hostname and kernel modules, restrictive umask.
- Fast shutdown timeouts: runtime 15s, reboot 30s, kexec 1m.