nixcfg

This repository contains the declarations of my systems running Nix/NixOS.

  • 🦫 beaver: My VPS running NixOS and self-hosting services.
  • 🐟 swordfish: My desktop running NixOS (login only through YubiKey).
  • 🦜 parrot: My laptop running NixOS (login only through YubiKey).
  • 🦉 owl: My Apple Silicon (M1) Mac running nix-darwin.
  • 🦎 gecko: My Raspberry Pi configs (WIP).

Features

VPS (beaver)

  • Identity management: Keycloak (SSO via the GitHub provider or a YubiKey)
  • Reverse proxy & web server: nginx
  • Monitoring (observability): Grafana (only accessible through Keycloak)
  • Monitoring (metrics collector): Prometheus
  • Monitoring (logs aggregator): Loki
  • Monitoring (alert notifications): Gotify
  • Mail server: Simple NixOS Mail Server
  • Password management: Vaultwarden (only accessible through Keycloak)
  • LLM frontend: Open WebUI (only accessible through Keycloak)
  • GPS location sharing service: Dawarich
  • CI/CD: Self-hosted GitHub Actions Runner (aarch64-linux) for building ARM64 NixOS configurations
  • Security: sops-nix (secrets management), Fail2Ban (intrusion prevention)
  • Binary cache: Cachix (justalternate-nixcfg.cachix.org)

Infrastructure Overview (Beaver VPS)

flowchart LR
    Me["🧑‍💼 Me"]
    subgraph Internet["🌐 Internet"]
        Users["Users"]
        GitHub["GitHub"]
        Cloudflare["Cloudflare<br/>(DNS)"]
    end

    subgraph Beaver["🖥️ Beaver VPS"]
        
        subgraph Network["🕸️ Network Layer"]
            Firewall["🔥 UFW Firewall<br/>TCP: 443, 8443, 9111<br/>Mail: 25, 465, 587, 993"]
            Nginx["🌐 Nginx<br/>Reverse Proxy + SSL"]
        end

        subgraph Security["🔒 Security Layer"]
            Sops["SOPS<br/>(Secrets Management)"]
        end

        subgraph Services["🚀 Self-Hosted Services"]
            Vaultwarden["Vaultwarden<br/>(Passwords)"]
            OpenWebUI["OpenWebUI<br/>(LLM Frontend)"]
            Mail["Simple NixOS Mail<br/>(Postfix/Dovecot)"]
            Dawarich["Dawarich<br/>(GPS Tracking)"]

            subgraph Monitoring["🔍 Monitoring"]
                Gotify["Gotify (Alerts notifier)"]
                BlackBox["BlackBox exporter"]
                Promtail["Promtail (Logs)"]
                Loki["Loki (Logs)"]
                Prometheus["Prometheus (Metrics)"]
                Grafana["Grafana<br/>"]
            end

            subgraph Auth["🔐 Identity Layer"]
                Keycloak["Keycloak SSO<br/>"]
            end
        end
    end

    %% External Traffic
    Users --> Cloudflare
    Cloudflare -->|"HTTPS (443)"| Firewall
    Users -->|"SSH (8443)"| Firewall

    %% Internal Routing
    Firewall -->|"Proxy"| Nginx

    %% Monitoring Flow
    BlackBox --> Prometheus
    Prometheus --> Grafana
    Promtail --> Loki
    Loki --> Grafana

    Sops -->|"Secret"| Grafana

    Keycloak -->|"OIDC"| Grafana

    Sops -->|"Secret"| Vaultwarden
    Sops -->|"Secret"| Mail
    Sops -->|"Secret"| Keycloak

    GitHub -->|"IdP"| Keycloak

    %% Auth Flow
    Keycloak -->|"OIDC"| OpenWebUI
    Keycloak -->|"OIDC"| Dawarich
    Keycloak -->|"OIDC"| Vaultwarden

    Sops -->|"Secret"| Dawarich

    Prometheus --> Gotify
    Gotify --> Me

Monitoring dashboards:

Node exporter

./assets/node-exporter.png

Logs

./assets/logs.png

Status, Probe and TLS certificates

./assets/blackbox.png

Alerting

./assets/alerts.png

Desktop (swordfish and parrot)

./assets/desktop.png

🔐 Security & Access Management

Since this repository is fully public, I take security principles seriously. Here is what I implemented and the general direction I am taking:

Secrets Management

  • SOPS-Nix: secrets encrypted with age, using keys derived from SSH keys
  • Vaultwarden: Self-hosted credential management

Identity & Access Management

  • Keycloak: Centralized IdP enforcing OIDC across services
  • SSO Providers: GitHub OAuth, WebAuthn (YubiKey)

Authentication Architecture

  • Host Access (Desktops): Single-factor hardware authentication via PAM U2F (YubiKey) with automatic screen lock on removal
  • Remote Access (VPS): SSH with Ed25519 keys (password authentication disabled)
  • Service Access: OIDC via Keycloak

Note on MFA: Currently relying on possession-factor authentication (YubiKey for local, SSH keys for remote). Planning to add biometrics (inherence factor) to achieve true 2FA for local access.
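The desktop side of this architecture (YubiKey-only login through pam_u2f, plus locking every session when the key is unplugged) expressed as a NixOS module fragment. This is an added example, not a module from this repository; it assumes the NixOS 24.05 or newer `security.pam.u2f.settings` option layout, a mapping file at `/etc/u2f_mappings`, a systemd-logind session so `loginctl lock-sessions` reaches the screen locker, and that the USB vendor id `1050` (Yubico) identifies the key in udev events.

```nix
# Added example (not the repository's own module): a NixOS fragment for a
# desktop host that authenticates with a YubiKey only and locks all sessions
# when the key is removed. Assumptions: NixOS >= 24.05 option layout,
# mapping file at /etc/u2f_mappings, systemd-logind sessions, and the Yubico
# USB vendor id 1050 identifying the key in udev.
{ config, pkgs, ... }:

{
  security.pam.u2f = {
    enable = true;
    # "sufficient": a successful touch satisfies the whole PAM stack on its own,
    # which is the single possession factor described above. "required" would
    # demand the key AND the password, turning this into two factors.
    control = "sufficient";
    settings = {
      cue = true;                      # prompt the user to touch the key
      authfile = "/etc/u2f_mappings";  # one "user:keyHandle,publicKey,..." line per key
    };
  };

  # PAM stacks that accept the key. Keeping sudo on the key means a leaked
  # password alone does not escalate privileges. The display manager's own
  # PAM service (gdm, greetd, ...) needs the same flag for graphical login.
  security.pam.services = {
    login.u2fAuth = true;
    sudo.u2fAuth = true;
  };

  # Mapping file produced once with `pamu2fcfg -u <user>` (values below are
  # placeholders). Declaring it here keeps it part of the reproducible config
  # instead of a mutable file edited by hand.
  environment.etc."u2f_mappings".text = ''
    alice:<keyHandle>,<publicKey>,es256,+presence
  '';

  # Lock every session the moment the YubiKey is unplugged: the rule matches
  # the udev "remove" event carrying Yubico's USB vendor id.
  services.udev.extraRules = ''
    ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
  '';
}
```

A quick check after switching: `pamu2fcfg` output must match the line format above exactly, and removing the key should produce a `lock-sessions` call visible in `journalctl -u systemd-logind`.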

Network Hardening

  • Firewall: UFW with minimal port exposure (443, 8443, mail ports)
  • Fail2Ban: Automated intrusion prevention
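The VPS side of the same section (key-only SSH on port 8443, the port list from the diagram, Fail2Ban, and sops-nix secrets consumed at runtime) as one NixOS module fragment. This is an added example, not a module from this repository; it assumes sops-nix is imported as a module, secrets live in `./secrets/secrets.yaml`, the age key derived from the SSH key sits at `/nix/sops/age/keys.txt` (the path used in the advanced install steps below), and the native NixOS firewall stands in for the UFW box in the diagram. The user name and public key are placeholders.

```nix
# Added example (not the repository's own module): the VPS hardening and
# secrets handling described above. Assumptions: sops-nix module imported,
# ./secrets/secrets.yaml as the secrets file, age key at
# /nix/sops/age/keys.txt, native NixOS firewall in place of UFW.
{ config, pkgs, ... }:

{
  # --- Remote access: Ed25519 keys only, on the non-default port from the diagram ---
  services.openssh = {
    enable = true;
    ports = [ 8443 ];
    settings = {
      PasswordAuthentication = false;        # keys only
      KbdInteractiveAuthentication = false;  # no PAM challenge fallback either
      PermitRootLogin = "no";
    };
  };
  users.users.alice.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAA...placeholder... alice@laptop"   # placeholder public key
  ];

  # --- Network hardening: only the ports listed in the diagram are reachable ---
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      443 8443          # HTTPS (nginx), SSH
      25 465 587 993    # SMTP, submission (implicit TLS), submission (STARTTLS), IMAPS
      9111              # present in the diagram; its service is not named on the page
    ];
  };

  # --- Fail2Ban: ban sources that keep failing (the sshd jail is on by default) ---
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "1h";
    ignoreIP = [ "127.0.0.1/8" "::1" ];   # never lock out the host itself
  };

  # --- Secrets: decrypted at activation into /run/secrets, never in the Nix store ---
  sops = {
    defaultSopsFile = ./secrets/secrets.yaml;
    age.keyFile = "/nix/sops/age/keys.txt";
    secrets."grafana/admin_password" = {
      owner = "grafana";                    # user the NixOS grafana module runs as
      restartUnits = [ "grafana.service" ]; # pick up rotated secrets
    };
  };

  # Consumers read the secret from its runtime path at start-up instead of
  # having the value baked into the generated (world-readable) config.
  services.grafana = {
    enable = true;
    settings.security.admin_password =
      "$__file{${config.sops.secrets."grafana/admin_password".path}}";
  };
}
```

Two things worth verifying after deployment: `nix path-info -r /run/current-system | xargs grep -l <secret>` must return nothing (the secret never reached the store), and `ss -tlnp` should show only the listed ports exposed on the public interface.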

Installation

Enter a shell with git and vim.

nix-shell -p git vim

Clone the repository and enter it.

git clone https://github.com/JustAlternate/nixcfg
cd nixcfg

Create your own host folder.

mkdir <myMachineName>

Create your hardware config

nixos-generate-config --show-hardware-config > <myMachineName>/hardware-configuration.nix

Modify your host configuration by importing different modules

vim <myMachineName>/configuration.nix

Modify the flake.nix to add your machine

vim flake.nix

Temporarily enable the flakes experimental features and rebuild/switch. sudo resets the environment, so the variable has to be passed through explicitly.

export NIX_CONFIG="experimental-features = nix-command flakes"
sudo --preserve-env=NIX_CONFIG nixos-rebuild switch --flake .#<myMachineName>Nixos
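The flake entry the steps above refer to, shown as a complete minimal flake.nix that produces the `.#<myMachineName>Nixos` attribute `nixos-rebuild switch --flake` expects. This is an added example, not this repository's flake.nix; it uses `mymachine` as a placeholder for your host folder (Nix path literals cannot contain angle brackets), follows nixpkgs unstable, and assumes sops-nix is the only extra module input.

```nix
# Added example (not the repository's own flake.nix). Placeholders:
# "mymachine" is your host folder; rename the attribute and paths to match.
{
  description = "Declarative NixOS hosts";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";   # single nixpkgs evaluation
    };
  };

  outputs = { self, nixpkgs, sops-nix, ... }@inputs: {
    # Attribute name is what `nixos-rebuild switch --flake .#mymachineNixos` selects.
    nixosConfigurations.mymachineNixos = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      specialArgs = { inherit inputs; };   # lets host modules reach flake inputs
      modules = [
        sops-nix.nixosModules.sops
        ./mymachine/hardware-configuration.nix   # from nixos-generate-config
        ./mymachine/configuration.nix            # your host config importing modules
      ];
    };
  };
}
```

Because flakes only see files tracked by git, run `git add mymachine` before the first rebuild, otherwise evaluation fails with a "path does not exist" error.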

Advanced Install process (optional)

Create a .ssh folder and generate your SSH private key.

mkdir -p ~/.ssh
ssh-keygen -t ed25519 -C "email@email.com"

Derive your sops age private key from the SSH key.

sudo mkdir -p /nix/sops/age
# Run the conversion as your own user (under sudo, ~ would point at root's home)
# and let tee write the root-owned destination.
nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519" | sudo tee /nix/sops/age/keys.txt > /dev/null
sudo chmod 600 /nix/sops/age/keys.txt
