This repo uses a Makefile as the main entrypoint for building and switching
configurations. Most targets take WHAT= (a host or VM type). Running a target
without WHAT prints the available options when supported.
```bash
make inputs-update
make nixos-build-target WHAT=frame
make darwin-build-target WHAT=mair
make local-vm WHAT=builder1
make build-local-vm WHAT=builder1
make nixos-run-vm WHAT=builder1
make nixos-build-vm WHAT=builder1
```

```bash
make prox-vm WHAT=srvarr WHERE=prx1
```

```bash
make nixos-build
make nixos-switch
make nixos-build-target WHAT=beast REMOTE=false
make darwin-build
make darwin-switch
```

Update multiple machines over SSH with `scripts/update-machines.sh` (defaults to `--all`):
```bash
# Update all personal machines (default)
./scripts/update-machines.sh -A
# Update all work machines
./scripts/update-machines.sh -A --work
# Update a subset interactively (fzf required)
./scripts/update-machines.sh -A --select
# Dry run (SSH check + disk estimate only)
./scripts/update-machines.sh -A --dry-run
```

```bash
make disko-install WHAT=frame DEV=/dev/sdX
make pi-image
```

Secrets are managed via sops-nix, with one encrypted YAML per host under `secrets/`.
The shared plaintext seed template is secrets/_template.yaml.
Use flake apps for bootstrap so required tools are provided automatically.
Bootstrap a remote host over SSH (beast example):

```bash
nix run .#sops-bootstrap -- beast
```

If SSH user differs from your local username:

```bash
nix run .#sops-bootstrap -- beast --user root
```

This will:

- create `/var/lib/sops-nix/key.txt` on the host (if missing)
- fetch the age public key
- create `.sops.yaml` if needed (or patch it), including your local age key as a recipient for that host rule
- create `secrets/beast.yaml` encrypted using `.sops.yaml` creation rules

Notes:

- `sops-bootstrap` needs a real terminal (`ssh -tt`) because it may prompt for remote `sudo` password.
- It reads your local age key from `$SOPS_AGE_KEY_FILE` or `~/.config/sops/age/keys.txt`.
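
An added check, not part of this repo: after bootstrap, confirm that the encrypted host file lists exactly the recipients you expect (the host key and your local age key). The function names, the sample file and the `age1...placeholder` strings are constructed for illustration, and the code assumes the standard sops YAML metadata layout (`sops.age[].recipient`).

```bash
# Added example: audit which age recipients can decrypt a sops-encrypted host file.

# write_sample FILE: constructed stand-in for an encrypted secrets/<host>.yaml.
# Recipient strings and ciphertext are made-up placeholders, not real keys.
write_sample() {
  cat > "$1" <<'EOF'
attic:
    token: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    age:
        - recipient: age1hostplaceholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            PLACEHOLDER
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1adminplaceholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            PLACEHOLDER
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
EOF
}

# list_recipients FILE: print the age public keys recorded in the sops metadata.
list_recipients() {
  awk '$1 == "-" && $2 == "recipient:" { print $3 }' "$1" | sort -u
}

# audit_recipients FILE KEY...: compare recorded recipients with the expected set.
# Prints one line per discrepancy; returns 0 only when the sets are identical.
audit_recipients() {
  file=$1; shift
  actual=$(list_recipients "$file")
  expected=$(printf '%s\n' "$@" | sort -u)
  status=0
  for r in $actual; do
    printf '%s\n' "$expected" | grep -Fxq -- "$r" || { echo "unexpected: $r"; status=1; }
  done
  for r in $expected; do
    printf '%s\n' "$actual" | grep -Fxq -- "$r" || { echo "missing: $r"; status=1; }
  done
  return "$status"
}
```

Against a real file, pass `secrets/beast.yaml` followed by the host's and your own age public keys; a nonzero exit means the set of keys able to decrypt that file differs from what you intended.
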
Afterwards, edit the secret with:

```bash
nix run .#sops-edit -- beast
```

For the current host (detected via `hostname -s`), you can omit the host argument:

```bash
nix run .#sops-cat
nix run .#sops-edit
nix run .#sops-update
```

Or pass a host name as a positional argument:

```bash
nix run .#sops-cat -- mair
nix run .#sops-edit -- mair
nix run .#sops-update -- mair
```

Copy a section between host secrets (example: copy `attic` from `mair` to `prx1-lab`):

```bash
nix run .#sops-copy -- mair prx1-lab attic
```

```bash
make home-build-nv
make home-switch-nv
```

All VMs run on Proxmox hosts and are deployed with the nixmoxer tool
(`scripts/push-vm-to-proxmox.sh`).

| Machine | Type | Purpose | Config | Includes |
|---|---|---|---|---|
| pi5 | NixOS (Raspberry Pi) | DHCP and network services for the lab. | nixos/pi5/default.nix | common, nixos |
| beast | NixOS (x86_64-linux) | NAS storage + Jellyfin/Jellarr server. | nixos/beast/default.nix | common, nixos |
| nvws | Proxmox host | Work Proxmox node configuration. Single node. | nixos/nvws/default.nix | common, nixos |
| prx1-lab | Proxmox host | Lab Proxmox node (cluster leader). | nixos/prx1-lab/default.nix | common, nixos |
| prx2-lab | Proxmox host | Lab Proxmox node (cluster member). | nixos/prx2-lab/default.nix | common, nixos |
| prx3-lab | Proxmox host | Lab Proxmox node (cluster member). | nixos/prx3-lab/default.nix | common, nixos |

| Machine | Type | Purpose | Config | Includes |
|---|---|---|---|---|
| builder1 | CI VM | Primary builder VM for CI and heavy Nix builds. | nixos/default.nix | common, nixos |
| builder2 | CI VM | Additional builder VM (same profile as builder1). | nixos/default.nix | common, nixos |
| builder3 | CI VM | Additional builder VM (same profile as builder1). | nixos/default.nix | common, nixos |
| cache | CI VM | Cache VM backed by NFS for binary caching. | nixos/cachevm/default.nix | common, nixos |

| Machine | Type | Purpose | Config | Includes |
|---|---|---|---|---|
| mair | macOS (aarch64-darwin) | Personal Mac workstation. | darwin/mair/default.nix | common, darwin |
| mmini | macOS (aarch64-darwin) | Mac mini workstation. | darwin/default.nix | common, darwin |
| JGWXHWDL4X | macOS (aarch64-darwin) | Work Mac. | darwin/default.nix | common, darwin |
| frame | NixOS (x86_64-linux) | Desktop workstation. | nixos/frame/default.nix | common, nixos |

Jellyfin and Jellarr run on beast.

| Machine | Type | Purpose | Config | Includes |
|---|---|---|---|---|
| srvarr | NixOS VM | Media automation stack (Arr suite). | nixos/srvarrvm/default.nix | common, nixos |