A complete, production-ready NixOS configuration for self-hosting 20+ services with enterprise-grade security, automated backups, and zero-trust networking.
Perfect for: Home lab enthusiasts, privacy-conscious users, and anyone wanting to self-host their digital life with minimal maintenance.
DISCLAIMER - this entire project was vibe-engineered with claude.ai
- Jellyfin - Stream your movies, TV shows, and music
- Jellyseerr - Media request management for Jellyfin
- Sonarr/Radarr - Automated TV show and movie management
- Readarr/Lidarr - Ebook and music library management
- Prowlarr/Bazarr - Indexer management and subtitles
- qBittorrent - Torrent download client with modern web UI
- Audiobookshelf - Audiobook and podcast server
- Immich - Google Photos alternative with ML features
- NextCloud - File sync and collaboration
- Paperless-ngx - Document management with OCR
- Home Assistant - Home automation platform
- Mealie - Recipe manager and meal planner
- Homepage - Beautiful dashboard for all services
- Homarr - Advanced dashboard with built-in authentication and 30+ integrations
- Open WebUI - ChatGPT-like interface
- Ollama - Run Llama, Mistral, and other models locally
- SearXNG - Private web search integration
- Authentik - Single sign-on (SSO) provider
- CrowdSec - Collaborative threat protection
- Tailscale - Zero-config VPN (remote access)
- Local Network Access - Direct LAN access with domain-based routing
- Caddy - Automatic HTTPS reverse proxy
- PostgreSQL - Centralized database
- Redis - Shared caching layer for services
- pgAdmin - Database management interface
- Grafana - Monitoring and metrics
- Restic - Encrypted, deduplicated backups to Azure Blob Storage
- Multi-disk optimization - Separate SSDs/HDDs for performance
- Automated retention - Daily, weekly, monthly, and yearly snapshots
```text
┌───────────────────────────────────────────────────────────────┐
│                           Internet                            │
└───────────────────────────────┬───────────────────────────────┘
                                │
                                │ (Tailscale VPN - 100.x.x.x)
                                │ (No exposed ports!)
                                │
┌───────────────────────────────┼───────────────────────────────┐
│                         Your Devices                          │
│   ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐   │
│   │  Laptop  │   │  Phone   │   │  Tablet  │   │ Desktop  │   │
│   └──────────┘   └──────────┘   └──────────┘   └──────────┘   │
└───────────────────────────────┬───────────────────────────────┘
                                │
                    ┌───────────┴───────────┐
                    │                       │
         (Remote: Tailscale VPN)    (Local: LAN/WiFi)
          *.home.yourdomain.com   *.home.yourdomain.com
                    │                       │
                    └───────────┬───────────┘
                                │
                                │ HTTPS (Let's Encrypt + Internal CA)
                                │
┌───────────────────────────────┼───────────────────────────────┐
│                      Caddy Reverse Proxy                      │
│         ┌──────────────────────────────────────────┐          │
│         │  Authentik SSO  │   CrowdSec Protection  │          │
│         └──────────────────────────────────────────┘          │
└───────────────────────────────┬───────────────────────────────┘
                                │
          ┌─────────────────────┼─────────────────────┐
          │                     │                     │
 ┌────────▼─────────┐  ┌────────▼─────────┐  ┌────────▼─────────┐
 │ Media Services   │  │ Document Services│  │ Smart Home       │
 │ • Jellyfin       │  │ • NextCloud      │  │ • Home Assistant │
 │ • Jellyseerr     │  │ • Paperless-ngx  │  │ • Mealie         │
 │ • Sonarr         │  │ • Immich         │  │ • Open WebUI     │
 │ • Radarr         │  │                  │  │ • Homarr         │
 │ • Readarr        │  │                  │  │ • Homepage       │
 │ • Lidarr         │  │                  │  │                  │
 │ • qBittorrent    │  │                  │  │                  │
 │ • Audiobookshelf │  │                  │  │                  │
 └──────────────────┘  └──────────────────┘  └──────────────────┘
          │                     │                     │
          └─────────────────────┼─────────────────────┘
                                │
                     ┌──────────▼───────────┐
                     │ PostgreSQL Database  │
                     │    (Centralized)     │
                     └──────────┬───────────┘
                                │
                     ┌──────────▼───────────┐
                     │     Redis Cache      │
                     │       (Shared)       │
                     └──────────┬───────────┘
                                │
                     ┌──────────▼───────────┐
                     │  Multi-Disk Storage  │
                     │  SSD: Docs/Photos    │
                     │  HDD: Media          │
                     └──────────┬───────────┘
                                │
                     ┌──────────▼───────────┐
                     │    Restic Backups    │
                     │    → Azure Blob      │
                     └──────────────────────┘
```
- NixOS installed on a server/VM
- Domain name (optional but recommended)
- Azure account (for backups and DNS)
- Tailscale account (free)
- Basic understanding of NixOS
```bash
# 1. Clone this repository
git clone https://github.com/yourusername/nixos-homeserver
cd nixos-homeserver

# 2. Copy and customize variables
cp vars.nix.example vars.nix
vim vars.nix   # Set your hostname, timezone, domain, etc.

# 3. Set up secrets (see docs/SOPS.md)
# Generate age key, create secrets file

# 4. Generate hardware configuration
sudo nixos-generate-config --show-hardware-config > hardware-configuration.nix

# 5. Deploy
sudo nixos-rebuild switch --flake .#homeserver
```

- Complete Setup Guide - Step-by-step deployment instructions
- Azure Setup - Configure DNS, storage, and service principal
- Tailscale Guide - VPN configuration for remote access
- Local Network Access - LAN access configuration
- Secrets Management - Using sops-nix for secrets
- Arr Stack Setup - Complete media automation workflow setup
- Service Configuration - Individual service setup
- CrowdSec Guide - Security monitoring
- Backup Guide - Backup and restore procedures
- Troubleshooting - Common issues and solutions
NixOS - Declarative configuration, atomic upgrades, easy rollbacks
Tailscale - Zero-config VPN, no exposed ports, works everywhere
Azure DNS - Custom domain with Let's Encrypt certs, private access
CrowdSec - Community-powered threat protection
Authentik - Modern SSO with great UI
PostgreSQL - Single database instance (not multiple containers)
Restic - Encrypted backups with deduplication
sops-nix - Secrets encrypted in git
- ✅ No exposed ports - Zero internet exposure, LAN + Tailscale only
- ✅ Dual access modes - Remote (Tailscale) + Local (LAN with domain-based routing)
- ✅ Encrypted secrets - sops-nix with age encryption
- ✅ SSH hardening - Key-based only, no root login
- ✅ Automatic updates - Weekly system updates
- ✅ Fail2ban - Brute force protection
- ✅ CrowdSec - Real-time threat detection and blocking
- ✅ SSL/TLS - Let's Encrypt + Internal CA for all services
- ✅ Firewall - Interface-specific rules, minimal attack surface
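As an added illustration of how the SSH, firewall, Fail2ban and update items above map onto NixOS options (example code, not one of this repository's modules): the LAN interface name `eth0` and the flake path are assumptions.

```nix
# modules/hardening.nix (added example; not one of the repository's modules)
{ config, lib, ... }:
{
  # SSH hardening: key-based only, no root login
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # Firewall: no globally open ports; SSH and Caddy's HTTPS are reachable
  # only on the LAN NIC and the Tailscale interface ("eth0" is an assumption).
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ ];
    allowedUDPPorts = [ ];
    interfaces."eth0".allowedTCPPorts = [ 22 443 ];
    interfaces."tailscale0".allowedTCPPorts = [ 22 443 ];
  };
  # No inbound port is opened for Tailscale itself; it falls back to DERP
  # relays when NAT traversal fails, so remote access still works.
  services.tailscale.enable = true;

  # Fail2ban: ban after repeated failed logins, but never lock out the VPN range
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "1h";
    ignoreIP = [ "100.64.0.0/10" ];
  };

  # Weekly unattended updates from the flake (path is an assumption)
  system.autoUpgrade = {
    enable = true;
    dates = "weekly";
    flake = "git+file:///srv/nixos-homeserver#homeserver";
    allowReboot = false;
  };
}
```

Import it from configuration.nix like the other modules; the firewall block is the one to check first after `nixos-rebuild switch`, since a typo in the interface name silently leaves the LAN rule unused.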
Optimized for cost and performance:
- 📀 SSD: Photos (Immich), Documents (NextCloud, Paperless)
- 💿 HDD: Media (Jellyfin) - large, replaceable content
- ☁️ Cloud: Backups (Azure) - critical data only (~100-300GB)
- 🚫 Not backed up: Media files (can be re-downloaded)
Monthly cost: ~$2-3 for Azure backups
Perfect for:
- 🏠 Home Lab - Run your own cloud services
- 👨👩👧👦 Family - Shared photos, documents, media
- 🔐 Privacy - Keep your data under your control
- 📚 Learning - Understand infrastructure and DevOps
- 💼 Portfolio - Demonstrate infrastructure skills
Edit configuration.nix to comment out services you don't want:

```nix
imports = [
  # ./modules/jellyfin.nix   # Disable Jellyfin
  ./modules/immich.nix       # Keep Immich
  # ./modules/paperless.nix  # Disable Paperless
];
```

To add a new service:
- Create modules/myservice.nix
- Add it to the imports list in configuration.nix
- Rebuild: sudo nixos-rebuild switch --flake .#homeserver
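An added example of what such a module looks like when it follows the architecture above (loopback-only service, Caddy terminates TLS, Authentik enforces SSO); this is not a module from this repository. It assumes vars.nix exposes a `domain` attribute, that Caddy is enabled by the proxy module, and that the Authentik outpost listens on 127.0.0.1:9000; the service itself is a hypothetical placeholder.

```nix
# modules/myservice.nix (added example; the service here is a placeholder)
{ config, pkgs, lib, ... }:
let
  vars = import ../vars.nix;             # assumption: vars.nix defines `domain`
  host = "myservice.home.${vars.domain}";
  port = 8080;
in
{
  # Placeholder service bound to loopback only, so Caddy is the only way in.
  systemd.services.myservice = {
    description = "Example self-hosted service behind Caddy";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      DynamicUser = true;                # unprivileged, ephemeral user
      WorkingDirectory = "/var/empty";
      ExecStart = "${pkgs.python3}/bin/python3 -m http.server ${toString port} --bind 127.0.0.1";
      ProtectSystem = "strict";
      ProtectHome = true;
      NoNewPrivileges = true;
      PrivateTmp = true;
    };
  };

  # Caddy: TLS termination, then Authentik forward-auth (outpost address is an
  # assumption), then proxy to the loopback port.
  services.caddy.virtualHosts."${host}".extraConfig = ''
    forward_auth 127.0.0.1:9000 {
      uri /outpost.goauthentik.io/auth/caddy
      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
    }
    reverse_proxy 127.0.0.1:${toString port}
  '';

  # Deliberately no networking.firewall entry for the port: it is reachable
  # from no interface, only through Caddy on 443.
}
```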
All user-specific settings are in vars.nix:
- Hostname and timezone
- Domain names
- Service URLs
- Storage paths
Minimum:
- CPU: 4 cores
- RAM: 8GB
- Storage: 100GB+ (root) + additional disks
Recommended:
- CPU: 6+ cores
- RAM: 16GB+ (for LLMs)
- Storage: 50GB (root) + 500GB (media) + 200GB (photos/docs)
- GPU: Optional (for LLM inference and Jellyfin transcoding)
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Test on a clean NixOS install
- Submit a pull request
Ideas for contributions:
- Additional services
- Alternative DNS providers
- Monitoring improvements
- Documentation enhancements
- Bug fixes
Built with these amazing open-source projects:
- NixOS - The Purely Functional Linux Distribution
- Tailscale - Zero config VPN
- CrowdSec - Collaborative security
- Caddy - Automatic HTTPS server
- Authentik - Identity provider
- All the incredible self-hosted services this config supports
Special thanks to the NixOS community for the excellent documentation and support.
MIT License - feel free to use, modify, and share!
If you find this useful, please give it a star! ⭐
- Questions? Open an issue or discussion
- Found a bug? Please report it
- Success story? Share it!
- GitHub: @rwiankowski
Built with ❤️ using NixOS
Self-hosting should be easy, secure, and fun!