
bphenriques/dotfiles


bphenriques's fleet (Homelab & Laptops & Misc)

Modules Packages NixOS Install Darwin Install

Hi! 👋 This is my personal NixOS and nix-darwin flake that works for me. I hope this helps you!

Hosts

| Host | Platform | Description |
|------|----------|-------------|
| compute | NixOS | Self-hosted homelab (service catalogue, OIDC SSO, secret provisioning). |
| laptop | NixOS | Personal workstation |
| inky | NixOS | Raspberry Pi Zero 2W connected to Inky Impression and speakers |
| work-macos | Darwin | Work MacBook |

The compute host uses a declarative service framework where a single registration drives ingress, OIDC, secrets, monitoring, homepage, and backups:

custom.homelab.services.miniflux = {
  metadata = { description = "RSS"; category = "General"; /* ... */ };
  port = 8081;
  oidc.enable = true;
  integrations.homepage.enable = true;
  healthcheck.path = "/healthcheck";
  backup.package = /* pre-backup hook script */;
};

Nix Stack

Layout:

  • hosts/: per-host configurations (hardware, services, users)
  • modules/: reusable modules that define options (e.g., custom.homelab.*)
  • profiles/: shared opinionated configuration that sets standard options (imported by hosts)
  • packages/: custom packages and scripts
  • lib/: custom helpers and builders
  • apps/: runnable scripts (installation, post-install)

Key dependencies:

Not using flake-utils or impermanence intentionally.

Sensitive Configuration

I keep private configuration in a companion private repository, dotfiles-private, which is consumed as a flake input and mapped to self.private, because:

  • I do not want to expose private information such as public domain, user definitions, and SMTP settings.
  • I do not want to overexpose the sops-encrypted file or the .sops.yaml.

Structure of dotfiles-private:
.
├── flake.lock
├── flake.nix
├── hosts
│   ├── compute
│   │   ├── default.nix
│   │   ├── secrets.yaml    <- Encrypted
│   │   ├── settings.nix
│   │   └── users
│   │       ├── bphenriques.nix
│   │       └── johndoe.nix
│   └── laptop
│       ├── default.nix
│       └── secrets.yaml    <- Encrypted
├── packages
│   └── wallpapers
│       ├── default.nix
│       └── src
│           ├── beach-night-sky.jpg
│           ├── ...
│           └── watch-tower.png
├── README.md
└── shell.nix               <- With sops package inside
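
A check that could run in dotfiles-private before each commit to confirm that every hosts/<host>/secrets.yaml in the layout above really is sops-encrypted. This is an added example, not part of this repository: the function names, the line-based heuristic and the sample files are assumptions, and it expects sops' default YAML output (ENC[...] values plus a top-level sops: block carrying a mac).

```python
import tempfile
from pathlib import Path

def check_sops_file(text):
    """Return (has_sops_mac, plaintext_line_numbers); a line heuristic, not a YAML parser.
    Reports line numbers, never values, so the check itself cannot print a secret."""
    has_mac, in_sops, plaintext = False, False, []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped in ("---", "..."):
            continue
        if line[0] not in " \t-":                 # a new top-level key starts here
            in_sops = stripped.startswith("sops:")
        if in_sops:                               # metadata block: only look for the MAC
            has_mac = has_mac or stripped.startswith("mac: ENC[")
            continue
        item = stripped[2:].strip() if stripped.startswith("- ") else stripped
        key, sep, value = item.partition(": ")
        if not sep:
            if item.endswith(":"):                # parent mapping key, no scalar on this line
                continue
            key, value = "", item                 # bare list item
        # sops leaves keys ending in "_unencrypted" in cleartext by default.
        if key.endswith("_unencrypted") or value.startswith("ENC["):
            continue
        plaintext.append(number)
    return has_mac, plaintext

def audit(root):
    """Map each failing hosts/<host>/secrets.yaml to a reason; an empty dict means all pass."""
    failures = {}
    for path in sorted(Path(root).glob("hosts/*/secrets.yaml")):
        has_mac, plaintext = check_sops_file(path.read_text())
        if not has_mac or plaintext:
            failures[path.relative_to(root).as_posix()] = (
                "no sops metadata" if not has_mac else f"plaintext on lines {plaintext}")
    return failures

# Constructed samples (not real ciphertext): one encrypted file, one committed in cleartext.
ENCRYPTED = ("smtp:\n    password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]\n"
             "sops:\n    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]\n")
LEAKY = "smtp:\n    password: example-cleartext\n"

def demo():
    """Build a throwaway copy of the hosts/ layout and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for host, body in (("compute", ENCRYPTED), ("laptop", LEAKY)):
            Path(root, "hosts", host).mkdir(parents=True)
            Path(root, "hosts", host, "secrets.yaml").write_text(body)
        return audit(root)
```

The check only covers secrets.yaml: values kept in plain Nix files such as settings.nix are copied into the world-readable Nix store when the flake input is evaluated, so they are private to the repository but not secret on the host.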

Workflow

A dot CLI wraps the native rebuild tools:

dot . s              # apply changes to the current host
dot . u              # update flake inputs
dot . c              # show changelog between last two local profiles
dot compute s        # deploy to the compute host remotely
dot compute c        # show changelog for the compute host

AI Disclaimer

AI was used from January 2026 onwards, starting with the compute host to learn and iterate faster, not to replace understanding. I drive the architecture, review and own every line.

Acknowledgements

Thanks to everyone sharing dotfiles, maintaining the Arch Wiki and NixOS Wiki, and helping in the NixOS community.