NAS Server (jallen-nas)
systems/x86_64-linux/jallen-nas/
Hardware
- CPU: AMD (x86_64)
- GPU: AMD (LACT for fan/power control)
- Disk: NVMe system drive + bcachefs NAS pool
- Security: TPM2 (Clevis disk unlock), Lanzaboote (Secure Boot)
Key Features
- bcachefs storage pool mounted at /media/nas/main
- Clevis-based TPM disk unlock at boot (no passphrase required)
- Impermanence — root is ephemeral; state persists to /media/nas/main/persist
- Samba shares (Windows file sharing, Time Machine)
- Nebula VPN node (overlay peer, lighthouse at pi5)
- ~40 self-hosted services behind a Caddy reverse proxy
- Authentik SSO protecting most web UIs
- CrowdSec for intrusion detection
- Restic backups
Network
- LAN IP: 10.0.1.3 (static, enp197s0)
- Gateway: 10.0.1.1
- Nebula: overlay peer, lighthouse at mjallen.dev:4242
Storage
| Mount | Filesystem | Description |
|---|---|---|
| /media/nas/main | bcachefs | Primary NAS pool (media, appdata, documents) |
| /media/nas/test | bcachefs | Secondary test pool |
Samba Shares
| Share | Time Machine |
|---|---|
| 3d_printer | no |
| Backup | no |
| Documents | no |
| isos | no |
| app_data | no |
| TimeMachine | yes (max 1 TB) |
Enabled Services
| Service | Port | Notes |
|---|---|---|
| Caddy | 443/80 | Reverse proxy for all services |
| Authentik | 9000 | SSO / identity provider |
| Attic | 9012 | Nix binary cache (cache.mjallen.dev) |
| Immich | 2283 | Photo management |
| Jellyfin | 8096 | Media server |
| Seerr | 5055 | Media request manager |
| Nextcloud | 9988 | Cloud storage |
| Paperless | 28981 | Document management |
| Paperless AI | 28982 | AI-assisted document tagging |
| Gitea | 3000 | Self-hosted Git |
| Matrix | 8448 | Matrix homeserver |
| Ntfy | 2586 | Push notifications |
| Glance | 5555 | Dashboard |
| Immich | 2283 | Photo library |
| Uptime Kuma | 3001 | Uptime monitoring |
| Code Server | 4444 | VS Code in the browser |
| Cockpit | 9090 | System management UI |
| Collabora | 9980 | Online office suite |
| CrowdSec | 8181 | Intrusion detection |
| Glances | 61208 | System stats |
| Coturn | 3478 | TURN/STUN server |
| Nebula | 4242 | Overlay VPN node |
| Restic | 8008 | Backup service |
| Sunshine | 47989 | Remote desktop (Moonlight) |
| Unmanic | 8265 | Media transcoding |
| Lubelogger | 6754 | Vehicle maintenance log |
| Manyfold | 3214 | 3D model library |
| Booklore | 6066 | Book library |
| Tunarr | 8000 | Virtual TV channels |
| Termix | 7777 | Web terminal |
| Sparky Fitness | 3004/3010 | Fitness tracking |
| Protonmail Bridge | 1025/1143 | SMTP/IMAP bridge |
| Arrs | various | Sonarr, Radarr, etc. |
| AI | various | Ollama, etc. |
| Wyoming | various | Voice assistant pipeline |
Configuration Files
| File | Purpose |
|---|---|
| default.nix | Main config — network, hardware, filesystems, packages |
| apps.nix | All service enable/disable declarations |
| nas-defaults.nix | Sets configDir/dataDir defaults for all services |
| boot.nix | Lanzaboote, kernel, initrd |
| services.nix | Home Assistant, samba, and other platform services |
| users.nix | User accounts (admin, nix-apps) |
| sops.nix | Secret declarations |
| vpn.nix | Nebula VPN configuration |
| disabled.nix | Services explicitly disabled |
Secrets
Secrets are in secrets/nas-secrets.yaml, encrypted for: matt, desktop, admin, jallen-nas.