NAS Server (jallen-nas)
systems/x86_64-linux/jallen-nas/
Hardware
- CPU: AMD (x86_64)
- GPU: AMD (LACT for fan/power control)
- Disk: NVMe system drive + bcachefs NAS pool
- Security: TPM2 (Clevis disk unlock), Lanzaboote (Secure Boot)
Key Features
- bcachefs storage pool mounted at /media/nas/main
- Clevis-based TPM disk unlock at boot (no passphrase required)
- Impermanence — root is ephemeral; state persists to /media/nas/main/persist
- Samba shares (Windows file sharing, Time Machine)
- Nebula VPN node (overlay peer, lighthouse at pi5)
- ~40 self-hosted services behind a Caddy reverse proxy
- Authentik SSO protecting most web UIs
- CrowdSec for intrusion detection
- Restic backups
Network
- LAN IP: 10.0.1.3 (static, enp197s0)
- Gateway: 10.0.1.1
- Nebula: overlay peer, lighthouse at mjallen.dev:4242
Storage
| Mount | Filesystem | Description |
|---|---|---|
| /media/nas/main | bcachefs | Primary NAS pool (media, appdata, documents) |
| /media/nas/test | bcachefs | Secondary test pool |
Samba Shares
| Share | Time Machine |
|---|---|
| 3d_printer | no |
| Backup | no |
| Documents | no |
| isos | no |
| app_data | no |
| TimeMachine | yes (max 1 TB) |
Enabled Services
| Service | Port | Notes |
|---|---|---|
| Caddy | 443/80 | Reverse proxy for all services |
| Authentik | 9000 | SSO / identity provider |
| Attic | 9012 | Nix binary cache (cache.mjallen.dev) |
| Immich | 2283 | Photo management |
| Jellyfin | 8096 | Media server |
| Seerr | 5055 | Media request manager |
| Nextcloud | 9988 | Cloud storage |
| Paperless | 28981 | Document management |
| Paperless AI | 28982 | AI-assisted document tagging |
| Gitea | 3000 | Self-hosted Git |
| Matrix | 8448 | Matrix homeserver |
| Ntfy | 2586 | Push notifications |
| Glance | 5555 | Dashboard |
| Immich | 2283 | Photo library |
| Uptime Kuma | 3001 | Uptime monitoring |
| Code Server | 4444 | VS Code in the browser |
| Cockpit | 9090 | System management UI |
| Collabora | 9980 | Online office suite |
| CrowdSec | 8181 | Intrusion detection |
| Glances | 61208 | System stats |
| Coturn | 3478 | TURN/STUN server |
| Nebula | 4242 | Overlay VPN node |
| Restic | 8008 | Backup service |
| Sunshine | 47989 | Remote desktop (Moonlight) |
| Unmanic | 8265 | Media transcoding |
| Lubelogger | 6754 | Vehicle maintenance log |
| Manyfold | 3214 | 3D model library |
| Booklore | 6066 | Book library |
| Tunarr | 8000 | Virtual TV channels |
| Termix | 7777 | Web terminal |
| Sparky Fitness | 3004/3010 | Fitness tracking |
| Protonmail Bridge | 1025/1143 | SMTP/IMAP bridge |
| Arrs | various | Sonarr, Radarr, etc. |
| AI | various | Ollama, etc. |
| Wyoming | various | Voice assistant pipeline |
Configuration Files
| File | Purpose |
|---|---|
| default.nix | Main config — network, hardware, filesystems, packages |
| apps.nix | All service enable/disable declarations |
| nas-defaults.nix | Sets configDir/dataDir defaults for all services |
| boot.nix | Lanzaboote, kernel, initrd |
| services.nix | Home Assistant, samba, and other platform services |
| users.nix | User accounts (admin, nix-apps) |
| sops.nix | Secret declarations |
| vpn.nix | Nebula VPN configuration |
| disabled.nix | Services explicitly disabled |
Secrets
Secrets are in secrets/nas-secrets.yaml, encrypted for: matt, desktop, admin, jallen-nas.