Same. Just don’t become too good at it. Now I have to write whitepapers and participate in speaker panels at conferences. Ugh.
I’m both experienced and know jack shit because there is just too much to learn. I just started using it (1998ish) to make cool looking UIs. It’s been my daily driver for 15 years now.
You will never learn it all. Over time you may become more familiar with the terminal or you may not. Doesn’t matter. You do you.
It’s pretty easy to test drive. Grab a distro’s “Live CD” version, put it on a thumb drive, reboot and play around. This won’t be persistent. When you’re ready, install it on an external SSD. Play around some more now that your edits will be persistent. You’ll mess up. Take notes. Start again once you’ve hosed your system.
There are libraries that do just this like https://effect.website/docs/guides/schema/introduction.
Appreciate the write up though! All too easy to rely on libraries without understanding what’s under the hood.
Thanks for sharing, it was a good read.
For the networking I found some repos with Nix and Gluetun (OCI containers). I don’t see them in my bookmarks, so it was probably a day project when I set up and didn’t keep the references.
That part is still in docker / podman. So any docker network guide just needs to be translated to nix.
Best resource I’ve found is searching GitHub.
My setup closely follows https://github.com/Misterio77/nix-config.
For servarr I just translated someone else’s docker compose setup to nix. There are some ready made nix ones you can look at like https://github.com/rasmus-kirk/nixarr/tree/main/nixarr.
The complex networking I just picked up over time once I knew my way around a little bit.
GitHub is your best resource. Search for lang:nix plus your search terms.
I wouldn’t run NixOS in a container. With native nix containers I’m pretty sure they share the store. For docker I’d use images built with nix (doesn’t run nix itself) or pull from docker hub.
OS: NixOS (high learning curve but it’s been worth it). Nix (the config language) is a functional programming language, so it can be difficult to grok. Documentation is shit as it’s evolved while maintaining backwards compatibility. If you use the new stuff (Nix Flakes) you have to figure out what’s old and likely not applicable (channels or w/e).
BYOD: Just using LVM. All volumes are mirrored across several drives of different sizes. Some HDD volumes have an SSD cache layer on top (e.g., monero node). Some are just on an SSD (e.g., main system). No drive failures yet so can’t speak to how complex restoring is. All managed through NixOS with https://github.com/nix-community/disko.
I run stuff on a mix of OCI containers (podman or docker, default is podman which is what I use) and native NixOS containers which use systemd-nspawn.
The OS itself I don’t back up outside of mirroring. I run an immutable OS (every reboot is like a fresh install). I can redeploy from git so no need to back up. I have some persistent BTRFS volumes mounted where logs, caches, and state go. I don’t back those up, but I swap the volume every boot and keep the last 30 days of volumes or a minimum of at least 10 for debugging.
I just use rclone for backups with some bash scripts. Devices back up to home lab which backs up to cloud (encrypted with my keys) all using rclone (RoundSync for phone).
Runs Arrs, Jellyfin, Monero node, Tor entry node, wireguard VPN (to get into network from remote), I2P, Mullvad VPN (default), Proton VPN (torrents with port forwarding use this), DNS (forced over VPN using DoT), PiHole in front of that, three of my WiFi vlans route through either Mullvad, I2P, or Tor. I’ll use TailsOS for anything sensitive. WiFi is just to get to I2P or Onion sites where I’m not worried about my device possibly leaking identity.
It’s pretty low level. Everything is configured in NixOS. No GUIs. If it’s not configured in nix it’s wiped next reboot since the OS is immutable. All tracked in git including secrets using SOPS. Every device has its own master key set up on first install. I have a personal master key should I need to reinstall which is tracked outside of git in a password manager.
Took a solid month to get the initial setup done while learning NixOS. I had a very specific setup of LVM > LUKS encryption /w Secure Boot and Hardware Key > BTRFS. Overkill on security but I geek out on that stuff. Been stable but still tinkering with it a year later.
It was really good. Seeing Logan and Loki (series) would help follow the plot some if you haven’t seen either but I didn’t feel it was hard requirement. There are throwbacks to past Fox superhero movies, but they didn’t add critical plot points.
Lots of 4th wall breaking including ripping into Disney, Fox, and the post Endgame downward spiral of MCU.
Immutable Nixos. My entire server deployment from partitioning to config is stored in git on all my machines.
Every time I boot all runtime changes are “wiped”, which is really just BTRFS subvolume swapping.
Persistence is possible, but I’m forced to deal with it otherwise it will get wiped on boot.
I use LVM for mirrored volumes for local redundancy.
My persisted volumes are backed up automatically to B2 Backblaze using rclone. I don’t back up everything. Stuff I can download again is skipped, for example. I don’t have anything currently that requires putting a process in “maint mode” like a database getting corrupt if I back up while it’s being written to. When I did, I’d either script gracefully shutting down the process or use any export functionality if the process supported it.
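The boot-time subvolume swap and the “last 30 days, but never fewer than 10” retention rule from the comments above, as an added example that is not the poster’s own script. The layout is an assumption (the btrfs top level mounted at a path with subvolumes root, root-blank and old_roots/root-<stamp>), as is the timestamp naming; the plan is printed as a dry run unless run_plan is told otherwise, so it can be inspected on any machine.

```python
# Added example, not the original poster's script: the boot-time root-subvolume swap
# plus the "keep the last 30 days, but never fewer than 10" retention rule.
# Assumed layout (not from the post): the btrfs top level is mounted at MOUNT with
# subvolumes MOUNT/root (live root), MOUNT/root-blank (pristine empty snapshot) and
# MOUNT/old_roots/root-<stamp> for retired roots.  Meant to run from the initrd,
# before the real root is mounted.
from datetime import datetime, timedelta
import re
import subprocess

STAMP_FMT = "%Y-%m-%dT%H-%M-%S"
STAMP_RE = re.compile(r"^root-(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})$")


def parse_stamp(name: str):
    """Timestamp of a retired root, or None for anything that is not one."""
    m = STAMP_RE.match(name)
    return datetime.strptime(m.group(1), STAMP_FMT) if m else None


def select_for_deletion(names, now: datetime, keep_days: int = 30, keep_min: int = 10) -> list:
    """Retired roots to delete: older than keep_days AND not among the keep_min newest.
    The second condition is what keeps debugging material around after a long uptime
    or a burst of reboots."""
    stamped = []
    for name in names:
        stamp = parse_stamp(name)
        if stamp is not None:
            stamped.append((stamp, name))
    stamped.sort(reverse=True)                      # newest first
    cutoff = now - timedelta(days=keep_days)
    return [name for i, (stamp, name) in enumerate(stamped) if i >= keep_min and stamp < cutoff]


def rotation_plan(mount: str, existing_old_roots, now: datetime) -> list:
    """Commands for one boot: retire the current root, start from the blank one, prune."""
    retired = f"{mount}/old_roots/root-{now.strftime(STAMP_FMT)}"
    plan = [
        ["mv", f"{mount}/root", retired],           # a subvolume can simply be renamed
        ["btrfs", "subvolume", "snapshot", f"{mount}/root-blank", f"{mount}/root"],
    ]
    for name in select_for_deletion(existing_old_roots, now):
        # Nested subvolumes under a retired root would need deleting first; none assumed here.
        plan.append(["btrfs", "subvolume", "delete", f"{mount}/old_roots/{name}"])
    return plan


def run_plan(plan, dry_run: bool = True) -> None:
    """Print the plan; only execute it when explicitly asked (needs root and btrfs-progs)."""
    for argv in plan:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    import os
    mount = "/btrfs"
    old = os.listdir(f"{mount}/old_roots") if os.path.isdir(f"{mount}/old_roots") else []
    run_plan(rotation_plan(mount, old, datetime.now()), dry_run=True)
```

Anything written into the live root after boot lands in the renamed subvolume on the next boot, which is exactly what makes the retired copies useful for debugging and what makes forgotten state show up as “lost”: if it matters, it belongs on one of the persisted volumes.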
Oh nice! I’ll have to dig into that. Wonder if it’s an implementation issue across vendors. I was always under the impression that DHCPv6 was the common convention if not static.
Ok. So a device didn’t get a DHCP address? No problem… It creates its own IP address and starts talking and tries to get out on the internet on its own…
It’s not that different from a conceptual point of view. Your router is still the gatekeeper.
Home router to ISP will usually use DHCPv6 to get a prefix. Sizes vary by ISP but it’s usually like a /64. This is done with Prefix Delegation.
Client to Home Router will use either SLAAC, DHCPv6, or both.
SLAAC uses ICMPv6 where the client asks for the prefix (Router Solicitation) and the router advertises the prefix (Router Advertisement) and the client picks an address in it. There is some duplication protection for clients picking the same IP, but it’s nothing you have to configure. Conceptually it’s not that different from DHCP Request/Offer. The clients cannot just get to the internet on their own.
SLAAC doesn’t support sending stuff like DNS servers. So DHCPv6 may still be used to get that information, but not an assigned IP.
Just DHCPv6 can also be used, but SLAAC has the feature of being stateless. No leases or anything.
The only other nuance worth calling out is interfaces will pick a link local address so they can talk to the devices they’re directly connected to over layer 3 instead of just layer 2. This is no different than configuring 169.254.1.10/31 on one side and 169.254.1.11/31 on the other. These are not routed, it’s just for two connected devices to send packets to each other. This with Neighbor Discovery fills the role of ARP.
There is a whole bunch more to IPv6, but for a typical home network these analogies pretty much cover what you’d use.
I haven’t tested in Windows, but this is my setup Linux to Linux using rclone which the docs say works with Windows.
Server
Client
I use this setup for my local files and a similar setup to my Backblaze B2 off site backups.
The VFS implementation has been pretty good. You can also manually sync. Their bisync I don’t fully trust though.
I can access everything through android using https://github.com/newhinton/Round-Sync. Not great for photos though as thumbnails weren’t loading without pulling the whole file last I tested a year ago.
I’m coming from a Haskell/Scala background. This job just pays more. TS has been “good enough” for types. I don’t think I could be as effective without them at this point.
I don’t see it dying from my perspective. It’s only been getting better and better. The only thing I could see displacing it in my org is maybe Rust due to WASM providing a transition path.
We use TS on the back end to leverage our teams existing skill set and libraries we’ve built up.
I know it’s a meme to use “the next best thing” in the ecosystem, but we’ve been really happy with the newish Effect library + Bun runtime. Effect is like a merger of the older fp-ts/io-ts libraries (same author works on both) with Zio from the Scala ecosystem. It vastly simplifies the former and the new stuff with dependency injection and defect management is refreshing. With the Bun runtime, we see a 15x faster startup time (great for dev). It’s halved the RAM requirements in prod. We don’t even need to transpile… We still do for prod to tree-shake dev-only code to ensure it’s not available in prod, but deploying to dev is FAST.
One method depends on your storage provider. Rsync may have incremental snapshots, but I haven’t looked because my storage provider has it.
Sometimes a separate tool like rsnapshot (but probably not rsnapshot itself as I don’t think its hard links interact well with rsync) might be used to manage snapshots locally that are then rsynced.
On to storage providers or back ends. I use B2 Backblaze configured to never delete. When a file changes it uploads the new version and renames the old version with a timestamp and hides it. Rsync has tools to recover the old file versions or delete any history. Again, it only uploads the changed files so it’s not full snapshots.
Yes. You compose a crypted vault over your storage vault. I pay about $1/mo for B2 Backblaze. Around 150G last I checked.
Important stuff (about 150G) is synced to all my machines and a b2 Backblaze bucket.
I have a rented seed box for those low seeder torrents.
The stuff I can download again is only on a mirrored lvm pool with an lvmcache. I don’t have any redundancy for my monerod data which is on an nvme.
I’m moving towards an immutable OS with 30 days of snapshots. While not the main reason, it does push one to practicing better sync habits.
I believe you will see OOM errors in journalctl. Also considered a systemd service or something to restart the process?
Glad you figured it out though!
I use EteSync to sync my contacts. It can do calendars also and has a self-hosted option. Personally I just use Proton for my calendar at the moment.
I haven’t tested any desktop syncing with EteSync, but maybe it will work for you.
I use DavMail to proxy an Exchange account so I don’t have to install Outlook on my phone.
I ended up just building a box after looking for the perfect NAS and finding it didn’t exist. The software is usually just crap or the hardware is underwhelming. Got a Node 804 case to slap in plenty of HDD space. Running NixOS so I’m in control of the software. In retrospect I wish I had gotten a rackmount type case. Tossed in an Arc GPU for better transcoding shortly after the initial setup.