NixOS Home Server Series - Part 3
In part 3 I will cover setting up services, aka modules or applications. This is where the real fun begins, as we start to build out our system and make it our own.
1 Step services
One of the motivations for moving to Nix was to have a single source of truth for my system. I wanted to be able to see what was installed, and how it was configured, in one place. That way I could keep things lightweight and self-documenting. My goal was that if something broke, my entire system would be reproducible almost instantly.
Little did I know, my user account would be accidentally deleted by a wonky security update at work this week and I would get a chance to experience the pain of the problem this solves so soon. Namely reinstalling an entire development environment manually. No fun.
What I call 1 step services would have been a godsend in this situation. If my system was set up this way I could have just run a single command and my entire system would be back up and running in no time. And not just up and running but fully configured and ready to go as though nothing had happened.
This will also seem deceptively simple, but there are some tradeoffs to be aware of. Here they are upfront.
- Less available documentation
- Not always, but generally slower package updates
Vaultwarden
The first service I will be setting up is Vaultwarden. This is a self-hosted password manager that is a drop-in replacement for Bitwarden. It is a great way to get started with NixOS as it is a simple service to set up and is also a genuine candidate for self-hosting.
Here goes.
# configuration.nix
...
{
  imports = [
    ./hardware-configuration.nix
    ./boot.nix
    ./filesystems.nix
    ./networking.nix
    ./system.nix
    ./users.nix
    ./modules/vaultwarden.nix # new module
  ];
...
# modules/vaultwarden.nix
{ config, lib, pkgs, ... }:
{
  services.vaultwarden = {
    enable = true;
    config = {
      ROCKET_PORT = 8222;
      ROCKET_ADDRESS = "0.0.0.0"; # Listen on all interfaces
      DATA_FOLDER = "/var/lib/vaultwarden";
      WEB_VAULT_ENABLED = true;
    };
  };
}
# rebuild the system
sudo nixos-rebuild switch
And that’s it. You can now access your Vaultwarden instance at http://<your-ip>:8222.
You can also use the Bitwarden app to access your vault, but don’t do that yet, as we need to set up a secure connection first.
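A more conservative variant of the module for the time before the reverse proxy exists, as an added example that is not the author's configuration: it binds Vaultwarden to loopback so the plain-HTTP port is not reachable from the network, and makes the rebuild fail if that port is ever opened in the firewall. The `SIGNUPS_ALLOWED` setting, the `assertions` block and the `vw` binding are additions assumed for this example.

```nix
# modules/vaultwarden.nix (added example, not the author's module)
{ config, lib, pkgs, ... }:
let
  # Hypothetical local name for the final, merged Vaultwarden settings.
  vw = config.services.vaultwarden.config;
in
{
  services.vaultwarden = {
    enable = true;
    config = {
      ROCKET_PORT = 8222;
      # Loopback only. "0.0.0.0" would serve the vault over unencrypted
      # HTTP to every host that can reach this machine.
      ROCKET_ADDRESS = "127.0.0.1";
      DATA_FOLDER = "/var/lib/vaultwarden";
      WEB_VAULT_ENABLED = true;
      # Assumption for this example: registration is closed. Vaultwarden
      # allows sign-ups by default, so leave this line out for the first
      # rebuild, create your account, then add it and rebuild again.
      SIGNUPS_ALLOWED = false;
    };
  };

  # Evaluated at build time: nixos-rebuild stops with the message below
  # instead of activating a configuration that exposes the HTTP port,
  # even if another module overrides the settings above.
  assertions = [
    {
      assertion = vw.ROCKET_ADDRESS == "127.0.0.1";
      message = "vaultwarden: ROCKET_ADDRESS must stay on loopback until TLS is in place";
    }
    {
      assertion = !(builtins.elem vw.ROCKET_PORT config.networking.firewall.allowedTCPPorts);
      message = "vaultwarden: port ${toString vw.ROCKET_PORT} is plain HTTP, do not open it in the firewall";
    }
  ];
}
```

With this variant the vault is reached from another machine through an SSH tunnel such as `ssh -L 8222:127.0.0.1:8222 <user>@<your-ip>` and then http://localhost:8222, which browsers treat as a secure context.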
In Part 4 I will cover setting up a reverse proxy with Caddy and securing your instance locally with auto-renewing SSL over DNS-01 (no more certificate warnings!).
Get out your fancy pants 🩲 for that one.
MAY 11, 2025