One thing that makes a project good is knowing what it does, I’ve seen quite a few projects where they talk about all the features and technology and how to configure it but not a word about what it actually does, what problems it solves and so on.

I won’t self host your program if you don’t even tell me what it does, don’t make me search and clue together large parts of the documentation just to find if I want it. A simple explanation is enough but somehow I’ve seen quite a few programs that don’t have it.

SystemG ^{sadly doesn’t exist}

Yeah it works great and is very secure but every time I create a new service it’s a lot of copy paste boilerplate, maybe I’ll put most of that into a nix function at some point but until then here’s an example n8n config, as loaded from the main nixos file.

I wrote this last night for testing purposes and just added comments, the config works but n8n uses sqlite and probably needs some other stuff that I hadn’t had a chance to use yet so keep that in mind.
Podman support in home-manager is also really new and doesn’t support pods (multiple containers, one loopback) and some other stuff yet, most of it can be compensated with the extraarguments but before this existed I used pure file definitions to write quadlet/systemd configs which was even more boilerplate but also mostly copypasta.

{ config, pkgs, lib, ... }:

{
    users.users.n8n = {
        # calculate sub{u,g}id using uid
        subUidRanges = [{
            startUid = 100000+65536*( config.users.users.n8n.uid - 999);
            count = 65536;
        }];
        subGidRanges = [{
            startGid = 100000+65536*( config.users.users.n8n.uid - 999);
            count = 65536;
        }];
        isNormalUser = true;
        linger = true; # start user services on system start, fist time start after `nixos-switch` still has to be done manually for some reason though
        openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; # allows the ssh keys that can login as root to login as this user too
    };
    home-manager.users.n8n = { pkgs, ... }:
    let
        dir = config.users.users.n8n.home;
        data-dir = "${dir}/${config.users.users.n8n.name}-data"; # defines the path "/home/n8n/n8n-data" using evaluated home paths, could probably remove a lot of redundant n8n definitions....
    in
    {
        home.stateVersion = "24.11";
        systemd.user.tmpfiles.rules =
        let
            folders = [
                "${data-dir}"
                #"${data-dir}/data-volume-name-one" 
            ];
            formated_folders = map (folder: "d ${folder} - - - -") folders; # a function that takes a path string and formats it for systemd tmpfiles such that they get created as folders
        in formated_folders;

        services.podman = {
            enable = true;
            containers = {
                n8n-app = { # define a container, service name is "podman-n8n-app.service" in case you need to make multiple containers depend and run after each other
                    image = "docker.n8n.io/n8nio/n8n";
                    ports = [
                        "${config.local.users.users.n8n.listenIp}:${toString config.local.users.users.n8n.listenPort}:5678" # I'm using a self defined option to keep track of all ports and uids in a seperate file, these values just map to "127.0.0.1:30023:5678", a caddy does a reverse proxy there with the same option as the port.
                    ];
                    volumes = [
                        "${data-dir}:/home/node/.n8n" # the folder we created above
                    ];
                    userNS = "keep-id:uid=1000,gid=1000"; # n8n stores files as non-root inside the container so they end up as some high uid outside and the user which runs these containers can't read it because of that. This maps the user 1000 inside the container to the uid of the user that's running podman. Takes a lot of time to generate the podman image for a first run though so make sure systemd doesn't time out
                    environment = {
                        # MYHORSE = "amazing";
                    };
                    # there's also an environmentfile option for secret management, which works with sops if you set the owner of the secret/secret template
                    extraPodmanArgs = [
                        "--pull=newer" # always pull newer images when starting, I could make this declaritive but I haven't found a good way to automagically update the container hashes in my nix config at the push of a button.
                    ];
                 # few more options exist that I didn't need here
                };
            };
        };
    };
}

DNS turns a domain name into an IP which can then be used to send data through your router, a dns server is the server which is used to do this conversion (www.google.com turns into an IP 1.2.3.4 (that isn’t the actual IP of google)).

There are many dns servers, normally your local devices use your router as the dns server, which forwards it to your ISP which they further transfer it over global dns servers.

Alternatively you could use Google’s DNS server (8.8.8.8) or cloudflares DNS server (1.1.1.1) but if the one on your router works then just use it.

nameserver is the same as DNS server

Tldr: set the router IP as your dns server, you only need this one.

…that’s the valid response, does ping www.google.com work and curl www.google.com return a bunch of text?

If ping www.google.com doesn’t work then your system isn’t using the correct dns server, though your local dns server works (as seen by the prior dig).

If curl works then…you have a working internet connection, maybe check the browser settings for proxy or something.

That seems correct, don’t change anything in there, try the command dig @<routerip> www.google.com or nslookup www.google.com <router ip> if the dig command is not found.

I use podman using home-manager configs, I could run the services natively but currently I have a user for each service that runs the podman containers. This way each service is securely isolated from each other and the rest of the system. Maybe if/when NixOS supports good selinux rules I’ll switch back to running it native.

Hey now, you can also spend 20 pages of documentation and 10 pages of blogs/forums/github¹ and you can implement a whole nix module such that you only need to write a further 3 lines to activate the service.

1 Your brain can have a little source code, as a threat.

No one can ping 4.4.4.4, it doesn’t answer pings.

This seems like a dns issue, check cat /etc/resolv.conf and try setting the dns server in Networkmanager to “8.8.8.8”.

Gluster is EOL is my biggest takeaway.

NVK seems to be moving way faster than I expected.

The truth hurts.

You create a (self-signed) CA certificate, put its certificate as the client ca in your web server.

Then you can create certificates using this CA that you distribute to your devices, only devices that have a certificate signed by your CA are allowed to connect.

see systemd.unit(5), systemd.service(5), systemd.socket(5), systemd.device(5), systemd.mount(5), systemd.automount(5), systemd.swap(5), systemd.target(5), systemd.path(5), systemd.timer(5), systemd.slice(5), systemd.scope(5) systemd.link(5), systemd.netdev(5), systemd.network(5) and honorable mentions podman-systemd.unit .container, .volume, .network(…again), .kube, .image, .build and .pod

Well, on linux I’d use systemd’s resolved which would listen on localhost:53 (it would also point resolv.conf there) and then set resolved’s uplink server to your custom port. I don’t have the exact config in mind but it seems to support custom uplink ports(“expects IPv4 or IPv6 address specifications of DNS servers […] optionally take a port number separated with “:”[…]”)

Edit: found this: https://en.opensuse.org/Network_Management_With_Systemd

Just set the DNS server to localhost:1053 for the nas?

Use -B instead.

Sets Advanced Power Management feature. Possible values are between 1 and 255, low values mean more aggressive power management and higher values mean better performance. Values from 1 to 127 permit spin-down, whereas values from 128 to 254 do not. A value of 255 completely disables the feature.)

Define “sandboxed”

Application can only access a limited part of the system? = use flatpak or build a container/VM image using the nix pkgs.

Application can be uninstalled completely and has separate libraries? I prefer nix.

Especially since they don’t talk about how they secure the local data

They don’t because they don’t

All the data you import is indexed in a SQLite database and stored on disk organized by date, without obfuscation or anything complicated.

Probably because this is still in early alpha and “the schema is still changing”.