One thing that makes a project good is knowing what it does, I’ve seen quite a few projects where they talk about all the features and technology and how to configure it but not a word about what it actually does, what problems it solves and so on.

I won’t self host your program if you don’t even tell me what it does, don’t make me search and clue together large parts of the documentation just to find if I want it. A simple explanation is enough but somehow I’ve seen quite a few programs that don’t have it.

The one I forgot, obviously.

Yeah it works great and is very secure but every time I create a new service it’s a lot of copy paste boilerplate, maybe I’ll put most of that into a nix function at some point but until then here’s an example n8n config, as loaded from the main nixos file.

I wrote this last night for testing purposes and just added comments, the config works but n8n uses sqlite and probably needs some other stuff that I hadn’t had a chance to use yet so keep that in mind.
Podman support in home-manager is also really new and doesn’t support pods (multiple containers, one loopback) and some other stuff yet, most of it can be compensated with the extraarguments but before this existed I used pure file definitions to write quadlet/systemd configs which was even more boilerplate but also mostly copypasta.

{ config, pkgs, lib, ... }:

{
    users.users.n8n = {
        # calculate sub{u,g}id using uid
        subUidRanges = [{
            startUid = 100000+65536*( config.users.users.n8n.uid - 999);
            count = 65536;
        }];
        subGidRanges = [{
            startGid = 100000+65536*( config.users.users.n8n.uid - 999);
            count = 65536;
        }];
        isNormalUser = true;
        linger = true; # start user services on system start, fist time start after `nixos-switch` still has to be done manually for some reason though
        openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; # allows the ssh keys that can login as root to login as this user too
    };
    home-manager.users.n8n = { pkgs, ... }:
    let
        dir = config.users.users.n8n.home;
        data-dir = "${dir}/${config.users.users.n8n.name}-data"; # defines the path "/home/n8n/n8n-data" using evaluated home paths, could probably remove a lot of redundant n8n definitions....
    in
    {
        home.stateVersion = "24.11";
        systemd.user.tmpfiles.rules =
        let
            folders = [
                "${data-dir}"
                #"${data-dir}/data-volume-name-one" 
            ];
            formated_folders = map (folder: "d ${folder} - - - -") folders; # a function that takes a path string and formats it for systemd tmpfiles such that they get created as folders
        in formated_folders;

        services.podman = {
            enable = true;
            containers = {
                n8n-app = { # define a container, service name is "podman-n8n-app.service" in case you need to make multiple containers depend and run after each other
                    image = "docker.n8n.io/n8nio/n8n";
                    ports = [
                        "${config.local.users.users.n8n.listenIp}:${toString config.local.users.users.n8n.listenPort}:5678" # I'm using a self defined option to keep track of all ports and uids in a seperate file, these values just map to "127.0.0.1:30023:5678", a caddy does a reverse proxy there with the same option as the port.
                    ];
                    volumes = [
                        "${data-dir}:/home/node/.n8n" # the folder we created above
                    ];
                    userNS = "keep-id:uid=1000,gid=1000"; # n8n stores files as non-root inside the container so they end up as some high uid outside and the user which runs these containers can't read it because of that. This maps the user 1000 inside the container to the uid of the user that's running podman. Takes a lot of time to generate the podman image for a first run though so make sure systemd doesn't time out
                    environment = {
                        # MYHORSE = "amazing";
                    };
                    # there's also an environmentfile option for secret management, which works with sops if you set the owner of the secret/secret template
                    extraPodmanArgs = [
                        "--pull=newer" # always pull newer images when starting, I could make this declaritive but I haven't found a good way to automagically update the container hashes in my nix config at the push of a button.
                    ];
                 # few more options exist that I didn't need here
                };
            };
        };
    };
}

I use podman using home-manager configs, I could run the services natively but currently I have a user for each service that runs the podman containers. This way each service is securely isolated from each other and the rest of the system. Maybe if/when NixOS supports good selinux rules I’ll switch back to running it native.

Hey now, you can also spend 20 pages of documentation and 10 pages of blogs/forums/github¹ and you can implement a whole nix module such that you only need to write a further 3 lines to activate the service.

1 Your brain can have a little source code, as a threat.

Did he stutter?

Especially since they don’t talk about how they secure the local data

They don’t because they don’t

All the data you import is indexed in a SQLite database and stored on disk organized by date, without obfuscation or anything complicated.

Probably because this is still in early alpha and “the schema is still changing”.

How does mergefs compare to btrfs and bcachefs in using multiple partitions?

Drives connected to usb have an unstable connection in my experience, this is very annoying and gets worse with hubs.

RAIDs reduce the time a system is offline and reduce data loss, if a drive fails and you can afford to wait for the new disk and the backup to restore, and have regular backups that ensure no important data gets lost (though remember the data added between backups may be lost) then you don’t need a RAID.

I don’t use RAIDs cause if my disk fails then I can stomach the 2-4 days it takes to buy a new one and restore the backup

Very important: use S.M.A.R.T and a filesystem with checksums to make sure you’re not backing up corrupted data and know to get a new one

For encryption at rest you may want to look at clevis and tang, though you need a server in your home network for this to work. The client (with clevis) then decrypts the disk at boot if it can reach the server (tang). The server can’t decrypt the data without the client secret and the client can’t decrypt it without the server public key.

Don’t know what your server could be though, maybe a router with custom firmware?

You should also look into cloud storage/rclone, that way you can automate your backups more and reduce the need for manual intervention.

I use rclone and restic to automatically backup my servers daily which takes a few seconds most of the time due to them being incremental backups.

It doesn’t though? IANAL but as far as I can tell you can fork, modify and redistribute it as long as you provide the source code to your users.

It’s AGPL-3.0 so… https://www.tldrlegal.com/license/gnu-affero-general-public-license-v3-agpl-3-0

Brb, gotta defederate myself.