Tarow/nix-podman-stacks


Nix Podman Stacks

Collection of opinionated Podman stacks managed by Home Manager.

The goal is to easily deploy various self-hosted projects, including a reverse proxy, dashboard and monitoring setup. Under the hood, the containers run as rootless Podman Quadlets. It works on most Linux distributions, including Ubuntu, Arch, Mint, Fedora and more, and is not limited to NixOS.

The project also contains integrations with Traefik, Homepage, Grafana and more. Some examples include:

  • Enabling a stack will add the respective containers to Traefik and Homepage
  • Enabling CrowdSec or Authelia will automatically configure necessary Traefik plugins and middlewares
  • When stacks support exporting metrics, scrape configs for Prometheus can be automatically set up
  • Similarly, Grafana dashboards for Traefik, Blocky & others can be automatically added
  • and more ...

Disabling any of those options will of course also remove all associated configurations and containers.

While most stacks can be activated by setting a single flag, some stacks require setting mandatory values, especially for secrets. For managing secrets, projects such as sops-nix or agenix can be used, which allow you to store your secrets along with the configuration inside a single Git repository.

📔 Option Documentation

Refer to the documentation for a full list of available options. There is also an Option Search to easily explore existing options.

Most stacks rely on a few centrally defined variables. These include:

| nps option | Description |
| --- | --- |
| hostIP4Address | The IPv4 address of the host. Used, for example, for explicit port bindings. |
| hostUid | The UID of the host user running the Podman stacks. |
| storageBaseDir | Base storage location used for bind mounts. |
| externalStorageBaseDir | Base storage location used for media files, e.g. pictures used by Immich. |

📦 Available Stacks

βš™οΈ Prerequisites

  • Nix Installation
  • Allow non-root processes to bind to ports below 1024, e.g. via the sysctl net.ipv4.ip_unprivileged_port_start=0 or any other mechanism that grants the same capability

🚀 Setup

If you already have an existing flake setup, add this project's flake as an input and include the flake output homeModules.nps in your Home Manager modules.


If you don't use Nix yet, you can use the project's template to get started:

nix flake init --template github:Tarow/nix-podman-stacks

Make sure to go through the flake.nix, stacks.nix & sops.nix files and adapt the options as needed. Also make sure to generate your own age encryption key and encrypt your secrets with it; the key shipped with the template must not be reused.

To apply your configuration, run:

nix run home-manager -- switch --experimental-features "nix-command flakes pipe-operators" -b bak --flake .#myhost

The template includes an example configuration of the following setup:

  • Authelia as an OIDC provider with LLDAP as the user backend
  • Immich & Paperless with OIDC login pre-configured
  • Traefik as a reverse proxy including a Geoblocking middleware. Wildcard certificates will be fetched from Let's Encrypt (DNS Challenge).
  • CrowdSec including a Traefik middleware setup
  • Blocky as DNS proxy
  • Monitoring stack with Alloy, Loki, Grafana & Prometheus. Comes with Grafana dashboards for Traefik & Blocky
  • Podman Socket Access through a read-only proxy
  • Secrets are provisioned by sops-nix

A basic overview of the template's architecture looks like this:

template-overview

🔧 Customize Settings

The Podman stacks are mostly opinionated and configured to work out of the box. Refer to the option documentation or the source code of each module to see which options are exposed at stack level and can be modified. An example is Traefik, which requires a domain to be set. It also ships with preconfigured static and dynamic configurations, but allows you to extend or customize those.

If the exposed options are not enough, you can always refer to the container definition directly by using the nps.stacks.<stackname>.containers.<containername> options.

Refer to the examples to see different use cases of setting and overriding options.
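The following flake wires together the pieces described in the Setup and Customize sections (the flake input, the homeModules.nps output, the central nps variables, sops-nix for secrets and a container-level override). It is an added illustration, not the project's template: the nps.* variables from the table above, the homeModules.nps output and the nps.stacks.<stackname>.containers.<containername> path come from this README, while the nps.stacks.traefik.enable, .domain and .containers.traefik.environment attribute names, the integer type of hostUid and all addresses, paths and secret names are assumptions to be checked against the option search.

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    # this project's flake, exposing homeModules.nps
    nps.url = "github:Tarow/nix-podman-stacks";
  };

  outputs = { nixpkgs, home-manager, sops-nix, nps, ... }: {
    # "myhost" matches the `--flake .#myhost` argument of the switch command
    homeConfigurations."myhost" = home-manager.lib.homeManagerConfiguration {
      pkgs = nixpkgs.legacyPackages.x86_64-linux;
      modules = [
        nps.homeModules.nps
        sops-nix.homeManagerModules.sops
        ({ config, ... }: {
          home.username = "podman";           # assumed unprivileged host user
          home.homeDirectory = "/home/podman";
          home.stateVersion = "24.11";

          # Centrally defined variables listed in the README (sample values).
          nps.hostIP4Address = "192.168.1.10";
          nps.hostUid = 1000;                  # assumed to be an integer option
          nps.storageBaseDir = "${config.home.homeDirectory}/stacks";
          nps.externalStorageBaseDir = "/mnt/media";

          # Secrets stay encrypted in the repo; sops-nix decrypts them with
          # your own age key at activation time (assumed file layout).
          sops.defaultSopsFile = ./secrets.yaml;
          sops.age.keyFile =
            "${config.home.homeDirectory}/.config/sops/age/keys.txt";
          sops.secrets."traefik/dns_api_token" = { };

          # Stack-level options (names assumed; README only states that
          # Traefik needs a domain).
          nps.stacks.traefik = {
            enable = true;
            domain = "example.com";
          };

          # Escape hatch from the README: reach the container definition
          # directly when the exposed options are not enough
          # (the `environment` attribute is assumed).
          nps.stacks.traefik.containers.traefik.environment = {
            TRAEFIK_LOG_LEVEL = "INFO";
          };
        })
      ];
    };
  };
}
```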

💡 Missing a Stack / Option / Integration?

Is your favorite self-hosted app not included yet? Or would you like to see additional options or integrations? I'm always looking to expand the collection! Feel free to open an issue or contribute directly with a pull request.