
I can touch on it more. Docker and compose files are great for getting things going, contained, and keeping everything declarative

But I found the more services I used with Docker, the more time it took to update. I didn't want to just update to latest, I wanted to update to specific version, for better rollback. That meant manually checking and updating every single service, bringing each file down, and then back up. It's not entirely unmanageable, but it became enough friction I wasn't updating things consistently. And yes, I could have automated some of that, but never got around to it

NixOS, in addition to the things I mention in the post, is just a two-step process to update everything (`nix flake update` and `nixos-rebuild`). That makes updating my OS and every package/service super easy. And provides built-in rollback if it fails. Plus I can configure things like my firewall and other security things in NixOS with the same config I do everything else

Also, Nix packages/services provide a lot of the "containerization" benefits. It's reproducible. It doesn't have dependency problems (see this for more: https://nixos.org/guides/how-nix-works/). And most services use separate users with distinct permissions, giving pretty good security.

It's not that Docker can't do those things. It's that Nix does those things in a way that work really well with how I think
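The workflow described above (a flake pinning nixpkgs, with the firewall and a service declared in the same config), as an added example that is not the commenter's own configuration. The host name `homelab`, the placeholder hostname and the port choices are assumptions; `services.ntfy-sh` is the NixOS module for the ntfy notification server mentioned further down.

```nix
# flake.nix for a constructed host named "homelab" (added example).
{
  # Pin to a release branch. `nix flake update` refreshes the exact revision
  # recorded in flake.lock, so every package and service moves together, and
  # the previous flake.lock (or the previous NixOS generation) is the rollback.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

  outputs = { self, nixpkgs }: {
    nixosConfigurations.homelab = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ({ config, pkgs, ... }: {
          # Host firewall declared next to the services it protects:
          # only SSH and HTTPS are reachable; everything else is dropped.
          networking.firewall = {
            enable = true;
            allowedTCPPorts = [ 22 443 ];
          };

          # ntfy as a native NixOS service; the module runs it under its own
          # unprivileged user rather than as root. Listening on loopback only,
          # so it is reachable solely through the reverse proxy on port 443.
          services.ntfy-sh = {
            enable = true;
            settings = {
              base-url = "https://ntfy.example.internal";  # placeholder hostname
              listen-http = "127.0.0.1:2586";
            };
          };

          system.stateVersion = "24.05";
        })
      ];
    };
  };
}
```

Update with `nix flake update && sudo nixos-rebuild switch --flake .#homelab`; if the new generation misbehaves, `sudo nixos-rebuild switch --rollback` (or selecting the previous generation in the boot menu) restores the last working system and its lock file state.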


Hey, I ruled out a mail server for external, since I've heard many people have issues with other providers (Gmail, Outlook, etc) randomly blocking email. Didn't feel I could rely on it

Having an internal only mail server for notifications is an interesting idea. I've been using ntfy and Matrix to achieve something like that, but not all services support those notification methods. I'll keep that in mind!


Oh thanks for pointing it out! I've updated it so clicking on the diagram opens it up directly


That is a great question I don't actually know the answer to. I need to grab something to track it


I found the Tailscale client experience is quite nice and headscale had built-in OIDC support (so easy auth for my users)

If I started this setup later I might have also used pangolin, which also provides a nice management interface on top of WireGuard https://github.com/fosrl/pangolin


Yes it is, rock on!


Thank you for the work and the kind words! I've had a great experience with LLDAP. Really appreciate it


It is something I considered. Ultimately I didn't want to depend on Cloudflare (or any other provider) for something as core to my setup as my remote access

But it's a totally valid option, just not one that fit with my preferences


I do have to sit down and walk folks through setting up Tailscale, Nextcloud, etc on their devices. So far though, I haven't had any complaints once that is done. Nextcloud just syncs in the background and they can navigate to sites like normal. But my family is probably more tech literate than most, so that helps


Yeah but that means they have to be aware of the need to activate Tailscale on their phones manually every time they want to use your apps.

On PC I agree, you can just leave it running, on mobile though it chews through the battery like it's nothing.


It's entirely because I've used it before. I just wanted something familiar to solve a problem quickly. I also think it looks nice. I'm not too worried about the security implications, since it is behind Tailscale and Authelia. I'm not committed to it, and do want to explore other options in the future

