Parker Jones Dev Blog - homelabDev Blog of Parker JonesZola2026-06-26T00:00:00+00:00https://parkerjones.dev/tags/homelab/atom.xmlNix Fleet, Part 4: Installing a Helios64 NAS from Bare Metal with nixos-anywhere and disko2026-06-26T00:00:00+00:002026-06-26T00:00:00+00:00
Unknown
https://parkerjones.dev/posts/nix-fleet-helios64-disko/<blockquote>
<p><strong>Nix Fleet, part 4.</strong> The series so far: <a href="/posts/nix-fleet-one-flake/">the one-flake architecture</a>, <a href="/posts/nix-fleet-remote-builders/">remote builders</a>, and <a href="/posts/nix-fleet-agenix-secrets/">fleet-wide secrets</a>. This part is where it all gets pointed at bare metal — a 5-bay ARM NAS, installed declaratively and reproducibly.</p>
</blockquote>
<p>The <a rel="external" href="https://wiki.kobol.io/helios64/intro/">Kobol Helios64</a> is a 5-bay NAS built on a Rockchip RK3399 (<code>aarch64</code>, 4–8 GB RAM). It's a lovely, slightly cantankerous little ARM board, and it's the storage backbone of my homelab. The goal for this host was the same as every other machine in the fleet: <strong>I should be able to reinstall it from the flake and get an identical result, disks and all.</strong> No clicking through an installer, no hand-partitioning, no "what did I configure last time."</p>
<p>That's what <code>disko</code> and <code>nixos-anywhere</code> make possible.</p>
<h2 id="the-two-tools">The two tools</h2>
<ul>
<li><strong><a rel="external" href="https://github.com/nix-community/disko">disko</a></strong> turns disk layout into declarative Nix. Instead of running <code>fdisk</code> and <code>mkfs</code> by hand, you <em>describe</em> the partitions, filesystems, and pools you want, and disko makes the disks match. Partitioning becomes config you can review, version, and re-apply.</li>
<li><strong><a rel="external" href="https://github.com/numtide/nixos-anywhere">nixos-anywhere</a></strong> installs a NixOS flake onto a remote machine over SSH — it can kexec into an installer, run disko to lay out the disks, and install the full system, all from my workstation.</li>
</ul>
<p>Together they collapse "install a NAS" into one command:</p>
<pre><code data-lang="bash">nix run github:numtide/nixos-anywhere -- --flake .#helios64 <ssh-host>
</code></pre>
<p>That partitions the drives per the disko spec, installs the <code>helios64</code> host config from my flake, and reboots into a running NixOS. The disk layout is no longer a one-time manual act I'd have to remember — it's part of the host definition.</p>
<h2 id="the-arm-specific-bits">The ARM-specific bits</h2>
<p>An ARM SBC NAS has a few wrinkles a generic x86 box doesn't, and the host config names them explicitly:</p>
<pre><code data-lang="nix"># hosts/nixos/helios64.nix
{
networking.hostName = "helios64";
# The RK3399 needs its device tree to boot correctly
hardware.deviceTree.enable = true;
hardware.deviceTree.name = "rockchip/rk3399-kobol-helios64.dtb";
services.openssh.enable = true;
system.stateVersion = "24.11";
}
</code></pre>
<p>The <strong>device tree</strong> is the load-bearing line — without <code>rk3399-kobol-helios64.dtb</code>, the board doesn't come up right. The boot chain itself is U-Boot/Tow-Boot on SD/eMMC with the NixOS root on SATA. And because this is <code>aarch64-linux</code>, the system image builds on my x86 box via the emulation I set up in <a href="/posts/nix-fleet-remote-builders/">Part 2</a> — I never need a native ARM build host just for the NAS.</p>
<blockquote>
<p>A note on honesty: the committed host config is intentionally minimal right now (it even evaluates as a container in CI to bypass boot/filesystem asserts). Storage and services are phased work. So treat this post as the <em>design and install method</em> I'm executing against, not a claim that every service below is already live. The series documents the build as it happens.</p>
</blockquote>
<h2 id="storage-zfs-and-why">Storage: ZFS, and why</h2>
<p>The storage decision got its own <a rel="external" href="https://adr.github.io/">ADR</a> (I keep architecture decision records in the repo — <code>docs/adr/0001-choose-zfs-for-helios64.md</code>, accepted 2025-08-27). The short version:</p>
<p><strong>Decision: ZFS.</strong> End-to-end checksums, snapshots, <code>send</code>/<code>receive</code>, and self-healing are worth a lot for data I actually care about, and NixOS's ZFS integration is mature. The cost is memory pressure on a low-RAM ARM board and tighter kernel/module version coupling. The alternative considered — <code>mdraid</code> + <code>ext4</code>/<code>btrfs</code> — is simpler and lighter but has weaker integrity guarantees. For a NAS, integrity wins.</p>
<p>The pool config reflects the board's constraints:</p>
<pre><code data-lang="nix">boot.supportedFilesystems = [ "zfs" ];
services.zfs = {
autoScrub.enable = true;
trim.enable = true;
};
# On a 4 GB board, cap the ARC so ZFS doesn't starve everything else:
# boot.kernelParams = [ "zfs.zfs_arc_max=1073741824" ]; # 1 GiB
</code></pre>
<p>Sensible defaults for the pool (<code>tank</code>): <code>ashift=12</code>, <code>compression=zstd</code>, <code>autotrim=on</code>, <code>atime=off</code> for bulk data, and a topology chosen by disk count — mirror for 2 disks, RAIDZ1 for 3–5, RAIDZ2 when I want to survive two failures. Datasets split by purpose: <code>tank/data/shares</code> for SMB, <code>tank/data/media</code> for streaming, <code>tank/backups</code> for restic targets (with credentials supplied by <a href="/posts/nix-fleet-agenix-secrets/">agenix</a> — that's the payoff of Part 3).</p>
<h2 id="the-gotchas-this-board-taught-me">The gotchas this board taught me</h2>
<p>Real hardware has opinions, and the runbook records them so I don't relearn them at 2am:</p>
<ul>
<li><strong>The 2.5GbE port can be flaky</strong> on some Helios64 units. The mitigation is unglamorous: prefer the 1GbE port, lock the link speed at the switch, and capture <code>dmesg</code> for 24h before trusting it. There's an ADR for that decision too (<code>0002-networking-1g-vs-2_5g.md</code>).</li>
<li><strong>ZFS ARC will eat a 4 GB board alive</strong> if you let it. Cap <code>zfs_arc_max</code> to 1–2 GiB and re-evaluate after watching real workload for a week.</li>
<li><strong>RAIDZ1 + power events is a risk.</strong> A NAS without tested backups isn't a backup. The drive-replacement playbook (<code>zpool offline</code> → swap → <code>zpool replace</code> → watch the resilver) lives in the design doc, and restore tests are scheduled quarterly.</li>
</ul>
<h2 id="why-the-ceremony-is-the-point">Why the ceremony is the point</h2>
<p>It would be faster, <em>once</em>, to flash an SD card and click through a setup. But "once" is the trap. The value of the disko + nixos-anywhere + flake approach is the <strong>second</strong> time — when a disk dies, or I want to rebuild on fresh drives, or I'm reproducing the NAS to test an upgrade. Then the disk layout, the ZFS topology, the device tree, the services, and the secrets are all <em>declared</em>, and the rebuild is a command, not an archaeology project.</p>
<p>That's the whole thesis of this series, taken to its hardest case. <a href="/posts/nix-fleet-one-flake/">Part 1</a> claimed one flake could configure every machine — laptop, server, and NAS — reproducibly. The NAS is the machine where reproducibility is least convenient and most valuable, and it's the one that proves the model. Same flake, same discipline, all the way down to the spinning rust.</p>
<p><em>The host config and ADRs referenced here live in <a rel="external" href="https://github.com/parallaxisjones/dotfiles"><code>parallaxisjones/dotfiles</code></a>.</em></p>
<p><em>— Parker Jones, <a rel="external" href="https://parkerjones.dev">parkerjones.dev</a></em></p>