• 0 Posts
  • 5 Comments
Joined 3 years ago
Cake day: June 18th, 2023

  • Let’s encrypt doesn’t have to be accessible from the web, it accesses the web itself. It’s a subtle difference I guess, but you don’t need port forwarding or anything. Of course if your jellyfin/immich service is completely blocked from going out on the internet then it still won’t work.

    as far as I know, there is no way to put a valid certificate like let’s encrypt for a service that is not accessible from the net

    I don’t think that’s true. But Let’s encrypt does need to verify the domain name. If it’s just a domain you made up in your LAN that is an issue yes. But I have no experience with that though.

    You could use self-signed certificates, they are free, but you would need to add a custom trusted CA to all the user devices manually. I’ve never done this myself so no clue how troublesome this really is.

    What I do is have a reverse proxy that requests a wildcard certificate (e.g. ‘*.example.com’) with Let’s encrypt. And then route all my services through the reverse proxy with subdomains. You can get free domains with duckdns.org or others.
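The setup described in that comment, written out as a NixOS configuration fragment (an added example, not the commenter's own config): one wildcard certificate obtained through the DNS-01 challenge, so nothing inbound has to be reachable, and nginx as the reverse proxy terminating TLS for each service on its own subdomain. Assumed values: the DuckDNS domain `myhome.duckdns.org`, Jellyfin on `127.0.0.1:8096`, Immich on `127.0.0.1:2283`, a DuckDNS token stored in `/run/secrets/duckdns.env`, and the contact address `admin@example.com`.

```nix
# Added example (not from the comment author). Assumptions: DuckDNS domain
# "myhome.duckdns.org", Jellyfin on 127.0.0.1:8096, Immich on 127.0.0.1:2283,
# and a file /run/secrets/duckdns.env containing a line DUCKDNS_TOKEN=<token>.
{ config, ... }:
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.com";   # assumption: contact address for expiry notices

    # One wildcard certificate covers every *.myhome.duckdns.org subdomain.
    # DuckDNS only keeps a single TXT record, so request only the wildcard name.
    certs."myhome.duckdns.org" = {
      domain = "*.myhome.duckdns.org";
      dnsProvider = "duckdns";              # DNS-01: the ACME client talks outbound only
      credentialsFile = "/run/secrets/duckdns.env";
      group = "nginx";                      # let the proxy read the private key
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Each service gets a subdomain; all of them reuse the same wildcard cert.
    virtualHosts."jellyfin.myhome.duckdns.org" = {
      useACMEHost = "myhome.duckdns.org";
      forceSSL = true;
      locations."/".proxyPass = "http://127.0.0.1:8096";
    };
    virtualHosts."immich.myhome.duckdns.org" = {
      useACMEHost = "myhome.duckdns.org";
      forceSSL = true;
      locations."/".proxyPass = "http://127.0.0.1:2283";
    };
  };

  # Only the proxy is exposed; the backends stay bound to loopback.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

The credentials file is kept outside the Nix store on purpose (anything in a `.nix` file ends up world-readable in `/nix/store`), and the backends listen on loopback so the only path to them is through the proxy that holds the certificate. If the LAN itself is the only intended client, ports 80 and 443 can be closed on the WAN side; the DNS-01 challenge still works because the ACME client never needs to be reached from the outside.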

  • I have to be honest and say it was a journey. Nix in itself isn’t really difficult I find. But everything together and finding the right documentation and figuring out how NixOS comes together can be a bit daunting.

    But a simple straightforward config is pretty doable. My advice is to start small and build up. You can reuse your old dotfiles and include them in the configuration directly, so you don’t have to convert everything to nix (right away). Also don’t scare away from using flakes, they are the way to go in my opinion.

    You can define multiple hosts/systems in one configuration with each their own nixosSystem call. So you can define hardware/fs/network etc per system.

    Also I’d like to add that the vimjoyer videos on nix helped me with understanding some of the concepts, they are usually short and straight to the point.
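The multi-host flake the comment describes, as an added example that is not the commenter's own configuration: one `flake.nix` with a separate `nixosSystem` call per host, a shared module for everything common, and per-host files for hardware, filesystems and networking. It also shows the "reuse your old dotfiles" point by shipping an existing `vimrc` unchanged. Assumed names: hosts `laptop` and `nas`, files under `./hosts/<name>/`, a shared `./common.nix`, and a dotfile at `./dotfiles/vimrc`.

```nix
# Added example (not from the comment author). Assumptions: two hosts named
# "laptop" and "nas", per-host files under ./hosts/<name>/, a shared ./common.nix,
# and an existing ./dotfiles/vimrc that is reused without converting it to Nix.
{
  description = "Multi-host NixOS configuration";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

  outputs = { self, nixpkgs, ... }:
    let
      # One nixosSystem call per host; each host gets the shared module plus
      # its own hardware / filesystem / network files.
      mkHost = name: nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./common.nix                                     # users, packages, sshd, ...
          (./hosts + "/${name}/hardware-configuration.nix") # from nixos-generate-config
          (./hosts + "/${name}/configuration.nix")         # per-host fs / network
          { networking.hostName = name; }

          # Old dotfiles can be dropped in as-is instead of being rewritten in Nix.
          { environment.etc."vimrc".source = ./dotfiles/vimrc; }
        ];
      };
    in {
      nixosConfigurations = {
        laptop = mkHost "laptop";
        nas = mkHost "nas";
      };
    };
}
```

Each host is then built with `sudo nixos-rebuild switch --flake .#laptop` (or `.#nas`) from the directory holding the flake; adding a third machine is one more `mkHost` line plus its own `hosts/<name>/` directory, while anything security-relevant that should be identical everywhere (SSH hardening, firewall defaults, user accounts) lives once in `common.nix`.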