Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add a11ywatch and related configurations for Podman and Nginx

Browse Source 
- Introduced a new module for a11ywatch with Podman support, creating a bridge network and defining backend and frontend containers.
- Configured Nginx to serve the a11ywatch application with SSL and ACME support.
- Added user and group configurations for a11ywatch.
- Created a systemd service to ensure the Podman network exists on boot.

Implement Firefox Container Controller extension and host

- Added a module for the Firefox Container Controller extension, allowing installation via Nix.
- Created a native messaging host for the extension to communicate with the container controller.
- Included CLI helpers to enqueue commands for showing and hiding containers.

Enable fingerprint authentication in PAM

- Configured fingerprint authentication for login, sudo, and swaylock services.

Setup Raspberry Pi OS image creation script

- Developed a script to create a read-only Raspberry Pi OS Lite image with Snapcast client.
- Included configuration for Wi-Fi, hostname, and Snapcast server.
- Implemented user and group setup for Snapcast client and ensured necessary services are enabled.

Document Raspberry Pi Zero W setup instructions

- Added detailed instructions for configuring Raspberry Pi OS on Zero W, including disabling unused services and setting up Snapcast client.

Create test configuration script for NixOS

- Implemented a script to perform dry-builds for NixOS configurations, allowing for easy validation of host configurations.
This commit is contained in:
Dominik Polakovics Polakovics
2025-05-29 00:10:07 +02:00
parent 8e52274edd
commit 53d73142ae
32 changed files with 1280 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
.roo/rules/rules.md Normal file
View File

@@ -0,0 +1,83 @@
# RULES.md
## Overview
This repository manages NixOS configurations for multiple systems, structured to promote modularity, security, and maintainability.
### Directory Structure
Each host has its own directory under `hosts/`, containing:
```
hosts/
└── hostname/
├── configuration.nix
├── modules/
└── secrets.yaml
```
* `configuration.nix`: Main configuration file for the host.
* `modules/`: Custom NixOS modules specific to the host.
* `secrets.yaml`: Encrypted secrets file (see [Secrets Management](#secrets-management)).
## Configuration Management
### Modularization
* Break down configurations into reusable modules placed in the `modules/` directory.
* Use the `imports` directive in `configuration.nix` to include necessary modules.
* Avoid monolithic configurations; modularity enhances clarity and reusability.
### Version Control
* Track all configuration files using Git.
* Exclude sensitive files like `secrets.yaml` from version control.
* Use descriptive commit messages to document changes.
## Deployment with Bento
Bento is utilized for deploying configurations across systems.
* Centralize configurations on a management server.
* Ensure each host accesses only its specific configuration files.
* Leverage Bento's features to manage deployments efficiently.([NixOS Discourse][1], [Reddit][2], [cbiit.github.io][3])
## Security Best Practices
### Secrets Management
* Never store plain-text secrets in the Nix store or configuration files.
* Use tools like [sops-nix](https://github.com/Mic92/sops-nix) to encrypt `secrets.yaml`.
* Restrict access to decrypted secrets using appropriate file permissions.([Reddit][4], [dade][5])
### System Hardening
* Disable unnecessary services to minimize attack surfaces.
* Configure firewalls to allow only essential traffic.
* Regularly update systems to apply security patches.
### User Management
* Implement the principle of least privilege for user accounts.
* Use SSH keys for authentication; disable password-based logins.
* Monitor user activities and access logs for suspicious behavior.
## Maintenance Guidelines
* Regularly review and refactor modules for efficiency and clarity.
* Document all modules and configurations for future reference.
* Test configurations in a controlled environment before deploying to production systems.([NixOS & Flakes][6])
---
Adhering to these guidelines will help maintain a secure, organized, and efficient NixOS configuration across multiple systems.
[1]: https://discourse.nixos.org/t/introducing-bento-a-nixos-deployment-framework/21446?utm_source=chatgpt.com "Introducing bento, a NixOS deployment framework"
[2]: https://www.reddit.com/r/NixOS/comments/1e95b69/how_do_you_guys_organize_your_nix_config_files_i/?utm_source=chatgpt.com "How do you guys organize your .nix config files? I have a ... - Reddit"
[3]: https://cbiit.github.io/bento-docs/master/installation/bento-quick-start.html?utm_source=chatgpt.com "1. Quick Start Tutorial — Bento release-4.1.0 documentation"
[4]: https://www.reddit.com/r/NixOS/comments/1cnhx6z/best_security_practices_for_nixos_devices_exposed/?utm_source=chatgpt.com "Best Security practices for NixOS devices exposed to the Internet"
[5]: https://0xda.de/blog/2024/07/framework-and-nixos-sops-nix-secrets-management/?utm_source=chatgpt.com "Framework and NixOS - Sops-nix Secrets Management - dade"
[6]: https://nixos-and-flakes.thiscute.world/nixos-with-flakes/modularize-the-configuration?utm_source=chatgpt.com "Modularize Your NixOS Configuration | NixOS & Flakes Book"