# RULES.md

## Overview

This repository manages NixOS configurations for multiple systems, structured to promote modularity, security, and maintainability.

### Directory Structure

Each host has its own directory under `hosts/`, containing:

```
hosts/
└── hostname/
    ├── configuration.nix
    ├── modules/
    └── secrets.yaml
```

* `configuration.nix`: Main configuration file for the host.
* `modules/`: Custom NixOS modules specific to the host.
* `secrets.yaml`: Encrypted secrets file (see [Secrets Management](#secrets-management)).

## Configuration Management

### Modularization

* Break configurations down into reusable modules placed in the `modules/` directory.
* Use the `imports` directive in `configuration.nix` to include the necessary modules.
* Avoid monolithic configurations; modularity improves clarity and reusability.

### Version Control

* Track all configuration files using Git.
* Exclude sensitive files like `secrets.yaml` from version control.
* Use descriptive commit messages to document changes.

## Deployment with Bento

Bento is used to deploy configurations across systems.

* Centralize configurations on a management server.
* Ensure each host can access only its own configuration files.
* Use Bento's features to manage deployments efficiently. ([NixOS Discourse][1], [Reddit][2], [cbiit.github.io][3])

## Security Best Practices

### Secrets Management

* Never store plain-text secrets in the Nix store (it is world-readable) or in configuration files.
* Use tools like [sops-nix](https://github.com/Mic92/sops-nix) to encrypt `secrets.yaml`.
* Restrict access to decrypted secrets with appropriate file ownership and permissions. ([Reddit][4], [dade][5])

### System Hardening

* Disable unnecessary services to minimize the attack surface.
* Configure the firewall to allow only essential traffic.
* Regularly update systems to apply security patches.

### User Management

* Apply the principle of least privilege to user accounts.
* Use SSH keys for authentication; disable password-based logins.
* Monitor user activity and access logs for suspicious behavior.

## Maintenance Guidelines

* Regularly review and refactor modules for efficiency and clarity.
* Document all modules and configurations for future reference.
* Test configurations in a controlled environment before deploying them to production systems. ([NixOS & Flakes][6])

---

Adhering to these guidelines will help maintain a secure, organized, and efficient NixOS configuration across multiple systems.

[1]: https://discourse.nixos.org/t/introducing-bento-a-nixos-deployment-framework/21446?utm_source=chatgpt.com "Introducing bento, a NixOS deployment framework"
[2]: https://www.reddit.com/r/NixOS/comments/1e95b69/how_do_you_guys_organize_your_nix_config_files_i/?utm_source=chatgpt.com "How do you guys organize your .nix config files? I have a ... - Reddit"
[3]: https://cbiit.github.io/bento-docs/master/installation/bento-quick-start.html?utm_source=chatgpt.com "1. Quick Start Tutorial — Bento release-4.1.0 documentation"
[4]: https://www.reddit.com/r/NixOS/comments/1cnhx6z/best_security_practices_for_nixos_devices_exposed/?utm_source=chatgpt.com "Best Security practices for NixOS devices exposed to the Internet"
[5]: https://0xda.de/blog/2024/07/framework-and-nixos-sops-nix-secrets-management/?utm_source=chatgpt.com "Framework and NixOS - Sops-nix Secrets Management - dade"
[6]: https://nixos-and-flakes.thiscute.world/nixos-with-flakes/modularize-the-configuration?utm_source=chatgpt.com "Modularize Your NixOS Configuration | NixOS & Flakes Book"
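As an added example that is not part of the original RULES.md, the following `configuration.nix` applies the Secrets Management, System Hardening and User Management rules above to a single host. The host name, the `deploy` and `backup` accounts, the `modules/hardening.nix` module and the secret names are assumptions, and the sops-nix NixOS module is assumed to be in the system's module list already.

```nix
# hosts/example-host/configuration.nix (added example; the host name, the
# "deploy" and "backup" accounts and the secret names are placeholders).
{ config, pkgs, ... }:

{
  imports = [
    ./modules/hardening.nix   # hypothetical host-specific module
    # sops-nix module assumed present already (flake: inputs.sops-nix.nixosModules.sops)
  ];

  # Secrets Management: secrets.yaml stays encrypted in the repo; sops-nix
  # decrypts it at activation into /run/secrets (tmpfs), never the Nix store.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";   # host's private age key, provisioned out of band
  sops.secrets."backup/restic-password" = {
    owner = "backup";
    group = "backup";
    mode = "0400";          # only the service account can read it
  };
  sops.secrets."deploy/password-hash".neededForUsers = true;  # decrypted before users are created
  users.groups.backup = { };
  users.users.backup = { isSystemUser = true; group = "backup"; };

  # System Hardening: firewall on with only SSH inbound, unneeded services off,
  # unattended upgrades so security patches get applied.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ];
  };
  services.printing.enable = false;
  system.autoUpgrade.enable = true;

  # User Management: declarative users only, key-based SSH, no root login.
  users.mutableUsers = false;
  users.users.deploy = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];   # the only account allowed to sudo
    hashedPasswordFile = config.sops.secrets."deploy/password-hash".path;
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA...PLACEHOLDER deploy@mgmt" ];
  };
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };
  system.stateVersion = "24.05";   # set to the release this host was first installed with
}
```

Before deploying, `sops -d hosts/example-host/secrets.yaml` must succeed with the host's age key, and `nixos-rebuild dry-activate` will report any secret whose owner or group is not declared.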