nixos/.roo/rules/rules.md
Dominik Polakovics 53d73142ae Add a11ywatch and related configurations for Podman and Nginx
- Introduced a new module for a11ywatch with Podman support, creating a bridge network and defining backend and frontend containers.
- Configured Nginx to serve the a11ywatch application with SSL and ACME support.
- Added user and group configurations for a11ywatch.
- Created a systemd service to ensure the Podman network exists on boot.

Implement Firefox Container Controller extension and host

- Added a module for the Firefox Container Controller extension, allowing installation via Nix.
- Created a native messaging host for the extension to communicate with the container controller.
- Included CLI helpers to enqueue commands for showing and hiding containers.

Enable fingerprint authentication in PAM

- Configured fingerprint authentication for login, sudo, and swaylock services.

Setup Raspberry Pi OS image creation script

- Developed a script to create a read-only Raspberry Pi OS Lite image with Snapcast client.
- Included configuration for Wi-Fi, hostname, and Snapcast server.
- Implemented user and group setup for Snapcast client and ensured necessary services are enabled.

Document Raspberry Pi Zero W setup instructions

- Added detailed instructions for configuring Raspberry Pi OS on Zero W, including disabling unused services and setting up Snapcast client.

Create test configuration script for NixOS

- Implemented a script to perform dry-builds for NixOS configurations, allowing for easy validation of host configurations.
2025-05-29 00:10:07 +02:00


RULES.md

Overview

This repository manages NixOS configurations for multiple systems, structured to promote modularity, security, and maintainability.

Directory Structure

Each host has its own directory under hosts/, containing:

hosts/
└── hostname/
    ├── configuration.nix
    ├── modules/
    └── secrets.yaml

  • configuration.nix: Main configuration file for the host.
  • modules/: Custom NixOS modules specific to the host.
  • secrets.yaml: Encrypted secrets file (see Secrets Management).

Configuration Management

Modularization

  • Break down configurations into reusable modules placed in the modules/ directory.
  • Use the imports directive in configuration.nix to include necessary modules.
  • Avoid monolithic configurations; modularity enhances clarity and reusability.
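As an added example of the module pattern these three rules describe (it is not a module from this repository), the file below is a reusable module that declares its own options under a hypothetical my.reverseProxy namespace, does nothing unless a host enables it, and carries a build-time assertion. The option names, the host directory example-host and the domain and e-mail values are assumptions made for the example.

```nix
# hosts/example-host/modules/reverse-proxy.nix  (added example; not this repository's code)
# Declares options under my.reverseProxy (an assumed namespace), stays inert unless
# enabled, and refuses to build a self-looping proxy.
{ config, lib, ... }:

let
  cfg = config.my.reverseProxy;
in
{
  options.my.reverseProxy = {
    enable = lib.mkEnableOption "TLS-terminating nginx reverse proxy for one local service";

    domain = lib.mkOption {
      type = lib.types.str;
      example = "app.example.org";
      description = "Public host name nginx serves and requests an ACME certificate for.";
    };

    upstreamPort = lib.mkOption {
      type = lib.types.port;
      example = 8080;
      description = "Port on 127.0.0.1 where the backend listens.";
    };

    acmeEmail = lib.mkOption {
      type = lib.types.str;
      description = "Contact address registered with the ACME CA.";
    };
  };

  # Evaluated only when a host sets my.reverseProxy.enable = true; a host that
  # imports the module but leaves it off gets no nginx, no ACME and no open ports.
  config = lib.mkIf cfg.enable {
    # Fail the build instead of deploying a proxy that loops back into nginx itself.
    assertions = [{
      assertion = cfg.upstreamPort != 80 && cfg.upstreamPort != 443;
      message = "my.reverseProxy.upstreamPort must be the backend's port, not nginx's own 80/443";
    }];

    security.acme = {
      acceptTerms = true;
      defaults.email = cfg.acmeEmail;
    };

    services.nginx = {
      enable = true;
      recommendedTlsSettings = true;    # TLS 1.2/1.3 only, strong ciphers, OCSP stapling
      recommendedProxySettings = true;  # forwards Host and X-Forwarded-* to the backend
      virtualHosts.${cfg.domain} = {
        enableACME = true;
        forceSSL = true;                # plain HTTP only redirects to HTTPS
        locations."/".proxyPass = "http://127.0.0.1:${toString cfg.upstreamPort}";
      };
    };

    # Only the public ports; the backend on 127.0.0.1 is never exposed.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}
```

The host's configuration.nix then lists ./modules/reverse-proxy.nix in imports and sets my.reverseProxy = { enable = true; domain = "app.example.org"; upstreamPort = 8080; acmeEmail = "ops@example.org"; }. Because the options are declared by the module, a host that does not import it cannot set them by accident: evaluation fails with an "undefined option" error rather than silently ignoring the value.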

Version Control

  • Track all configuration files using Git.
  • Never commit plaintext secrets or the private age/PGP keys that decrypt secrets.yaml. The sops-encrypted secrets.yaml itself is safe to track and, with flakes, must be tracked for Nix to see it (see Secrets Management).
  • Use descriptive commit messages to document changes.

Deployment with Bento

Bento is used to deploy configurations across systems.

  • Centralize configurations on a management server; hosts pull their configuration from it rather than having it pushed to them.
  • Ensure each host accesses only its specific configuration files: Bento gives every host its own SFTP account, chrooted to that host's directory, so a compromised host cannot read another host's configuration or secrets.
  • Use Bento's build step to verify that every host's configuration builds on the management server before it is published, and its status report to confirm which hosts have applied the latest version. (NixOS Discourse, Reddit, cbiit.github.io)

Security Best Practices

Secrets Management

  • Never store plain-text secrets in the Nix store or configuration files: any value interpolated into a Nix expression, or read with builtins.readFile, is copied into /nix/store, which is world-readable and kept until garbage-collected.
  • Use sops-nix to keep secrets.yaml encrypted at rest; the host decrypts it at activation (by default with its ed25519 SSH host key, converted to an age key) into /run/secrets, outside the store.
  • Restrict access to decrypted secrets with a per-secret owner, group and mode (0400 for the consuming service user) so that only the service that needs a secret can read it. (Reddit, dade)
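An added example of the three rules above (not this repository's code): the pattern to avoid is kept as a comment, and the sops-nix wiring below it decrypts one secret for one service user with restrictive permissions. The secret names, the example-app user and service, and the daemon it stands in for are assumptions; the sops-nix NixOS module is assumed to be imported once elsewhere (for a flake, imports = [ inputs.sops-nix.nixosModules.sops ];).

```nix
# hosts/example-host/modules/secrets.nix  (added example; not this repository's code)
# Assumes the sops-nix module is imported elsewhere; "example-app" and the secret
# names are placeholders.
{ config, lib, pkgs, ... }:

{
  # WRONG (kept as a comment on purpose): the interpolation copies the token into
  # /nix/store, world-readable, and it stays there until garbage-collected.
  #
  #   environment.etc."example-app.conf".text = ''
  #     token = ${builtins.readFile ./api-token.txt}
  #   '';

  # RIGHT: Nix only ever sees the encrypted file.
  sops.defaultSopsFile = ../secrets.yaml;

  # Decrypt with the host's SSH host key (converted to age at activation), so no
  # separate key has to be provisioned out of band and no key lives in the repo.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Each entry is decrypted at activation to a file under /run/secrets (tmpfs,
  # outside the store) with exactly the owner, group and mode given here.
  sops.secrets."example-app/api-token" = {
    owner = config.users.users.example-app.name;
    group = config.users.users.example-app.group;
    mode = "0400";                              # service user only; not group, not world
    restartUnits = [ "example-app.service" ];   # restart the consumer when the secret is rotated
  };

  # Password hashes are needed before users are created, so sops-nix puts secrets
  # marked neededForUsers under /run/secrets-for-users instead of /run/secrets;
  # users.users.<name>.hashedPasswordFile points there.
  sops.secrets."alice/password-hash".neededForUsers = true;

  users.users.example-app = {
    isSystemUser = true;
    group = "example-app";
  };
  users.groups.example-app = { };

  systemd.services.example-app = {
    description = "Stand-in for a daemon that needs an API token (hypothetical)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    serviceConfig = {
      User = "example-app";
      Group = "example-app";
    };
    # The unit is handed the *path*; the token never appears in the store, the unit
    # file, the command line (visible in `ps`) or the environment (/proc/<pid>/environ).
    script = ''
      token_file=${config.sops.secrets."example-app/api-token".path}
      if [ ! -r "$token_file" ]; then
        echo "api token not readable at $token_file" >&2
        exit 1
      fi
      # a real service would exec here, e.g. example-daemon --token-file "$token_file"
      exec ${pkgs.coreutils}/bin/sleep infinity
    '';
  };
}
```

After a rebuild, ls -l /run/secrets/example-app/ should show the file as example-app:example-app with mode 0400, and grep for the token value across /nix/store should find nothing; if either check fails, a secret has leaked into a world-readable location.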

System Hardening

  • Disable unnecessary services to minimize attack surface. On NixOS a service that is not enabled in the configuration is not installed at all, so check what each host actually listens on (ss -ltnu) after a rebuild.
  • Configure the firewall as an allow-list: networking.firewall drops inbound traffic by default, so open only the ports a host's services need.
  • Regularly update systems to apply security patches: update the nixpkgs channel or flake input, rebuild and deploy; system.autoUpgrade can schedule this on hosts where unattended updates are acceptable.

User Management

  • Implement the principle of least privilege for user accounts: declare users in Nix (users.mutableUsers = false), limit wheel membership to the administrators who need it, and give each service daemon its own system user.
  • Use SSH keys for authentication; disable password and keyboard-interactive logins and root login over SSH.
  • Monitor user activities and access logs for suspicious behavior: sshd authentication events in the journal and, where enabled, auditd records of privileged commands.
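The System Hardening and User Management rules above are illustrated together in one added module (it is not a module from this repository): firewall allow-list, services switched off, key-only SSH, declarative least-privilege accounts, scheduled patching, audit logging, and two build-time assertions that refuse a configuration which would lock the administrators out. The user alice, her placeholder key, and the /run/secrets-for-users path (where sops-nix places a secret marked neededForUsers) are assumptions.

```nix
# hosts/example-host/modules/hardening.nix  (added example; not this repository's code)
# "alice", the placeholder key and the sops-nix path for her password hash are assumptions.
{ config, lib, pkgs, ... }:

{
  ## Attack surface: a NixOS service that is not enabled is not installed at all
  networking.firewall = {
    enable = true;                   # default policy drops inbound
    allowedTCPPorts = [ 22 ];        # per-host service ports are opened in the host's own modules
    allowedUDPPorts = [ ];
    logRefusedConnections = true;    # refused packets end up in `journalctl -k`
  };
  services.avahi.enable = false;     # mDNS would advertise the host on the LAN
  services.printing.enable = false;  # CUPS listens on 631 when enabled
  documentation.nixos.enable = false;

  ## SSH: keys only, no root, no interactive password prompts
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;   # also closes PAM-driven password prompts
      PermitRootLogin = "no";
      X11Forwarding = false;
    };
    hostKeys = [{ path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }];
  };

  ## Accounts: declared here, not editable on the box
  users.mutableUsers = false;              # passwd/useradd changes vanish on the next rebuild
  users.users.root.hashedPassword = "!";   # locked; root is reached only through sudo

  users.users.alice = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];             # the only admin group; no podman/docker groups by default
    openssh.authorizedKeys.keys = [
      # placeholder; replace with the real public key
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOL alice@laptop"
    ];
    # hash from `mkpasswd -m yescrypt`, delivered by sops-nix (neededForUsers = true)
    # so it never enters /nix/store
    hashedPasswordFile = "/run/secrets-for-users/alice/password-hash";
  };

  security.sudo = {
    execWheelOnly = true;     # /run/wrappers/bin/sudo is not even executable by non-wheel users
    wheelNeedsPassword = true;
  };

  ## Patching: scheduled rebuild from the current channel or flake input
  system.autoUpgrade = {
    enable = true;
    dates = "04:00";
    allowReboot = false;      # kernel updates wait for a human-scheduled reboot
  };

  ## Visibility: record every command run as root for later review
  security.auditd.enable = true;
  security.audit.enable = true;
  security.audit.rules = [
    "-a exit,always -F arch=b64 -S execve -F euid=0 -k root-exec"
  ];

  ## Build-time checks: with password logins off and mutableUsers = false, a
  ## mistake here cannot be fixed from the console, so refuse to build it.
  assertions = [
    {
      assertion = lib.all (u: u.openssh.authorizedKeys.keys != [ ])
        (lib.filter (u: u.isNormalUser) (lib.attrValues config.users.users));
      message = "every isNormalUser account needs an SSH public key (password logins are disabled)";
    }
    {
      assertion = lib.all (u: u.hashedPassword != null || u.hashedPasswordFile != null)
        (lib.filter (u: lib.elem "wheel" u.extraGroups) (lib.attrValues config.users.users));
      message = "every wheel member needs a password hash, or sudo can never succeed";
    }
  ];
}
```

The second assertion is the one that bites in practice: with mutableUsers = false an account without a hash has no password at all, and wheelNeedsPassword = true then makes sudo impossible for it, so the host is reachable over SSH but cannot be administered.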

Maintenance Guidelines

  • Regularly review and refactor modules for efficiency and clarity.
  • Document all modules and configurations for future reference.
  • Test configurations in a controlled environment before deploying to production systems: at minimum a dry build (nixos-rebuild dry-build) for every host, and a VM (nixos-rebuild build-vm or a NixOS test) for changes to authentication, networking or the firewall. (NixOS & Flakes)
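A dry build only proves that a configuration evaluates and builds; it says nothing about what the booted system does. The added example below (not a test from this repository) boots a host's hardening module in a throw-away QEMU VM with the NixOS test framework and checks the effective state: the options sshd actually applied, which ports are open, the firewall policy and the root password lock. The module path ../hosts/example-host/modules/hardening.nix, the test user alice and the expected values are assumptions.

```nix
# tests/ssh-hardening.nix  (added example; not this repository's code)
# Run with: nix-build tests/ssh-hardening.nix
# The imported module path and the user "alice" are assumptions.
{ pkgs ? import <nixpkgs> { } }:

pkgs.testers.runNixOSTest {
  name = "ssh-hardening";

  nodes.machine = { lib, ... }: {
    imports = [ ../hosts/example-host/modules/hardening.nix ];
    # The VM has no sops-nix and no secrets.yaml; satisfy the module's own
    # assertions with a locked placeholder password for the test user.
    users.users.alice.hashedPasswordFile = lib.mkForce null;
    users.users.alice.hashedPassword = "!";
  };

  testScript = ''
    machine.wait_for_unit("sshd.service")
    machine.wait_for_open_port(22)

    # 1. sshd's *effective* configuration, as the daemon itself parses it
    effective = machine.succeed("${pkgs.openssh}/bin/sshd -T")
    for expected in ("passwordauthentication no",
                     "kbdinteractiveauthentication no",
                     "permitrootlogin no"):
        assert expected in effective, f"sshd -T lacks: {expected}"

    # 2. nothing but sshd listens on a non-loopback address
    for line in machine.succeed("ss -Hltn").splitlines():
        local = line.split()[3]
        host, port = local.rsplit(":", 1)
        if host in ("127.0.0.1", "[::1]"):
            continue
        assert port == "22", f"unexpected listener: {local}"

    # 3. the firewall is up with a drop policy on INPUT (iptables backend;
    #    with networking.nftables.enable inspect `nft list ruleset` instead)
    machine.succeed("${pkgs.iptables}/bin/iptables -S INPUT | grep -q -- '^-P INPUT DROP'")

    # 4. root's password is locked in the shadow file the VM actually booted with
    shadow = machine.succeed("getent shadow root").strip()
    assert shadow.split(":")[1] == "!", f"root not locked: {shadow}"
  '';
}
```

The test fails the build of the test derivation, so it can sit next to the per-host dry builds in the same pre-deployment check; a change that re-enables password authentication or opens an unexpected port is caught in the VM rather than on the production host.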

Adhering to these guidelines will help maintain a secure, organized, and efficient NixOS configuration across multiple systems.