nixos/.roo/rules/rules.md

RULES.md

Overview

This repository manages NixOS configurations for multiple systems, structured to promote modularity, security, and maintainability.

Directory Structure

Each host has its own directory under hosts/, containing:


hosts/
└── hostname/
    ├── configuration.nix
    ├── modules/
    └── secrets.yaml

  • configuration.nix: Main configuration file for the host.
  • modules/: Custom NixOS modules specific to the host.
  • secrets.yaml: Encrypted secrets file (see Secrets Management).

Configuration Management

Modularization

  • Break down configurations into reusable modules placed in the modules/ directory.
  • Use the imports directive in configuration.nix to include necessary modules.
  • Avoid monolithic configurations; modularity enhances clarity and reusability.
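A concrete instance of this pattern, added here as an illustration and not taken from this repository: a host-specific module under modules/ that declares its own options, so that configuration.nix only sets values and never edits the module. The option namespace my.firewall, the file name and the port numbers are placeholders.

```nix
# hosts/example-host/modules/firewall.nix  (illustration; names are placeholders)
{ config, lib, ... }:

let
  cfg = config.my.firewall;
in
{
  # Options are the module's public interface; the host sets these in
  # configuration.nix instead of editing this file.
  options.my.firewall = {
    enable = lib.mkEnableOption "the host firewall with an explicit allow-list";

    openTcpPorts = lib.mkOption {
      type = lib.types.listOf lib.types.port;
      default = [ ];
      description = "TCP ports this host serves; all other inbound traffic is dropped.";
    };
  };

  # Nothing below takes effect unless the host opts in with my.firewall.enable.
  config = lib.mkIf cfg.enable {
    networking.firewall = {
      enable = true;
      # SSH stays reachable so a deploy cannot lock the operator out; every
      # other inbound port must be listed explicitly by the host.
      allowedTCPPorts = [ 22 ] ++ cfg.openTcpPorts;
      # Keep a record of dropped connections for the access-log review the
      # User Management section asks for.
      logRefusedConnections = true;
    };
  };
}
```

configuration.nix then lists ./modules/firewall.nix in its imports and sets my.firewall.enable = true; and my.firewall.openTcpPorts = [ 443 ]; (for a host serving HTTPS). Nothing in the module changes from host to host, which is what makes it reusable.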

Version Control

  • Track all configuration files using Git.
  • Commit only encrypted material: the sops-encrypted secrets.yaml may be committed, but never decrypted secrets, plain-text .env files, or the age/SSH private keys that decrypt them.
  • Use descriptive commit messages to document changes.

Deployment with Bento

Bento is used to deploy configurations across systems.

  • Keep all host configurations on one management server that acts as the single source of truth.
  • Ensure each host can read only its own configuration files: Bento serves them over SFTP with a per-host chroot, so a compromised host cannot obtain the configuration or secrets of another host.
  • Use Bento's own tooling to build and push deployments and to check which hosts have applied the latest configuration, rather than ad-hoc scripts.

Security Best Practices

Secrets Management

  • Never store plain-text secrets in the Nix store or in configuration files: the store is world-readable, and any string literal in a .nix file ends up in store paths when the system is built.
  • Use sops-nix to keep secrets.yaml encrypted at rest; it decrypts secrets at activation time into a runtime directory outside the store.
  • Restrict each decrypted secret to the service that needs it with an explicit owner, group and a mode of 0400 or 0440.
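The three rules above, applied in one host module; this is an added illustration, not code from this repository. It assumes the sops-nix NixOS module is already imported (for example from a flake input) and that ../secrets.yaml is a sops-encrypted YAML file containing a nested key wireguard: private-key. The secret name and its use for WireGuard are placeholders.

```nix
# hosts/example-host/modules/secrets.nix  (illustration; names are placeholders)
{ config, ... }:

{
  # The encrypted file lives with the host and is committed: it is ciphertext,
  # so it is safe both in git and in the Nix store it gets copied into.
  sops.defaultSopsFile = ../secrets.yaml;

  # Decryption identity: the host's SSH host key is used as an age key, so the
  # private key never leaves the machine and nothing private is committed.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Decrypted at activation into /run/secrets/<name> (not the store), with
  # ownership and mode chosen so only the consuming service can read it.
  sops.secrets."wireguard/private-key" = {
    owner = "root";
    group = "root";
    mode = "0400";
    # Re-key the tunnel when the secret changes on a rebuild.
    restartUnits = [ "wireguard-wg0.service" ];
  };

  # Consumers reference the runtime path; the plaintext never appears in
  # configuration, in the store, or in the systemd unit.
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.2/24" ];   # placeholder address
    privateKeyFile = config.sops.secrets."wireguard/private-key".path;
  };
}
```

To encrypt to the host, derive its age recipient with ssh-to-age from /etc/ssh/ssh_host_ed25519_key.pub, list that recipient in .sops.yaml, and edit the file with sops hosts/example-host/secrets.yaml; sops re-encrypts on save, so the plaintext only ever exists in the editor session.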

System Hardening

  • Disable unnecessary services to minimize the attack surface; on NixOS a service that is not enabled in configuration is not installed, so enable only what the host's role needs.
  • Keep the NixOS firewall enabled and open only the ports the host actually serves.
  • Apply security patches regularly, for example with scheduled upgrades, and reboot when a kernel or systemd update requires it.

User Management

  • Apply the principle of least privilege: declare users and their groups in configuration, grant wheel only to administrators, and keep root without a password.
  • Use SSH keys for authentication; disable password and keyboard-interactive logins and forbid root login over SSH.
  • Monitor user activity and access logs for suspicious behaviour, e.g. with persistent journald storage and audit rules for privileged commands.
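One module that implements both the System Hardening and the User Management rules above, added here as an illustration rather than taken from this repository. The user name, the public key, the upgrade schedule and the audit rule are placeholders; a flake-based host would additionally set system.autoUpgrade.flake.

```nix
# hosts/example-host/modules/hardening.nix  (illustration; names are placeholders)
{ config, lib, ... }:

{
  # --- Attack surface: nothing listens unless the host opts in -------------
  # NixOS services are off unless enabled; pin the ones desktop profiles tend
  # to pull in so a shared profile cannot switch them on for a server.
  services.avahi.enable = lib.mkForce false;
  services.printing.enable = lib.mkForce false;

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ];
  };

  # --- Patching --------------------------------------------------------------
  system.autoUpgrade = {
    enable = true;
    dates = "04:00";
    allowReboot = false;   # reboot deliberately, after reading the journal
  };

  # --- Least privilege -------------------------------------------------------
  # Every account is declared here; users created by hand do not survive a
  # rebuild, so there is no drift between hosts.
  users.mutableUsers = false;
  users.users.root.hashedPassword = "!";   # locked: root only via sudo

  users.users.ops = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY ops@workstation"  # placeholder
    ];
  };

  security.sudo = {
    execWheelOnly = true;      # non-wheel users cannot even execute sudo
    wheelNeedsPassword = true;
  };

  # --- SSH: keys only, no root, no password prompts ---------------------------
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
      AllowUsers = [ "ops" ];
    };
  };

  # --- Audit trail ------------------------------------------------------------
  services.journald.extraConfig = "Storage=persistent";
  security.auditd.enable = true;
  security.audit.enable = true;
  security.audit.rules = [
    "-a exit,always -F arch=b64 -S execve"   # placeholder rule: log every exec
  ];
}
```

With users.mutableUsers = false and a locked root password, the only way onto the host is the ops user's key over SSH, and every privilege escalation goes through sudo and lands in the audit log; rotating an administrator is a one-line change to the key list followed by a rebuild.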

Maintenance Guidelines

  • Regularly review and refactor modules for efficiency and clarity.
  • Document all modules and configurations for future reference.
  • Test configurations in a controlled environment (for example nixos-rebuild build-vm or a staging host) before deploying to production systems.
  • After developing a feature, delete the corresponding development plan.

Adhering to these guidelines will help maintain a secure, organized, and efficient NixOS configuration across multiple systems.