# RULES.md

## Overview

This repository manages NixOS configurations for multiple systems, structured to promote modularity, security, and maintainability.

### Directory Structure

Each host has its own directory under `hosts/`, containing:

```
hosts/
└── hostname/
    ├── configuration.nix
    ├── modules/
    └── secrets.yaml
```

* `configuration.nix`: Main configuration file for the host.
* `modules/`: Custom NixOS modules specific to the host.
* `secrets.yaml`: Encrypted secrets file (see [Secrets Management](#secrets-management)).

## Configuration Management

### Modularization

* Break down configurations into reusable modules placed in the `modules/` directory.
* Use the `imports` directive in `configuration.nix` to include necessary modules.
* Avoid monolithic configurations; modularity enhances clarity and reusability.
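
An added example, not a file from this repository, of the modularization rules above: the host's `configuration.nix` pulls its modules in through `imports`, and one of those modules hides everything it changes behind an enable option so another host can import the same file and simply opt in. The host name, the module file names and the option path `my.base` are assumptions.

```nix
# hosts/hostname/configuration.nix  (added example, not this repository's own file)
{ config, pkgs, ... }:

{
  # Pull in everything this host needs; each file is a self-contained NixOS module.
  imports = [
    ./hardware-configuration.nix   # generated by nixos-generate-config
    ./modules/base.nix             # hypothetical shared baseline, defined below
    ./modules/ssh.nix              # hypothetical per-host SSH settings
  ];

  # Switch on the baseline defined in modules/base.nix (option path is an assumption).
  my.base.enable = true;

  networking.hostName = "hostname";
  system.stateVersion = "24.05";
}

# hosts/hostname/modules/base.nix  (added example, not this repository's own file)
# A reusable module: everything it changes sits behind an enable option, so another
# host can import the same file and opt in or out without editing it.
{ config, lib, pkgs, ... }:

let
  cfg = config.my.base;
in
{
  options.my.base.enable = lib.mkEnableOption "baseline settings for this host";

  config = lib.mkIf cfg.enable {
    # Flakes and the unified nix CLI.
    nix.settings.experimental-features = [ "nix-command" "flakes" ];

    # Keep the store from growing without bound.
    nix.gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 14d";
    };

    environment.systemPackages = with pkgs; [ git vim ];
  };
}
```

Because `base.nix` contributes nothing unless `my.base.enable` is set, importing it on a host that does not want the baseline is harmless, which is what makes the file reusable rather than host-specific.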

### Version Control

* Track all configuration files using Git.
* Exclude sensitive files like `secrets.yaml` from version control.
* Use descriptive commit messages to document changes.

## Deployment with Bento

Bento is utilized for deploying configurations across systems.

* Centralize configurations on a management server.
* Ensure each host accesses only its specific configuration files.
* Leverage Bento's features to manage deployments efficiently. ([NixOS Discourse][1], [Reddit][2], [cbiit.github.io][3])

## Security Best Practices

### Secrets Management

* Never store plain-text secrets in the Nix store or configuration files.
* Use tools like [sops-nix](https://github.com/Mic92/sops-nix) to encrypt `secrets.yaml`.
* Restrict access to decrypted secrets using appropriate file permissions. ([Reddit][4], [dade][5])
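
An added example, not code from this repository or from the sops-nix project, showing how a host module wires sops-nix to the encrypted `secrets.yaml` so that decrypted material lands in `/run/secrets` (a tmpfs outside the Nix store) with explicit ownership and mode. It assumes the host's module list also includes `sops-nix.nixosModules.sops` from the flake input, and that the secret names used below exist in `secrets.yaml`; the WireGuard and restic consumers are just illustrative users of a secret.

```nix
# hosts/hostname/modules/secrets.nix  (added example, not this repository's own file)
{ config, ... }:

{
  # sops-nix itself is imported from the flake input, e.g.
  #   inputs.sops-nix.nixosModules.sops
  # in the host's module list (assumed; not shown here).

  # Decrypt with the host's own SSH host key: sops-nix derives an age identity from it,
  # so no extra private key has to be copied onto the machine.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # The ciphertext lives next to configuration.nix. Only the encrypted file is copied
  # into the Nix store; plaintext is written to /run/secrets at activation time.
  sops.defaultSopsFile = ../secrets.yaml;

  # Secret names are assumptions and must match the keys inside secrets.yaml.
  # Each entry is materialised as /run/secrets/<name> with exactly these permissions.
  sops.secrets."wireguard/private-key" = {
    owner = "root";
    group = "systemd-network";
    mode = "0440";                                   # root and the network group only
    restartUnits = [ "systemd-networkd.service" ];   # re-read on key rotation
  };

  sops.secrets."backup/restic-env" = {
    owner = "root";
    mode = "0400";                                   # nobody but root
  };

  # Hand services the *path* of the decrypted file at runtime.
  # Never builtins.readFile a secret: that would embed the plaintext in a store path,
  # and the Nix store is world-readable by design.
  networking.wireguard.interfaces.wg0.privateKeyFile =
    config.sops.secrets."wireguard/private-key".path;

  services.restic.backups.offsite.environmentFile =
    config.sops.secrets."backup/restic-env".path;
}
```

A quick check after `nixos-rebuild switch`: `ls -l /run/secrets/wireguard/private-key` should show `-r--r----- root systemd-network`, and nothing under `/nix/store` should contain the plaintext, only the encrypted `secrets.yaml`.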

### System Hardening

* Disable unnecessary services to minimize attack surfaces.
* Configure firewalls to allow only essential traffic.
* Regularly update systems to apply security patches.

### User Management

* Implement the principle of least privilege for user accounts.
* Use SSH keys for authentication; disable password-based logins.
* Monitor user activities and access logs for suspicious behavior.
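
An added example (not this repository's code) that covers the System Hardening and User Management bullets above in one host module: a default-deny firewall, key-only SSH with root login off, immutable declared users, a single administrator account with an SSH key, unneeded services switched off, scheduled updates, and fail2ban plus verbose sshd logging as the monitoring piece. The account name, the public key and the choice of disabled services are assumptions.

```nix
# hosts/hostname/modules/hardening.nix  (added example, not this repository's own file)
{ config, lib, ... }:

{
  ### Firewall: default-deny inbound, allow only what this host actually serves.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ];        # add the host's service ports here, nothing else
    allowedUDPPorts = [ ];
    logRefusedConnections = true;    # dropped packets show up in the journal
  };

  ### SSH: keys only, no root login, verbose logs for later review.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;  # closes the PAM keyboard-interactive path too
      PermitRootLogin = "no";
      LogLevel = "VERBOSE";                   # records the key fingerprint used for each login
    };
  };

  ### Users: only the accounts declared here exist; nothing is changed imperatively.
  users.mutableUsers = false;

  users.users.admin = {                       # account name is an assumption
    isNormalUser = true;
    extraGroups = [ "wheel" ];                # the only account allowed to escalate
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_PUBLIC_KEY admin@workstation"
    ];
  };

  # Least privilege for escalation: sudo only runs for wheel members, and a password
  # is still required (the hash for `admin` would be supplied from the secrets module).
  security.sudo.execWheelOnly = true;
  security.sudo.wheelNeedsPassword = true;

  ### Attack surface: things a headless host does not need.
  services.avahi.enable = false;
  services.printing.enable = false;
  programs.command-not-found.enable = false;
  documentation.nixos.enable = false;

  ### Patching: pull and apply updates on a schedule; rebooting stays a human decision.
  # For a flake-based host, also set system.autoUpgrade.flake to the repository's flake.
  system.autoUpgrade = {
    enable = true;
    dates = "04:00";
    allowReboot = false;
  };

  ### Monitoring: ban sources that fail SSH authentication repeatedly.
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "1h";
  };
}
```

With `LogLevel = "VERBOSE"`, `journalctl -u sshd` shows which authorized key was accepted for every session, which is the data the "monitor access logs" rule needs; `users.mutableUsers = false` means an account or key added by hand on the host disappears at the next rebuild, so the declared configuration stays the single source of truth.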

## Maintenance Guidelines

* Regularly review and refactor modules for efficiency and clarity.
* Document all modules and configurations for future reference.
* Test configurations in a controlled environment before deploying to production systems. ([NixOS & Flakes][6])
* After developing a feature, delete the corresponding development plan.

---

Adhering to these guidelines will help maintain a secure, organized, and efficient NixOS configuration across multiple systems.

[1]: https://discourse.nixos.org/t/introducing-bento-a-nixos-deployment-framework/21446?utm_source=chatgpt.com "Introducing bento, a NixOS deployment framework"
[2]: https://www.reddit.com/r/NixOS/comments/1e95b69/how_do_you_guys_organize_your_nix_config_files_i/?utm_source=chatgpt.com "How do you guys organize your .nix config files? I have a ... - Reddit"
[3]: https://cbiit.github.io/bento-docs/master/installation/bento-quick-start.html?utm_source=chatgpt.com "1. Quick Start Tutorial — Bento release-4.1.0 documentation"
[4]: https://www.reddit.com/r/NixOS/comments/1cnhx6z/best_security_practices_for_nixos_devices_exposed/?utm_source=chatgpt.com "Best Security practices for NixOS devices exposed to the Internet"
[5]: https://0xda.de/blog/2024/07/framework-and-nixos-sops-nix-secrets-management/?utm_source=chatgpt.com "Framework and NixOS - Sops-nix Secrets Management - dade"
[6]: https://nixos-and-flakes.thiscute.world/nixos-with-flakes/modularize-the-configuration?utm_source=chatgpt.com "Modularize Your NixOS Configuration | NixOS & Flakes Book"