Nosial Global Git Updates
Channel for displaying global git updates from Nosial’s development community

Pinned messages are ongoing tasks/projects

Discuss: @NosialDiscussions
[Nosial/FederationServer:main] 1 new commit
[14ed240] Refactor date handling to use DateTime directly and improve PDO usage consistency - netkas
[Nosial/FederationServer:main] 1 new commit
[f341af7] Implement file upload handling with size and MIME type validation, and add configuration for max upload size and storage path - netkas
[Nosial/flake:master] 1 new commit
[72246f1] feat: re-deploy ca - badPointer
[Nosial/flake:master] 1 new commit
[7cdf4c3] chore: remove nfs on Maple - badPointer
[Nosial/flake:master] 1 new commit
[8883f70] chore: fix step-ca, upgrade Forgejo - badPointer
[Nosial/flake:master] 1 new commit
[9e6a8cd] chore: add packages - badPointer
[Nosial/flake:master] 1 new commit
[bc59821] chore: fix Smallstep package - badPointer
[Nosial/flake:master] 1 new commit
[71ec892] feat: add rauthy - badPointer
[Nosial/flake:master] 1 new commit
[e94e836] feat: kill rauthy with fire - badPointer
[Nosial/flake:master] 1 new commit
[31df382] chore: make Kanidm trust X-Forwarded-For - badPointer
[Nosial/flake:master] 3 new commits
[5194265] chore: update & beautify - badPointer
[672cf76] chore: retire Keycloak - badPointer
[c0d41f4] chore: reintroduce other users - badPointer
[Nosial/flake] Issue opened: #1 No containers v. Podman containers v. nixos-containers by glitchkill

No containers:
-
Pros:

- Declarative
- Best performance out of all other options
- Next-to-none abstractions

Cons:

- No way to run software without a Nix module
- Least secure way to run a service (RCE -> it's over)

Podman containers:
-
Pros:

- Little performance loss
- Sufficient security when running rootless
- Expandable into replication by Kubernetes

Cons:

- Not as declarative as NixOS modules
- Heterogeneous (unknown impact)

nixos-containers:
-
Pros:

- Declarative
- Most secure way to run a service (systemd-nspawn sits firmly on the line between a container and a VM)
- Next-to-none abstractions

Cons:

- No way to run software without a Nix module
- Highest performance penalty of all other options
[Nosial/flake] Issue opened: #2 Generation rebuild CI by glitchkill

CI modes:
-

- Skip (skips rebuild on all nodes for commit)
- Switch (rebuilds on all _affected_ nodes for commit, switches to new generation)
- Boot (rebuilds on all _affected_ nodes for commit, sets new generation as default for next boot)
- Force-switch (rebuilds on both affected and unaffected nodes for commit, switches to new generation)
- Force-boot (rebuilds on both affected and unaffected nodes for commit, sets new generation as default for next boot)

Affected node judgment: if any of the modules/files imported by the node are modified, node is marked as affected.
Rebuild process should be a CI pipeline over SSH (ephemeral Tailscale node?)
[Nosial/flake] Issue opened: #3 Switch Podman to rootless by glitchkill

Until #1 is complete, all containers should be switched to rootless.

- Create a user to run the containers
- chown all service directories, restrict access to other users
- Configure user in NixOS config
[Nosial/flake] Issue opened: #4 Gatus as uptime service by glitchkill

Blocker: https://github.com/TwiN/gatus/issues/720

Deploy alerts for bot and public uptime page.
[Nosial/flake] Issue opened: #5 Revamp service configuration and data by glitchkill

Current config-data storage leaves much to be desired. Proposed solution:

- Configure all services exclusively through environment variables set through system configuration.
- Split all auxiliary services (e.g. `data/forgejo-main, data/forgejo-postgres` instead of `data/forgejo/data`).
- Move all volumes to top-level (e.g. `data/forgejo-main` instead of `data/forgejo-main/data`).
[Nosial/flake] Issue opened: #6 Theme Kanidm by glitchkill
[Nosial/flake] Issue opened: #7 Set up remote desktop: GNOME v. KDE by glitchkill

Both GNOME and KDE have a similar component that enables RDP system access; however, KDE's krdp for use with e.g. mobile devices was fixed only recently.
[Nosial/flake] New comment on issue #7 Set up remote desktop: GNOME v. KDE by glitchkill
CC @netkas
[Nosial/flake] Issue opened: #8 Move Traefik to Maple by glitchkill

To save costs and avoid bandwidth loss, Traefik should be moved to Maple and put behind Cloudflare.

- [ ] Check for potential IP-exposing services
- [ ] Check for new Cloudflare-imposed limitations
- [ ] Check for certificate issue vulnerabilities
- [ ] Move Traefik
[Nosial/flake] Issue edited: #5 Revamp service configuration and data by glitchkill

Current config-data storage leaves much to be desired. Proposed solution:

- [ ] Configure all services exclusively through environment variables set through system configuration.
- [ ] Split all auxiliary services (e.g. `data/forgejo-main, data/forgejo-postgres` instead of `data/forgejo/data`).
- [ ] Move all volumes to top-level (e.g. `data/forgejo-main` instead of `data/forgejo-main/data`).