Nosial Global Git Updates
Channel for displaying global git updates from Nosial’s development community

Pinned messages are ongoing tasks/projects

Discuss: @NosialDiscussions
[Nosial/flake:master] 3 new commits
[5194265] chore: update & beautify - badPointer
[672cf76] chore: retire Keycloak - badPointer
[c0d41f4] chore: reintroduce other users - badPointer
[Nosial/flake] Issue opened: #1 No containers v. Podman containers v. nixos-containers by glitchkill

No containers:
-
Pros:

- Declarative
- Best performance out of all other options
- Next-to-none abstractions

Cons:
- No way to run software without a Nix module
- Least secure way to run a service (RCE -> it's over)

Podman containers:
-
Pros:

- Little performance loss
- Sufficient security when running rootless
- Expandable into replication by Kubernetes

Cons:

- Not as declarative as NixOS modules
- Heterogeneous (unknown impact)

nixos-containers:
-
Pros:

- Declarative
- Most secure way to run a service (systemd-nspawn sits firmly on the line between a container and a VM)
- Next-to-none abstractions

Cons:
- No way to run software without a Nix module
- Highest performance penalty of all other options
[Nosial/flake] Issue opened: #2 Generation rebuild CI by glitchkill

CI modes:
-

- Skip (skips rebuild on all nodes for commit)
- Switch (rebuilds on all _affected_ nodes for commit, switches to new generation)
- Boot (rebuilds on all _affected_ nodes for commit, sets new generation as default for next boot)
- Force-switch (rebuilds on both affected and unaffected nodes for commit, switches to new generation)
- Force-boot (rebuilds on both affected and unaffected nodes for commit, sets new generation as default for next boot)

Affected node judgment: if any of the modules/files imported by the node are modified, node is marked as affected.
Rebuild process should be a CI pipeline over SSH (ephemeral Tailscale node?)
[Nosial/flake] Issue opened: #3 Switch Podman to rootless by glitchkill

Until #1 is complete, all containers should be switched to rootless.

- Create a user to run the containers
- chown all service directories, restrict access to other users
- Configure user in NixOS config
[Nosial/flake] Issue opened: #4 Gatus as uptime service by glitchkill

Blocker: https://github.com/TwiN/gatus/issues/720

Deploy alerts for bot and public uptime page.
[Nosial/flake] Issue opened: #5 Revamp service configuration and data by glitchkill

Current config-data storage leaves much to be desired. Proposed solution:

- Configure all services exclusively through environment variables set through system configuration.
- Split all auxiliary services (e.g. `data/forgejo-main, data/forgejo-postgres` instead of `data/forgejo/data`).
- Move all volumes to top-level (e.g. `data/forgejo-main` instead of `data/forgejo-main/data`).
[Nosial/flake] Issue opened: #6 Theme Kanidm by glitchkill
[Nosial/flake] Issue opened: #7 Set up remote desktop: GNOME v. KDE by glitchkill

Both GNOME and KDE have a similar component that enables RDP system access, however KDE's krdp for use with e.g. mobile devices was fixed only recently.
[Nosial/flake] New comment on issue #7 Set up remote desktop: GNOME v. KDE by glitchkill
CC @netkas
[Nosial/flake] Issue opened: #8 Move Traefik to Maple by glitchkill

To save costs and bandwidth loss, Traefik should be moved to Maple and put behind Cloudflare.

- [ ] Check for potential IP-exposing services
- [ ] Check for new Cloudflare-imposed limitations
- [ ] Check for certificate issue vulnerabilities
- [ ] Move Traefik
[Nosial/flake] Issue edited: #5 Revamp service configuration and data by glitchkill

Current config-data storage leaves much to be desired. Proposed solution:

- [ ] Configure all services exclusively through environment variables set through system configuration.
- [ ] Split all auxiliary services (e.g. `data/forgejo-main, data/forgejo-postgres` instead of `data/forgejo/data`).
- [ ] Move all volumes to top-level (e.g. `data/forgejo-main` instead of `data/forgejo-main/data`).
[Nosial/flake] Issue edited: #3 Switch Podman to rootless by glitchkill

Until #1 is complete, all containers should be switched to rootless.

- [ ] Create a user to run the containers
- [ ] chown all service directories, restrict access to other users
- [ ] Configure user in NixOS config
[Nosial/flake] Issue opened: #9 Project Apotheosis by glitchkill

Top-level stages can be skipped if possible.

- [ ] Move all nodes on Maple off Proxmox
- [ ] Profile all nodes for hardware quirks
- [ ] Write NixOS config for all nodes
- [ ] Deploy NixOS
- [ ] Reduce node count
- [ ] Use profiled data to identify most upgradeable node
- [ ] Move all services and data of other nodes to node
- [ ] Decommission other nodes
- [ ] Upgrade last-man-standing node

Nodes that should not be affected:

- Blueberrychan (unless SBC upgrades)
- Sitephone (technically not node yet, CC @netkas)
[Nosial/flake] Issue opened: #10 Re-deploy Xpress by glitchkill

For this iteration, Garage will be used.
Options:

- Local-only (e.g. over Tailscale)
- Over clearnet (blocked by #8)
[Nosial/flake] Issue opened: #11 Deploy Stalwart by glitchkill

Due to a lack of a publicly-exposable public IP, Stalwart will be deployed on Edge. Data will be stored remotely, on Xpress (blocked by #10).
[Nosial/fedora-jail:master] 1 new commit
[470936f] chore: force hostname for shell

Ephemeral nodes are automatically deleted within 30 minutes to 48 hours after they go offline if they weren't shut down gracefully. By default, if a hostname is not specified, the node "leniently" avoids overtaking the hostname. This ensures that it's overtaken anyway. - glitchkill
[Nosial/flake] Issue opened: #12 Automate image and nixpkgs updates by glitchkill
[Nosial/flake:master] 1 new commit
[baf215d] chore: bump image version - badPointer
[Nosial/flake] Issue edited: #6 Theme deployed services by glitchkill
[Nosial/flake] Issue edited: #6 Theme deployed services by glitchkill

- [ ] Forgejo
- [ ] Kanidm