[Nosial/flake] Issue opened: #7 Set up remote desktop: GNOME v. KDE by glitchkill
Both GNOME and KDE have a similar component that enables RDP system access; however, KDE's krdp for use with e.g. mobile devices was fixed only recently.
[Nosial/flake] Issue opened: #8 Move Traefik to Maple by glitchkill
To save costs and bandwidth loss, Traefik should be moved to Maple and put behind Cloudflare.
- [ ] Check for potential IP-exposing services
- [ ] Check for new Cloudflare-imposed limitations
- [ ] Check for certificate issue vulnerabilities
- [ ] Move Traefik
[Nosial/flake] Issue edited: #5 Revamp service configuration and data by glitchkill
Current config-data storage leaves much to be desired. Proposed solution:
- [ ] Configure all services exclusively through environment variables set through system configuration.
- [ ] Split all auxiliary services (e.g. `data/forgejo-main, data/forgejo-postgres` instead of `data/forgejo/data`).
- [ ] Move all volumes to top-level (e.g. `data/forgejo-main` instead of `data/forgejo-main/data`).
[Nosial/flake] Issue edited: #3 Switch Podman to rootless by glitchkill
Until #1 is complete, all containers should be switched to rootless.
- [ ] Create a user to run the containers
- [ ] chown all service directories, restrict access to other users
- [ ] Configure user in NixOS config
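As an added example (not configuration from Nosial/flake itself), the three steps above expressed as one NixOS module. It assumes a service user and group named `svc`, service data rooted at `/srv/svc`, Podman as the runtime, and that the deployed NixOS release provides the `linger` and `subUidRanges`/`subGidRanges` options under `users.users.<name>`; check those option names against the release actually in use.

```nix
# Added example, not part of Nosial/flake. Assumed names: user/group "svc",
# data root /srv/svc, Podman as runtime. Verify option names for your NixOS release.
{ config, pkgs, ... }:
{
  virtualisation.podman.enable = true;

  # Step 1: a dedicated unprivileged user that runs the containers.
  users.users.svc = {
    isNormalUser = true;           # rootless podman needs a real user with a home
    group = "svc";
    home = "/srv/svc";
    createHome = true;
    # Subordinate UID/GID ranges are required for rootless user namespaces.
    subUidRanges = [ { startUid = 100000; count = 65536; } ];
    subGidRanges = [ { startGid = 100000; count = 65536; } ];
    # Keep the user's systemd instance running without an interactive login
    # (assumed option; available on newer NixOS releases).
    linger = true;
  };
  users.groups.svc = { };

  # Step 2: own the service directories as svc and deny other users (0750).
  # Directory names follow the layout proposed in #5; they are assumed here.
  systemd.tmpfiles.rules = [
    "d /srv/svc 0750 svc svc - -"
    "d /srv/svc/forgejo-main 0750 svc svc - -"
    "d /srv/svc/forgejo-postgres 0750 svc svc - -"
  ];
}
```

Step 3 (the user in the NixOS config) is the `users.users.svc` block itself; the containers are then started from that user's own systemd instance rather than from root's, which is what makes the run rootless.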
[Nosial/flake] Issue opened: #9 Project Apotheosis by glitchkill
Top-level stages can be skipped if possible.
- [ ] Move all nodes on Maple off Proxmox
- [ ] Profile all nodes for hardware quirks
- [ ] Write NixOS config for all nodes
- [ ] Deploy NixOS
- [ ] Reduce node count
- [ ] Use profiled data to identify most upgradeable node
- [ ] Move all services and data of other nodes to node
- [ ] Decommission other nodes
- [ ] Upgrade last-man-standing node
Nodes that should not be affected:
- Blueberrychan (unless SBC upgrades)
- Sitephone (technically not node yet, CC @netkas)
[Nosial/flake] Issue opened: #10 Re-deploy Xpress by glitchkill
For this iteration, Garage will be used.
Options:
- Local-only (e.g. over Tailscale)
- Over clearnet (blocked by #8)
[Nosial/flake] Issue opened: #11 Deploy Stalwart by glitchkill
Due to a lack of a publicly-exposable public IP, Stalwart will be deployed on Edge. Data will be stored remotely, on Xpress (blocked by #10).
[Nosial/fedora-jail:master] 1 new commit
[470936f] chore: force hostname for shell
Ephemeral nodes are automatically deleted within 30 minutes to 48 hours after they go offline if they weren't shut down gracefully. By default, if a hostname is not specified, the node "leniently" avoids overtaking the hostname. This ensures that it's overtaken anyway. - glitchkill
Package created: fedora-jail:470936f14674ad0beb45569571bbb1fcbad664a5 by glitchkill
[Nosial/flake] Issue opened: #12 Automate image and nixpkgs updates by glitchkill
[Nosial/flake:master] 1 new commit
[baf215d] chore: bump image version - badPointer
[Nosial/flake] Issue edited: #6 Theme deployed services by glitchkill
[Nosial/flake] Issue opened: #13 Set up backups by glitchkill
Use BorgBackup to complete backups to Xpress (blocked by #10). Use a pattern of 1 full backup and 10 deltas.
[Nosial/flake] Issue opened: #14 Move to Lanzaboote by glitchkill
Blocked by #9 for Maple, install Secure Boot and Measured Boot on enabled systems.
[Nosial/flake] Issue opened: #15 Encrypt data partitions with LUKS by glitchkill
Might require merging /nix with /srv due to much of service configuration and the flake being baked in with generations. Possibly blocked by #9.
Authentication options:
-
- Automated (TPM-only, very likely not supported by most deployed nodes)
- Manual (passwords, passkey files, public-private keys)
[Nosial/flake] Issue edited: #15 Encrypt data partitions with LUKS by glitchkill
[Nosial/flake] Issue opened: #16 Install dm-verity by glitchkill
Likely a white elephant.
Existing implementation: https://github.com/arianvp/server-optimised-nixos
[Nosial/flake] Issue opened: #17 DragonflyDB v. Valkey v. Redis by glitchkill
All services are Redis API-compatible, making them plug-and-play.
- Redis has moved back to an open-source license since 8.x. However, no limitations were imposed on its usage by server administrators. If it works, don't fix it.
- Valkey is a fork of Redis which emerged when Redis switched to a non-open-source license. A project of the Linux Foundation, claims to be _somewhat_ faster than Redis.
- DragonflyDB is a custom solution which claims to be ~20x faster than Redis. However, I have yet to see if anyone actually uses it in production as a "drop-in Redis replacement".