Compare commits

..

9 commits

Author SHA1 Message Date
ccada8875e typo
All checks were successful
deploy to prod / Build and deploy site (push) Successful in 38s
2024-10-04 10:36:17 +02:00
7e53156e25 update technical principles 2024-10-04 10:28:12 +02:00
d35be63111 set compression level to 7 for iso image 2024-10-03 13:35:06 +02:00
6adbd6d8ac Add nginx proxy in demo configuration 2024-10-03 11:15:01 +02:00
9785204a30 typo 2024-10-02 20:41:45 +02:00
7b02ce66f0 typo 2024-10-02 20:20:56 +02:00
26246f4a8a add install iso image to build images action 2024-10-02 20:02:46 +02:00
f29e5ad230 use version 3 of the upload-arctifact action because v4 is not yet working with forgejo 2024-10-02 13:52:09 +02:00
ae5b6c21be add artifact upload step in build image action 2024-10-02 13:44:25 +02:00
3 changed files with 98 additions and 24 deletions

View file

@ -4,14 +4,39 @@ on:
# push: # push:
# branches: # branches:
# - release # - release
# Allow only one concurrent image build, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress build as we want to allow this to complete.
concurrency:
group: images
cancel-in-progress: false
jobs: jobs:
build: build:
name: Build NixOS images name: Build NixOS images
runs-on: nixos runs-on: nixos
steps: steps:
- name: install node - name: Install node
run: nix-env -iA nixpkgs.nodejs_20 run: nix-env -iA nixpkgs.nodejs_20
- name: checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: run generator - name: Build proxmox lxc template
run: nix-shell -p nixos-generators --run "nixos-generate -c inventory/demo-configuration.nix -f proxmox-lxc" run: nix-shell -p nixos-generators --run "nixos-generate -c inventory/demo-configuration.nix -f proxmox-lxc -o nixin-image-proxmox-lxc"
- name: Upload proxmox lxc template
uses: actions/upload-artifact@v3
with:
name: nixin-proxmox-lxc-template
path: ./nixin-image-proxmox-lxc/tarball/*.tar.xz
if-no-files-found: error
compression-level: 0
overwrite: false
- name: Build install iso image
run: nix-shell -p nixos-generators --run "nixos-generate -c inventory/demo-configuration.nix -f install-iso -o nixin-image-install-iso"
- name: Upload install iso image
uses: actions/upload-artifact@v3
with:
name: nixin-install-iso
path: nixin-image-install-iso/iso/*.iso
if-no-files-found: error
compression-level: 7
overwrite: false

View file

@ -1,16 +1,20 @@
{ config, pkgs, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
virtualisation.vmVariant.virtualisation.forwardPorts = [ #virtualisation.vmVariant.virtualisation.forwardPorts = [
{ from = "host"; host.port = 8001; guest.port = 8001; } # { from = "host"; host.port = 8001; guest.port = 8001; }
]; #];
networking.hosts = { networking.hosts = {
"127.0.0.1" = [ "hedgedoc.nixin.local" ]; "127.0.0.1" = [ "hedgedoc.nixin.local" ];
}; };
networking.hostName = "demo"; networking.hostName = "demo";
#networking.firewall.enable = false; #networking.firewall.enable = false;
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 8001 ]; allowedTCPPorts = [ 80 443 ];
}; };
services.hedgedoc = { services.hedgedoc = {
enable = true; enable = true;
settings.domain = "hedgedoc.nixin.local"; settings.domain = "hedgedoc.nixin.local";
@ -22,11 +26,50 @@
"hedgedoc.nixin.local" "hedgedoc.nixin.local"
]; ];
}; };
users.users.operator = { users.users.operator = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
initialPassword = "test"; initialPassword = "test";
}; };
security.acme.defaults.email = "contact@nixin.local";
security.acme.acceptTerms = true;
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."hedgedoc.nixin.local" = {
forceSSL = true;
enableACME = true;
root = "/var/www/hedgedoc";
locations."/".proxyPass = "http://127.0.0.1:8001";
locations."/socket.io/" = {
proxyPass = "http://127.0.0.1:8001";
proxyWebsockets = true;
extraConfig =
"proxy_ssl_server_name on;"
;
};
};
};
environment.systemPackages = with pkgs; [
git
wget
tmux
mosh
htop
];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }

View file

@ -1,47 +1,53 @@
# Technical principles # Technical principles
This page lists the technical principles we adhere to for developing NixiN and the technological choices that we have made. This page lists the technical principles we adhere to for developing NixiN and the technological choices that we have made.
Most of the principles we list here are known best software development practices that are well documented on the web or in books. So we will not describe them in detail or argument on why we should follow them and they appear here only as title under which we are putting some technological choices Most of the principles we list here are known best software development practices that are well documented on the web or in books. So we will not describe them in detail or argument on why we should follow them and they appear here only as title under which we are putting some technological choices
We regularly update this list of technological choices as the project develop
## KISS "Keep it simple, stupid!" ## KISS "Keep it simple, stupid!"
We will keep the system modular and keep the modules simples, following the [Unix philosophy](https://en.wikipedia.org/wiki/Unix_philosophy) and the [KISS principle](https://en.wikipedia.org/wiki/KISS_principle)
## Do not reinvent the wheel ## Do not reinvent the wheel
ToDo: nixos Whenever possible we will use existing software instead of writing our own code. And will favor widely accepted standards instead of inventing our own file format, protocols, languages or frameworks.
ToDo: passwordstore
ToDo: krops - Obviously we will use NixOS as the base operating system
- We will use git for version control of source code and configurations
- For storing passwords and secrets we will use zx2c4 passwordstore coupled with a git forge
- For the forge we will initially use forgejo. At a latter time we may add support for alternative forges that have a more distributed nature, like [Radicle](https://radicle.xyz/), when they become mature enough.
- For deploying NixOS to remote machines we are considering using [krops](https://github.com/krebs/krops). But we are still evaluating it.
- For formatting disks we will favor modern filesystems with snapshotting capability like zfs and btrfs
- ...
## Eat your own dog food ## Eat your own dog food
The project is bootstrapped using an infrastructure that is based on Proxmox, Debian and YunoHost for hosting its website and git forge. Currently only the forgejo action runners used for CI/CD are hosted on NixOS servers. The project is bootstrapped using an infrastructure that is based on Proxmox, Debian and YunoHost for hosting its website and git forge. Currently only the forgejo action runners used for CI/CD are hosted on NixOS servers.
But the goal is to host the whole project using itself as soon as possible. That is using NixOS servers managed with the tools and principles developed within the NixiN project. But the goal is to host the whole project using itself as soon as possible. That is using NixOS servers managed with the tools and principles developed within the NixiN project.
## Version control everything ## Version control everything
Not only will we version control our source code, but we will integrate version control at the core of NixiN, so that all the user configurations generated when using NixiN will be stored in a version control repository.
## CI/CD ## CI/CD
## Focus on user experience ## Focus on user experience
## Prioritize security ## Prioritize security
ToDo: only open ports that are strictily necessary on the public interface. go through a VPN for everything else - only open ports that are strictly necessary on the public interface. go through a VPN for everything else
ToDo: use fail2ban or reaction - use fail2ban or reaction
ToDo: passwords manager - use a passwords manager
- ...
## No premature performance optimization ## No premature performance optimization
Use best practices to write efficient code but do not write overly complicated solutions based on a-priori thinking of performance issue. Use best practices to write efficient code but do not write overly complicated solutions based on a-priori thinking of performance issue.
Only optimize what has been tested to be an issue. Only optimize what has been tested to be an issue.
## Do fast prototypes and releases cycles. ## Do fast prototypes and release cycles.
Even though we think that Rust would be a better language for developing the tools of the project we are starting the first version using Go because it is faster to develop with it and easier to find contributors with this languages. Even though we think that Rust would be a better language for developing the backend components of the project, we are starting the first version using Go because it is faster to develop with it and easier to find contributors with this languages.
## ToDo
favor modern filesystems with snapshoting capability like zfs and btrfs
## To flake or not to flake? ## To flake or not to flake?
There is a bit of controversy around flakes. They bring some interesting convenience when using NixOS and have spawned an extensive ecosystem. But they are not without drawbacks. We have decided to not use flakes for now. But we'll keep our architecture open for the users who want to use them. There is a bit of controversy around flakes. They bring some interesting convenience when using NixOS and have spawned an extensive ecosystem. But they are not without drawbacks. We have decided to not use flakes for now. But we'll keep our architecture open for the users who want to use them.
## There is only one timezone ## There is only one timezone
Experience has shown that using multiple time-zones for the servers of an infrastructure is a recipe for disaster. Experience has shown that using multiple time-zones for the servers of an infrastructure is a recipe for disaster.
Also, using the timezone of one country for an international project is a source of confusion and headaches. Also, even if using a single time zone, using the timezone of one country for an international project is a source of confusion and headaches for people.
Especially when that timezone is subject to daylight saving changes that are causing the clock to jump 1 hour forward or backward twice a year. Especially when that timezone is subject to daylight saving changes that are causing the clock to jump 1 hour forward or backward twice a year.
The only sensible choice is to set the servers time to UTC and to transalte the timestamps to the user's timezone when displaying them on an interface. The only sensible choice is to set the servers time to UTC and to translate the timestamps to the user's timezone when displaying them on an interface.
This is strongly opinion based. We may not not all agree on the subject. This is why we will make sure that it is easy for the users to choose their prefered timezone for setting up their servers. This is strongly opinion based. We may not not all agree on the subject. This is why we will make sure that it is easy for the users to choose their preferred time zone for setting up their servers.