ccd8e800df
* hacking at dns * hack * hax * start dics! * hacking * feat: docs! --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
2.1 KiB
2.1 KiB
Goals
When I set about making this lab I had a number of goals - I wonder how well I will do 🤔?
A master list of ideas/goals/etc can be found at :octicons-issue-tracks-16: Issue #1
- :material-sword: Stability
NixOS stable channel for core services unstable for desktop apps/non-mission critical where desired. Containers with SHA256 pinning for server apps - 💋 KISS
Keep it Simple, use boring, reliable, trusted tools - not todays flashy new software repo - 💤 Easy Updates
Weekly update schedule, utilizing Renovate for updating lockfile and container images. Autoupdates enabled off main branch for mission critical. Aim for 'magic rollback' on upgrade failure - :material-cloud-upload: Backups
Nightly restic backups to both cloud and NAS. All databases to have nightly backups. Test backups regulary - 🔁 Reproducability
Flakes & Git for version pinning, SHA256 tags for containers. - ⏰ Monitoring
Automated monitoring on failure & critical summaries, using basic tools. Use Gatus for both internal and external monitoring - 📋 Continuous Integration
CI against main branch to ensure all code compiles OK. Use PR's to add to main and dont skip CI due to impatience - :material-security: Security
Dont use containers with S6 overlay/root (i.e. LSIO ❔{ title="LSIO trades security for convenience with their container configuration" }). Expose minimal ports at router, Reduce attack surface by keeping it simple, review hardening containers/podman/NixOS - :fontawesome-solid-martini-glass-citrus: Ease of administration
Lean into the devil that is SystemD - and have one standard interface to see logs, manipulate services, etc. Run containers as podman services, and webui's for watching/debugging - :simple-letsencrypt: Secrets
ssshh..
Sops-nix for secrets, living in my gitrepo. Avoid cloud services like I used in k8s (i.e. Doppler.io)