Goals
When I set about making this lab I had a number of goals. I wonder how well I will do?
A master list of ideas/goals/etc can be found at Issue #1
- Stability: NixOS stable channel for core services, unstable for desktop apps and non-mission-critical things where desired. Containers with SHA256 pinning for server apps.
- KISS: Keep it simple. Use boring, reliable, trusted tools, not today's flashy new software repo.
- Easy Updates: Weekly update schedule, using Renovate to update the lockfile and container images. Auto-updates enabled off the main branch for mission-critical services. Aim for 'magic rollback' on upgrade failure.
- Backups: Nightly restic backups to both cloud and NAS. All databases to have nightly backups. Test backups regularly.
- Reproducibility: Flakes and Git for version pinning, SHA256 tags for containers.
- Monitoring: Automated monitoring on failure, plus critical summaries, using basic tools. Use Gatus for both internal and external monitoring.
- Continuous Integration: CI against the main branch to ensure all code compiles OK. Use PRs to add to main and don't skip CI due to impatience.
- Security: Don't use containers with the S6 overlay or that run as root (i.e. LSIO). Expose minimal ports at the router. Reduce attack surface by keeping it simple, and review hardening for containers, podman and NixOS.
- Ease of administration: Lean into the devil that is systemd, and have one standard interface to see logs, manipulate services, etc. Run containers as podman services, with web UIs for watching and debugging.
- Secrets (ssshh..): sops-nix for secrets, living in my git repo. Avoid cloud services like I used in k8s (i.e. Doppler.io).
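As an added illustration (not configuration from this repo) of how the Security and Ease of administration goals combine in one NixOS container declaration: podman as the backend so the container becomes a `podman-<name>.service` systemd unit, the image pinned by digest for Renovate to bump, a non-root user inside the container, and the port bound only on loopback. The image name, UID/GID and the digest placeholder are assumptions.

```nix
{ config, ... }:
{
  # Podman rather than Docker: each declared container becomes a systemd unit
  # (podman-whoami.service here), so systemctl/journalctl is the one interface.
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  virtualisation.oci-containers.containers.whoami = {
    # Pin by digest, not only by tag; Renovate updates the digest via a PR.
    # The digest below is a placeholder, not a real value.
    image = "docker.io/traefik/whoami:v1.10@sha256:<DIGEST-FROM-RENOVATE>";

    # Run the process as an unprivileged user (assumed UID/GID 1000),
    # instead of an s6-overlay image that starts as root and drops later.
    user = "1000:1000";

    # Bind on loopback only; anything exposed at the router goes through
    # a reverse proxy, keeping the externally visible port set minimal.
    ports = [ "127.0.0.1:8080:80" ];

    # Extra podman run flags: no capabilities, read-only rootfs,
    # and no privilege escalation via setuid binaries.
    extraOptions = [
      "--cap-drop=ALL"
      "--read-only"
      "--security-opt=no-new-privileges"
    ];
  };
}
```

After a rebuild, `systemctl status podman-whoami.service` and `journalctl -u podman-whoami.service` give the single logs/services interface the goal describes.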