NiXium-org / NiXium

Open-Source Infrastructure as Code Management Solution for Multiple Systems designed to be reliable in mission-critical tasks on paranoid and high-security environment.
European Union Public License 1.2

Add my system #58

Open TanvirOnGH opened 2 weeks ago

TanvirOnGH commented 2 weeks ago

Once you have stabilized your infrastructure, I would like my system to be added there. I would really appreciate it.

Kreyren commented 2 weeks ago

Once you have stabilized your infrastructure, I would like my system to be added there. I would really appreciate it. -- @TanvirOnGH

Give me the result from nixos-generate-config for all systems you want to add and your home-manager.

Currently home-manager has to be implemented in the repository as I haven't yet figured out how to add it as a git sub-module in a sane way.

TanvirOnGH commented 2 weeks ago

here's my config: https://github.com/TanvirOnGH/nix-config

Kreyren commented 2 weeks ago

here's my config: TanvirOnGH/nix-config -- @TanvirOnGH (https://github.com/Kreyren/nixos-config/issues/58#issuecomment-2170938135)

I looked through the config and created tracking.

In terms of hardening I don't know what you are doing here: https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/hardened/systemd.nix -> Can you make a merge request that adds this to src/nixos/modules/system/systemd with explanations so that it can be processed?

In kernel hardening:

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/hardened/kernel.nix#L16 I don't know why you are loading this module

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/hardened/kernel.nix#L17-L50 please brainstorm

Auditing from https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/auditd.nix please brainstorm; per the reference provided in the README the audits should be on a remote server and I am currently unsure how that should be implemented.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/firewall.nix#L4-L8 dunno what this means

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/firewall.nix#L14 is there any reason to why you need this?

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/noexec.nix -> please brainstorm; nixium uses impermanence for all systems, which stores persistent files in /nix/persist, and additionally users probably want to be able to execute stuff in their home directories.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/selinux.nix -> Please brainstorm; I don't like SELinux as I feel like its creators might have insider knowledge of its vulnerabilities that are not disclosed.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/system/nix/build-flags.nix#L3 -> Nixium uses the nixos substituters and considers them under sufficient scrutiny and transparency to be trusted.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/system/nix/cache.nix#L8 -> I don't think it's a good idea to use the community cache as any user can just inject stuff into the systems; I only tolerate that for user-level software atm.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/system/nix/flox.nix -- why?

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/system/nix/tweaks.nix#L3-L9 -- Automatic Updates are currently being reworked as on thin clients they eat too much processing resources: each time the timer triggers it downloads the repository and then processes it to know whether it needs to update. I want to make it check the latest commit against itself, for which we need our own git forge (gitea) with automation that I am working on rn.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/patches/cap_sys_nice_begone.patch -- Don't know why this is needed.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/configs/monero.json -- This approach likely won't work in nixium as we have a lot of automation and management to e.g. disable impermanence for a set system etc., so we need the logical gates.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/containers/docker/ollama.nix -- Ollama is currently projected to be on the MRACEK system as a nixos service, but I would rather put that on your AI server as it saves me a lot of pain designing one myself, and MRACEK doesn't have the needed resources to do complex tasks (it's 4 cores with a GTX1050M, designed as a control server to be super energy efficient). For open-webui I am waiting for at least another week before it can be added, as the maintainers are currently doing a lot of changes to the package and it's been added to unstable very recently, see https://github.com/NixOS/nixpkgs/pull/316248

I will work on adding your systems in; please make backups of all data that you want to keep, as all systems in nixium are installed with disko, meaning that you get nixos installation media and are expected to perform a reinstall of the whole system. After that your systems will be rebuilt on new relevant commits and on demand (I want to automate this later as I am adjusting the individual hardware for this workload).

Beyond that, feel free to fix FIXME tags without consultation; these are always up for grabs, and there are currently 40+ issues that you can help with, where the current run milestone is my priority.
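The review above rejects the community cache (cache.nix) while trusting the nixos substituters and warns about users injecting store paths. As an added illustration, not code from either repository, the NixOS fragment below shows the weak pattern beside a locked-down one; the community cache URL and key are constructed placeholders, and `nix.settings.*` option names are the standard nixpkgs ones.

```nix
# Added example, not part of NiXium or TanvirOnGH/nix-config.
# Demonstrates why a system-wide community cache widens the trust boundary
# and how to keep substitution limited to the official cache.
{ config, lib, pkgs, ... }:

{
  # --- WEAK: every build on the host will accept paths signed by a third
  # party, so whoever can push to that cache can ship binaries to the system.
  # (placeholder URL/key, constructed for this example)
  # nix.settings = {
  #   substituters        = [ "https://cache.nixos.org" "https://community-cache.example/cache" ];
  #   trusted-public-keys = [
  #     "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
  #     "community-cache.example-1:PLACEHOLDER_PUBLIC_KEY="
  #   ];
  #   trusted-users = [ "root" "@wheel" ];   # wheel users may add ANY substituter/key at build time
  # };

  # --- HARDENED: only the official cache is trusted system-wide.
  nix.settings = {
    substituters        = [ "https://cache.nixos.org" ];
    trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];

    # Only root is a trusted user. Non-trusted users cannot override
    # substituters or trusted-public-keys via --option; they may only pick
    # from trusted-substituters, which stays empty here.
    trusted-users        = [ "root" ];
    trusted-substituters = [ ];

    # Restrict who can talk to the daemon at all (user-level software is
    # handled separately, matching the "tolerated for user-level only" stance).
    allowed-users = [ "root" "@wheel" ];

    # Reject any unsigned path, even from a trusted user.
    require-sigs = true;
  };
}
```

With this in place a user-level tool can still consume a community cache inside its own profile if the user adds it in their own nix.conf, but it cannot be pulled into the system closure during nixos-rebuild.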

TanvirOnGH commented 2 weeks ago

Not all configurations are currently in use; some are included for future reference. See imports.nix.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/firewall.nix#L14 is there any reason to why you need this?

This was for testing purposes. It's not needed anymore, so I’ve disabled it.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/system/nix/cache.nix#L8 -> I don't think it's a good idea to use the community cache as any user can just inject stuff into the systems; I only tolerate that for user-level software atm.

I’ve removed it. How about using trustix?

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/selinux.nix -> Please brainstorm; I don't like SELinux as I feel like its creators might have insider knowledge of its vulnerabilities that are not disclosed.

How about an alternative, e.g. AppArmor, grsecurity/PaX, Firejail, RBAC?

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/noexec.nix -> please brainstorm; nixium uses impermanence for all systems, which stores persistent files in /nix/persist, and additionally users probably want to be able to execute stuff in their home directories.

Got the idea from Xe's blog: Paranoid NixOS Setup.

Auditing from https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/auditd.nix please brainstorm; per the reference provided in the README the audits should be on a remote server and I am currently unsure how that should be implemented.

Got the idea from Xe's blog: Paranoid NixOS Setup.

https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/patches/cap_sys_nice_begone.patch -- Don't know why this is needed.

This is related to my first sentence about future use/reference. Additionally:

[image]

About Ollama and Open-WebUI

I prefer to build Docker images from their respective git sources to utilize the latest features.

Kreyren commented 2 weeks ago

I’ve removed it. How about using trustix?

Make an issue about it in the repository

How about an alternative, e.g. AppArmor, grsecurity/PaX, Firejail, RBAC?

Each feels like balancing benefits with side effects atm.. needs more research, while nixos provides usable defaults -> Make an issue for it?

Got the idea from Xe's blog: Paranoid NixOS Setup.

Yes, that's what I was referring to; they make a case for audits on a remote server, which needs hardware adjustments here.

This is related to my first sentence about future use/reference. Additionally:

Noted.. if you want that implemented/brainstormed then make an issue about it in this repo.

I prefer to build Docker images from their respective git sources to utilize the latest features.

NiXium is built for a mission-critical environment, so it's using older hardware and software. This needs to be brainstormed so that we can figure out how to sanitize it if it's meant to be used infrastructure-wide; otherwise we can do adjustments to docker, but if there are some needed features it would be better to implement it as e.g. an ollama-next package in nixos-stable. -> make an issue for it?

Kreyren commented 2 weeks ago

Cross-referencing: https://github.com/Kreyren/nixos-config/issues/16 for the remote audits.

It still needs more work to be usable atm.

Kreyren commented 2 weeks ago

Please note that there is likely going to be a delay (~1 week) on integrating your system due to events in https://github.com/matrix-org/matrix-spec/issues/975#issuecomment-2172445489 to prioritize security for a critical component.

Kreyren commented 1 week ago

On current run