Dotnix follow-up

[Ra33it0]

Project Abstract

Dotnix is a collection of Nix packages and NixOS modules designed for creating and managing Polkadot/Kusama Validator Nodes, emphasizing both security and ease of use. This application is for a follow-up grant: https://github.com/w3f/Grants-Program/commit/0e034e3eb2179a60ac2a50cddc97be0edba1ec69

Grant level

• [ ] Level 1: Up to $10,000, 2 approvals
• [ ] Level 2: Up to $30,000, 3 approvals
• [ x ] Level 3: Unlimited, 5 approvals (for >$100k: Web3 Foundation Council approval)

Application Checklist

• [x] The application template has been copied and aptly renamed (project_name.md).
• [ x ] I have read the application guidelines.
• [ x ] Payment details have been provided (Polkadot AssetHub (USDC & DOT) address in the application and bank details via email, if applicable).
• [ x ] I understand that an agreed upon percentage of each milestone will be paid in vested DOT, to the Polkadot address listed in the application.
• [ x ] I am aware that, in order to receive a grant, I (and the entity I represent) have to successfully complete a KYC/KYB check.
• [ x ] The software delivered for this grant will be released under an open-source license specified in the application.
• [ x ] The initial PR contains only one commit (squash and force-push if needed).
• [ x ] The grant will only be announced once the first milestone has been accepted (see the announcement guidelines).

[ajk-code]

Hey there A couple of questions regarding this project, not sure I clearly understood while reading the application:

• In general, to me it sounds like an in-house deployment project, not something for a wider audience
• You mention as ecosystem fit 'people that want to host a validator, don't have the technical knowledge': Honestly I do not think someone without technical knowledge can deploy nixOS or nix packages on their machine. Installing docker on peoples notebooks with network bridges etc. might not be a good idea either. Copy/pasting from the polkadot wiki and using the parity repo is probably way easier, don't you think? A single line edit of the default config file is enough. If necessary in a VM for testing purposes.
• How is the system gonna be scanned for CVEs? What is this integrated scanner and which public CVE databases are used for the enrichment? How is an operator getting the result for high CVSS CVEs?
• How is usability improved by exposing the validator to polkadot.js?
• What is meant with polkadot.js in general? The libraries or the public frontend?
• What is the purpose of exposing a validators RPC in a 'validator' context? And why over VPN?
• Is the deliverable an OCI image or nix packages? Is is it podman compatible or docker only?
• Is dotnix gonna be available in the public nix repos (stable/unstable channels?)
• How is the polkadot binary built? From source, parity binaries or parity OCI/docker images?
• Is the secure validator mode supported? Referring to landlock/seccomp
• Is session key management somehow integrated apart from node key mgmt?
• How/who is gonna maintain this? What are the recurring costs?
• What about other standard security features such as selinux policies, secure boot, CIS compliance, fido2 authentication etc.?

Thank you