Add my system #58
Give me the result from
Currently home-manager has to be implemented in the repository as I haven't yet figured out how to add it as a git sub-module in a sane way.
here's my config: https://github.com/TanvirOnGH/nixos-config
I looked through the config and created tracking.

In terms of hardening I don't know what you are doing here: https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/hardened/systemd.nix -> Can you make a merge request that adds this to
In kernel hardening: https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/hardened/kernel.nix#L16 I don't know why you are loading this module
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/hardened/kernel.nix#L17-L50 please brainstorm
Auditing from https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/auditd.nix please brainstorm, per the provided reference in README the audits should be on a remote server and I am currently unsure how that should be implemented.
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/firewall.nix#L4-L8 dunno what this means
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/firewall.nix#L14 is there any reason why you need this?
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/noexec.nix -> please brainstorm, nixium uses impermanence for all systems which stores persistent files in
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/security/selinux.nix -> Please brainstorm, I don't like SELinux as I feel like its creators might have insider knowledge into its vulnerabilities that are not disclosed.
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/system/nix/build-flags.nix#L3 -> Nixium uses nixos substituters and considers them under sufficient scrutiny and transparency to be trusted.
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/system/nix/cache.nix#L8 -> I don't think it's a good idea to use the community cache as any user can just inject stuff into the systems, I only tolerate that for user-level software atm.
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/system/nix/flox.nix -- why?
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/system/nix/tweaks.nix#L3-L9 -- Automatic Updates are currently being reworked as on thin clients they eat too much processing resources: each time the timer triggers it downloads the repository and then processes it to know if it needs to update. I want to make it check the latest commit against itself, for which we need our own git forge (gitea) with automation that I am working on rn.
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/patches/cap_sys_nice_begone.patch -- Don't know why this is needed
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/configs/monero.json -- This approach likely won't work in nixium as we have a lot of automation and management to e.g. disable impermanence for a set system etc., so we need the logical gates
https://github.com/TanvirOnGH/nix-config/blob/nixos%2Bhome-manager/containers/docker/ollama.nix -- Ollama is currently projected to be on the MRACEK system as a nixos service, but I would rather put that on your AI server as it saves me a lot of pain designing one myself and MRACEK doesn't have the needed resources to do complex tasks (it's 4 cores with a GTX1050M, designed as a control server to be super energy efficient). For open-webui I am waiting for at least another week before it can be added as the maintainers are currently doing a lot of changes to the package and it's been added to unstable very recently, see NixOS/nixpkgs#316248

I will work on adding your systems in, please make backups of all data that you want to keep as all systems in nixium are installed with
Beyond that feel free to fix
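The cheaper update check described in the comment above (compare the latest remote commit against the local checkout instead of re-downloading and re-evaluating the repository on every timer tick) could be written like this in shell. This is an added example, not code from the NiXium repository or either participant; the repository path, the remote name `origin`, the branch name `main` and the rebuild step are all placeholders.

```shell
# Added example, not from the NiXium repository. Decide whether an auto-update
# timer has any work to do by comparing the local checkout's HEAD with the
# remote branch head. `git ls-remote` only transfers the ref list, so the
# timer avoids fetching and evaluating the whole repository when nothing changed.
# Assumed placeholders: repository path, remote name and branch name arguments.

# remote_head REPO_DIR REMOTE BRANCH: print the commit the remote branch points at
remote_head() {
  git -C "$1" ls-remote --heads "$2" "refs/heads/$3" | awk '{ print $1 }'
}

# local_head REPO_DIR: print the commit the local checkout is currently on
local_head() {
  git -C "$1" rev-parse HEAD
}

# needs_update REPO_DIR REMOTE BRANCH: exit 0 when the remote has moved on
# (an update run is needed), 1 when local and remote already match.
# An empty remote answer (network error, unknown branch) is treated as
# "no update" so an unreachable forge does not trigger a rebuild on every tick.
needs_update() {
  remote=$(remote_head "$1" "$2" "$3") || return 1
  current=$(local_head "$1") || return 1
  [ -n "$remote" ] && [ "$remote" != "$current" ]
}

# Example timer body: only fetch and rebuild when the remote commit differs.
# The echo stands in for the real rebuild step (e.g. nixos-rebuild), a placeholder.
update_if_needed() {
  if needs_update "$1" "$2" "$3"; then
    git -C "$1" pull -q --ff-only "$2" "$3"
    echo "updated to $(local_head "$1")"
  else
    echo "already up to date"
  fi
}
```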
Not all configurations are currently in use; some are included for future reference. See imports.nix.
This was for testing purposes. It's not needed anymore, so I’ve disabled it.
I’ve removed it. How about using trustix?
How about alternative e.g. AppArmor, grsecurity/PaX, Firejail, RBAC?
Got the idea from Xe's blog: Paranoid NixOS Setup.
Got the idea from Xe's blog: Paranoid NixOS Setup.
This is related to my first sentence about future use/reference. Additionally: about Ollama and Open-WebUI, I prefer to build Docker images from their respective git sources to utilize the latest features.
Make an issue about it in the repository
Each feels like balancing benefits with side effects atm.. needs more research while nixos provides usable defaults -> Make an issue for it?
Yes that's what i was referring to, they make a case for audits on a remote server that needs hardware adjustments here.
Noted.. if you want that implemented/brainstormed then make an issue about it in this repo
NiXium is built for a mission-critical environment so it's using older hardware and software, so this needs to be brainstormed so that we can figure out how to sanitize it if it's meant to be used infrastructure-wide; otherwise we can do adjustments to docker, but if there are some needed features it would be better to implement it as e.g.
Cross-referencing: https://github.com/Kreyren/nixos-config/issues/16 for the remote audits. It still needs more work to be usable atm.
Please note that there is likely going to be a delay (~1 week) on integrating your system due to events in matrix-org/matrix-spec#975 (comment) to prioritize security for a critical component.
On current run
@TanvirOnGH hm?
Once you have stabilized your infrastructure, I would like my system to be added there. I would really appreciate it.