Hi all, my apologies that this will be a little wordy due to the backstory. At my company I’m pretty much solely in charge of about 120 machines, 99% of which run Linux, including the employee workstations. Historically we’ve been a heavy CentOS (now Alma) shop, with just a couple of other Linux distributions in use on a handful of machines. I run my own data-center internally with offsite infrastructure being my fail-over solution. We have triple-redundant Internet connectivity, triple-redundant HVAC and triple-redundant power and it’s been extremely reliable for me over the last 20 years with no data loss, no security incidents and nearly zero downtime.
All that said, I’m contemplating moving the servers offsite so that some outside provider can deal with any hardware issues and upgrades, leaving me to deal solely with network design, OS maintenance and service config and support. In the process of moving, I thought that re-deploying everything under NixOS would help me to keep it all manageable.
I’ve been using NixOS for about a year now on a number of personal machines, as well as some employee laptops, and I’ve been able to accomplish what I set out to do in all those scenarios, so I’ve got some confidence going with it. That said, I noticed while I was attempting to duplicate one of our more complicated servers offsite with NixOS that a few of the packages were unmaintained.
I’m a stickler for security, and historically I have religiously updated any services and packages we utilize in a very rapid fashion. I’d like to bring that same mentality forward with me into NixOS, but as a single Systems Administrator, I’m wondering if it’s feasible for me to track all the packages I’ll be using in NixOS and then rapidly and manually update them when security or bug fixes are announced upstream. One example package I ran into yesterday was Apache Solr, which appears to be unmaintained, so maybe that’s a good example.
TLDR: I don’t have any experience with what it would take to personally maintain my own set of package updates for NixOS and I’m wondering if it would be possible for me, as a single sys-admin, to guarantee a high level of system security when using NixOS to natively provide services to external parties over the Internet. Would I instead be stuck with utilizing containers for any external facing service, in order to make rapid updates manageable?
PS: I’m also nervous that besides Vulnix there doesn’t appear to be much support for using automated tools to double-check the security posture of NixOS installations, except for maybe generic port scanning and the like.
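The kind of per-package pin the question is about, as an added example rather than anything from the original post: a nixpkgs overlay that moves the Solr package to a newer upstream release than the one in nixpkgs, so a security fix can be deployed without waiting for the nixpkgs expression to be updated. It assumes the `solr` attribute is a plain `stdenv.mkDerivation` built from a `fetchurl` tarball (check with `nix edit nixpkgs#solr` before relying on that), and the version, URL pattern and hash are placeholders.

```nix
# Added example, not part of the original post. Save as solr-overlay.nix and
# wire it in from configuration.nix with:
#   nixpkgs.overlays = [ (import ./solr-overlay.nix) ];
# ASSUMPTIONS: nixpkgs' `solr` is a stdenv.mkDerivation with a fetchurl src;
# VERSION, the download URL pattern and the hash below are placeholders.
final: prev: {
  solr = prev.solr.overrideAttrs (old: rec {
    # Placeholder: the upstream release that carries the fix you want.
    version = "9.X.Y";

    # Assumed upstream URL layout; confirm it against the release announcement.
    src = prev.fetchurl {
      url = "https://archive.apache.org/dist/solr/solr/${version}/solr-${version}.tgz";
      # Placeholder hash. Nix will refuse to build until this matches the real
      # tarball, so a swapped or corrupted download fails closed instead of
      # silently ending up on an Internet-facing host.
      hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    };

    # If the original expression sets `name` directly instead of pname/version,
    # update it too so the store path and `nix-env` output reflect the new release.
    name = "solr-${version}";
  });
}
```

After `nixos-rebuild switch`, run `vulnix --system` so the scan covers the rebuilt closure and confirms the advisory no longer matches the deployed Solr version.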