One more project 
16 Likes
I wonder if we can make a home for opinionated configs in the Nixpkgs repo. If certain modules had their opinions/ideologies documented, it might be possible.
I think this kind of system could eventually evolve into taking the place of distro flavors.
8 Likes
It’s me or when using srvos.nixosModules.server, something is running shellcheck?
It complains about a pre-start script that might be generated by using virtualisation.oci-containers.containers.<name>.login. which translate to something like:
podman rm -f something || true
cat /run/secrets/gitlab | \
podman login [...]
Sounds good; that would be a bit like Ubuntu and all its flavours.
The main reason it’s outside is because it allows us to iterate faster. In general, I think it’s a good strategy: experiment outside of nixpkgs, and then integrate. And also because there is no official place to put the distro flavours in nixpkgs.
If anybody wants to work on this, I don’t think the contributors to SrvOS would mind.
I don’t think so. Do you mind opening an issue with the details?
1 Like
My bad. It was caused by updating nixpkgs (0cbe9f69 → fa804edf). I’ll test and report it.
EDIT: seems to be fixed by nixos/virtualization: fix shellcheck login · NixOS/nixpkgs@2ed7a5a · GitHub
1 Like
Are you planning to push the changes “upstream” when possible?
Like the openssh “hardened” options might be good enough for nixos “vanilla”.
We already do it in practice. It depends on the level of effort that’s required. By default, upstream first. And then there is a gradient of difficulty, up to: we have to change all of the computing industry first.
By default, NixOS has to be more lax because it has to work in a wider set of environments. In SrvOS we can assume that none of our servers will require OpenSSH password authentication. We know that all our SSH clients are modern so we can reduce the supported cypher list.
5 Likes
What about using the existing nixos/modules/profiles directory?
Yes maybe. The SrvOS profiles are a bit larger than what exists in that folder right now.