15
README.md
15
README.md
@@ -3,8 +3,7 @@
|
|||||||
This repository contains the flake required to build critical and personal
|
This repository contains the flake required to build critical and personal
|
||||||
infrastructure running NixOS. The setup can be explored as follows.
|
infrastructure running NixOS. The setup can be explored as follows.
|
||||||
|
|
||||||
This repo supports `x86_64-linux` and `aarch64-linux`, and in theory supports
|
This repo supports `x86_64-linux` and (theorically) `aarch64-linux`.
|
||||||
Mac (althought that hasn't been tested).
|
|
||||||
|
|
||||||
## Setting Up
|
## Setting Up
|
||||||
|
|
||||||
@@ -21,15 +20,17 @@ for further information.
|
|||||||
|
|
||||||
## Repo Structure
|
## Repo Structure
|
||||||
|
|
||||||
|
- `docs/`: public documentation, including contributors and setup guides
|
||||||
|
- `hydra/`: hydra configuration, used for our CI/CD
|
||||||
- `keys/`: PGP public keys, for those who are using `SOPS` for secrets
|
- `keys/`: PGP public keys, for those who are using `SOPS` for secrets
|
||||||
|
- `lib`: custom nix library functions, including general utility functions and
|
||||||
|
dynamic system construction
|
||||||
- `modules/`: Nix modules created by us for common services or overrides
|
- `modules/`: Nix modules created by us for common services or overrides
|
||||||
(fail2ban, hydra, certain boot params, etc.)
|
(fail2ban, hydra, certain boot params, etc.)
|
||||||
- `systems/`: config for common *server* components, as well as per-server configurations
|
- `systems/`: config for common *server* components, as well as per-server configurations
|
||||||
- `users/`: this directory has two major subdirectories, both are critical
|
- `users/<user>/`: includes per-user configs for `home-manager`, `SOPS`, and
|
||||||
- `users/<user>`: includes configs for `home-manager`, `SOPS`, and `SSH` keys
|
`SSH` keys
|
||||||
, for those who use them
|
- `utils/`: utility scripts primarily used for dependency updates
|
||||||
- `users/<user>/systems`: functions similarly to `systems/`, although for
|
|
||||||
laptops, desktops, and even a Raspberry Pi now
|
|
||||||
|
|
||||||
## Contributing
|
## Contributing
|
||||||
|
|
||||||
|
|||||||
@@ -2,25 +2,26 @@
|
|||||||
|
|
||||||
## Preliminary info
|
## Preliminary info
|
||||||
|
|
||||||
This repository is written using nix-flakes on nix-unstable all the way
|
This repository is written using nix flakes on nix-unstable all the way
|
||||||
through. We do not currently have a way to provide support for NixOS stable
|
through. We do not currently have a way to provide support for NixOS stable
|
||||||
releases and nor do we plan to (please open an issue if that
|
releases and nor do we plan to (please open an issue if that
|
||||||
is a breaking issue so we can better understand your use-case).
|
is a breaking issue so we can better understand your use-case).
|
||||||
|
|
||||||
## Style Guide
|
## Pre-commit hooks
|
||||||
|
|
||||||
We do not currently have a set formatter, although work is being done to
|
We use pre-commit hooks for validating code before it is pushed into the repo.
|
||||||
narrow down our options. See
|
Please install `direnv` and run `direnv allow` in the project directory to
|
||||||
[our fork of the rfc-0101 repo](https://github.com/RAD-Development/rfc-0101).
|
add the pre-commit-hooks to your workflow. We will reject PRs if we notice
|
||||||
|
violations in the pre-commit checks.
|
||||||
|
|
||||||
## Active Development
|
## Active Development
|
||||||
|
|
||||||
To contribute to the repo, you can either ask to be provided a role
|
To contribute to the repo, you can either ask to have a role (for those who are
|
||||||
(for those who are adding machines to the repo), or fork the repo and open a PR
|
adding machines to the repo), or fork the repo and open a PR (for those who are
|
||||||
(for those who are making external contributions).
|
making external contributions).
|
||||||
|
|
||||||
Our main branch is protected (not even admins can directly push to main) and
|
Our main branch has branch-protection (not even admins can directly push to
|
||||||
all PRs require at least one approval. PRs which touch global files
|
main) and all PRs require at least one approval. PRs which touch global files
|
||||||
(`flake.nix`, `modules/`, `systems/configuration.nix`, `.sops.yaml`, etc)
|
(`flake.nix`, `modules/`, `systems/configuration.nix`, `.sops.yaml`, etc)
|
||||||
must have two approvals and may require more subject to the approvers discretion
|
must have two approvals and may require more subject to the approvers discretion
|
||||||
(ie. a change which affect all servers or users).
|
(ie. a change which affect all servers or users).
|
||||||
@@ -32,9 +33,9 @@ a strict standard, but if not followed will lead to questions from reviewers,
|
|||||||
and will eventually trip a check when merging to main.
|
and will eventually trip a check when merging to main.
|
||||||
|
|
||||||
| Branch Name | Use Case |
|
| Branch Name | Use Case |
|
||||||
|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| main | protected branch which all machines pull from, do not try to push directly |
|
| main | protected branch which all machines pull from, do not try to push directly |
|
||||||
| feature/\<item\> | \<item\> is a new feature being added to the repo, for personal or common use |
|
| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
|
||||||
| fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
|
| fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
|
||||||
| hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
|
| hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
|
||||||
| urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
|
| urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
|
||||||
@@ -49,7 +50,7 @@ auto-approved. However, for PR's affecting global files you need two
|
|||||||
approvals based on the latest commit (stale approvals will not work).
|
approvals based on the latest commit (stale approvals will not work).
|
||||||
|
|
||||||
In the event that quorum cannot be reached on approvals (specifically members
|
In the event that quorum cannot be reached on approvals (specifically members
|
||||||
that cannot approve who normally would), the PR will be placed on-hold unless
|
that cannot approve who normally would), the PR will be marked as *draft* unless
|
||||||
a member who is unable to approve defers their approval power. This deferral
|
a member who is unable to approve defers their approval power. This deferral
|
||||||
must be publicly acknowledged in the PR and confirmed by another member.
|
must be publicly acknowledged in the PR and confirmed by another member.
|
||||||
This process essentially acknowledges that at least two people besides the
|
This process essentially acknowledges that at least two people besides the
|
||||||
|
|||||||
Reference in New Issue
Block a user