jsutter/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add development standards and procedures for app deployment

Browse source 
- Add curl timeout requirement (5 seconds)
- Add comprehensive 8-step workflow for new application deployment
- Add troubleshooting procedures for domain availability and SSL certs
- Add infrastructure roadmap for Borg backup server and sops-nix
- Update README with session start protocol and infrastructure tasks
This commit is contained in:
Julian Sutter 2026-02-16 22:05:18 -08:00
parent 12bb7b0eac
commit 7c014f6534
2 changed files with 101 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

17
README.md
View file

@ -1,7 +1,7 @@
# NixOS Configuration Repository # NixOS Configuration Repository
## Session Start Protocol ## Session Start Protocol
Always begin by reading agents.md for workflow instructions. Always begin by reading agents.md for workflow instructions and development standards.
## System Installation ## System Installation
@ -37,3 +37,18 @@ nixos-install --flake .#<name> --no-root-password --impure
nixos-enter --root '/mnt' nixos-enter --root '/mnt'
passwd jsutter passwd jsutter
``` ```
## Infrastructure Roadmap
### Planned Work
#### Borg Backup Server
- Set up a dedicated Borg backup server for automated backups
- Configure backup schedules for critical systems
- Implement retention policies and pruning rules
#### Secrets Management with sops-nix
- Implement sops-nix for secrets management
- Move all hardcoded secrets from server configs into sops-nix
- Set up encryption keys and key rotation policies
- Document the secrets management workflow

88
agents.md
View file

@ -23,11 +23,93 @@
4. Check success message: `"Done. The new configuration is /nix/store/..."` 4. Check success message: `"Done. The new configuration is /nix/store/..."`
## Important ## Important
- Server configs may contain hardcoded credentials - use agenix or systemd credentials for production - Server configs may contain hardcoded credentials
- **Always carefully inspect the NixOS wiki for instructions before adding new applications to the repo** - Always carefully inspect the NixOS wiki for instructions before adding new applications to the repo
- Both warp and skip build successfully - Do not editorialize or pass judgement. Be a robot.
- Repository root: `/home/jsutter/src/nixos` - Repository root: `/home/jsutter/src/nixos`
## Development Standards
### curl Usage
When using curl commands, always set a timeout to 5 seconds:
```bash
curl --max-time 5 <url>
# or
curl -m 5 <url>
```
## Procedures
### Adding a New Application to the Repository
1. **Gather Requirements**
- Ask the user what server to deploy to
- Ask the user what domain name the app will be available on
2. **Research and Planning**
- Build a brief plan to construct the app
- Review the NixOS wiki (https://nixos.org/nixos/manual/) to see if packages are available
- Check for existing NixOS modules or services that can be used
- Identify dependencies and configuration requirements
3. **Implementation**
- Follow the plan constructed in step 2
- Add the necessary configuration to the appropriate server file in `servers/`
- Include nginx reverse proxy configuration if the app needs to be accessible via HTTP/HTTPS
- Add any required firewall rules, services, or users
4. **Local Testing**
- Test the build locally: `nixos-rebuild build --flake .#<system>`
- Refine the configuration until the build succeeds
- Review the generated configuration for correctness
5. **Remote Deployment**
- Push the repo to the remote machine: `git push origin master`
- SSH to the target server
- Pull the changes: `cd ~/src/nixos && git pull origin master`
- Build and switch to the new config: `sudo nixos-rebuild switch --flake .#`
6. **Verification**
- Ensure the service is available on the chosen domain
- Ensure the certificate is issued by Let's Encrypt (check with: `openssl s_client -connect <domain>:443 | openssl x509 -noout -issuer`)
- Test basic functionality of the application
7. **Troubleshooting**
- If the app isn't available on the chosen domain:
- Check service status: `systemctl status <service>`
- Check nginx logs: `journalctl -u nginx -f`
- Check application logs: `journalctl -u <service> -f`
- Verify DNS resolution
- Check firewall rules
- Verify nginx configuration syntax: `nginx -t`
- If the certificate isn't issued by Let's Encrypt:
- Check ACME challenge configuration
- Verify domain ownership record
- Check Let's Encrypt logs: `journalctl -u certbot -f`
- Manually trigger certificate renewal if needed
8. **Process Improvement**
- After successful deployment, propose 3 suggestions to add to agents.md that would help with future deployments:
1. [Specific pattern or configuration approach discovered]
2. [Common pitfall to avoid]
3. [Useful command or tool discovered]
### Infrastructure Tasks
#### Planned Work
1. **Borg Backup Server**
- Set up a dedicated Borg backup server for automated backups
- Configure backup schedules for critical systems
- Implement retention policies and pruning rules
2. **Secrets Management with sops-nix**
- Implement sops-nix for secrets management
- Move all hardcoded secrets from server configs into sops-nix
- Set up encryption keys and key rotation policies
- Document the secrets management workflow
## Remote System Management ## Remote System Management
### Access Systems ### Access Systems