ephemeral state is automatically provisioned #314

Open
opened 2025-04-19 13:03:25 +02:00 by kiara · 1 comment
Owner

our current setup has left many things hard-coded, whereas in practice there is quite some ephemeral state that should likely be generated, whether sensitive or not.

this includes at least:

- [x] [automating `generate-vars`](https://github.com/Lassulus/vars/issues/5)
- [ ] implement vars openbao back-end (c.f. #493)
- [ ] needed to facilitate contributions (#288)
  - [ ] name servers - make configurable (offering a default)?
  - [ ] users (developers, shared account) - see clan modules `root-password` / `user-password`
- [ ] needed for security (#291)
  - [ ] SSL credentials (see selfhostblocks' [SSL contract](https://shb.skarabox.com/contracts-ssl.html) or openbao's [PKI secrets engine](https://openbao.org/docs/secrets/pki/)) (#87)
  - [ ] garage credentials
  - [ ] machine SSH keys ((`test-`)`machines/`) - see clan module `sshd` or openbao's [PKI secrets engine](https://openbao.org/docs/secrets/pki/)
  - [ ] service credentials (current `age` secrets)
- [ ] needed to streamline dev-ops (#224)
  - [ ] NixOS `system.stateVersion` - see clan module `state-version`
- ~~#116: needed to automatically test proxmox~~
- [ ] prevent clashes between applications
  - [ ] ports: [alloc](https://discourse.nixos.org/t/alloc-nix-a-tool-to-help-you-allocate-ranges-to-services/72603)?

state scenarios:

| destination | sensitive | storage | distribution |
|---|---|---|---|
| orchestration | * | openbao | nimbolus |
| build | no | (depends on source) | build |
| system | no | on-machine | vars |
| system | yes | on-machine (vars) -> openbao | vars -> openbao? |
| service | no | on-machine | (nix-templating +) vars |
| service | yes | on-machine (vars) -> openbao | (nix-templating +) vars -> systemd-openbao |

| destination | unsensitive | sensitive |
|---|---|---|
| orchestration | TF state | TF state |
| build | | n/a |
| system | vars | openbao? |
| service (nix-templating +) | vars | systemd-openbao |

| info | sensitive | destination | source | goal |
|---|---|---|---|---|
| MAC address | no | build | provisioning | #116 provisioning |
| IP address | no | build | provisioning | #116 provisioning |
| architecture | no | build | provisioning | #116 provisioning |
| gateway | no | build | provisioning | #116 provisioning |
| hardware | no? | build | `nixos-facter` | #116 provisioning |
| authorized SSH keys | no | system | config: host | #116 provisioning |
| TLS/SSL certificates | yes | service | bao PKI | #116 provisioning |
| SSH keys | yes | system | bao PKI / vars `sshd` | #291 security |
| service credentials | yes | service | vars? | #291 security |
| `system.stateVersion` | no | build | vars `state-version` | #224 devops |
| name servers | no | build | config: operator | #288 contributions |
| user credentials | yes | build? | vars `{root,user}-password` | #288 contributions |
Author
Owner

clan's [vars](https://clan.lol/blog/vars/) (+ [templating](https://github.com/Lassulus/nix-templating)) may help generate these, and supports different [back-ends](https://docs.clan.lol/manual/vars-backend/) (could be used with openbao / even TF state?).

clan further implemented [modules](https://docs.clan.lol/reference/clanModules/) using this like:

- general
  - `state-version`
  - `machine-id`
  - `disk-id`
  - `root-password`
  - `user-password`
- service-specific
  - `sshd`
  - `garage`

edit: (untested) ~~[attempt](https://git.clan.lol/clan/clan-core/compare/main...kiara/clan-core:decouple-ephemeral)~~ [PR](https://github.com/Lassulus/vars/pull/12) to decouple those modules from clan using [vars](https://github.com/Lassulus/vars)

`mrVanDalo/clan-vars-generators` [contains](https://github.com/mrVanDalo/clan-vars-generators/tree/main/lib/generators):

- `matrix-synapse`
- `nix-serve`
- `openssh`
- `syncthing`
- `tinc`
- `tor`
- `wireguard`
- `xkcdpass`
- `zfs`
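To make the sensitive / unsensitive split from the tables above concrete, here is a sketch of a clan vars generator that emits one value of each kind and a service that consumes them. This is an added example, not code from this issue, from clan-core, or from mrVanDalo/clan-vars-generators; it assumes the `clan.core.vars.generators` option interface (`files.<name>.secret`, `runtimeInputs`, a `script` writing into `$out`, and `files.<name>.value` / `.path` for consumption) as described in the clan vars documentation, and the generator name `example-service` and its two file names are made up for illustration.

```nix
# Added example (assumed option names, see lead-in); not part of the issue or the clan project.
{ config, pkgs, ... }:
{
  clan.core.vars.generators.example-service = {
    # Non-sensitive state: a stable, generated instance id. It may be stored in
    # the repository in the clear and is readable at evaluation time via `.value`.
    files.instance-id.secret = false;

    # Sensitive state: a service credential. `secret = true` (the default) means
    # the chosen vars back-end encrypts it at rest and only materialises the
    # plaintext on the target machine at activation; it never enters the Nix store.
    files.admin-password.secret = true;

    runtimeInputs = [ pkgs.coreutils pkgs.xkcdpass ];

    # Runs once per machine; existing files are kept on later runs, so the
    # values behave like persisted state rather than being regenerated each deploy.
    script = ''
      head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$out"/instance-id
      xkcdpass -n 6 -d - > "$out"/admin-password
    '';
  };

  systemd.services.example-service = {
    # Non-secret output is fine to read at evaluation time and bake into the unit.
    environment.INSTANCE_ID =
      config.clan.core.vars.generators.example-service.files.instance-id.value;

    serviceConfig = {
      # The secret is only referenced by its on-machine path and handed to the
      # service through systemd credentials, so the unit file itself carries no secret.
      LoadCredential = [
        "admin-password:${config.clan.core.vars.generators.example-service.files.admin-password.path}"
      ];
      DynamicUser = true;
    };

    script = ''
      echo "starting instance $INSTANCE_ID"
      # the credential is readable at "$CREDENTIALS_DIRECTORY"/admin-password
    '';
  };
}
```

The point of the split is that the storage and distribution path follows the `secret` flag: the non-secret file can travel with the configuration (the "vars" column), while the secret file goes through whichever encrypted back-end is configured (the "openbao?" / "systemd-openbao" column) and is only ever referenced by path.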
kiara added this to the Fediversity project 2025-04-19 13:08:59 +02:00
kiara added the `type: task` label 2025-05-01 12:00:09 +02:00
kiara added a new dependency 2025-06-03 14:22:38 +02:00
kiara changed title from generating ephemeral state to ephemeral state is automatically provisioned 2025-06-03 14:23:50 +02:00
kiara added a new dependency 2025-06-03 14:24:45 +02:00
kiara removed this from the Fediversity project 2025-06-10 19:07:14 +02:00
kiara added a new dependency 2025-07-30 09:04:50 +02:00
kiara added a new dependency 2025-09-11 19:29:01 +02:00
kiara added this to the Fediversity project 2025-11-17 15:38:52 +01:00
kiara added the `34 points` label 2025-12-02 22:33:16 +01:00
Reference: fediversity/fediversity#314