From 2c323c7bb845c443f40eca412d4a8ad4397173b8 Mon Sep 17 00:00:00 2001 From: Nico Jensch Date: Fri, 23 Aug 2024 20:20:49 +0200 Subject: [PATCH] docs: even more updates and improvements --- .gitignore | 1 + README.md | 57 ++++-- SECURITY.md | 5 +- docs/src/code-of-conduct.md | 184 ++++++++++++++------ docs/src/common.md | 2 + docs/src/hosts/docker-proxied.md | 1 - docs/src/hosts/garuda-build.md | 8 +- docs/src/hosts/garuda-mail.md | 14 +- docs/src/hosts/immortalis.md | 53 +++++- docs/src/important-links.md | 1 + docs/src/nixos-containers/chaotic-v4.md | 6 + docs/src/nixos-containers/docker-proxied.md | 10 +- docs/src/nixos-containers/docker.md | 14 +- docs/src/nixos-containers/forum.md | 3 +- docs/src/nixos-containers/github-runner.md | 21 ++- docs/src/nixos-containers/lemmy.md | 2 +- docs/src/nixos-containers/mongodb.md | 2 + docs/src/nixos-containers/postgres.md | 5 + docs/src/nixos-containers/temeraire.md | 3 + docs/src/nixos-containers/web-front.md | 2 + docs/src/privacy-policy.md | 80 ++++++--- docs/src/repositories/general.md | 15 +- docs/src/repositories/pkgbuilds.md | 2 +- docs/src/users.md | 13 +- docs/src/users/current_users.md | 3 +- docs/src/websites/documentation.md | 33 ++-- 26 files changed, 401 insertions(+), 139 deletions(-) delete mode 100644 docs/src/hosts/docker-proxied.md diff --git a/.gitignore b/.gitignore index a8c1c69..bbba89a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ .direnv +.idea .pre-commit-config.yaml .vault_pass buildiso/** diff --git a/README.md b/README.md index 56cab8a..311ed9e 100644 --- a/README.md +++ b/README.md 
@@ -5,22 +5,28 @@ ## General information - Our current infrastructure is hosted in one of [these](https://www.hetzner.com/dedicated-rootserver/ax102). -- The only other server not being contained in this dedicated server is our mail server. -- Both servers are being backed up to Hetzner storage boxes via [Borg](https://www.borgbackup.org/). -- After multiple different setups, we settled on [NixOS](https://nixos.org/) as our main OS as it provides reproducible and atomically updated system states -- Most (sub)domains are protected by Cloudflare while also making use of its caching feature. +- The only other server not being contained in this dedicated server is our mail server, as well as a legacy build server. +- The first two mentioned servers are being backed up to Hetzner storage boxes via [Borg](https://www.borgbackup.org/). +- After multiple different setups, we settled on [NixOS](https://nixos.org/) as our main OS as it provides reproducible + and atomically updated system states +- Cloudflare protects Most (sub)domains while also making use of its caching feature. Exemptions are services such as our mail server and parts violating Cloudflares rules such as proxying Piped content. +- Cloudflare Access in combination with Cloudflared is used to secure access to high-risk services such as admin panels. ## Quick links - [Common maintenance tasks](https://docs.garudalinux.net/common) +- [Host: garuda-build](./hosts/garuda-build.md) - [Host: garuda-mail](https://docs.garudalinux.net/hosts/garuda-mail) - [Host: immortalis](https://docs.garudalinux.net/hosts/immortalis) ## Devshell and how to enter it -This NixOS flake provides a [devshell](https://github.com/numtide/devshell) which contains all deployment tools as well as handy aliases for common tasks. -The only requirement for using it is having the Nix package manager available. 
It can be installed on various distributions via the package manager or the following script ([click me for more information](https://zero-to-nix.com/start/install)): +This NixOS flake provides a [devshell](https://github.com/numtide/devshell) +which contains all deployment tools as well as handy aliases for common tasks. +The only requirement for using it is having the Nix package manager available. +It can be installed on various distributions via the package manager or the following +script ([click me for more information](https://zero-to-nix.com/start/install)): ```shell curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix -o nix-install.sh # Check its content afterwards 
@@ -34,19 +40,36 @@ nix develop # The intended way to use the devshell nix-shell # Legacy, non-flakes way if flakes are not available for some reason ``` -This also sets up pre-commit-hooks and shows the currently implemented tasks, which can be executed by running the command. +This also sets up pre-commit-hooks and shows the currently implemented tasks, which can be executed by running the +command. ```shell +🔨 Welcome to Garuda's infra-nix shell ❄️ + +[[general commands]] + + ansible-core - Radically simple IT automation + apply - Applies the infra-nix configuration pushed to the servers + clean - Runs the garbage collection on the servers + commitizen - Tool to create committing rules for projects, auto bump versions, and generate changelogs + deploy - Deploys the local NixOS configuration to the servers + manix - Fast CLI documentation searcher for Nix + mdbook - Create books from MarkDown + mdbook-admonish - Preprocessor for mdbook to add Material Design admonishments + mdbook-emojicodes - MDBook preprocessor for converting emojicodes (e.g. 
`: cat :`) into emojis 🐱 + menu - prints this menu + nixos-install-tools - The essential commands from the NixOS installer as a package + pre-commit - Framework for managing and maintaining multi-language pre-commit hooks + prettier - Prettier is an opinionated code formatter + rsync - Fast incremental file transfer utility + update - Performs a full system update on the servers bumping flake lock + [infra-nix] -ansible-core - Radically simple IT automation -apply - Applies the infra-nix configuration previously deployed to the servers -buildiso-local - Spawns a local buildiso shell to build to ./buildiso (needs Docker) -buildiso-remote - Spawns a buildiso shell on the iso-runner builder -clean - Runs the garbage collection on the servers -deploy - Deploys the local NixOS configuration to the servers -update - Performs a full system update on the servers by bumping flake lock -update-forum - Updates the Discourse container of our forum -update-toolbox - Updates the locked Chaotic toolbox commit and deploys the changes -update-website - Updates the locked website commit and deploys the changes + buildiso-local - Spawns a local buildiso shell to build to ./buildiso (needs Docker) + buildiso-remote - Spawns a buildiso shell on the iso-runner builder + ipv6-generator - Generates random IPv6 addresses in our /64 subnet to help rorating them + update-forum - Updates the Discourse container of our forum + update-toolbox - Updates the locked Chaotic toolbox commit and deploys the changes + ``` diff --git a/SECURITY.md b/SECURITY.md index 08586d4..2d1e6ee 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,5 +1,6 @@ # Security Policy -If any vulnerability or security flaw is discovered please contact us directly via [team@garudalinux.org](mailto:team@garudalinux.org). +If any vulnerability or security flaw is discovered, please contact us directly +via [team@garudalinux.org](mailto:team@garudalinux.org). -We will try to respond within 24-48 hours on a best-effort basis. +We will try to respond within 24–48 hours on a best-effort basis. diff --git a/docs/src/code-of-conduct.md b/docs/src/code-of-conduct.md index 4e6aad9..8f33ef7 100644 --- a/docs/src/code-of-conduct.md +++ b/docs/src/code-of-conduct.md @@ -1,6 +1,9 @@ # Garuda Linux Code of Conduct -Thank you for being a part of the Garuda Linux community. We value your participation and want everyone to have an enjoyable and fulfilling experience. Accordingly, all participants are expected to follow this Code of Conduct, and to show respect, understanding, and consideration to one another. Thank you for helping make this a welcoming, friendly community for everyone. +Thank you for being a part of the Garuda Linux community. We value your participation and want everyone to have an +enjoyable and fulfilling experience. Accordingly, all participants are expected to follow this Code of Conduct, and to +show respect, understanding, and consideration to one another. Thank you for helping make this a welcoming, friendly +community for everyone. ## Scope 
@@ -11,13 +14,22 @@ This Code of Conduct applies to all Garuda Linux community spaces, including, bu - Mailing `*@garudalinux.org` - Community spaces hosted on `garudalinux.org` infrastructure -Communication channels and private conversations that are normally out of scope may be considered in scope if a Garuda Linux participant is being stalked or harassed. Social media conversations may be considered in-scope if the incident occurred under a Garuda Linux related hashtag, or when an official Garuda Linux account on social media is tagged, or within any other discussion about Garuda Linux. The Garuda Linux's staff reserves the right to take actions against behaviors that happen in any context, if they are deemed to be relevant to the Garuda Linux project and its participants. +Communication channels and private conversations that are normally out of scope may be considered in scope if a Garuda +Linux participant is being stalked or harassed. Social media conversations may be considered in-scope if the incident +occurred under a Garuda Linux related hashtag, or when an official Garuda Linux account on social media is tagged, or +within any other discussion about Garuda Linux. The Garuda Linux's staff reserves the right to take actions against +behaviors that happen in any context, if they are deemed to be relevant to the Garuda Linux project and its +participants. -All participants in Garuda Linux community spaces are subject to the Code of Conduct. This includes founding members, staff members, corporate sponsors, and paid employees. This also includes volunteers, maintainers, leaders, contributors, contribution reviewers, issue reporters, Garuda Linux users, and anyone participating in discussion in Garuda Linux community spaces. +All participants in Garuda Linux community spaces are subject to the Code of Conduct. This includes founding members, +staff members, corporate sponsors, and paid employees. 
This also includes volunteers, maintainers, leaders, +contributors, contribution reviewers, issue reporters, Garuda Linux users, and anyone participating in discussion in +Garuda Linux community spaces. ## Reporting an Incident -If you believe that someone is violating the Code of Conduct, or have any other concerns, please contact . +If you believe that someone is violating the Code of Conduct, or have any other concerns, please +contact . ## Our Standards 
@@ -55,47 +67,77 @@ Behaviors that contribute to creating a positive environment include: - **Be friendly.** Use welcoming and inclusive language. - **Be empathetic.** Be respectful of others' viewpoints and experiences. - **Be respectful.** Express disagreements in a polite and constructive manner. -- **Be considerate.** Focus on what is best for the community. Keep discussions around technology choices constructive and respectful. Remember that decisions are often a difficult choice between competing priorities. -- **Be patient and generous.** If someone asks for help, it is because they need it. When documentation is available that answers the question, politely point them to it. If the question is off-topic, suggest a more appropriate online space to seek help. +- **Be considerate.** Focus on what is best for the community. Keep discussions around technology choices constructive + and respectful. Remember that decisions are often a difficult choice between competing priorities. +- **Be patient and generous.** If someone asks for help, it is because they need it. When documentation is available + that answers the question, politely point them to it. If the question is off-topic, suggest a more appropriate online + space to seek help. - **Try to be concise.** Read the discussion before commenting in order to not repeat a point that has been made. ## Inappropriate Behavior -We want all participants in the Garuda Linux community have the best possible experience they can. Community members asked to stop any inappropriate behavior are expected to comply immediately. +We want all participants in the Garuda Linux community have the best possible experience they can. Community members +asked to stop any inappropriate behavior are expected to comply immediately. 
Inappropriate behaviors include, but are not limited to: - **Deliberate intimidation, stalking, or following.** -- **Sustained disruption of online discussion, talks, or other events.** Sustained disruption of events, online discussions, or meetings, including talks and presentations, will not be tolerated. This includes 'Talking over' or 'heckling' event speakers or influencing crowd actions that cause hostility in event sessions. Sustained disruption also includes drinking alcohol to excess or using recreational drugs to excess, or pushing others to do so. -- **Harassment of people who don't drink alcohol or other legal substances.** We do not tolerate derogatory comments about those who abstain from alcohol or other legal substances. We do not tolerate pushing people to drink, talking about their abstinence or preferences to others, or pressuring them to drink - physically or through jeering. -- **Sexist, racist, homophobic, transphobic, ableist language or otherwise exclusionary language.** This includes deliberately referring to someone by a gender that they do not identify with, and/or questioning the legitimacy of an individual's gender identity. If you're unsure if a word is derogatory, don't use it. This also includes repeated subtle and/or indirect discrimination. -- **Unwelcome sexual attention or behavior that contributes to a sexualized environment.** This includes sexualized comments, jokes or imagery in interactions, communications or presentation materials, as well as inappropriate touching, groping, or sexual advances. Sponsors should not use sexualized images, activities, or other material. Meetup organizing staff and other volunteer organizers should not use sexualized clothing/uniforms/costumes, or otherwise create a sexualized environment. -- **Unwelcome physical contact.** This includes touching a person without permission, including sensitive areas such as their hair, pregnant stomach, mobility device (wheelchair, scooter, etc) or tattoos. 
This also includes physically blocking or intimidating another person. Physical contact without affirmative consent is not acceptable. This includes sharing or distribution of sexualized images or text. -- **Violence or threats of violence.** Violence and threats of violence are not acceptable - online or offline. This includes incitement of violence toward any individual, including encouraging a person to commit self-harm. This also includes posting or threatening to post other people's personally identifying information ("doxxing") online. -- **Influencing or encouraging inappropriate behavior.** If you influence or encourage another person to violate the Code of Conduct, you may face the same consequences as if you had violated the Code of Conduct. +- **Sustained disruption of online discussion, talks, or other events.** Sustained disruption of events, online + discussions, or meetings, including talks and presentations, will not be tolerated. This includes 'Talking over' or ' + heckling' event speakers or influencing crowd actions that cause hostility in event sessions. Sustained disruption + also includes drinking alcohol to excess or using recreational drugs to excess, or pushing others to do so. +- **Harassment of people who don't drink alcohol or other legal substances.** We do not tolerate derogatory comments + about those who abstain from alcohol or other legal substances. We do not tolerate pushing people to drink, talking + about their abstinence or preferences to others, or pressuring them to drink - physically or through jeering. +- **Sexist, racist, homophobic, transphobic, ableist language or otherwise exclusionary language.** This includes + deliberately referring to someone by a gender that they do not identify with, and/or questioning the legitimacy of an + individual's gender identity. If you're unsure if a word is derogatory, don't use it. This also includes repeated + subtle and/or indirect discrimination. 
+- **Unwelcome sexual attention or behavior that contributes to a sexualized environment.** This includes sexualized + comments, jokes or imagery in interactions, communications or presentation materials, as well as inappropriate + touching, groping, or sexual advances. Sponsors should not use sexualized images, activities, or other material. + Meetup organizing staff and other volunteer organizers should not use sexualized clothing/uniforms/costumes, or + otherwise create a sexualized environment. +- **Unwelcome physical contact.** This includes touching a person without permission, including sensitive areas such as + their hair, pregnant stomach, mobility device (wheelchair, scooter, etc) or tattoos. This also includes physically + blocking or intimidating another person. Physical contact without affirmative consent is not acceptable. This includes + sharing or distribution of sexualized images or text. +- **Violence or threats of violence.** Violence and threats of violence are not acceptable - online or offline. This + includes incitement of violence toward any individual, including encouraging a person to commit self-harm. This also + includes posting or threatening to post other people's personally identifying information ("doxxing") online. +- **Influencing or encouraging inappropriate behavior.** If you influence or encourage another person to violate the + Code of Conduct, you may face the same consequences as if you had violated the Code of Conduct. ### Safety versus Comfort -The Garuda Linux community prioritizes marginalized people's safety over privileged people's comfort. The following are not against the Code of Conduct. +The Garuda Linux community prioritizes marginalized people's safety over privileged people's comfort. The following are +not against the Code of Conduct. 
- "Reverse"-isms, including "reverse racism," "reverse sexism," and "cisphobia" - Reasonable communication of boundaries, such as "leave me alone," "go away," or "I'm not discussing this with you." - Criticizing racist, sexist, cissexist, or otherwise oppressive behavior or assumptions - Communicating boundaries or criticizing oppressive behavior in a "tone" you don't find congenial -If you have questions about the above statements, please read [GNOME Foundation's document on Supporting Diversity](https://wiki.gnome.org/Foundation/CodeOfConduct/SupportingDiversity). +If you have questions about the above statements, please +read [GNOME Foundation's document on Supporting Diversity](https://wiki.gnome.org/Foundation/CodeOfConduct/SupportingDiversity). -Outreach and diversity efforts directed at under-represented groups are permitted under the code of conduct. For example, a social event for women would not be classified as being outside the Code of Conduct under this provision. +Outreach and diversity efforts directed at under-represented groups are permitted under the code of conduct. For +example, a social event for women would not be classified as being outside the Code of Conduct under this provision. -Basic expectations for conduct are not covered by the "reverse-ism clause" and would be enforced irrespective of the demographics of those involved. For example, racial discrimination will not be tolerated, irrespective of the race of those involved. Nor would unwanted sexual attention be tolerated, whatever someone's gender or sexual orientation. Members of our community have the right to expect that participants in the project will uphold these standards. +Basic expectations for conduct are not covered by the "reverse-ism clause" and would be enforced irrespective of the +demographics of those involved. For example, racial discrimination will not be tolerated, irrespective of the race of +those involved. 
Nor would unwanted sexual attention be tolerated, whatever someone's gender or sexual orientation. +Members of our community have the right to expect that participants in the project will uphold these standards. -If a participant engages in behavior that violates this code of conduct, the Garuda Linux's staff may take any action they deem appropriate. In cases involving the staff or founding members the immediate action is expelishment. +If a participant engages in behavior that violates this code of conduct, the Garuda Linux's staff may take any action +they deem appropriate. In cases involving the staff or founding members the immediate action is expelishment. ## Procedure for Handling Incidents You can make a report by emailing . -If you make a report via email, we hope you can provide us with some information that will help us identify the reported person. If you don’t remember all the details, we still encourage you to make a report. +If you make a report via email, we hope you can provide us with some information that will help us identify the reported +person. If you don’t remember all the details, we still encourage you to make a report. We encourage you to include the following information in your report: 
@@ -110,8 +152,10 @@ We encourage you to include the following information in your report: - Additional circumstances surrounding the incident - Other people involved in or witnesses to the incident and their contact information or # Garuda Linux Code of Conduct -Thank you for being a part of the Garuda Linux community. We value your participation and want everyone to have an enjoyable and fulfilling experience. -Accordingly, all participants are expected to follow this Code of Conduct, and to show respect, understanding, and consideration to one another. +Thank you for being a part of the Garuda Linux community. We value your participation and want everyone to have an +enjoyable and fulfilling experience. +Accordingly, all participants are expected to follow this Code of Conduct, and to show respect, understanding, and +consideration to one another. Thank you for helping make this a welcoming, friendly community for everyone. ## Scope 
@@ -123,16 +167,22 @@ This Code of Conduct applies to all Garuda Linux community spaces, including, bu - Mailing `*@garudalinux.org` - Community spaces hosted on `garudalinux.org` infrastructure -Communication channels and private conversations that are normally out of scope may be considered in scope if a Garuda Linux participant is being stalked or harassed. -Social media conversations may be considered in-scope if the incident occurred under a Garuda Linux related hashtag, or when an official Garuda Linux account on social media is tagged, or within any other discussion about Garuda Linux. -The Garuda Linux's staff reserves the right to take actions against behaviors that happen in any context, if they are deemed to be relevant to the Garuda Linux project and its participants. +Communication channels and private conversations that are normally out of scope may be considered in scope if a Garuda +Linux participant is being stalked or harassed. +Social media conversations may be considered in-scope if the incident occurred under a Garuda Linux related hashtag, or +when an official Garuda Linux account on social media is tagged, or within any other discussion about Garuda Linux. +The Garuda Linux's staff reserves the right to take actions against behaviors that happen in any context, if they are +deemed to be relevant to the Garuda Linux project and its participants. -All participants in Garuda Linux community spaces are subject to the Code of Conduct. This includes founding members, staff members, corporate sponsors, and paid employees. -This also includes volunteers, maintainers, leaders, contributors, contribution reviewers, issue reporters, Garuda Linux users, and anyone participating in discussion in Garuda Linux community spaces. +All participants in Garuda Linux community spaces are subject to the Code of Conduct. This includes founding members, +staff members, corporate sponsors, and paid employees. 
+This also includes volunteers, maintainers, leaders, contributors, contribution reviewers, issue reporters, Garuda Linux +users, and anyone participating in discussion in Garuda Linux community spaces. ## Reporting an Incident -If you believe that someone is violating the Code of Conduct, or have any other concerns, please contact . +If you believe that someone is violating the Code of Conduct, or have any other concerns, please +contact . ## Our Standards 
@@ -170,54 +220,82 @@ Behaviors that contribute to creating a positive environment include: - **Be friendly.** Use welcoming and inclusive language. - **Be empathetic.** Be respectful of others' viewpoints and experiences. - **Be respectful.** Express disagreements in a polite and constructive manner. -- **Be considerate.** Focus on what is best for the community. Keep discussions around technology choices constructive and respectful. - Remember that decisions are often a difficult choice between competing priorities. +- **Be considerate.** Focus on what is best for the community. Keep discussions around technology choices constructive + and respectful. + Remember that decisions are often a difficult choice between competing priorities. - **Be patient and generous.** If someone asks for help, it is because they need it. - When documentation is available that answers the question, politely point them to it. If the question is off-topic, suggest a more appropriate online space to seek help. + When documentation is available that answers the question, politely point them to it. If the question is off-topic, + suggest a more appropriate online space to seek help. - **Try to be concise.** Read the discussion before commenting in order to not repeat a point that has been made. ## Inappropriate Behavior -We want all participants in the Garuda Linux community have the best possible experience they can. Community members asked to stop any inappropriate behavior are expected to comply immediately. +We want all participants in the Garuda Linux community have the best possible experience they can. Community members +asked to stop any inappropriate behavior are expected to comply immediately. 
Inappropriate behaviors include, but are not limited to: - **Deliberate intimidation, stalking, or following.** -- **Sustained disruption of online discussion, talks, or other events.** Sustained disruption of events, online discussions, or meetings, including talks and presentations, will not be tolerated. - This includes 'Talking over' or 'heckling' event speakers or influencing crowd actions that cause hostility in event sessions. - Sustained disruption also includes drinking alcohol to excess or using recreational drugs to excess, or pushing others to do so. -- **Harassment of people who don't drink alcohol or other legal substances.** We do not tolerate derogatory comments about those who abstain from alcohol or other legal substances. - We do not tolerate pushing people to drink, talking about their abstinence or preferences to others, or pressuring them to drink - physically or through jeering. -- **Sexist, racist, homophobic, transphobic, ableist language or otherwise exclusionary language.** This includes deliberately referring to someone by a gender that they do not identify with, and/or +- **Sustained disruption of online discussion, talks, or other events.** Sustained disruption of events, online + discussions, or meetings, including talks and presentations, will not be tolerated. + This includes 'Talking over' or 'heckling' event speakers or influencing crowd actions that cause hostility in event + sessions. + Sustained disruption also includes drinking alcohol to excess or using recreational drugs to excess, or pushing others + to do so. +- **Harassment of people who don't drink alcohol or other legal substances.** We do not tolerate derogatory comments + about those who abstain from alcohol or other legal substances. + We do not tolerate pushing people to drink, talking about their abstinence or preferences to others, or pressuring + them to drink - physically or through jeering. 
+- **Sexist, racist, homophobic, transphobic, ableist language or otherwise exclusionary language.** This includes + deliberately referring to someone by a gender that they do not identify with, and/or questioning the legitimacy of an individual's gender identity. - If you're unsure if a word is derogatory, don't use it. This also includes repeated subtle and/or indirect discrimination. -- **Unwelcome sexual attention or behavior that contributes to a sexualized environment.** This includes sexualized comments, jokes or imagery in interactions, communications or presentation materials, as well as inappropriate touching, groping, or sexual advances. Sponsors should not use sexualized images, activities, or other material. Meetup organizing staff and other volunteer organizers should not use sexualized clothing/uniforms/costumes, or otherwise create a sexualized environment. -- **Unwelcome physical contact.** This includes touching a person without permission, including sensitive areas such as their hair, pregnant stomach, mobility device (wheelchair, scooter, etc) or tattoos. This also includes physically blocking or intimidating another person. Physical contact without affirmative consent is not acceptable. This includes sharing or distribution of sexualized images or text. -- **Violence or threats of violence.** Violence and threats of violence are not acceptable - online or offline. This includes incitement of violence toward any individual, including encouraging a person to commit self-harm. This also includes posting or threatening to post other people's personally identifying information ("doxxing") online. -- **Influencing or encouraging inappropriate behavior.** If you influence or encourage another person to violate the Code of Conduct, you may face the same consequences as if you had violated the Code of Conduct. + If you're unsure if a word is derogatory, don't use it. This also includes repeated subtle and/or indirect + discrimination. 
+- **Unwelcome sexual attention or behavior that contributes to a sexualized environment.** This includes sexualized + comments, jokes or imagery in interactions, communications or presentation materials, as well as inappropriate + touching, groping, or sexual advances. Sponsors should not use sexualized images, activities, or other material. + Meetup organizing staff and other volunteer organizers should not use sexualized clothing/uniforms/costumes, or + otherwise create a sexualized environment. +- **Unwelcome physical contact.** This includes touching a person without permission, including sensitive areas such as + their hair, pregnant stomach, mobility device (wheelchair, scooter, etc) or tattoos. This also includes physically + blocking or intimidating another person. Physical contact without affirmative consent is not acceptable. This includes + sharing or distribution of sexualized images or text. +- **Violence or threats of violence.** Violence and threats of violence are not acceptable - online or offline. This + includes incitement of violence toward any individual, including encouraging a person to commit self-harm. This also + includes posting or threatening to post other people's personally identifying information ("doxxing") online. +- **Influencing or encouraging inappropriate behavior.** If you influence or encourage another person to violate the + Code of Conduct, you may face the same consequences as if you had violated the Code of Conduct. ### Safety versus Comfort -The Garuda Linux community prioritizes marginalized people's safety over privileged people's comfort. The following are not against the Code of Conduct. +The Garuda Linux community prioritizes marginalized people's safety over privileged people's comfort. The following are +not against the Code of Conduct. 
- "Reverse"-isms, including "reverse racism," "reverse sexism," and "cisphobia" - Reasonable communication of boundaries, such as "leave me alone," "go away," or "I'm not discussing this with you." - Criticizing racist, sexist, cissexist, or otherwise oppressive behavior or assumptions - Communicating boundaries or criticizing oppressive behavior in a "tone" you don't find congenial -If you have questions about the above statements, please read [GNOME Foundation's document on Supporting Diversity](https://wiki.gnome.org/Foundation/CodeOfConduct/SupportingDiversity). +If you have questions about the above statements, please +read [GNOME Foundation's document on Supporting Diversity](https://wiki.gnome.org/Foundation/CodeOfConduct/SupportingDiversity). -Outreach and diversity efforts directed at under-represented groups are permitted under the code of conduct. For example, a social event for women would not be classified as being outside the Code of Conduct under this provision. +Outreach and diversity efforts directed at under-represented groups are permitted under the code of conduct. For +example, a social event for women would not be classified as being outside the Code of Conduct under this provision. -Basic expectations for conduct are not covered by the "reverse-ism clause" and would be enforced irrespective of the demographics of those involved. For example, racial discrimination will not be tolerated, irrespective of the race of those involved. Nor would unwanted sexual attention be tolerated, whatever someone's gender or sexual orientation. Members of our community have the right to expect that participants in the project will uphold these standards. +Basic expectations for conduct are not covered by the "reverse-ism clause" and would be enforced irrespective of the +demographics of those involved. For example, racial discrimination will not be tolerated, irrespective of the race of +those involved. 
Nor would unwanted sexual attention be tolerated, whatever someone's gender or sexual orientation. +Members of our community have the right to expect that participants in the project will uphold these standards. -If a participant engages in behavior that violates this code of conduct, the Garuda Linux's staff may take any action they deem appropriate. In cases involving the staff or founding members the immediate action is expelishment. +If a participant engages in behavior that violates this code of conduct, the Garuda Linux's staff may take any action +they deem appropriate. In cases involving the staff or founding members the immediate action is expelishment. ## Procedure for Handling Incidents You can make a report by emailing . -If you make a report via email, we hope you can provide us with some information that will help us identify the reported person. If you don’t remember all the details, we still encourage you to make a report. +If you make a report via email, we hope you can provide us with some information that will help us identify the reported +person. If you don’t remember all the details, we still encourage you to make a report. We encourage you to include the following information in your report: 
@@ -234,11 +312,15 @@ We encourage you to include the following information in your report: ## License -The Garuda Linux Code of Conduct is licensed under a [Creative Commons Attribution Share-Alike 3.0 Unported License](http://creativecommons.org/licenses/by-sa/3.0/). +The Garuda Linux Code of Conduct is licensed under +a [Creative Commons Attribution Share-Alike 3.0 Unported License](http://creativecommons.org/licenses/by-sa/3.0/). ![Creative Commons License](https://licensebuttons.net/l/by-sa/3.0/88x31.png) ## Attribution -The Garuda Linux Code of Conduct was forked from GNOME Foundation's Code of Conduct (last modified 2020-10-01), which is under a Creative Commons license. See the [original page](https://web.archive.org/web/20210813233606/https://wiki.gnome.org/Foundation/CodeOfConduct) for the original attributions. +The Garuda Linux Code of Conduct was forked from GNOME Foundation's Code of Conduct (last modified 2020-10-01), which is +under a Creative Commons license. See +the [original page](https://web.archive.org/web/20210813233606/https://wiki.gnome.org/Foundation/CodeOfConduct) for the +original attributions. description diff --git a/docs/src/common.md b/docs/src/common.md index bd71479..7fd5e6b 100644 --- a/docs/src/common.md +++ b/docs/src/common.md @@ -172,3 +172,5 @@ Using native Nix expressions has the advantage of being more flexible and easier as well as taking advantage of Systemd service management, e.g., by restarting crashed containers. This was not working reliably with our `docker-compose-runner` module, which simply started existing `docker-compose.yml` files. +In case secrets are required, one needs to provide them via `.env` files and +the `virtualisation.oci-containers.containers.environmentFiles` key. diff --git a/docs/src/hosts/docker-proxied.md b/docs/src/hosts/docker-proxied.md deleted file mode 100644 index 4064763..0000000 --- a/docs/src/hosts/docker-proxied.md +++ /dev/null @@ -1 +0,0 @@ -# docker-proxied 
diff --git a/docs/src/hosts/garuda-build.md b/docs/src/hosts/garuda-build.md index 26bfedc..46c9584 100644 --- a/docs/src/hosts/garuda-build.md +++ b/docs/src/hosts/garuda-build.md @@ -5,7 +5,13 @@ This server is a legacy, still up Fosshost VPS. Fosshost itself ceased to be quite a while ago, but this server is still up for some reason. Since we can't be sure how long it will stay up, we don't want to put anything important on it. -Therefore, its sole purpose is running a disposable build environment for the Chaotic-AUR infra 4.0 +Therefore, its sole purpose is running a disposable build environment for the Chaotic-AUR infra 4.0. + +### Host-specific tasks + +- Restarting the Docker stack: + - `sudo systemctl restart docker-compose-chaotic-v4-builder-root` + - alternatively: `sudo chaotic-restart` ### Nix expression diff --git a/docs/src/hosts/garuda-mail.md b/docs/src/hosts/garuda-mail.md index 36c86e1..3726722 100644 --- a/docs/src/hosts/garuda-mail.md +++ b/docs/src/hosts/garuda-mail.md @@ -2,9 +2,11 @@ ### General -This system mainly consists of the [simple-nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver). +This system mainly consists of +the [simple-nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver). Its only purpose is providing a mail service to team members. -The current config looks like [this](https://gitlab.com/garuda-linux/infra-nix/-/blob/main/nixos/hosts/garuda-mail.nix?ref_type=heads#L47). +The current config looks +like [this](https://gitlab.com/garuda-linux/infra-nix/-/blob/main/nixos/hosts/garuda-mail.nix?ref_type=heads#L47). In case of issues, the [documentation](https://nixos-mailserver.readthedocs.io/en/latest/) can be consulted. ### Mail server setup 
@@ -44,14 +46,16 @@ Backups are happening daily via Borg. A Hetzner storage box is used to store mul ### Creating a new user A new user can be created be adding a new `loginAccounts` value and supplying the password via `secrets`. -We make use of `hashedPasswordFile`, therefore, new hashes can be generated by running `nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'`. Add it to the `secrets`, then execute `deploy` and `apply`. -Don't forget to commit both changes. +We make use of `hashedPasswordFile`, therefore, new hashes can be generated by +running `nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'`. Add it to the `secrets`, then execute `deploy` and `apply`. +Remember to commit both changes. ### Issues and their solution #### Local DNS resolver failing to start -Simple NixOS mail server runs a local DNS server to prevent the log filling up with junk ([source](https://mailserver.readthedocs.io/en/latest/options.html#cmdoption-arg-mailserver.localDnsResolver)). +Simple NixOS mail server runs a local DNS server to prevent the log filling up with +junk ([source](https://mailserver.readthedocs.io/en/latest/options.html#cmdoption-arg-mailserver.localDnsResolver)). There can be cases of the persisted files need to be deleted in order for the service to recover from dumping core. See [this issue](https://gitlab.nic.cz/knot/knot-resolver/-/issues/627) for reference. diff --git a/docs/src/hosts/immortalis.md b/docs/src/hosts/immortalis.md index 0721ad3..e3d3378 100644 --- a/docs/src/hosts/immortalis.md +++ b/docs/src/hosts/immortalis.md 
@@ -2,9 +2,16 @@ ### General -This system utilizes a NixOS host which uses [nixos-containers](https://nixos.wiki/wiki/NixOS_Containers) to build declarative `systemd-nspawn` machines for different purposes. To make the best use of the available resources, common directories are shared between containers. This includes `/home` (home-manager / NixOS configurations writing to home are generated by the host and disabled for the containers), Pacman and Chaotic cache, the `/nix` directory, and a few others. Further details can be found in the [Nix expression](hhttps://gitlab.com/garuda-linux/infra-nix/-/blob/main/nixos/hosts/immortalis/containers.nix) of the host. +This system utilizes a NixOS host which uses [nixos-containers](https://nixos.wiki/wiki/NixOS_Containers) to build +declarative `systemd-nspawn` machines for different purposes. To make the best use of the available resources, common +directories are shared between containers. This includes `/home` (home-manager / NixOS configurations writing to home +are generated by the host and disabled for the containers), Pacman and Chaotic cache, the `/nix` directory, and a few +others. Further details can be found in +the [Nix expression](hhttps://gitlab.com/garuda-linux/infra-nix/-/blob/main/nixos/hosts/immortalis/containers.nix) of +the host. -All directories containing important data were mapped to `/data_1` and `/data_2` to have them all in one place. The first mostly contains web services' files, the latter only builds related directories such as the Pacman cache. +All directories containing important data were mapped to `/data_1` and `/data_2` to have them all in one place. The +first mostly contains web services' files, the latter only builds related directories such as the Pacman cache. The current line-up looks as follows: 
@@ -35,7 +42,9 @@ We are seeing: ### Connecting to the server -After connecting to the host via `ssh -p 666 $user@116.202.208.112`, containers can generally be entered by running `nixos-container login $containername`, eg. `nixos-container login web-front`. Some containers may also be connected via SSH using the following ports: +After connecting to the host via `ssh -p 666 $user@116.202.208.112`, containers can generally be entered by +running `nixos-container login $containername`, eg. `nixos-container login web-front`. Some containers may also be +connected via SSH using the following ports: - 22: `temeraire` (needs to be 22 to allow pushing packages to the main Chaotic-AUR node via rsync) - 224: `forum` 
@@ -47,11 +56,19 @@ After connecting to the host via `ssh -p 666 $user@116.202.208.112`, containers ### Docker containers -Some services not packaged in NixOS or are easier to deploy this way are serviced via the Docker engine. This contains services like Piped, Whoogle, and Matrix. We use a custom [NixOS module](https://gitlab.com/garuda-linux/infra-nix/-/blob/main/nix/garuda/services/docker-compose-runner/docker-compose-runner.nix?ref_type=heads) to deploy those with the rest of the system. Secrets are handled via our secret management which consists of a git submodule `secret` (private repo with `ansible-vault` encrypted files) and `garuda-lib` (see secrets section). Those contain a `docker-compose` directory in which the `.env` files for the `docker-compose.yml` are stored. +Some services not packaged in NixOS or are easier to deploy this way are serviced via the Docker engine. This contains +services like Piped, Whoogle, and Matrix. We use a +custom [NixOS module](https://gitlab.com/garuda-linux/infra-nix/-/blob/main/nix/garuda/services/docker-compose-runner/docker-compose-runner.nix?ref_type=heads) +to deploy those with the rest of the system. Secrets are handled via our secret management which consists of a git +submodule `secret` (private repo with `ansible-vault` encrypted files) and `garuda-lib` (see secrets section). Those +contain a `docker-compose` directory in which the `.env` files for the `docker-compose.yml` are stored. ### Chaotic-AUR / repository -Our repository leverages [Chaotic-AUR's](https://aur.chaotic.cx) [toolbox](https://github.com/chaotic-aur/toolbox) to provide the main node for the `[chaotic-aur]` repository as well as two more instances building the `[garuda]` and `[chaotic-kde]` repositories. 
Users of the `chaotic_op` group may build packages on the corresponding nixos-container via the [chaotic](https://github.com/chaotic-aur/toolbox/blob/main/README.md) command: +Our repository leverages [Chaotic-AUR's](https://aur.chaotic.cx) [toolbox](https://github.com/chaotic-aur/toolbox) to +provide the main node for the `[chaotic-aur]` repository as well as two more instances building the `[garuda]` +and `[chaotic-kde]` repositories. Users of the `chaotic_op` group may build packages on the corresponding +nixos-container via the [chaotic](https://github.com/chaotic-aur/toolbox/blob/main/README.md) command: ```sh chaotic get $package # pull PKGBUILD 
@@ -66,16 +83,34 @@ Further information may be obtained by clicking `chaotic` seen above. The corres ### Squid proxy -Squid is being installed on the host machine to proxy outgoing requests via random IPv6 addresses of the /64 subnet Hetzner provides for services that need it, eg. Piped, the Chaotic-AUR builders, and other services that are getting rate limited quickly. The process is not entirely automated, which means that we currently have a pool of IPv6 addresses active and need to switch them whenever those are getting rate-limited again. -Since we supplied an invalid IPv4 to force outgoing IPv6, the log files were somewhat cluttered by (expected) errors. Systemd-unit logging has been set to `LogLevelMax=1` to un-clutter the journal and needs to be increased again if debugging needs to be done. +Squid is being installed on the host machine to proxy outgoing requests via random IPv6 addresses of the /64 subnet +Hetzner provides for services that need it, eg. Piped, the Chaotic-AUR builders, and other services that are getting +rate limited quickly. The process is not entirely automated, which means that we currently have a pool of IPv6 addresses +active and need to switch them whenever those are getting rate-limited again. +Since we supplied an invalid IPv4 to force outgoing IPv6, the log files were somewhat cluttered by (expected) errors. +Systemd-unit logging has been set to `LogLevelMax=1` to un-clutter the journal and needs to be increased again if +debugging needs to be done. ### Backups -Backups are provided by daily Borg runs. Only the `/data_1` directory is backed up (minus `/data_1/{dockercache,dockerdata}`) as the rest are either Nix-generated or build-related files that can easily recovered from another repository mirror. The corresponding systemd-unit is named `borgbackup-job-backupToHetzner`. +Backups are provided by daily Borg runs. 
Only the `/data_1` directory is backed up ( +minus `/data_1/{dockercache,dockerdata}`) as the rest are either Nix-generated or build-related files that can easily +recovered from another repository mirror. The corresponding systemd-unit is named `borgbackup-job-backupToHetzner`. ### Tailscale / mesh network -While Tailscale was commonly used to connect multiple VMs before, this server only has it active on the host. However, we are leveraging Tailscale's [subnet router](https://tailscale.com/kb/1019/subnets/) feature to serve the `10.0.5.0/24` subnet via Tailscale, which means that other Tailscale clients may access the `nixos-containers` via their IP if `tailscale up --accept-routes` was used to set up the service. +While Tailscale was commonly used to connect multiple VMs before, this server only has it active on the host. However, +we are leveraging Tailscale's [subnet router](https://tailscale.com/kb/1019/subnets/) feature to serve the `10.0.5.0/24` +subnet via Tailscale, which means that other Tailscale clients may access the `nixos-containers` via their IP +if `tailscale up --accept-routes` was used to set up the service. + +### Known issues and their solution + +#### System update gets stuck + +For some reason, while running `nixos-rebuild switch`, the system update gets stuck and doesn't continue. +In this case, re-running the command will fix the issue. +It is unclear, what the exact reason is, yet. ### Nix expression diff --git a/docs/src/important-links.md b/docs/src/important-links.md index 4d005b1..e9fa09d 100644 --- a/docs/src/important-links.md +++ b/docs/src/important-links.md 
@@ -31,6 +31,7 @@ This is a collection of important links when working with the infrastructure: - [Hetzner Robot](https://accounts.hetzner.com/) - [Matrix Admin](https://matrixadmin.garudalinux.net) - [Netdata](https://app.netdata.cloud) +- [PGAdmin](https://pgadmin.garudalinux.net) - [Renovate Dashboard](https://developer.mend.io/github/garuda-linux) - [Tailscale](https://login.tailscale.com/) diff --git a/docs/src/nixos-containers/chaotic-v4.md b/docs/src/nixos-containers/chaotic-v4.md index ec935f9..60b3340 100644 --- a/docs/src/nixos-containers/chaotic-v4.md +++ b/docs/src/nixos-containers/chaotic-v4.md @@ -4,6 +4,12 @@ This is the nspawn container used to run Chaotic-AUR's new build system, `infra 4.0`. +Restarting the Docker stack, in case it is needed, can happen via `sudo chaotic-restart`. +For information on how to use the new build system, please refer to the [documentation](../services/chaotic-4.0.md). + +In general, manual intervention should not be needed, +as the system is designed to be fully automated via GitLab CI or GitHub actions. + ## Nix expression ```nix diff --git a/docs/src/nixos-containers/docker-proxied.md b/docs/src/nixos-containers/docker-proxied.md index 045660c..cca8f64 100644 --- a/docs/src/nixos-containers/docker-proxied.md +++ b/docs/src/nixos-containers/docker-proxied.md @@ -2,7 +2,15 @@ ## General -Here, all of the Docker containers that need to have proxied outgoing requests are being deployed. +Here, all the Docker containers that need to have proxied outgoing requests are being deployed. + +## Restarting containers + +This can happen via the following command: + +```bash +sudo systemctl restart docker-compose-proxied-root +``` ## Nix expression diff --git a/docs/src/nixos-containers/docker.md b/docs/src/nixos-containers/docker.md index c292667..0fefdeb 100644 --- a/docs/src/nixos-containers/docker.md +++ b/docs/src/nixos-containers/docker.md 
@@ -2,7 +2,19 @@ ## General -This container consists of our `docker-compose-runner` module, which deploys all Docker-based services that don't need to proxied outgoing requests. For the other ones, have a look [here](./docker-proxied.md). +This container is used to run regular Docker containers. +Recently, the `docker-compose-runner` module has been replaced by native Nix expressions. + +## Nextcloud AIO + +This container also runs a Nextcloud AIO master container, which administrates its containers by itself. +Consult its [extensive documentation for more information](https://github.com/nextcloud/all-in-one). +Since this container requires a Nextcloud volume at a fixed place, without being able to change it, it is not +included in the regular data directory. + +Instead, backups are regularly performed via the inbuilt backup function in the admin interface. +They can be found at `/var/garuda/docker-compose-runner/all-in-one/nextcloud-aio` +and are included in the offsite system backups. ## Nix expression diff --git a/docs/src/nixos-containers/forum.md b/docs/src/nixos-containers/forum.md index 89a55e0..cf0e94c 100644 --- a/docs/src/nixos-containers/forum.md +++ b/docs/src/nixos-containers/forum.md @@ -2,7 +2,8 @@ ## General -In here, we only have Docker set up and use the traditional way of installing Discourse to `/var/discourse`. Since own scripts are provided to handle the container, not much is to be seen here. +In here, we only have Docker set up and use the traditional way of installing Discourse to `/var/discourse`. Since own +scripts are provided to handle the container, not much is to be seen here. ## Links diff --git a/docs/src/nixos-containers/github-runner.md b/docs/src/nixos-containers/github-runner.md index 7aa1ea1..1371233 100644 --- a/docs/src/nixos-containers/github-runner.md +++ b/docs/src/nixos-containers/github-runner.md 
@@ -2,8 +2,20 @@ ## General -With this container, we provide a GitHub runner as well as (more recently), a GitLab runner. This container does **not** have the regular Garuda configurations because it is considered untrusted. -Access needs to happen by running `nixos-container root-login` on `immortalis` ([click me](http://docs.garudalinux.net/hosts/immortalis.html#connecting-to-the-server)). +With this container, we provide a GitHub runner as well as (more recently), a GitLab runner. This container does **not** +have the regular Garuda configurations because it is considered untrusted. +Access needs to happen by running `nixos-container root-login` +on `immortalis` ([click me](http://docs.garudalinux.net/hosts/immortalis.html#connecting-to-the-server)). + +## Restarting containers + +This can happen via the following command: + +```bash +sudo systemctl restart docker-compose-gitlab-runner-root +``` + +Watchtower additionally keeps the containers up to date. ## Nix expression @@ -13,11 +25,12 @@ Access needs to happen by running `nixos-container root-login` on `immortalis` ( ### Docker containers (GitHub) -````nix +```nix {{#include ../../../nixos/hosts/github-runner/github-compose.nix}} +``` ### Docker containers (GitLab) ```nix {{#include ../../../nixos/hosts/github-runner/gitlab-compose.nix}} -```` +``` diff --git a/docs/src/nixos-containers/lemmy.md b/docs/src/nixos-containers/lemmy.md index b9d6e38..b965f39 100644 --- a/docs/src/nixos-containers/lemmy.md +++ b/docs/src/nixos-containers/lemmy.md @@ -2,7 +2,7 @@ ## General -This container provides our Lemmy instance +This container provides our Lemmy instance. ## Nix expression diff --git a/docs/src/nixos-containers/mongodb.md b/docs/src/nixos-containers/mongodb.md index 43244cd..bd6c725 100644 --- a/docs/src/nixos-containers/mongodb.md +++ b/docs/src/nixos-containers/mongodb.md 
@@ -7,6 +7,8 @@ This container contains our MongoDB instance, which is primarily used for storin The instance requires the use of TLS, but can be accessed without presenting a valid client certificate, so that the Heroku instance the router runs on can access it easier. +Access happens via the regular MongoDB port, `27017` and the domain `builds.garudalinux.org`. + ## Nix expression ```nix diff --git a/docs/src/nixos-containers/postgres.md b/docs/src/nixos-containers/postgres.md index a72347f..127ff2e 100644 --- a/docs/src/nixos-containers/postgres.md +++ b/docs/src/nixos-containers/postgres.md @@ -10,6 +10,11 @@ This container houses our Postgres database. Multiple services access it: - Matrix bridges - WikiJs +## Admin interface + +The admin interface powered by Pgadmin can be accessed [here](https://pgadmin.garudalinux.net). +Authentication happens via Cloudflare Access. + ## Nix expression ```nix diff --git a/docs/src/nixos-containers/temeraire.md b/docs/src/nixos-containers/temeraire.md index e7833ce..2fe119d 100644 --- a/docs/src/nixos-containers/temeraire.md +++ b/docs/src/nixos-containers/temeraire.md @@ -4,6 +4,9 @@ This is our package builder, which also serves as the main node for Chaotic-AUR. +For information on how to use the build system, +please refer to the [Chaotic toolbox](https://github.com/chaotic-aur/toolbox) documentation. + ## Nix expression ```nix diff --git a/docs/src/nixos-containers/web-front.md b/docs/src/nixos-containers/web-front.md index 778078c..a11d586 100644 --- a/docs/src/nixos-containers/web-front.md +++ b/docs/src/nixos-containers/web-front.md @@ -3,6 +3,8 @@ ## General This container is used as a reverse proxy for all of our public facing services. +It also contains a Cloudflared instance, +which a few services are only being exposed to, instead of being reverse proxied by Nginx itself. ## Nix expression diff --git a/docs/src/privacy-policy.md b/docs/src/privacy-policy.md index 0036d57..3821542 100644 
--- a/docs/src/privacy-policy.md +++ b/docs/src/privacy-policy.md 
@@ -2,31 +2,41 @@ ## About this document -This Privacy Policy governs the manner in which Garuda Linux collects, uses, maintains and discloses information collected from users (each, a “User”) of our website and web services.. +This Privacy Policy governs the manner in which Garuda Linux collects, uses, maintains and discloses information +collected from users (each, a “User”) of our website and web services.. ## What information do we collect? -We collect information from you when you register on our site and gather data when you participate in the forum by reading, writing, and evaluating the content shared here. +We collect information from you when you register on our site and gather data when you participate in the forum by +reading, writing, and evaluating the content shared here. -When registering on our site, you may be asked to enter your name and e-mail address. You may, however, visit our site without registering. Your e-mail address will be verified by an email containing a unique link. If that link is visited, we know that you control the e-mail address. Your IP address will be checked against a database of known spammers to prevent such actions. +When registering on our site, you may be asked to enter your name and e-mail address. You may, however, visit our site +without registering. Your e-mail address will be verified by an email containing a unique link. If that link is visited, +we know that you control the e-mail address. Your IP address will be checked against a database of known spammers to +prevent such actions. -If you contact us directly, we may receive additional information about you such as your name, email address, the contents of the message and/or attachments you may send us, and any other information you may choose to provide. 
+If you contact us directly, we may receive additional information about you such as your name, email address, the +contents of the message and/or attachments you may send us, and any other information you may choose to provide. -When registered and posting, we record the IP address that the post originated from. We also may retain server logs which include the IP address of every request to our server, which will be purged after 30 days. +When registered and posting, we record the IP address that the post originated from. We also may retain server logs +which include the IP address of every request to our server, which will be purged after 30 days. ## What do we use your information for? Any of the information we collect from you may be used in one of the following ways: - To provide, operate, and maintain our infrastructure -- To allow using our services that require a login, as well as to provide convenience features such as staying logged in or keeping personally chosen settings. -- To send periodic emails that are generated by our services such as the forum, which may however be turned off if desired. +- To allow using our services that require a login, as well as to provide convenience features such as staying logged in + or keeping personally chosen settings. +- To send periodic emails that are generated by our services such as the forum, which may however be turned off if + desired. We have no interest in your data and only store the minimum needed to operate the services we provide to our users. ## How do we protect your information? -We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information. +We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, +or access your personal information. ## What is your data retention policy? 
@@ -37,18 +47,23 @@ We will make a good faith effort to: ## Third Party Privacy Policies -Garuda Linux's Privacy Policy does not apply to some of the services we utilize in our infrastructure. Thus, we are advising you to consult the respective Privacy Policies of these third-party services for more detailed information. +Garuda Linux's Privacy Policy does not apply to some of the services we utilize in our infrastructure. Thus, we are +advising you to consult the respective Privacy Policies of these third-party services for more detailed information. This includes, but may not be limited to: - [Cloudflare](https://www.cloudflare.com/) to protect against common threats and enhance our infrastructure - [Hetzner](www.hetzner.com/) as server and backup storage provider (located in Germany) - [Google Translate](https://translate.google.com/) to offer translations on our website -- [OpenCollective](https://opencollective.org/), [Liberapay](https://liberapay.com/) and [Paypal](https://www.paypal.com/) to allow the collection of donations that sustain our infrastructure +- [OpenCollective](https://opencollective.org/), [Liberapay](https://liberapay.com/) + and [Paypal](https://www.paypal.com/) to allow the collection of donations that sustain our infrastructure ## Cookies -Our Site may use “cookies” to enhance User experience. User’s web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. The user may choose to set their web browser to refuse cookies or to alert you when cookies are being sent. If they do so, note that some parts of the Site may not function properly. +Our Site may use “cookies” to enhance User experience. User’s web browser places cookies on their hard drive for +record-keeping purposes and sometimes to track information about them. The user may choose to set their web browser to +refuse cookies or to alert you when cookies are being sent. 
If they do so, note that some parts of the Site may not +function properly. ## Sharing your personal information 
@@ -56,43 +71,62 @@ We do not sell, trade, or rent User’s personal identification information to o ## How long do we retain your data -If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue. +If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve +any follow-up comments automatically instead of holding them in a moderation queue. -For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information. +For users that register on our website (if any), we also store the personal information they provide in their user +profile. All users can see, edit, or delete their personal information at any time (except they cannot change their +username). Website administrators can also see and edit that information. ## Embedded content from other websites -Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. +Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other +websites behaves in the exact same way as if the visitor has visited the other website. -These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website. 
+These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your +interaction with that embedded content, including tracing your interaction with the embedded content if you have an +account and are logged in to that website. ## Free software -Garuda Linux develops free software. All our tools are and will always be free software. Garuda Linux is part of OIN since November 2020. The current license can be viewed here. Additional information about packages covered by this license can be viewed here. +Garuda Linux develops free software. All our tools are and will always be free software. Garuda Linux is part of OIN +since November 2020. The current license can be viewed here. Additional information about packages covered by this +license can be viewed here. If you want to check the license of a package, you can do so with Pacman. ## What rights you have over your data -If you have an account on this site or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes. +If you have an account on this site or have left comments, you can request to receive an exported file of the personal +data we hold about you, including any data you have provided to us. You can also request that we erase any personal data +we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security +purposes. ## Children's Information -Another part of our priority is adding protection for children while using the internet. We encourage parents and guardians to observe, participate in, and/or monitor and guide their online activity. +Another part of our priority is adding protection for children while using the internet. 
We encourage parents and +guardians to observe, participate in, and/or monitor and guide their online activity. -Garuda Linux does not knowingly collect any personal identifiable information from children under the age of 13. If you think that your child provided this kind of information on our website, we strongly encourage you to contact us immediately and we will do our best efforts to promptly remove such information from our records. +Garuda Linux does not knowingly collect any personal identifiable information from children under the age of 13. If you +think that your child provided this kind of information on our website, we strongly encourage you to contact us +immediately and we will do our best efforts to promptly remove such information from our records. ## Changes to This Privacy Policy -We may update our Privacy Policy from time to time. Thus, we advise you to review this page periodically for any changes. We will notify you of any -changes by posting the new Privacy Policy on this page. These changes are effective immediately, after they are posted on this page. +We may update our Privacy Policy from time to time. Thus, we advise you to review this page periodically for any +changes. We will notify you of any +changes by posting the new Privacy Policy on this page. These changes are effective immediately, after they are posted +on this page. ## Your acceptance of these terms -By using this Site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our services. Your continued use of them following the posting of changes to this policy will be deemed your acceptance of those changes. +By using this Site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use +our services. Your continued use of them following the posting of changes to this policy will be deemed your acceptance +of those changes. 
## Contact Us -If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please contact us via [email](mailto:team@garudalinux.org). +If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please +contact us via [email](mailto:team@garudalinux.org). **This privacy policy has been updated in September 2023.** diff --git a/docs/src/repositories/general.md b/docs/src/repositories/general.md index 7eaa0b7..ba5d450 100644 --- a/docs/src/repositories/general.md +++ b/docs/src/repositories/general.md 
@@ -2,13 +2,16 @@ ## Notifications for new events at GitLab -Since GitLab has an inbuilt Telegram integration, we can leverage this feature to send notifications to our a dedicated [Telegram development updates channel](https://t.me/garuda_updates). -Posts are sent for all kinds of relevant, but non-confidential events like commits, comments or new merge requests. Failed pipelines would also be reported here. +Since GitLab has an inbuilt Telegram integration, we can leverage this feature to send notifications to our +dedicated [Telegram development updates channel](https://t.me/garuda_updates). +Posts are sent for all kinds of relevant, but non-confidential events like commits, comments or new merge requests. +Failed pipelines would also be reported here. ## Backing up current repositories Current repositories may be backed up using [ghorg](https://github.com/gabrie30/ghorg). -In order to use ghorg, one needs a GitLab access token and the application itself. To generate a fitting token, follow [these instructions](https://github.com/gabrie30/ghorg?tab=readme-ov-file#gitlab-setup). +To use ghorg, one needs a GitLab access token and the application itself. To generate a fitting token, +follow [these instructions](https://github.com/gabrie30/ghorg?tab=readme-ov-file#gitlab-setup). ```sh ghorg clone --scm gitlab --token "glpat-1234567890" garuda-linux # regular system 
@@ -17,5 +20,7 @@ nix run nixpkgs#ghorg -- clone --scm gitlab --token "glpat-1234567890" garuda-li ## Archive -We have an [archive repository](https://gitlab.com/garuda-linux/archive) for all files, which are no longer needed for our current operations. -It contains old PKGBUILDs and settings packages, eg. the state of the ones before we moved to a unified PKGBUILD repository. +We have an [archive repository](https://gitlab.com/garuda-linux/archive) for all files, which are no longer needed for +our current operations. +It contains old PKGBUILDs and settings packages, eg. The state of the ones before we moved to a unified PKGBUILD +repository. diff --git a/docs/src/repositories/pkgbuilds.md b/docs/src/repositories/pkgbuilds.md index 1288457..b217269 100644 --- a/docs/src/repositories/pkgbuilds.md +++ b/docs/src/repositories/pkgbuilds.md @@ -2,7 +2,7 @@ ## Types of PKGBUILDs -There are 2 types of repo packaging-wise: +There are two types of repo packaging-wise: 1. The ones that have all required files in the new pkgbuilds repo and don't reference any external repo in PKGBUILDs `source()` 2. The ones requiring external repositories as a source. These are listed in the SOURCES files below, packages _not_ listed here are automatically packages of the first category: diff --git a/docs/src/users.md b/docs/src/users.md index f079285..c8a60d1 100644 --- a/docs/src/users.md +++ b/docs/src/users.md @@ -1,6 +1,7 @@ # Users -Multiple kinds of users can make use of our infrastructure. A current list of users is available [here](./users/current_users.md). +Multiple kinds of users can make use of our infrastructure. A current list of users is +available [here](./users/current_users.md). ## Adding new users 
@@ -11,7 +12,8 @@ In case of a password being required, its hash needs to be generated as follows: nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > /path/to/hashedPasswordFile ``` -The file then needs to be `ansible-vault` encrypted and added to our [secrets](https://gitlab.com/garuda-linux/infra-nix-secrets) repository. +The file then needs to be `ansible-vault` encrypted and added to +our [secrets](https://gitlab.com/garuda-linux/infra-nix-secrets) repository. This one is only available to members of our GitLab org and usually is cloned as git submodule to `./secrets`. ## Onboarding a new admin @@ -19,9 +21,12 @@ This one is only available to members of our GitLab org and usually is cloned as After confirming the trustworthiness of a new admin, the following actions need to be executed: - Add them to the [admin users](./users/current_users.md#admins) -- Add their ssh public key to the [flake inputs](https://gitlab.com/garuda-linux/infra-nix/-/blob/main/flake.nix?ref_type=heads#L59) and [specialArgs](https://gitlab.com/garuda-linux/infra-nix/-/blob/main/nixos/flake-module.nix?ref_type=heads#L38) +- Add their ssh public key to + the [flake inputs](https://gitlab.com/garuda-linux/infra-nix/-/blob/main/flake.nix?ref_type=heads#L59) + and [specialArgs](https://gitlab.com/garuda-linux/infra-nix/-/blob/main/nixos/flake-module.nix?ref_type=heads#L38) - Make them an owner of the [GitLab organization](https://gitlab.com/garuda-linux) -- Add them to our [Bitwarden organization](https://vault.garudalinux.org) to allow access to passwords and email accounts +- Add them to our [Vaultwarden organization](https://vault.garudalinux.org) to allow access to passwords and email + accounts - Add them to the Cloudflare Account - Make them an admin of [Discourse](https://forum.garudalinux.org) - Make them an admin of [Matrix](https://matrix.garudalinux.org) diff --git a/docs/src/users/current_users.md b/docs/src/users/current_users.md index a063da2..9e1340a 100644 
--- a/docs/src/users/current_users.md +++ b/docs/src/users/current_users.md @@ -13,7 +13,8 @@ They are responsible for the well-being of the infrastructure and its developmen ## Maintainers -Maintainers have restricted access, which allows them to use `buildiso` to build new ISO files via the `iso-runner` container. +Maintainers have restricted access, which allows them to use `buildiso` to build new ISO files via the `iso-runner` +container. ```nix {{#include ../../../nixos/modules/users.nix:maintainers}} diff --git a/docs/src/websites/documentation.md b/docs/src/websites/documentation.md index db61934..667f6df 100644 --- a/docs/src/websites/documentation.md +++ b/docs/src/websites/documentation.md @@ -2,14 +2,16 @@ ## Building it -The documentation is created by using [mdBook](https://rust-lang.github.io/mdBook/index.html), which generates Markdown files and generates HTML pages for them. The documentation can be build by running: +The documentation is created by using [mdBook](https://rust-lang.github.io/mdBook/index.html), which generates Markdown +files and generates HTML pages for them. The documentation can be build by running: ```sh nix build .#docs # plain simple ``` The files can then be found at `./result/`, which is a symlink to the corresponding path in `/nix/store`. -mdBook is also able to automatically serve the current content and update it automatically whenever a change is detected. +mdBook is also able to automatically serve the current content and update it automatically whenever a change is +detected. This makes testing and previewing content easy. ```sh 
@@ -20,12 +22,14 @@ mdbook serve --open # the latter additionally opens the website in a browser ### mdBook syntax -While the general syntax for writing Markdown applies to mdBook, it has several extensions beyond the standard CommonMark specification. +While the general syntax for writing Markdown applies to mdBook, it has several extensions beyond the standard +CommonMark specification. - [Markdown syntax](https://rust-lang.github.io/mdBook/format/markdown.html) - [mdBook specific features](https://rust-lang.github.io/mdBook/format/mdbook.html) -Especially importing code blocks as Markdown is really handy to keep content always up-to-date and helps providing a full text searchable code documentation. +Especially importing code blocks as Markdown is really handy to keep content always up-to-date and helps providing a +full text searchable code documentation. ### Updating mdBook plugins contents 
@@ -33,15 +37,18 @@ Some of the mdBook parts are plugins that need their content to be updated from - mdbook-admonish: run `mdbook-admonish` inside the `docs` folder - mdbook-emojicodes: works without CSS, so no updates needed -- mdbook-catppuccin: run `mdbook-catppuccin` inside the `docs` folder (might need to grab binary from [its website](https://github.com/catppuccin/mdBook/releases), no Nix package available yet) +- mdbook-catppuccin: run `mdbook-catppuccin` inside the `docs` folder (might need to grab binary + from [its website](https://github.com/catppuccin/mdBook/releases), no Nix package available yet) ## Deployment Deployment to Cloudflare pages automated and happens whenever a commit to main occurs. -A [GitHub actions workflow](https://github.com/garuda-linux/infrastructure-nix/blob/main/.github/workflows/pages.yml) builds and pushes it to the `cf-pages` branch, which will then be used by the Cloudflare pages app to deploy the new version from. +A [GitHub actions workflow](https://github.com/garuda-linux/infrastructure-nix/blob/main/.github/workflows/pages.yml) +builds and pushes it to the `cf-pages` branch, which will then be used by the Cloudflare pages app to deploy the new +version from. ```yaml -{{#include ../../../.github/workflows/pages.yml}} +{ {#include ../../../.github/workflows/pages.yml}} ``` ## Issues and their solution 
@@ -49,8 +56,12 @@ A [GitHub actions workflow](https://github.com/garuda-linux/infrastructure-nix/b ### Sidebar or something else on the documentation doesn't work as expected Chances are that the custom CSS parts need to be rebased to a newer version. -They can be found in `./docs/theme/css` and the only addition we made here is to use the Fira Sans font instead of the default one. -To rebase against a newer version comment out `dditional-css` in `./docs/book.toml` and move the `css` folder somewhere else temporarily. -After that, run `mdbook build` inside the `docs` folder. The new CSS files can now be found inside the `./docs/book/css` folder. -Copy those to the `./docs/theme/css` folder and alter the occurrences of font settings to include Fira Sans (or run a diff to find out where). +They can be found in `./docs/theme/css` and the only addition we made here is to use the Fira Sans font instead of the +default one. +To rebase against a newer version comment out `dditional-css` in `./docs/book.toml` and move the `css` folder somewhere +else temporarily. +After that, run `mdbook build` inside the `docs` folder. The new CSS files can now be found inside the `./docs/book/css` +folder. +Copy those to the `./docs/theme/css` folder and alter the occurrences of font settings to include Fira Sans (or run a +diff to find out where). After uncommenting `additional-css` in `book.toml`, run `mdbook build` again to verify nothing got broken along the way.
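Review bot: in the docs/src/privacy-policy.md hunk (@@ -56,43 +71,62 @@), the "Free software" paragraph still says "The current license can be viewed here. Additional information about packages covered by this license can be viewed here." with no link behind either "here"; since the paragraph is being rewrapped anyway, attach the actual links (or drop the sentences until they exist). Same hunk, "Changes to This Privacy Policy": the rewrap leaves the short line "changes. We will notify you of any" followed by "changes by posting ...", which is inconsistent with the wrapping elsewhere in the file, and "effective immediately, after they are posted" has a stray comma; suggest "These changes are effective immediately after they are posted on this page."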
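Review bot: in the docs/src/repositories/general.md "Backing up current repositories" hunk (@@ -2,13 +2,16 @@), the wording change is fine, but the example that follows passes the access token inline (`ghorg clone --scm gitlab --token "glpat-1234567890" garuda-linux`), so a real token typed that way ends up in shell history; while this paragraph is being reworded, add a sentence telling the reader to supply the token from ghorg's config file or an environment variable rather than on the command line, and keep the placeholder value clearly marked as a placeholder.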
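Review bot: in the docs/src/repositories/general.md "Archive" hunk (@@ -17,5 +20,7 @@), the rewrap changes "eg. the state of the ones" to "eg. The state of the ones", capitalising mid-sentence; suggest "It contains old PKGBUILDs and settings packages, e.g. the state of the ones before we moved to a unified PKGBUILD repository."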
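Review bot: in the docs/src/users.md "Onboarding a new admin" hunk (@@ -19,9 +21,12 @@), the two links for the ssh public key point at branch-relative line numbers (`flake.nix?ref_type=heads#L59` and `flake-module.nix?ref_type=heads#L38`), which silently drift as soon as either file changes; suggest linking to a commit-pinned permalink or naming the attribute to edit instead of a line number. The Bitwarden to Vaultwarden rename in the same hunk is correct for the linked vault.garudalinux.org instance.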
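Review bot: in the docs/src/websites/documentation.md "Building it" hunk (@@ -2,14 +2,16 @@), the rewrapped sentence keeps two errors from the original: "which generates Markdown files and generates HTML pages for them" (mdBook consumes the Markdown, it does not generate it) and "The documentation can be build by running"; suggest "which takes Markdown files and generates HTML pages from them. The documentation can be built by running:". In the following "mdBook syntax" hunk (@@ -20,12 +22,14 @@), "helps providing a full text searchable code documentation" should read "helps provide full-text searchable code documentation".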
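Review bot: in the docs/src/websites/documentation.md "Deployment" hunk (@@ -33,15 +37,18 @@), the change from `{{#include ../../../.github/workflows/pages.yml}}` to `{ {#include ../../../.github/workflows/pages.yml}}` breaks the mdBook include directive: with the space inserted, the preprocessor no longer recognises it and the literal text `{ {#include ...}}` will be rendered inside the yaml block instead of the workflow file. This looks like an auto-formatter artifact (compare the untouched `{{#include ../../../nixos/modules/users.nix:maintainers}}` in the current_users.md hunk of this same patch); please revert that line. Also in this hunk's unchanged context, "Deployment to Cloudflare pages automated and happens whenever a commit to main occurs." is missing a verb and should read "Deployment to Cloudflare pages is automated and happens whenever a commit to main occurs."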
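Review bot: in the docs/src/websites/documentation.md "Issues and their solution" hunk (@@ -49,8 +56,12 @@), the rewrapped line "To rebase against a newer version comment out `dditional-css` in `./docs/book.toml`" carries the `dditional-css` typo over from the removed line, while the last line of the hunk correctly spells it `additional-css`; fix the key name to `additional-css` while the line is being touched, and add a comma after "newer version".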