phg/bitpoll-nix
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
bitpoll-nix/memory-bank/techContext.md

281 lines
7.1 KiB
Markdown
Raw Blame History

# Tech Context: Bitpoll Nix Flake
## Technology Stack
### Core Technologies
- **Nix/NixOS**: Package management and system configuration
- **Django**: Web framework (Bitpoll's foundation)
- **Python 3**: Runtime environment
- **SQLite**: Default database (PostgreSQL supported)
- **systemd**: Service management
### Nix Ecosystem
- **Flakes**: Modern Nix package management
- **nixpkgs**: Package repository (NixOS 25.05)
- **flake-utils**: Cross-platform utilities
- **NixOS Modules**: System service configuration
### Python Dependencies
#### Core Django Stack
```nix
django # Web framework
django-encrypted-model-fields # Data encryption
django-simple-csp # Content Security Policy
django-markdownify # Markdown processing
django-pipeline # Asset pipeline
django-friendly-tag-loader # Template utilities
django-token-bucket # Rate limiting
django-widget-tweaks # Form widgets
```
#### Calendar and Date Handling
```nix
caldav # CalDAV protocol support
icalendar # iCalendar format handling
python-dateutil # Date parsing utilities
pytz # Timezone handling
vobject # vCard/vCalendar objects
recurring-ical-events # Recurring event processing
```
#### Security and Crypto
```nix
cryptography # Cryptographic primitives
libsasscompiler # SASS compilation
```
#### Data and Markup
```nix
markdown # Markdown processing
bleach # HTML sanitization
pydantic # Data validation
lxml # XML processing
```
#### Database Support
```nix
psycopg2 # PostgreSQL adapter
# SQLite support built into Python
```
#### System Integration
```nix
openldap # LDAP authentication
cyrus_sasl # SASL authentication
```
## Development Setup
### Nix Environment
```bash
# Development shell
nix develop
# Available tools in dev shell:
- python3
- pip
- virtualenv
- gettext (internationalization)
- openldap
- cyrus_sasl
```
### Build Environment
```nix
nativeBuildInputs = [
gettext # Message compilation
pythonEnv # Python with packages
];
buildInputs = [
openldap # LDAP support
cyrus_sasl # SASL support
];
```
## Technical Constraints
### Nix-Specific Constraints
- **Reproducible Builds**: All dependencies must be pinned
- **Pure Builds**: No network access during build
- **FHS Compliance**: Must work within Nix store structure
- **Cross-platform**: Support Linux and macOS development
### Django Constraints
- **Settings Management**: Must handle production vs development
- **Static Files**: Proper collection and serving
- **Database Migrations**: Automatic handling required
- **Secret Management**: Secure key handling
### System Constraints
- **User Isolation**: Dedicated system user required
- **File Permissions**: Proper ownership and access control
- **Service Management**: systemd integration
- **Security Hardening**: Comprehensive restrictions
## Dependencies Management
### Package Resolution Strategy
1. **nixpkgs packages**: Use when available and compatible
2. **pip installation**: For packages not in nixpkgs
3. **Custom patches**: When upstream packages need fixes
4. **Version pinning**: Ensure reproducible builds
### Python Path Management
```bash
# Build-time PYTHONPATH
export PYTHONPATH=$out/lib/python3.12/site-packages:$out/share/bitpoll:$PYTHONPATH
# Runtime PYTHONPATH (in wrapper scripts)
export PYTHONPATH=$out/lib/python3.12/site-packages:$out/share/bitpoll:$PYTHONPATH
```
### Dependency Installation Process
1. Core packages via `python3.withPackages`
2. Missing packages via pip to `$out/lib/python3.12/site-packages`
3. PYTHONPATH configuration in wrapper scripts
4. Runtime environment variable setup
## Tool Usage Patterns
### Nix Commands
```bash
# Build package
nix build
# Run development server
nix run
# Run management commands
nix run .#bitpoll-manage -- <command>
# Enter development shell
nix develop
# Check flake
nix flake check
```
### Django Management
```bash
# Database operations
bitpoll-manage migrate
bitpoll-manage createsuperuser
bitpoll-manage collectstatic
# Development
bitpoll-manage runserver
bitpoll-manage shell
# Maintenance
bitpoll-manage check
bitpoll-manage generate_encryption_key
```
### System Operations
```bash
# NixOS deployment
sudo nixos-rebuild switch --flake .#hostname
# Service management
systemctl status bitpoll
systemctl restart bitpoll
journalctl -u bitpoll
```
## Configuration Management
### Build-time Configuration
- **settings_local.py**: Generated at build time
- **Default values**: Secure production defaults
- **Path configuration**: Nix store and data directory paths
### Deploy-time Configuration
- **NixOS options**: Service configuration
- **Module parameters**: Port, host, data directory
- **Security settings**: User, permissions, hardening
### Runtime Configuration
- **Environment variables**: Secret overrides
- **Secret files**: External key management
- **Dynamic settings**: Runtime-generated values
## Security Architecture
### User Isolation
```nix
users.users.bitpoll = {
isSystemUser = true;
group = "bitpoll";
home = cfg.dataDir;
createHome = true;
};
```
### systemd Hardening
```nix
serviceConfig = {
NoNewPrivileges = true;
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
ReadWritePaths = [ cfg.dataDir ];
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
};
```
### File System Security
- **Data directory**: `/var/lib/bitpoll` with restricted access
- **Read-only system**: Most filesystem read-only
- **Temporary isolation**: Private temporary directories
- **Device restrictions**: No device access
## Performance Considerations
### Build Performance
- **Cached builds**: Nix store caching
- **Incremental builds**: Only rebuild changed components
- **Parallel builds**: Multi-core build support
### Runtime Performance
- **Python optimization**: Compiled bytecode
- **Static file serving**: Efficient asset delivery
- **Database optimization**: Proper indexing and queries
- **Memory management**: Controlled resource usage
### Deployment Performance
- **Atomic updates**: Zero-downtime deployments
- **Rollback capability**: Instant rollback to previous versions
- **Service restart**: Graceful restart handling
## Integration Points
### External Systems
- **LDAP**: Authentication integration
- **CalDAV**: Calendar system integration
- **Email**: Notification system
- **Reverse Proxy**: nginx/traefik integration
### Monitoring and Logging
- **systemd journals**: Centralized logging
- **Django logging**: Application-level logs
- **Health checks**: Service monitoring
- **Metrics collection**: Performance monitoring
## Version Management
### Upstream Tracking
- **Bitpoll version**: master branch (commit 4a3e6a5)
- **nixpkgs version**: NixOS 25.05
- **Python version**: 3.x from nixpkgs
- **Django version**: Latest from nixpkgs
### Update Strategy
- **Pin specific commits**: Reproducible builds
- **Test before update**: Comprehensive testing
- **Gradual rollout**: Staged deployment
- **Rollback plan**: Quick recovery capability
Reference in a new issue View git blame Copy permalink