Providers

We rely on several external providers to host some of the services that are critical to the proper functioning of our infrastructure. These services have to be run by external providers so that we can still rely on them in the event of downtime on our side.

Git hosting, CI/CD

We host the git repositories describing our infrastructure and our configuration at GitLab. Currently, the CI for building our hosts is run on duck through shabka (our configuration manager).

GitLab

We host our repositories at GitLab.com. All our repositories are grouped in the Lama Corp. Infrastructure group. Here is an exhaustive list of what we are using for our infrastructure:

  • dotshabka: holds the NixOS configuration of our hosts. As of today, it also holds the users' personal configuration. This is going to change as part of the development of shabka. This repository is where you'll work most of the time.
  • dotshabka-secrets: as dotshabka is a public repository, this is a private one where we hold all needed secrets to run our services, like API keys.
  • nur-packages: this is where we package custom packages for shabka or for our services.
  • shabka: this is simply a mirror of shabka's upstream repository in case we get fucked by GitHub or Microsoft (never trust anyone, right?).
  • documentation: the source of this website.
  • Mirrors: a bunch of mirrors of repositories of tools we use for our infrastructure. This is mostly because of some paranoia risson is holding on to.

Status

You can check the status of GitLab through several channels:

Self-hosted

This section needs expansion. It is not critical to the understanding of the infrastructure so it has not been properly completed just yet.

There is currently no CI done on GitLab.com for our infrastructure. Our hosts are built by shabka's CI, but also by Hercules CI and then pushed to Cachix.

DNS

Our DNS is managed by Cloudflare. The admin interface is available at dash.cloudflare.com. There, you'll find the list of domains we manage. If you click on a domain, let's say lama-corp.space, you'll get an overview of the domain. From there, the only thing you will be using is the DNS tab. Here are all our DNS records. As you can see, they are all DNS only (not proxied through Cloudflare). This is because we want to use Let's Encrypt certificates for our YunoHost instance, and YunoHost checks that the IP in DNS is the same as the public IP of the instance. This means we can't obtain a certificate while being proxied through Cloudflare. However, if we ever get DDoSed, we can still enable Cloudflare proxying to protect us until the certificate expires. There are ways to stay protected by Cloudflare even if our Let's Encrypt certificate expires, but that event is unlikely to happen, so we won't be expanding on that topic here.
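The two things worth verifying before touching the proxy toggle are the precondition YunoHost enforces (the DNS answer must contain the instance's public IP) and how many days the current certificate has left, since that bounds how long proxying can stay enabled before the origin's certificate lapses. The script below is an added example, not code from YunoHost, Cloudflare or this infrastructure; the hostname `example.lama-corp.space`, the public IP `203.0.113.10` and the certificate dates are constructed sample values, and `resolve_ipv4`/`fetch_not_after` are the only functions that touch the network.

```python
"""Pre-flight checks for the "DNS only" Let's Encrypt setup described above.

Added example, not YunoHost's, Cloudflare's or Lama Corp.'s own code. The
hostname, public IP and certificate dates below are constructed samples.
"""
import socket
import ssl
import time


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses `hostname` currently resolves to.

    When the record is proxied by Cloudflare this set contains Cloudflare
    edge addresses rather than the instance's own public IP.
    """
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET)
    return {sockaddr[0] for _, _, _, _, sockaddr in infos}


def dns_points_at_instance(resolved_ips, public_ip):
    """Mirror the precondition YunoHost enforces before requesting a
    Let's Encrypt certificate: the DNS answer must contain the instance's
    public IP. A proxied ("orange cloud") record fails this check."""
    return public_ip in resolved_ips


def fetch_not_after(hostname, port=443, timeout=5.0):
    """Fetch the notAfter field of the certificate currently served by
    `hostname` (live TLS handshake; requires network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def proxy_window_days(not_after, now=None):
    """Whole days left before the certificate expires (negative if expired).

    While Cloudflare proxying is enabled YunoHost cannot renew, so this is
    roughly how long the proxy can stay on during a DDoS. Both arguments use
    the format ssl.getpeercert() returns, e.g. 'Jun  1 12:00:00 2025 GMT';
    `now` defaults to the current time and exists so runs are reproducible.
    """
    expiry_s = ssl.cert_time_to_seconds(not_after)
    now_s = ssl.cert_time_to_seconds(now) if now else time.time()
    return int((expiry_s - now_s) // 86400)


def report(hostname, public_ip, resolved_ips, not_after, now=None):
    """Summarise both checks for one domain as a dict (no network access)."""
    ok = dns_points_at_instance(resolved_ips, public_ip)
    return {
        "host": hostname,
        "dns_only": ok,
        "can_issue_cert": ok,
        "days_before_expiry": proxy_window_days(not_after, now),
    }


if __name__ == "__main__":
    # Constructed sample values: a DNS-only record next to a proxied one.
    public_ip = "203.0.113.10"  # TEST-NET-3 documentation address
    now = "May  1 12:00:00 2025 GMT"
    print(report("example.lama-corp.space", public_ip, {"203.0.113.10"},
                 "Jun  1 12:00:00 2025 GMT", now))
    print(report("example.lama-corp.space", public_ip, {"198.51.100.7"},
                 "Jun  1 12:00:00 2025 GMT", now))
```

Against a live host you would feed `resolve_ipv4(host)` and `fetch_not_after(host)` into `report`; the second sample run shows the failure mode the text describes, where a proxied record no longer contains the origin's IP and certificate issuance would be refused.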

Status

You can check the status of Cloudflare through several channels:

Servers

As we try to keep our costs at a minimum while having minimal downtime, we host our critical services with online providers, and the less critical services are self-managed (understand: at home).

Hetzner

This is where we rent our physical servers. Unfortunately, there is no way to add a second admin, so risson is the only administrator.

You can check the status of Hetzner through several channels:

Google Cloud

For future use

Google Cloud offers a very small virtual machine for free, so we plan to use it for external monitoring.

Status

You can check the status of Google Cloud through several channels:

Self-managed

For now, none of our home-based servers are used in production. This is bound to change once we have a running k8s cluster and some real backups.