No description
  • Nix 75.3%
  • Shell 24.7%
Find a file
infratainer 43c2645791 Auto-merge Renovate PR #68
Validated by infra-promote before merge.

chore(deps): update ghcr.io/matrix-construct/tuwunel docker tag to v1.8.2
2026-07-18 02:04:22 -05:00
.agents/workflows docs: update host lists and refine updateInfra logic 2026-06-18 17:01:19 -05:00
.vscode - fixes to infra 2026-02-07 18:20:06 -06:00
docs docs: update Technitium DNS cluster recursion ACL and verification 2026-06-27 16:57:12 -05:00
hosts chore(deps): update ghcr.io/matrix-construct/tuwunel docker tag to v1.8.2 2026-07-18 01:01:21 -05:00
library fix(secrets): allow importing host secrets from external directory 2026-06-19 18:27:52 -05:00
modules fix(profiles): bound generation and journal growth to prevent disk-full deploys 2026-06-29 11:25:49 -05:00
overrides Update hash for QEMU source in vma.nix 2026-01-18 19:59:35 -06:00
.gitignore Add new Nix configuration files for VM management and system setup 2026-01-18 14:34:55 -06:00
AGENTS.md docs: update AGENTS.md with refined project purpose and tooling 2026-06-21 17:48:24 -05:00
CHANGELOG.md fix(profiles): bound generation and journal growth to prevent disk-full deploys 2026-06-29 11:25:49 -05:00
flake.lock chore(deps): lock file maintenance 2026-07-18 01:12:01 -05:00
flake.nix chore(deps): update dependency nixpkgsstable to v26 2026-06-22 01:09:09 -05:00
README.md docs: remove references to ai1 host and OpenClaw 2026-06-18 16:25:45 -05:00
renovate.json feat(containers): enhance Renovate labeling and failure reporting 2026-06-26 10:55:38 -05:00

Reinitialized Infrastructure

NixOS infrastructure flake for building Proxmox VMA images and managing the Reinitialized fleet. The repository defines host configurations, reusable NixOS modules, WireGuard mesh networking, Docker-based services, secret templates, and deployment tools installed on the devenv host.

For standard NixOS options, use the NixOS manual. This documentation covers repository-specific behavior.

Quick Start

Show current flake outputs without updating flake.lock:

nix flake show path:. --no-write-lock-file

Build one host configuration without activating it:

nix build path:.#nixosConfigurations.rp1.config.system.build.toplevel

Build one Proxmox VMA image:

nix build path:.#packages.x86_64-linux.rp1

The VMA build writes result/vzdump-qemu-<vmId>.vma.zst and result/CREDENTIALS.txt. Treat CREDENTIALS.txt as sensitive; it contains the generated rnetadmin password for the image.

Current Flake Outputs

The source of truth for exported hosts is flake.nix. As of this update, these hosts are exported as both nixosConfigurations.<host> and packages.x86_64-linux.<host>:

Host VM ID VLAN Mesh IP Purpose
devenv 202 200 10.255.0.1 Development VM and fleet management tools
rp1 203 12 10.255.0.2 Reverse proxy, public ingress, DNS/mail stream proxying
apps1 204 11 10.255.0.3 Hudu, Technitium DNS primary, Stalwart, Forgejo, Jaeger, Grafana, Authentik
apps2 205 11 10.255.0.4 Technitium DNS secondary, UniFi, pgAdmin, Redis Insight, Forgejo Runner, Cinny
apps3 207 11 10.255.0.5 Immich, Tuwunel Matrix, Paperless-ngx, Pelican Panel, OCIS, SearXNG
db1 206 11 10.255.0.11 PostgreSQL, Valkey, OpenTelemetry Collector, Prometheus

gs1 exists in hosts/, modules/secrets.example/, and meshTopology.nix, but it is commented out in flake.nix; .#gs1 builds and deploys do not work until it is exported.

Common Commands

Build all exported NixOS configurations without generating VMA images:

nix build \
  path:.#nixosConfigurations.devenv.config.system.build.toplevel \
  path:.#nixosConfigurations.rp1.config.system.build.toplevel \
  path:.#nixosConfigurations.apps1.config.system.build.toplevel \
  path:.#nixosConfigurations.apps2.config.system.build.toplevel \
  path:.#nixosConfigurations.apps3.config.system.build.toplevel \
  path:.#nixosConfigurations.db1.config.system.build.toplevel

Build a Proxmox image for one host:

nix build path:.#packages.x86_64-linux.apps1

Import a built VMA on a Proxmox host:

scp result/vzdump-qemu-204.vma.zst root@proxmox:/var/lib/vz/dump/
qmrestore /var/lib/vz/dump/vzdump-qemu-204.vma.zst 204 --storage hotData
qm start 204

Format changed Nix files when the formatter is available:

nixfmt-rfc-style <file>.nix

This flake does not define checks, formatter, apps, or devShells, so do not assume nix fmt or nix flake check provides repository validation.

Fleet Management

The devenv host installs generated tools from hosts/devenv/tools/.

Deploy one host:

rebuildHost apps1
rebuildHost rp1 --boot
rebuildHost devenv

Deploy every host listed in meshTopology.nix:

updateInfra

Important behavior:

  • rebuildHost <remote> and updateInfra use SSH as rnetadmin and pass --sudo to the remote rebuild.
  • Do not run remote deploys with sudo; the scripts reject root because root breaks the SSH key flow.
  • rebuildHost devenv is local and uses sudo nixos-rebuild internally.
  • updateInfra derives its host list from modules/profiles/meshNetwork/meshTopology.nix, not from flake.nix; verify flake exports before deploying a newly added topology host.

Generate OPNsense firewall rule recommendations from traffic logs:

updateNetworkFirewallRules --dry-run

Credentials come from secrets.opnsenseFirewall on devenv, or from environment variables documented in Secrets Management.

Repository Layout

Path Purpose
flake.nix Inputs, host definitions, nixosConfigurations, VMA packages
library/ Internal helpers for NixOS configs, dual exports, VMA generation, and user modules
library/generateVMAImage/ Proxmox VMA builder and generated QEMU config
hosts/ Host-specific NixOS modules
hosts/devenv/tools/ Generated deployment and firewall helper scripts
modules/profiles/ Standard, firewall, secrets, mesh, containers, and data-disk profiles
modules/packages/ Package overrides used by service hosts
modules/secrets.example/ Checked-in templates for live secrets
modules/secrets/ Live secrets, ignored by git
docs/ Architecture, module, example, and investigation notes
overrides/vma.nix QEMU package override with VMA support

Documentation

Secrets

Do not commit live secrets. Real secrets live in modules/secrets/<host>.nix; templates live in modules/secrets.example/<host>.nix.

makeConfiguration imports modules/secrets/<host>.nix automatically when the file exists. When adding or renaming a secret key used by a host, update the matching example file.