  • Nix 71.4%
  • Shell 28.6%
reinitialized 9f43f6c64c
docs: rewrite README.md for clarity and conciseness
Refactor the main documentation to provide a more streamlined overview of the infrastructure flake. Key changes include:

- Simplified the introduction and quick start guide.
- Added concrete bash examples for building configurations and VMA images.
- Updated the host inventory table with more detailed purpose descriptions and mesh IP addresses.
- Removed redundant sections and reorganized the layout for better readability.
2026-05-26 18:47:50 -05:00
.agents/workflows feat: add Authentik and ownCloud Infinite Scale services to apps1, document new workflows, and update network port mappings. 2026-04-01 11:34:55 -05:00
.vscode - fixes to infra 2026-02-07 18:20:06 -06:00
docs docs: rewrite README.md for clarity and conciseness 2026-05-26 18:47:50 -05:00
hosts docs: add documentation and implementation for container auto-updates 2026-05-26 17:30:25 -05:00
library Make secrets file optional in makeConfiguration 2026-04-17 19:30:00 -05:00
modules docs: rewrite README.md for clarity and conciseness 2026-05-26 18:47:50 -05:00
overrides Update hash for QEMU source in vma.nix 2026-01-18 19:59:35 -06:00
.clinerules feat(ai1): replace llama.cpp with native openclaw package 2026-04-14 12:10:26 -05:00
.codex feat: add SearXNG service and update development environment 2026-05-02 11:41:39 -05:00
.gitignore Add new Nix configuration files for VM management and system setup 2026-01-18 14:34:55 -06:00
AGENTS.md docs: add AGENTS.md guide for repository onboarding 2026-05-26 18:16:31 -05:00
CHANGELOG.md feat(auth): enable Forgejo OIDC auto-registration and document SSO architecture 2026-05-22 16:38:10 -05:00
flake.lock docs: add documentation and implementation for container auto-updates 2026-05-26 17:30:25 -05:00
flake.nix feat: add SearXNG service and update development environment 2026-05-02 11:41:39 -05:00
README.md docs: rewrite README.md for clarity and conciseness 2026-05-26 18:47:50 -05:00

Reinitialized Infrastructure

NixOS infrastructure flake for building Proxmox VMA images and managing the Reinitialized fleet. The repository defines host configurations, reusable NixOS modules, WireGuard mesh networking, Docker-based services, secret templates, and deployment tools installed on the devenv host.

For standard NixOS options, use the NixOS manual. This documentation covers repository-specific behavior.

Quick Start

Show current flake outputs without updating flake.lock:

nix flake show path:. --no-write-lock-file

Build one host configuration without activating it:

nix build path:.#nixosConfigurations.rp1.config.system.build.toplevel

Build one Proxmox VMA image:

nix build path:.#packages.x86_64-linux.rp1

The VMA build writes result/vzdump-qemu-<vmId>.vma.zst and result/CREDENTIALS.txt. Treat CREDENTIALS.txt as sensitive: it contains the generated rnetadmin password for the image, and because result is a symlink into /nix/store the file is readable by every local user and travels with the store path if the output is copied to another machine or pushed to a binary cache. Copy the password somewhere with restricted permissions instead of leaving it in the build output.

Current Flake Outputs

The source of truth for exported hosts is flake.nix. As of this update, these hosts are exported as both nixosConfigurations.<host> and packages.x86_64-linux.<host>:

Host    VM ID  VLAN  Mesh IP      Purpose
devenv  202    200   10.255.0.1   Development VM and fleet management tools
rp1     203    12    10.255.0.2   Reverse proxy, public ingress, DNS/mail stream proxying
apps1   204    11    10.255.0.3   Hudu, Technitium DNS primary, Stalwart, Forgejo, Jaeger, Grafana, Authentik
apps2   205    11    10.255.0.4   Technitium DNS secondary, UniFi, pgAdmin, Redis Insight, Forgejo Runner, Cinny
apps3   207    11    10.255.0.5   Immich, Tuwunel Matrix, Paperless-ngx, Pelican Panel, OCIS, SearXNG
ai1     208    11    10.255.0.9   OpenClaw gateway and AI tooling
db1     206    11    10.255.0.11  PostgreSQL, Valkey, OpenTelemetry Collector, Prometheus

gs1 exists in hosts/, modules/secrets.example/, and meshTopology.nix, but it is commented out in flake.nix; .#gs1 builds and deploys do not work until it is exported.

Common Commands

Build all exported NixOS configurations without generating VMA images:

nix build \
  path:.#nixosConfigurations.devenv.config.system.build.toplevel \
  path:.#nixosConfigurations.rp1.config.system.build.toplevel \
  path:.#nixosConfigurations.apps1.config.system.build.toplevel \
  path:.#nixosConfigurations.apps2.config.system.build.toplevel \
  path:.#nixosConfigurations.apps3.config.system.build.toplevel \
  path:.#nixosConfigurations.ai1.config.system.build.toplevel \
  path:.#nixosConfigurations.db1.config.system.build.toplevel

Build a Proxmox image for one host:

nix build path:.#packages.x86_64-linux.apps1

Import a built VMA on a Proxmox host:

scp result/vzdump-qemu-204.vma.zst root@proxmox:/var/lib/vz/dump/
qmrestore /var/lib/vz/dump/vzdump-qemu-204.vma.zst 204 --storage hotData
qm start 204
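The import steps above, together with the CREDENTIALS.txt handling from the Quick Start, as one script. This is an added example and not one of the repository's tools: it assumes only what the README states (the vzdump-qemu-<vmId>.vma.zst naming, root@proxmox as the target, hotData as the storage); the checksum verification, the PVE_HOST/PVE_STORAGE variables and the file layout are this script's own choices.

```shell
#!/usr/bin/env bash
# Added example (not part of the repository): move a built VMA from result/ onto a
# Proxmox host without leaving the generated rnetadmin password in the Nix store.
# Assumed from the README: vzdump-qemu-<vmId>.vma.zst naming, root@proxmox, hotData.
set -eu

# Extract the VM ID from a name such as vzdump-qemu-204.vma.zst; fail on anything else.
vma_id() {
  id=$(basename "$1" | sed -nE 's/^vzdump-qemu-([0-9]+)\.vma\.zst$/\1/p')
  [ -n "$id" ] || return 1
  printf '%s\n' "$id"
}

# Find the VMA under a result directory and print "<vmId> <path> <sha256>".
# The trailing slash makes find follow the result symlink into the store path.
describe_vma() {
  vma=$(find "$1/" -maxdepth 1 -name 'vzdump-qemu-*.vma.zst' | head -n 1)
  [ -n "$vma" ] || { echo "no VMA found under $1" >&2; return 1; }
  id=$(vma_id "$vma") || { echo "unexpected VMA name: $vma" >&2; return 1; }
  printf '%s %s %s\n' "$id" "$vma" "$(sha256sum "$vma" | cut -d ' ' -f 1)"
}

# Copy CREDENTIALS.txt out of the Nix store into a mode-0600 file owned by the caller.
# Everything under /nix/store is readable by every local user, so the build output is
# the wrong place for a password. Prints the destination path.
stage_credentials() {
  src=$1/CREDENTIALS.txt
  dst=$2
  [ -f "$src" ] || { echo "no CREDENTIALS.txt under $1" >&2; return 1; }
  ( umask 077 && cp "$src" "$dst" )
  chmod 0600 "$dst"
  printf '%s\n' "$dst"
}

# Upload the VMA, verify its checksum on the Proxmox side, then restore and start it.
# Needs SSH as root on the Proxmox host; PVE_HOST / PVE_STORAGE override the defaults.
import_vma() {
  set -- $(describe_vma "$1")
  id=$1; vma=$2; sum=$3
  target=${PVE_HOST:-root@proxmox}
  storage=${PVE_STORAGE:-hotData}
  name=$(basename "$vma")
  scp "$vma" "$target:/var/lib/vz/dump/$name"
  ssh "$target" "cd /var/lib/vz/dump \
    && echo '$sum  $name' | sha256sum -c - \
    && qmrestore /var/lib/vz/dump/$name $id --storage $storage \
    && qm start $id"
}

# Usage: ./vma-import.sh stage  result ~/apps1-CREDENTIALS.txt
#        ./vma-import.sh import result
case "${1:-}" in
  stage)  stage_credentials "${2:-result}" "${3:?destination for CREDENTIALS.txt required}" ;;
  import) import_vma "${2:-result}" ;;
esac
```

The VM ID is taken from the file name rather than typed by hand, so the qmrestore target always matches the image that was built, and the checksum is rechecked on the Proxmox side after the copy rather than trusted from scp alone.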

Format changed Nix files when the formatter is available:

nixfmt-rfc-style <file>.nix

This flake does not define checks, formatter, apps, or devShells, so do not assume nix fmt or nix flake check provides repository validation.

Fleet Management

The devenv host installs generated tools from hosts/devenv/tools/.

Deploy one host:

rebuildHost apps1
rebuildHost rp1 --boot
rebuildHost devenv

Deploy every host listed in meshTopology.nix:

updateInfra

Important behavior:

  • rebuildHost <remote> and updateInfra use SSH as rnetadmin and pass --sudo to the remote rebuild.
  • Do not run remote deploys with sudo; the scripts reject root because root breaks the SSH key flow.
  • rebuildHost devenv is local and uses sudo nixos-rebuild internally.
  • updateInfra derives its host list from modules/profiles/meshNetwork/meshTopology.nix, not from flake.nix; verify flake exports before deploying a newly added topology host.

Generate OPNsense firewall rule recommendations from traffic logs:

updateNetworkFirewallRules --dry-run

Credentials come from secrets.opnsenseFirewall on devenv, or from environment variables documented in Secrets Management.

Repository Layout

Path                       Purpose
flake.nix                  Inputs, host definitions, nixosConfigurations, VMA packages
library/                   Internal helpers for NixOS configs, dual exports, VMA generation, and user modules
library/generateVMAImage/  Proxmox VMA builder and generated QEMU config
hosts/                     Host-specific NixOS modules
hosts/devenv/tools/        Generated deployment and firewall helper scripts
modules/profiles/          Standard, firewall, secrets, mesh, containers, and data-disk profiles
modules/packages/          Package overrides used by service hosts
modules/secrets.example/   Checked-in templates for live secrets
modules/secrets/           Live secrets, ignored by git
docs/                      Architecture, module, example, and investigation notes
overrides/vma.nix          QEMU package override with VMA support

Documentation

Secrets

Do not commit live secrets. Real secrets live in modules/secrets/<host>.nix; templates live in modules/secrets.example/<host>.nix.

makeConfiguration imports modules/secrets/<host>.nix automatically when the file exists. When adding or renaming a secret key used by a host, update the matching example file.
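Two checks worth running before updateInfra: that every host in meshTopology.nix is actually exported from flake.nix (the gs1 situation described under Current Flake Outputs), and that a host's live secrets file is git-ignored and has no keys missing from its template. This is an added example, not one of the generated tools in hosts/devenv/tools/. It assumes that meshTopology.nix and each modules/secrets*/<host>.nix evaluate to a plain attribute set whose top-level names are the host names and secret keys respectively; if the real files are module functions, adapt nix_attr_names accordingly.

```shell
#!/usr/bin/env bash
# Added example (not part of the repository): pre-deploy checks for the two mismatches
# the README warns about. Assumption: meshTopology.nix and modules/secrets*/<host>.nix
# are plain attribute sets whose top-level names are hosts / secret keys.
set -eu

# Print every name in the second newline-separated list that is absent from the first.
# Pure text processing, so it can be exercised without nix.
missing_from_list() {
  printf '%s\n' "$1" "---SEP---" "$2" | awk '
    $0 == "---SEP---"   { past_sep = 1; next }
    !past_sep           { have[$0] = 1; next }
    NF && !($0 in have) { print }'
}

# Turn a JSON string array such as ["apps1","rp1"] into one name per line.
json_names() {
  tr -d '[]"' | tr ',' '\n' | sed '/^$/d'
}

# Hosts actually exported by flake.nix, without touching flake.lock (as in the README).
flake_hosts() {
  nix eval --json --no-write-lock-file path:.#nixosConfigurations \
    --apply builtins.attrNames | json_names
}

# Top-level attribute names of a local .nix file. --impure because the file is read
# from the working tree rather than from a flake input.
nix_attr_names() {
  nix eval --json --impure --expr "builtins.attrNames (import $1)" | json_names
}

# updateInfra deploys every host in meshTopology.nix, but a host that flake.nix does not
# export cannot be built. Report such hosts and fail.
check_topology_exports() {
  exported=$(flake_hosts)
  topology=$(nix_attr_names ./modules/profiles/meshNetwork/meshTopology.nix)
  missing=$(missing_from_list "$exported" "$topology")
  [ -z "$missing" ] || { printf 'in topology but not exported: %s\n' $missing >&2; return 1; }
}

# A live secret key with no counterpart in the checked-in template is the drift the
# Secrets section asks you to avoid. Also refuse to continue if the live file is not
# git-ignored, since that is how a secret ends up in a commit.
check_secret_template() {
  host=$1
  live=./modules/secrets/$host.nix
  example=./modules/secrets.example/$host.nix
  [ -f "$live" ] || { echo "$host has no live secrets file, nothing to check"; return 0; }
  git check-ignore -q "$live" || { echo "$live is NOT git-ignored" >&2; return 1; }
  template_keys=$(nix_attr_names "$example")
  live_keys=$(nix_attr_names "$live")
  missing=$(missing_from_list "$template_keys" "$live_keys")
  [ -z "$missing" ] || { printf '%s: key missing from template: %s\n' "$host" $missing >&2; return 1; }
}

# Usage: ./predeploy-check.sh topology
#        ./predeploy-check.sh secrets apps1
case "${1:-}" in
  topology) check_topology_exports ;;
  secrets)  check_secret_template "${2:?host name required}" ;;
esac
```

Both checks end in a non-zero exit so they can gate a deploy script; the list comparison is kept separate from the nix calls so the logic can be tested with constructed host lists.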