# site-config

Repository: https://github.com/homestak-dev/site-config (Apache-2.0; primary language Shell; topics: homelab, infrastructure-as-code, proxmox, secrets-management, sops).

Site-specific configuration for [homestak](https://github.com/homestak-dev) deployments.

## Overview

Configuration entities:
- **hosts/** - Physical machines (SSH access, storage, network)
- **nodes/** - PVE instances (API access)
- **postures/** - Security postures (SSH, sudo, auth model)
- **specs/** - Node specifications (what to become: packages, users, services)
- **presets/** - VM size presets (cores, memory, disk)
- **manifests/** - Deployment topologies (graph-based node orchestration)

All secrets are centralized in a single `secrets.yaml` file, the only file that is encrypted. The other entities reference its entries by key (API token name, SSH key identifier) rather than carrying secret values themselves.

## Quick Start

```bash
# Clone the template
git clone https://github.com/homestak-dev/site-config.git
cd site-config

# Initial setup (age/sops optional for new users)
make setup

# Create local config files from .example templates
make init-site       # → site.yaml (from site.yaml.example)
make init-secrets    # → secrets.yaml (from secrets.yaml.example, or decrypts .enc if age key exists)

# Edit site.yaml and secrets.yaml with your values
# Then on your PVE host: auto-generate config from system inventory
make host-config    # → hosts/{hostname}.yaml
make node-config    # → nodes/{hostname}.yaml

# Once you have an age key and .sops.yaml lists its public key (see Encryption), encrypt secrets
make encrypt
```

## Structure

```
site-config/
├── site.yaml.example      # Template for site defaults (tracked)
├── site.yaml              # Local site defaults (gitignored, from .example)
├── secrets.yaml.example   # Template for secrets (tracked)
├── secrets.yaml           # Local secrets (gitignored, from .example or .enc)
├── secrets.yaml.enc       # sops/age-encrypted secrets (written by make encrypt)
├── hosts/                 # Physical machines
│   └── {name}.yaml        # SSH access, network, storage
├── nodes/                 # PVE instances
│   └── {name}.yaml        # API endpoint, token ref, IP, datastore
├── postures/              # Security postures
│   └── {name}.yaml        # SSH, sudo, auth model settings
├── specs/                 # Node specifications
│   ├── base.yaml          # General-purpose VM (user, packages, timezone)
│   └── pve.yaml           # PVE hypervisor (proxmox packages, services)
├── presets/               # Size presets (vm- prefix)
│   └── vm-{size}.yaml     # cores, memory, disk
└── manifests/             # Deployment topologies
    └── {name}.yaml        # Graph-based node orchestration
```

## Schema

Primary keys are derived from filenames (e.g., `nodes/pve.yaml` → `pve`).
Foreign keys (FK) are explicit references between entities; a reference to a secret names the entry in `secrets.yaml`, it never repeats the value.

### site.yaml
```yaml
defaults:
  timezone: America/Denver
  domain: ""               # Optional, blank by default
  ssh_user: root
```

### secrets.yaml
```yaml
api_tokens:
  pve: "root@pam!tofu=..."
passwords:
  vm_root: "$6$..."
ssh_keys:
  # Key identifiers use user@host convention (matches key comment)
  admin@workstation: "ssh-rsa ... admin@workstation"
```

### hosts/{name}.yaml
```yaml
# Primary key derived from filename: pve.yaml -> pve
access:
  ssh_user: root
  authorized_keys:
    - admin@workstation           # FK -> secrets.ssh_keys["admin@workstation"]
```

### nodes/{name}.yaml
```yaml
# Primary key derived from filename: pve.yaml -> pve
host: pve                         # FK -> hosts/pve.yaml
api_endpoint: "https://localhost:8006"
api_token: pve                    # FK -> secrets.api_tokens.pve
ip: "10.0.0.1"                    # Node IP for SSH access
```

### presets/vm-{size}.yaml
```yaml
# Presets: vm-xsmall (1c/1G/8G), vm-small (2c/2G/10G), vm-medium (2c/4G/20G),
#          vm-large (4c/8G/40G), vm-xlarge (8c/16G/80G)
cores: 2
memory: 4096    # MB
disk: 20        # GB
```

### specs/{name}.yaml
```yaml
# Specifications define "what a node should become"
schema_version: 1

access:
  posture: dev                     # FK -> postures/dev.yaml
  users:
    - name: homestak
      sudo: true
      ssh_keys:
        - ssh_keys.admin@host      # FK -> secrets.ssh_keys

platform:
  packages:
    - htop
    - curl

config:
  timezone: America/Denver
```

### manifests/{name}.yaml
```yaml
# Graph-based deployment topology
schema_version: 2
name: n1-basic
pattern: flat
nodes:
  - name: edge
    type: vm
    spec: base                     # FK -> specs/base.yaml
    preset: vm-small               # FK -> presets/vm-small.yaml
    image: debian-12
    vmid: 99001
```

## Deploy Pattern

Manifests define deployment topologies. Use iac-driver to execute them:

```bash
# Deploy infrastructure from manifest
cd ../iac-driver && ./run.sh manifest apply -M n1-push -H srv1

# Full roundtrip: create, verify SSH, destroy
./run.sh manifest test -M n1-push -H srv1

# Tear down
./run.sh manifest destroy -M n1-push -H srv1 --yes
```

## Encryption

Only `secrets.yaml` is encrypted (to `secrets.yaml.enc`, with sops and age). Every other file is expected to be non-sensitive: tokens, password hashes and SSH keys are referenced from `hosts/`, `nodes/` and `specs/` by key, never pasted by value, so those files can be committed in plaintext. Both `site.yaml` and `secrets.yaml` are gitignored; the repo ships `.example` templates that are copied to create local files. The age private key (`~/.config/sops/age/keys.txt`) is what decrypts `secrets.yaml.enc`: keep it outside the repository, and run `make clean` to remove the plaintext `secrets.yaml` once you have finished editing and encrypting.

### Setup

1. Run setup (age/sops are optional for new users):
   ```bash
   make setup
   ```

2. Create local config files from templates:
   ```bash
   make init-site       # Copy site.yaml.example → site.yaml
   make init-secrets    # Decrypt .enc (if age key exists) or copy .example → secrets.yaml
   ```

3. (Optional) For full encryption support, install dependencies and generate an age key:
   ```bash
   sudo make install-deps
   mkdir -p ~/.config/sops/age
   age-keygen -o ~/.config/sops/age/keys.txt
   chmod 600 ~/.config/sops/age/keys.txt
   ```

4. Update `.sops.yaml` with your public key: the `age1...` recipient that `age-keygen` prints (and that `keys.txt` carries in its `# public key:` comment). Only the public key goes into the repo; `make encrypt` uses it as the recipient, and `make decrypt` needs the matching private key from step 3.

### Commands

| Command | Description |
|---------|-------------|
| `make install-deps` | Install age and sops (requires root) |
| `make setup` | Configure git hooks, check dependencies (age/sops optional) |
| `make init-site` | Create site.yaml from site.yaml.example |
| `make init-secrets` | Decrypt .enc or copy .example to create secrets.yaml |
| `make host-config` | Generate hosts/{hostname}.yaml from system info |
| `make node-config` | Generate nodes/{hostname}.yaml from PVE info |
| `make encrypt` | Encrypt secrets.yaml |
| `make decrypt` | Decrypt secrets.yaml.enc (sets 600 permissions) |
| `make clean` | Remove plaintext secrets.yaml |
| `make check` | Show setup status |
| `make validate` | Validate YAML syntax |

Use `FORCE=1` to overwrite existing config files:
```bash
make host-config FORCE=1
```

## Discovery

Tools locate site-config by checking, in order:
1. `$HOMESTAK_SITE_CONFIG` environment variable
2. `../site-config/` sibling directory (dev workspace)
3. `~homestak/etc/` (bootstrap install)

## Third-Party Acknowledgments

This project relies on excellent open-source tools:

| Tool | Purpose |
|------|---------|
| [SOPS](https://github.com/getsops/sops) | Secrets encryption with structured file support |
| [age](https://github.com/FiloSottile/age) | Simple, modern encryption backend |

## Related Repos

| Repo | Purpose |
|------|---------|
| [bootstrap](https://github.com/homestak-dev/bootstrap) | Entry point - curl\|bash setup |
| [iac-driver](https://github.com/homestak-dev/iac-driver) | Orchestration engine |
| [ansible](https://github.com/homestak-dev/ansible) | Proxmox host configuration |
| [tofu](https://github.com/homestak-dev/tofu) | VM provisioning |
| [packer](https://github.com/homestak-dev/packer) | Custom Debian cloud images |

## License

Apache 2.0
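## Added example: checking the secrets boundary

The guarantee in the Encryption section (only `secrets.yaml` is encrypted, everything else is non-sensitive) holds only while `hosts/`, `nodes/`, `specs/` and `manifests/` keep referencing secrets by key, and `make validate` checks YAML syntax alone. The script below is an added example written for this page, not code from the site-config repo: it walks a parsed config tree, confirms that every foreign key described in the Schema section resolves, and flags any secret-shaped value (PVE API token, crypt(3) hash, SSH public key) found outside `secrets.yaml`. The tree is modelled as a `{path: parsed YAML}` dict so the check runs without PyYAML; the secret-shape patterns, the contents of `postures/dev.yaml` and both sample trees are constructed for this example, and the key-reference check accepts both spellings the README shows (`admin@workstation` and `ssh_keys.admin@workstation`). Python 3.9+ is assumed for `str.removeprefix`.

```python
"""Cross-file checks for a homestak site-config tree: added example, not repo code.
Verifies what `make validate` (YAML syntax only) does not: every foreign key in the
Schema section resolves, and no secret-shaped value sits outside secrets.yaml, the
only encrypted file. The tree is a {path: parsed-yaml} dict so this runs without
PyYAML; build it with yaml.safe_load() per file for a real checkout."""
import copy
import re
from pathlib import PurePosixPath

# Value shapes that belong only in secrets.yaml (assumed patterns, not from the repo).
_UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
SECRET_SHAPES = {
    "pve_api_token": re.compile(r"\S+@\S+!\S+=" + _UUID),   # user@realm!tokenid=uuid
    "crypt_hash": re.compile(r"^\$(?:1|5|6|2[abxy]|y)\$"),    # $6$..., $y$...
    "ssh_public_key": re.compile(r"^(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+) AAAA"),
}

def _strings(value, path=""):
    """Yield (dotted path, text) for every string scalar in a parsed document."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, sub in value.items():
            yield from _strings(sub, f"{path}.{key}" if path else str(key))
    elif isinstance(value, list):
        for i, sub in enumerate(value):
            yield from _strings(sub, f"{path}[{i}]")

def _entities(site, kind):
    """Primary keys of one directory, derived from filenames: nodes/pve.yaml -> 'pve'."""
    return {PurePosixPath(p).stem for p in site if p.startswith(kind + "/")}

def check_references(site):
    """One message per foreign key that does not resolve."""
    findings = []
    secrets = site.get("secrets.yaml", {})
    tokens, keys = set(secrets.get("api_tokens", {})), set(secrets.get("ssh_keys", {}))
    hosts, postures = _entities(site, "hosts"), _entities(site, "postures")
    specs, presets = _entities(site, "specs"), _entities(site, "presets")

    def need(ok, fname, ref, target):
        if not ok:
            findings.append(f"{fname}: {ref!r} does not resolve to {target}")

    for fname, doc in site.items():
        if fname.startswith("hosts/"):
            for ref in doc.get("access", {}).get("authorized_keys", []):
                need(ref in keys, fname, ref, "secrets.ssh_keys")
        elif fname.startswith("nodes/"):
            need(doc.get("host") in hosts, fname, doc.get("host"), "hosts/")
            need(doc.get("api_token") in tokens, fname, doc.get("api_token"), "secrets.api_tokens")
        elif fname.startswith("specs/"):
            access = doc.get("access", {})
            need(access.get("posture") in postures, fname, access.get("posture"), "postures/")
            for user in access.get("users", []):
                for ref in user.get("ssh_keys", []):   # README spells this ref both ways
                    need(ref.removeprefix("ssh_keys.") in keys, fname, ref, "secrets.ssh_keys")
        elif fname.startswith("manifests/"):
            for node in doc.get("nodes", []):
                need(node.get("spec") in specs, fname, node.get("spec"), "specs/")
                need(node.get("preset") in presets, fname, node.get("preset"), "presets/")
    return findings

def scan_plaintext_secrets(site):
    """One message per secret-shaped string found in any file other than secrets.yaml."""
    findings = []
    for fname, doc in site.items():
        if fname != "secrets.yaml":
            for where, text in _strings(doc):
                for shape, pattern in SECRET_SHAPES.items():
                    if pattern.search(text):
                        findings.append(f"{fname}: {where} holds a {shape}; keep it in "
                                        "secrets.yaml and reference it by key")
    return findings

def check_site(site):
    """All findings for a parsed tree; an empty list means it is consistent."""
    return check_references(site) + scan_plaintext_secrets(site)

# Constructed sample tree following the README's Schema section (no real secrets).
SAMPLE = {
    "secrets.yaml": {
        "api_tokens": {"pve": "root@pam!tofu=11111111-2222-3333-4444-555555555555"},
        "passwords": {"vm_root": "$6$examplesalt$examplehash"},
        "ssh_keys": {"admin@workstation": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample admin@workstation"},
    },
    "hosts/pve.yaml": {"access": {"ssh_user": "root", "authorized_keys": ["admin@workstation"]}},
    "nodes/pve.yaml": {"host": "pve", "api_endpoint": "https://localhost:8006", "api_token": "pve", "ip": "10.0.0.1"},
    "postures/dev.yaml": {"ssh": {"password_auth": False}},   # contents assumed for the example
    "specs/base.yaml": {"schema_version": 1, "platform": {"packages": ["htop", "curl"]},
                        "access": {"posture": "dev", "users": [{"name": "homestak", "sudo": True,
                                                               "ssh_keys": ["ssh_keys.admin@workstation"]}]}},
    "presets/vm-small.yaml": {"cores": 2, "memory": 2048, "disk": 10},
    "manifests/n1-basic.yaml": {"schema_version": 2, "name": "n1-basic", "pattern": "flat",
                                "nodes": [{"name": "edge", "type": "vm", "spec": "base", "preset": "vm-small",
                                           "image": "debian-12", "vmid": 99001}]},
}

# Two contributor mistakes: a node whose host file does not exist, and a PVE token
# pasted by value instead of referenced through secrets.yaml.
BROKEN = copy.deepcopy(SAMPLE)
BROKEN["nodes/lab.yaml"] = {"host": "lab", "api_endpoint": "https://10.0.0.2:8006", "ip": "10.0.0.2",
                            "api_token": "root@pam!tofu=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}

if __name__ == "__main__":
    print(*(check_site(BROKEN) or ["no findings"]), sep="\n")
```

Run as a script it reports three findings for `BROKEN` (the dangling `host: lab`, the `api_token` that names no entry in `secrets.api_tokens`, and the token value itself flagged as a `pve_api_token`) and none for `SAMPLE`. To use it on a real checkout, build the dict with `yaml.safe_load()` over the files listed under Structure and run it from the git hook that `make setup` installs, so a pasted token fails the commit before `secrets.yaml.enc` is the only thing protecting it.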