KastnerRG infrastructure, as code. Three layers, split by configuration tool (not guest-vs-host — some NixOS machines are physical):
| Layer | Path | Manages | Tool |
|---|---|---|---|
| NixOS machines | nix/ | every NixOS machine — physical (waiter) and Proxmox VMs (krg-prod, e4e-prod, krg-ldap, krg-vault, krg-deploy) | Nix flake |
| Hypervisors | ansible/ | the Proxmox/Debian hosts those VMs run on | Ansible |
| Web-API config | terraform/ | config of API-driven targets — Synology DSM (e4e-nas), Authentik, OpenBao, Grafana | OpenTofu |
- Building/deploying NixOS machines: nix/README.md
- Hardening the Proxmox hosts: ansible/README.md
- API-driven config (NAS / SSO / secrets / dashboards): terraform/README.md
- Operator runbooks + topology/inventory: docs/
- Architecture + agent guidance: CLAUDE.md
This repo is an incident-response rebuild: a Proxmox host's root SSH was
dictionary-attacked. The NixOS guests were already hardened, so ansible/ brings
the hypervisors under the same baseline (key-only SSH, fail2ban, krg-admin),
and the breached Active Directory is being rebuilt clean as a new Samba AD forest
on krg-ldap.
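The "key-only SSH" part of that baseline is the one that actually stops a dictionary attack, and it is easy to get subtly wrong: sshd uses the first occurrence of a keyword, ignores anything you append below it, and applies different rules inside `Match` blocks. The script below is an added example, not code from this repo or its ansible/ role: a small POSIX-sh check that reads an sshd_config the way sshd does (first match wins, global section ends at `Match`) and fails if root password login or password authentication is still possible. The three sample configs are constructed for the example; the `krg-admin` Match block mirrors the account named above but is otherwise an assumption.

```shell
#!/bin/sh
# Added example (not from the KastnerRG repo): check an sshd_config against the
# key-only baseline. On a real hypervisor run:  sshd_baseline_check /etc/ssh/sshd_config
# Caveat: this mirrors sshd's first-match rule and stops at the first Match
# line, but it does not follow Include directives or the "Key=value" form, so
# confirm on the host with:  sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'

# effective_value FILE KEYWORD -> prints the first value sshd would use for
# KEYWORD in the global section (case-insensitive), or nothing if unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/          { next }   # comment line
        tolower($1) == "match"    { exit }   # global section ends at first Match
        tolower($1) == key        { print tolower($2); exit }   # first match wins
    ' "$1"
}

# sshd_baseline_check FILE -> returns 0 if root cannot log in with a password
# and password auth is off globally; returns 1 and prints each violation otherwise.
sshd_baseline_check() {
    cfg="$1"; rc=0
    root="$(effective_value "$cfg" PermitRootLogin)"
    pass="$(effective_value "$cfg" PasswordAuthentication)"
    pubkey="$(effective_value "$cfg" PubkeyAuthentication)"

    # Unset defaults to prohibit-password on modern OpenSSH, but insist it is explicit.
    case "${root:-unset}" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin=${root:-unset} (want no or prohibit-password)"; rc=1 ;;
    esac
    # Unset defaults to yes: the dictionary attack stays possible.
    case "${pass:-unset}" in
        no) ;;
        *) echo "FAIL PasswordAuthentication=${pass:-unset} (want no)"; rc=1 ;;
    esac
    # Unset defaults to yes; only an explicit no would lock the key-holders out.
    case "${pubkey:-unset}" in
        yes|unset) ;;
        *) echo "FAIL PubkeyAuthentication=${pubkey} (want yes)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not real host files).
WEAK_CFG="$(mktemp)"; HARDENED_CFG="$(mktemp)"; APPENDED_CFG="$(mktemp)"
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG" "$APPENDED_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# Typical stock config: root login on, PasswordAuthentication left commented (default yes)
PermitRootLogin yes
#PasswordAuthentication no
EOF

cat > "$HARDENED_CFG" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
# Match blocks are per-connection rules; they do not change the global check above
Match User krg-admin
    PasswordAuthentication no
EOF

cat > "$APPENDED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
# Someone appended the fix at the bottom; sshd keeps the FIRST value, so this is inert
PasswordAuthentication no
EOF

sshd_baseline_check "$WEAK_CFG"     || echo "weak config rejected (expected)"
sshd_baseline_check "$HARDENED_CFG" && echo "hardened config accepted (expected)"
sshd_baseline_check "$APPENDED_CFG" || echo "appended-fix config rejected (expected)"
```

The third sample is the case worth remembering: appending `PasswordAuthentication no` to a file that already sets it earlier changes nothing, which is why a config-management baseline should own the whole file (or use `lineinfile`-style replacement of the existing directive) rather than append, and why the verification step should ask sshd itself (`sshd -T`) rather than grep the file.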