mirror of
https://github.com/bnas82/nastoupil-home.git
synced 2026-04-24 20:31:57 +00:00
Nastoupil Home Infrastructure — K3s cluster, Atlas AI, services
- JavaScript 64.4%
- TypeScript 20.1%
- CSS 5.6%
- Python 4.4%
- Shell 3.1%
- Other 2.3%
Closes the "source-level dependency CVEs that Trivy misses" gap identified in the 2026-04-24 security-tool audit. Trivy scans built container images; OSV-Scanner walks every package-lock.json / Cargo.lock / go.sum / etc. in the repo and cross-references the OSV database.

Catches:
- CVEs disclosed between container rebuilds (Trivy only sees what's baked into the current image)
- Build-time tooling that never ships in a container (tsx, npm audit tools, playwright harnesses)
- Transitive dep CVEs before they escalate to CRITICAL and get rebuild-triggered by Renovate

## Workflow

- PR: runs `osv-scanner-reusable-pr.yml` — diff-based, only emits findings introduced by the PR
- Push to master: `osv-scanner-reusable.yml` — full-repo scan, catches newly-disclosed CVEs on already-landed code
- Mon 12:00 UTC schedule: same as push behavior; offset from Mon 14:00 Trivy-unfixed + Wed 15:00 TruffleHog so the three scans don't stack

Both publish to GitHub's code-scanning UI (Security tab) via SARIF.

## Action pin

google/osv-scanner-action@c518547 # v2.3.5

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
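The lockfile walk and the two scan scopes the commit message describes (diff-only on PRs, full repo on push and schedule), as an added Python example that is not OSV-Scanner's code or anything from this repository; the request shape is that of the public OSV API `POST /v1/querybatch`, and the lockfiles, package names, versions and GHSA id in the sample data are constructed.

```python
# Added example; not OSV-Scanner's code. All sample data below is constructed.
import json

# Constructed lockfiles (npm lockfileVersion 3 shape). BASE is master; HEAD is a
# PR that bumps one transitive dep and adds a dev-only build tool that never
# ships in a container image, so an image scanner would never see it.
BASE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "portal", "version": "1.0.0"},
    "node_modules/example-lib": {"version": "1.0.0"},
    "node_modules/example-server": {"version": "2.0.0"},
}})
HEAD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "portal", "version": "1.0.0"},
    "node_modules/example-lib": {"version": "1.0.1"},
    "node_modules/example-server": {"version": "2.0.0"},
    "node_modules/example-dev-tool": {"version": "0.5.0", "dev": True},
}})
# Constructed reply in the shape of POST https://api.osv.dev/v1/querybatch:
# results align with the queries by index; a clean package has no "vulns" key.
SAMPLE_OSV_RESPONSE = {"results": [{"vulns": [{"id": "GHSA-EXAMPLE-0001"}]}, {}, {}]}

def lock_packages(lock_json):
    """{name: version} for every installed package in a v2/v3 lockfile. The ""
    root entry is the project itself; taking the text after the last
    "node_modules/" yields the name for nested and scoped (@org/pkg) paths."""
    pkgs = json.loads(lock_json)["packages"]
    return {path.split("node_modules/")[-1]: meta["version"]
            for path, meta in pkgs.items() if path and "version" in meta}

def osv_querybatch(packages, ecosystem="npm"):
    """One query per name@version, sorted so responses are reproducible."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in sorted(packages.items())]}

def pr_scope(base_lock, head_lock):
    """Diff-based PR scan: only packages the PR adds or changes. Re-querying an
    unchanged lockfile on push/schedule is what surfaces CVEs disclosed later."""
    base, head = lock_packages(base_lock), lock_packages(head_lock)
    return {n: v for n, v in head.items() if base.get(n) != v}

def findings(packages, osv_response):
    """Map a querybatch response back to name@version -> [vuln ids]."""
    queries = osv_querybatch(packages)["queries"]
    return {f'{q["package"]["name"]}@{q["version"]}': [v["id"] for v in r["vulns"]]
            for q, r in zip(queries, osv_response["results"]) if r.get("vulns")}

if __name__ == "__main__":
    print("PR scope:", pr_scope(BASE_LOCK, HEAD_LOCK))
    print("Full scan findings:", findings(lock_packages(HEAD_LOCK), SAMPLE_OSV_RESPONSE))
```

Note that the dev-only tool is flagged by the full scan although it would never appear in a built image, which is exactly the gap the commit message describes.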
- .claude
- .github
- archive
- audits
- branding
- clusters/home
- db/migrations
- docs
- frigate
- ha
- kiosk-local
- packages
- scripts
- services
- tests/portal
- tools/migrator
- vps
- x.Archive/monitoring-legacy
- .dockerignore
- .editorconfig
- .gitignore
- .gitleaks.toml
- .pre-commit-config.yaml
- .prettierrc
- .sops.yaml
- .trivyignore
- CLAUDE.md
- eslint.config.mjs
- package-lock.json
- package.json
- README.md
- renovate.json
Nastoupil Home
Homelab infrastructure and smart-home platform for a family of three in Houston, TX. Runs on a 3-node K3s cluster with ~60 services behind *.nastoupil.org. Source of truth is code and YAML; prose docs summarize and link.
What's here
- K3s cluster — 3 nodes (alpha, bravo, delta) on Proxmox LXCs. Flux GitOps. Charlie remains a Proxmox host for the HAOS and Wazuh indexer VMs only.
- Home Assistant — HAOS VM; 94 HAOP packages in ha-packages/packages/.
- Atlas platform — 7 AI services in services/atlas-* (agent, voice, proactive, learning, security, ops, ui).
- Edge — VPS running Caddy + Vaultwarden + ntfy + Pingvin Share + Gatus.
- Family apps — Immich, Jellyfin, Mealie, Vikunja, Nextcloud, Paperless, Linkwarden, Navidrome, and the *arr stack.
Getting started
- New maintainer: start at docs/README.md.
- Architecture overview: docs/architecture/overview.md.
- Day-2 operations: docs/operations/.
- AI coding sessions: CLAUDE.md is the working guide for Claude Code.
Repository layout
See docs/repo-structure.md. Short version:
| Path | Contents |
|---|---|
| ha-packages/packages/ | Home Assistant packages (source of truth for HA) |
| clusters/home/ | Flux-managed K8s manifests |
| services/atlas-*/ | Atlas AI service source code |
| frigate/ | Frigate NVR config |
| vps/ | Edge host configuration |
| docs/ | Prose documentation |
| scripts/ | Operational utilities |
| x.Archive/ | Superseded material |
Conventions
- Model string for Claude API calls is always claude-sonnet-4-20250514.
- All services reach the internet via *.nastoupil.org behind Traefik (at home) or Caddy on the VPS (away).
- Secrets are SOPS-encrypted with age; private key is in Vaultwarden.
- No hardcoded values — config via env vars, K8s Secrets, or HA input helpers.
Project status
See docs/architecture/overview.md for current state. Roadmap items live only in the roadmap doc — do not assume they are implemented.
License / contact
Personal repository. Maintained by Brandon Nastoupil.