Dev

.envrc

@@ -1 +1 @@
-use flake
+use devenv

.gitignore

@@ -36,3 +36,7 @@ dist/
 
 # cdk8s-specific ignores
 cdk.out/
+vendor/
+result
+.devenv
+pulumi/uv.lock

AGENTS.md

@@ -584,6 +584,13 @@ The Pulumi approach replaced this by centralizing all generation logic in `pulum
 
 ## 8. Development Workflow
 
+This project uses **devenv** (powered by flake-parts) for the development shell, and **uv2nix-style** Python dependency management via `pkgs.python3.withPackages`.
+
+### Prerequisites
+
+- [Nix](https://nixos.org/download) with flakes enabled
+- [direnv](https://direnv.net/) (recommended) or use `nix develop`
+
 ### Setup
 
 ```bash
@@ -593,6 +600,23 @@ nix develop
 direnv allow
 ```
 
+The dev shell provides:
+- `pulumi` CLI + Python SDK
+- `crd2pulumi` for CRD import
+- `uv` for Python tooling
+- `python3` with all required packages (including `pulumi_crds`)
+
+### Available Commands (in dev shell)
+
+| Command | Description |
+|---------|-------------|
+| `generate-manifests` | Generate Argo CD Application manifests |
+| `import-crds` | Import CRDs for Pulumi |
+| `setup-pulumi` | Setup Pulumi configuration |
+| `diff-manifests` | Diff generated manifests against current state |
+
+Or run outside the shell via `nix run .#<command>`.
+
 ### Generate Local Preview
 
 ```bash
@@ -617,6 +641,10 @@ nix run .#import-crds pulumi/crd-imports.json
 
 This regenerates the Pulumi CRD type stubs in `pulumi/crds/` using `crd2pulumi`.
 
+The `pulumi_crds` Python package is built as a proper Nix package
+(from `pulumi/crds/`) and included in the Python environment —
+no `sys.path` hacks needed.
+
 ### Commit and Deploy
 
 1. Edit `apps.yaml` and/or `clusters/*.yaml` (never `manifests/` directly)
@@ -631,6 +659,7 @@ This regenerates the Pulumi CRD type stubs in `pulumi/crds/` using `crd2pulumi`.
 - **Unexpected diff**: The Pulumi generator may have a bug or a shared config changed
 - **Vault secrets not syncing**: Verify the VaultAuth is correct, the ServiceAccount exists, and Vault has the role configured
 - **CRD imports failing**: Check `pulumi/crd-imports.json` URLs are reachable
+- **Python import errors**: Run `python3 -c "from pulumi_crds.argoproj.v1alpha1 import Application; print('OK')"` to verify the CRD package is installed
 
 ---
 

apps.yaml

@@ -96,6 +96,17 @@ catalog:
       - repoURL: https://github.com/projectinitiative/homelab.git
         targetRevision: HEAD
         path: bootstrap/base/openbao/config
+    vaultSecrets:
+      createAuth: true
+      role: openbao-secrets-operator
+      namespace: production
+      audiences:
+        - vault
+      secrets:
+        - name: openbao-snapshot-s3
+          mount: k8s
+          path: "openbao-snapshot/s3"
+          destination: "openbao-snapshot-s3"
     ignoreDifferences:
       - group: admissionregistration.k8s.io
         jsonPointers:
@@ -109,14 +120,11 @@ catalog:
       syncOptions: []
 
   openbao-secrets-operator:
-    repoURL: https://github.com/openbao/openbao-secrets-operator.git
+    repoURL: https://github.com/hashicorp/vault-secrets-operator.git
     path: chart
-    targetRevision: main
+    targetRevision: v1.4.0
     helm:
       values: |
-        controller:
-          manager:
-            args: ["-v=4"]
         defaultVaultConnection:
           enabled: false
 
@@ -438,6 +446,35 @@ catalog:
 
   docker-registry:
     path: apps/base/docker-registry/config
+
+  kubevirt:
+    path: bootstrap/base/kubevirt/config
+    annotations:
+      argocd.argoproj.io/sync-wave: "30"
+    syncPolicy:
+      syncOptions:
+        - CreateNamespace=true
+        - ServerSideApply=true
+
+  argo:
+    path: apps/vms/argo/config
+    annotations:
+      argocd.argoproj.io/sync-wave: "40"
+    vaultSecrets:
+      createAuth: true
+      role: openbao-secrets-operator
+      namespace: production
+      audiences:
+        - vault
+      secrets:
+        - name: argo-s3-creds
+          mount: k8s
+          path: "argo/s3-creds"
+          destination: "argo-s3-creds"
+    syncPolicy:
+      syncOptions:
+        - CreateNamespace=true
+        - ServerSideApply=true
 
   privateer:
     path: apps/base/privateer/config

apps/vms/argo/config/argo-vm.yaml

@@ -0,0 +1,78 @@
+---
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: argo
+  labels:
+    app: argo
+spec:
+  runStrategy: Halted
+  dataVolumeTemplates:
+    - metadata:
+        name: argo-root
+      spec:
+        pvc:
+          accessModes:
+            - ReadWriteMany
+          volumeMode: Block
+          resources:
+            requests:
+              storage: 32Gi
+          storageClassName: juicefs-sc
+        source:
+          s3:
+            url: "http://garage.garage:3900/iso/nixos.qcow2"
+            secretRef: argo-s3-creds
+  template:
+    metadata:
+      labels:
+        app: argo
+    spec:
+      domain:
+        cpu:
+          cores: 4
+          sockets: 1
+          threads: 1
+        memory:
+          guest: 4Gi
+        devices:
+          disks:
+            - name: root
+              disk:
+                bus: virtio
+              dedicatedIOThread: true
+            - name: cloudinit
+              disk:
+                bus: virtio
+          interfaces:
+            - name: default
+              masquerade: {}
+        ioThreadsPolicy: auto
+      networks:
+        - name: default
+          pod: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: root
+          dataVolume:
+            name: argo-root
+        - name: cloudinit
+          cloudInitNoCloud:
+            userData: |
+              #cloud-config
+              hostname: argo
+              users:
+                - name: kyle
+                  sudo: ALL=(ALL) NOPASSWD:ALL
+                  lock_passwd: false
+                  ssh_authorized_keys:
+                    - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAplaceholder"
+              ssh_pwauth: true
+              chpasswd:
+                expire: false
+                list: |
+                  kyle:changeme
+              packages:
+                - qemu-guest-agent
+              runcmd:
+                - [ systemctl, enable, --now, qemu-guest-agent ]

apps/vms/argo/config/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - argo-vm.yaml

bootstrap/base/juicefs-platform/kustomization.yaml

@@ -3,4 +3,15 @@ kind: Kustomization
 resources:
   - storage-class.yaml
   - job-format.yaml
+  - node-config.yaml
 namespace: juicefs-platform
+
+patches:
+  # juicefs-csi-node-config must live in kube-system where the CSI driver watches for it
+  - target:
+      kind: ConfigMap
+      name: juicefs-csi-node-config
+    patch: |-
+      - op: replace
+        path: /metadata/namespace
+        value: kube-system

bootstrap/base/juicefs-platform/node-config.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: juicefs-csi-node-config
+  labels:
+    app.kubernetes.io/component: juicefs-csi-driver
+data:
+  config.yaml: |
+    nodeConfig:
+      # astrolabe: 1.5TB NVMe cache
+      - nodeName: astrolabe
+        mountPodPatch:
+          - op: add
+            path: /spec/containers/0/env/-
+            value:
+              name: JFS_CACHE_DIR
+              value: /mnt/pool/juicefs
+          - op: add
+            path: /spec/containers/0/env/-
+            value:
+              name: JFS_CACHE_SIZE
+              value: "1500000"
+      # default for other nodes: 100GB at same path
+      - nodeName: "*"
+        mountPodPatch:
+          - op: add
+            path: /spec/containers/0/env/-
+            value:
+              name: JFS_CACHE_DIR
+              value: /mnt/pool/juicefs
+          - op: add
+            path: /spec/containers/0/env/-
+            value:
+              name: JFS_CACHE_SIZE
+              value: "102400"

bootstrap/base/kubevirt/config/kubevirt-cr.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kubevirt.io/v1
+kind: KubeVirt
+metadata:
+  name: kubevirt
+  namespace: kubevirt
+spec:
+  certificateRotateStrategy: {}
+  configuration:
+    developerConfiguration:
+      featureGates: []
+    imagePullPolicy: IfNotPresent
+  customizeComponents: {}
+  imagePullPolicy: IfNotPresent
+  workloadUpdateStrategy: {}