ESPO open-source self-hosted platform - module + profile system for NixOS

Nix 82.9%
JavaScript 6.3%
Shell 6%
HTML 4.8%

Find a file

opadmin 1f34509ae3 Some checks failed module-ci / validate modules and profiles (push) Failing after 1s Details Revert "fix: lowercase repo path + add kubectl deploy step" This reverts commit `84863fb09e`.		2026-04-23 15:01:50 -05:00
.claude	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
.forgejo/workflows	Revert "fix: lowercase repo path + add kubectl deploy step"	2026-04-23 15:01:50 -05:00
_Before	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
docs	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
modules	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
profiles	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
scripts	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
upstream	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
.gitignore	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
CLAUDE.md	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
LICENSE	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00
README.md	Initial MDMZ scaffold	2026-04-16 16:18:47 -05:00

README.md

MDMZ

ESPO's open-source self-hosted fun zone. Declarative NixOS profiles that turn bare metal into a running platform — k3s, Forgejo, Woodpecker, Cloudflare Tunnel, Ollama, and whatever else is bolted onto *.espoautos.com — via a single apply.

MDMZ is a fused downstream of two upstream projects, reviewed weekly through a Claude-driven CI pipeline and human-approved pull requests.

Lineage

MDMZ draws from two upstream sources:

Trevato/open-platform — Helm chart with Forgejo, Woodpecker, MinIO, Mailpit, Postgres, and oauth2-proxy
vespo92/open-platform-infra — NixOS + K3s + Traefik + MetalLB + Flux + vCluster infrastructure layer

Both sources remain tracked as living repositories under upstream/, with weekly diffs and human-reviewed ingestion into MDMZ's module system.

MDMZ is a sibling of vespo92/nick-rig. Same scaffold, same two upstreams, different target: nick-rig targets Ubuntu, MDMZ targets NixOS. The two use distinct apiVersion namespaces so modules are not silently portable.

Home

MDMZ lives on Forgejo. No GitHub.

Repo: https://forgejo.espoautos.com/espoautos/mdmz
CI: Forgejo Actions (.forgejo/workflows/)
Public deploy: *.espoautos.com via Cloudflare Tunnel

Quickstart

git clone https://forgejo.espoautos.com/espoautos/mdmz.git
cd mdmz
./scripts/mdmz apply profiles/espoautos.yaml

The apply engine remains unimplemented in the MVP; the repository currently provides the declaration layer (modules, profiles, contract, CI) to allow schema stabilization before runtime development.

Repository Structure

mdmz/
├── CLAUDE.md                  # policy for humans + agents
├── upstream/                  # frozen snapshots of the two upstreams
│   ├── trevato-open-platform/
│   └── vespo92-open-platform-infra/
├── modules/                   # reusable, opinionated building blocks
├── profiles/                  # declarative compositions (one per hardware target)
│   └── espoautos.yaml         # the reference profile
├── _Before/                   # historical snapshot from ChildCompanies (read-only)
├── .claude/                   # agent + slash-command config
├── .forgejo/workflows/        # CI: module-ci + weekly upstream-sync
├── scripts/                   # mdmz CLI + sync helpers
└── docs/                      # architecture, module contract, ingestion policy

Three Layers

Layer	Purpose	Owner
Upstream	Source snapshots of lineage repos	Automated (weekly)
Modules	Reusable, opinionated building blocks	Humans + Claude
Profiles	Declarative compositions for hardware	Humans

Origin

MDMZ is what ESPO's ChildCompanies/ directory grew up to be. The old tree (NixOS configs, foospxe PXE boot, enrollment-web, infrastructure docs) is preserved under _Before/ as historical context.

License

MIT (inherited from both upstreams and from the nick-rig scaffold).

Contributing

Review CLAUDE.md and docs/module-contract.md before submitting pull requests with new modules or profiles.