Page Title: VaultMesh Infrastructure Overview (Canon v1)

Summary:
VaultMesh runs on a sovereign mesh of home, cloud, and virtual nodes. Core services (GitLab, monitoring, backup, dual-vault) live on the BRICK hypervisor and v1-nl-gate, with all access flowing over a Tailscale-powered SSH fabric. The system is designed as a living "civilization ledger": verifiable, reproducible, and portable across hosts.

Key Findings:
- The core "mesh-core-01" stack runs on a Debian VM (gate-vm) hosted on brick.
- An external edge/gate server (v1-nl-gate) fronts public connectivity and future tunnels.
- shield-vm acts as the OffSec / TEM / machine-secrets node.
- Dual-vault pattern: Vaultwarden for human secrets, HashiCorp Vault for machine/app secrets.
- A Tailscale tailnet plus per-node SSH keys provide zero-trust style access across all layers.
- Grafana + Prometheus give observability for both infrastructure and proof engines.

Components:
- Tailscale mesh network (story-ule.ts.net tailnet).
- GitLab (self-hosted) on gate-vm for source, CI, and artifacts.
- MinIO object storage for backups and artifacts.
- PostgreSQL for GitLab and future ledgers.
- Prometheus + Grafana for metrics and dashboards.
- Vaultwarden (human credentials) + HashiCorp Vault (machine secrets).
- shield-vm: OffSec agents, TEM daemon, security experiments.
- lab HV: experimental cluster for Phoenix/PSI and chaos drills.

Workflows / Pipelines:
- Forge Flow: Android/laptop → SSH (Tailscale) → nexus-0 → edit/test → git push → GitLab on gate-vm → CI → deploy to shield-vm / lab.
- Backup Flow: the mesh-stack-migration bundle backs up GitLab/Postgres/Vaultwarden to MinIO, with freshness monitoring and restore scripts.
- Proof Flow: VaultMesh engines emit receipts and Merkle roots; the DevOps release pipeline anchors PROOF.json and ROOT.txt to external ledgers.

Inputs:
- Per-node SSH keypairs and Tailscale identities.
- Git repositories (vaultmesh, mesh-stack-migration, offsec labs).
- Docker/Compose definitions for the core stack (gate-vm).
- libvirt VM definitions on the brick hypervisor.

Outputs:
- Authenticated SSH sessions over Tailscale with per-node isolation.
- A reproducible infrastructure stack (mesh-stack-migration) deployable onto any compatible host.
- Cryptographically verifiable receipts, Merkle roots, and anchored proof artifacts.
- Observability dashboards for infrastructure health and backup freshness.

Security Notes:
- No password SSH: ed25519 keys only, with IdentitiesOnly enforced.
- The Tailscale tailnet isolates nodes from the public internet; v1-nl-gate is used as the controlled edge.
- Dual-vault split: Vaultwarden for human secrets; HashiCorp Vault for machine/app secrets and CI.
- Backups are stored in MinIO and monitored by the backup-freshness service, with Prometheus metrics and Grafana alerts.

Nodes / Topology:
- Forge Node: nexus-0 (BlackArch) – primary development forge.
- Mine Nodes: gamma, beta, brick, w3 – home infra, storage, hypervisor.
- Gate Nodes: v1-nl-gate (cloud edge), gate-vm (mesh-core-01 on brick).
- VM Nodes on brick: debian-golden (template), gate-vm (core stack), shield-vm (security).
- Lab HV Nodes: lab-mesh-01, lab-agent-01, lab-chaos-01, phoenix-01 – experiments and PSI/Phoenix.
- Mobile Nodes: shield (Termux), bank-mobile (iOS).

Dependencies:
- Tailscale client on all nodes (including VMs where needed).
- libvirt/QEMU on brick for virtualization.
- Docker/Compose on gate-vm for the mesh-core stack.
- SSH servers on all nodes; per-node SSH keys for access.

Deployment Requirements:
- At least one capable hypervisor (brick) and one external gate (v1-nl-gate).
- DNS or MagicDNS entries for internal hostnames (e.g. gitlab.mesh.local).
- MinIO and backup-freshness configured via the mesh-stack-migration bundle.
- Dual-vault services deployed according to the canonical pattern.
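The "no password SSH, ed25519 keys only, IdentitiesOnly enforced, per-node keys" rule from Security Notes, written out as client and server OpenSSH fragments. This is an added example, not VaultMesh's own configuration: the host aliases, the MagicDNS names under story-ule.ts.net, the `forge` user, the key file names and the drop-in path `/etc/ssh/sshd_config.d/10-vaultmesh.conf` are all assumptions.

```sshconfig
# ---- client side: ~/.ssh/config on the forge node (nexus-0) ----
# One keypair per target node. IdentitiesOnly makes the client offer ONLY the
# listed IdentityFile, so a key for gate-vm is never presented to shield-vm and
# agent-loaded keys are never sprayed at every host.
# (host aliases, MagicDNS names and key paths are assumptions for this example)
Host gate-vm
    HostName gate-vm.story-ule.ts.net
    User forge
    IdentityFile ~/.ssh/id_ed25519_gate-vm
    IdentitiesOnly yes

Host shield-vm
    HostName shield-vm.story-ule.ts.net
    User forge
    IdentityFile ~/.ssh/id_ed25519_shield-vm
    IdentitiesOnly yes

# Catch-all so the same rules apply even to hosts without an explicit block.
Host *
    IdentitiesOnly yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    PreferredAuthentications publickey
    PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com

# ---- server side: /etc/ssh/sshd_config.d/10-vaultwarden.conf on each node ----
# (drop-in path assumed; Debian's stock sshd_config includes sshd_config.d/*.conf)
# The weak default "PasswordAuthentication yes" is replaced; only ed25519
# public-key auth is accepted and root cannot log in directly.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitRootLogin no
HostKey /etc/ssh/ssh_host_ed25519_key
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
```

To confirm the effective settings rather than trusting the file, run `ssh -G gate-vm | grep -iE 'identitiesonly|identityfile|passwordauthentication'` on the client and `sudo sshd -T | grep -iE 'passwordauthentication|authenticationmethods|pubkeyacceptedalgorithms'` on the server; both commands print the merged configuration OpenSSH will actually use. `PubkeyAcceptedAlgorithms` is the OpenSSH 8.5+ name (older releases spell it `PubkeyAcceptedKeyTypes`).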
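The backup-freshness monitoring named in the Backup Flow and in Security Notes (MinIO backups checked for age, exported as Prometheus metrics for Grafana alerts), as an added Python example. This is not the mesh-stack-migration bundle's own service: the bucket layout (one key prefix per service), the metric names, the 24-hour limit and the sample listing are assumptions constructed for the illustration. It also handles one failure mode the prose does not spell out: a zero-byte object (a dump that failed but still uploaded) must not count as a fresh backup.

```python
"""Backup-freshness check: newest non-empty object per service, exported in
Prometheus text exposition format.  Added example; bucket layout, metric names
and thresholds are assumptions, not the real backup-freshness service."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class BackupObject:
    key: str                 # assumed layout: "<service>/<timestamp>.<ext>"
    last_modified: datetime  # timezone-aware, as a MinIO listing would give
    size: int                # bytes


@dataclass
class Freshness:
    service: str
    last_success: Optional[datetime]
    age_seconds: Optional[float]
    stale: bool


EXPECTED_SERVICES = ["gitlab", "postgres", "vaultwarden"]
MAX_AGE = timedelta(hours=24)
UTC = timezone.utc

# Constructed listing standing in for a MinIO bucket listing (not real data).
SAMPLE_LISTING: List[BackupObject] = [
    BackupObject("gitlab/2025-01-09T03:00:00Z.tar.gz", datetime(2025, 1, 9, 3, 0, tzinfo=UTC), 500_000_000),
    BackupObject("gitlab/2025-01-10T03:00:00Z.tar.gz", datetime(2025, 1, 10, 3, 0, tzinfo=UTC), 510_000_000),
    BackupObject("postgres/2025-01-08T03:00:00Z.sql.gz", datetime(2025, 1, 8, 3, 0, tzinfo=UTC), 80_000_000),
    # A failed dump that still uploaded: newest postgres object, but empty.
    BackupObject("postgres/2025-01-10T03:05:00Z.sql.gz", datetime(2025, 1, 10, 3, 5, tzinfo=UTC), 0),
    # vaultwarden has no object at all in this listing.
]


def freshness_report(listing: List[BackupObject], now: datetime,
                     max_age: timedelta = MAX_AGE,
                     expected: List[str] = EXPECTED_SERVICES) -> Dict[str, Freshness]:
    """For every expected service, find the newest non-empty object and decide staleness."""
    latest: Dict[str, BackupObject] = {}
    for obj in listing:
        service = obj.key.split("/", 1)[0]
        if obj.size == 0:
            continue  # an empty archive is a failed backup, never a success
        if service not in latest or obj.last_modified > latest[service].last_modified:
            latest[service] = obj

    report: Dict[str, Freshness] = {}
    for service in expected:
        obj = latest.get(service)
        if obj is None:  # missing entirely counts as stale so the alert fires
            report[service] = Freshness(service, None, None, True)
            continue
        age = (now - obj.last_modified).total_seconds()
        report[service] = Freshness(service, obj.last_modified, age, age > max_age.total_seconds())
    return report


def render_metrics(report: Dict[str, Freshness]) -> str:
    """Prometheus text exposition; samples of one metric are grouped, as the format requires."""
    out = [
        "# HELP backup_last_success_timestamp_seconds Unix time of the newest non-empty backup object (0 if none).",
        "# TYPE backup_last_success_timestamp_seconds gauge",
    ]
    for f in report.values():
        ts = f.last_success.timestamp() if f.last_success else 0
        out.append(f'backup_last_success_timestamp_seconds{{service="{f.service}"}} {ts:.0f}')
    out += [
        "# HELP backup_stale 1 when the newest backup is missing or older than the allowed age.",
        "# TYPE backup_stale gauge",
    ]
    for f in report.values():
        out.append(f'backup_stale{{service="{f.service}"}} {int(f.stale)}')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_metrics(freshness_report(SAMPLE_LISTING, datetime.now(UTC))))
```

With the constructed listing evaluated at 2025-01-10 12:00 UTC, gitlab is 9 hours old and healthy, postgres is 57 hours old (its newest object was empty and ignored) and stale, and vaultwarden is stale because nothing was found. A Prometheus rule such as `backup_stale == 1` held for a few minutes is then enough to drive the Grafana alert; exporting the timestamp separately lets dashboards show the actual age rather than only the boolean.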
Linked Assets:
- `/Users/sovereign/Library/CloudStorage/Dropbox/VaultMesh_Catalog_v1/VaultMesh_Infrastructure_Catalog_v1.*`
- `mesh-stack-migration/` bundle for core stack deployment.
- `vaultmesh` repo (Guardian, Console, Treasury, OffSec engines).
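The Proof Flow from Workflows / Pipelines (engines emit receipts, a Merkle root is computed over them, and PROOF.json plus ROOT.txt are handed to the release pipeline for anchoring), as an added Python example. This is not VaultMesh's engine code: the receipt fields, the SHA-256 leaf/node domain separation, the inclusion-proof encoding and the PROOF.json layout are assumptions made for this illustration. It goes slightly beyond the overview by also producing and verifying per-receipt inclusion proofs, which is what lets a third party check one receipt against an anchored root without the whole batch.

```python
"""Receipts -> Merkle root -> PROOF.json / ROOT.txt, plus inclusion-proof
verification.  Added example; schema and file layout are assumptions."""
import hashlib
import json
import os
from typing import Dict, List, Tuple

# Constructed sample receipts; the field names are invented for the example.
RECEIPTS: List[dict] = [
    {"engine": "guardian", "seq": 1, "event": "policy-check", "result": "pass"},
    {"engine": "treasury", "seq": 2, "event": "ledger-entry", "amount": 42},
    {"engine": "offsec", "seq": 3, "event": "scan-complete", "findings": 0},
]


def canonical(receipt: dict) -> bytes:
    """Deterministic JSON (sorted keys, no whitespace) so a receipt always hashes identically."""
    return json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(data: bytes) -> str:
    # 0x00 prefix: a leaf digest can never be mistaken for an interior node.
    return hashlib.sha256(b"\x00" + data).hexdigest()


def node_hash(left: str, right: str) -> str:
    # 0x01 prefix keeps interior nodes in a separate hash domain from leaves.
    return hashlib.sha256(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right)).hexdigest()


def _next_level(level: List[str]) -> List[str]:
    if len(level) % 2:                      # odd count: duplicate the last node
        level = level + [level[-1]]
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[str]) -> str:
    if not leaves:
        raise ValueError("cannot build a root over zero receipts")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves: List[str], index: int) -> List[Tuple[str, bool]]:
    """Sibling hashes from leaf to root; the bool says whether the sibling is on the right."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]     # same padding rule as _next_level
        sibling = i ^ 1
        proof.append((level[sibling], sibling > i))
        level = _next_level(level)
        i //= 2
    return proof


def verify_inclusion(leaf: str, proof, root: str) -> bool:
    """Recompute the path from one leaf; True only if it lands on the anchored root."""
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


def build_proof_artifacts(receipts: List[dict]) -> Tuple[Dict, str]:
    """Return (contents of PROOF.json, contents of ROOT.txt) for one batch of receipts."""
    leaves = [leaf_hash(canonical(r)) for r in receipts]
    root = merkle_root(leaves)
    proof = {
        "hash": "sha256",
        "leaf_count": len(leaves),
        "leaves": leaves,
        "proofs": [inclusion_proof(leaves, i) for i in range(len(leaves))],
        "root": root,
    }
    return proof, root + "\n"


def write_artifacts(receipts: List[dict], out_dir: str) -> str:
    """Write PROOF.json and ROOT.txt to out_dir; returns the root for the anchoring step."""
    proof, root_txt = build_proof_artifacts(receipts)
    os.makedirs(out_dir, exist_ok=True)
    with open(os.path.join(out_dir, "PROOF.json"), "w") as f:
        json.dump(proof, f, indent=2)
    with open(os.path.join(out_dir, "ROOT.txt"), "w") as f:
        f.write(root_txt)
    return proof["root"]


if __name__ == "__main__":
    print("root:", write_artifacts(RECEIPTS, "proof-out"))
```

The leaf/node prefixes matter: without them an attacker who can choose receipt bytes could craft a receipt whose leaf hash equals an interior node, which is the classic Merkle second-preimage confusion, so verifiers should reject any PROOF.json whose `hash` field names a scheme they do not implement. Only the contents of ROOT.txt need to go to the external ledger; PROOF.json can stay in GitLab artifacts or MinIO and is checkable later with `verify_inclusion`.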