test/VaultMesh_Catalog_v1/pages/page1-introduction.md
Vault Sovereign 1583890199 Initial commit - combined iTerm2 scripts
Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 03:58:39 +00:00


Page Title: VaultMesh Infrastructure Overview (Canon v1)

Summary: VaultMesh runs on a sovereign mesh of home, cloud, and virtual nodes. Core services (GitLab, monitoring, backup, dual-vault) live on the BRICK hypervisor and v1-nl-gate, with all access flowing over a Tailscale-powered SSH fabric. The system is designed as a living "civilization ledger": verifiable, reproducible, and portable across hosts.

Key Findings:

  • Core "mesh-core-01" stack runs on a Debian VM (gate-vm) hosted on brick.
  • External edge/gate server (v1-nl-gate) fronts public connectivity and future tunnels.
  • shield-vm acts as the OffSec / TEM / machine-secrets node.
  • Dual-vault pattern: Vaultwarden for human secrets, HashiCorp Vault for machine/app secrets.
  • Tailscale tailnet + per-node SSH keys provide zero-trust style access across all layers.
  • Grafana + Prometheus give observability for both infrastructure and proof engines.

Components:

  • Tailscale mesh network (story-ule.ts.net tailnet).
  • GitLab (self-hosted) on gate-vm for source, CI, and artifacts.
  • MinIO object storage for backups and artifacts.
  • PostgreSQL for GitLab and future ledgers.
  • Prometheus + Grafana for metrics and dashboards.
  • Vaultwarden (human credentials) + HashiCorp Vault (machine secrets).
  • shield-vm: OffSec agents, TEM daemon, security experiments.
  • lab HV: experimental cluster for Phoenix/PSI and chaos drills.

Workflows / Pipelines:

  • Forge Flow: Android/laptop → SSH (Tailscale) → nexus-0 → edit/test → git push → GitLab on gate-vm → CI → deploy to shield-vm / lab.
  • Backup Flow: mesh-stack-migration bundle backs up GitLab/Postgres/Vaultwarden to MinIO with freshness monitoring and restore scripts.
  • Proof Flow: VaultMesh engines emit receipts and Merkle roots; DevOps release pipeline anchors PROOF.json and ROOT.txt to external ledgers.
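The Proof Flow above, as an added worked example rather than VaultMesh's own engine code: receipts are canonicalised, hashed into a Merkle tree, and the release artifacts ROOT.txt and PROOF.json are produced as strings ready to be anchored. The receipt fields, the leaf/node hash prefixes, the artifact layout and the `sha256-merkle-v1` label are all assumptions made for this example; only the artifact names come from the page.

```python
import hashlib
import json

# Constructed sample receipts; the field names are assumptions, not VaultMesh's real schema.
RECEIPTS = [
    {"id": "r-0001", "engine": "guardian", "event": "policy-check", "ok": True},
    {"id": "r-0002", "engine": "treasury", "event": "ledger-append", "ok": True},
    {"id": "r-0003", "engine": "offsec", "event": "scan-complete", "ok": False},
]


def canonical_bytes(receipt):
    """Canonical JSON (sorted keys, no whitespace) so the same receipt always hashes the same."""
    return json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(data):
    # Distinct prefixes for leaves and interior nodes (RFC 6962 style) so a leaf
    # can never be passed off as an interior node or vice versa.
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(leaves):
    """Return the tree bottom-up: levels[0] are the leaves, levels[-1] is [root].
    An odd node at the end of a level is carried up unchanged (no duplication)."""
    if not leaves:
        raise ValueError("a proof run needs at least one receipt")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def merkle_root(receipts):
    return build_levels([leaf_hash(canonical_bytes(r)) for r in receipts])[-1][0]


def inclusion_proof(receipts, index):
    """Sibling hashes from leaf `index` up to the root, tagged with the side each sits on."""
    levels = build_levels([leaf_hash(canonical_bytes(r)) for r in receipts])
    proof, idx = [], index
    for level in levels[:-1]:
        sibling = idx ^ 1
        if sibling < len(level):
            proof.append(("L" if sibling < idx else "R", level[sibling]))
        idx //= 2
    return proof


def verify_inclusion(receipt, proof, root):
    """Recompute the path from one receipt; True iff it lands on the published root."""
    h = leaf_hash(canonical_bytes(receipt))
    for side, sib in proof:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == root


def proof_artifacts(receipts):
    """Build the two release artifacts as strings: ROOT.txt is the bare hex root,
    PROOF.json carries the root plus per-receipt leaf hashes and proofs (layout assumed)."""
    root = merkle_root(receipts)
    proof_json = {
        "algorithm": "sha256-merkle-v1",
        "count": len(receipts),
        "root": root.hex(),
        "leaves": [
            {"id": r["id"], "leaf": leaf_hash(canonical_bytes(r)).hex(),
             "proof": [[s, h.hex()] for s, h in inclusion_proof(receipts, i)]}
            for i, r in enumerate(receipts)
        ],
    }
    return json.dumps(proof_json, indent=2, sort_keys=True), root.hex() + "\n"


if __name__ == "__main__":
    proof_txt, root_txt = proof_artifacts(RECEIPTS)
    print("ROOT.txt:", root_txt, end="")
    tampered = dict(RECEIPTS[2], ok=True)  # a flipped verdict must fail verification
    print("tampered receipt verifies:",
          verify_inclusion(tampered, inclusion_proof(RECEIPTS, 2), merkle_root(RECEIPTS)))
```

Anchoring only the 32-byte root externally is enough for a verifier to check any single receipt later: it needs the receipt, its proof entry from PROOF.json and the anchored ROOT.txt value, and nothing else from the pipeline.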

Inputs:

  • Per-node SSH keypairs and Tailscale identities.
  • Git repositories (vaultmesh, mesh-stack-migration, offsec labs).
  • Docker/Compose definitions for core stack (gate-vm).
  • libvirt VM definitions on brick hypervisor.

Outputs:

  • Authenticated SSH sessions over Tailscale with per-node isolation.
  • Reproducible infrastructure stack (mesh-stack-migration) deployable onto any compatible host.
  • Cryptographically verifiable receipts, Merkle roots, and anchored proof artifacts.
  • Observability dashboards for infrastructure health and backup freshness.

Security Notes:

  • No password SSH: ed25519 keys only, with IdentitiesOnly enforced.
  • Tailscale tailnet isolates nodes from the public internet; v1-nl-gate used as controlled edge.
  • Dual-vault split: Vaultwarden for human secrets; HashiCorp Vault for machine/app secrets and CI.
  • Backups stored in MinIO, monitored by backup-freshness service with Prometheus metrics and Grafana alerts.
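The first Security Note (ed25519 keys only, IdentitiesOnly enforced) as an added configuration check, not part of the catalog or of any VaultMesh tooling. The weak and hardened `sshd_config` samples and the client block are constructed here; the hostnames reuse the page's node names, while the key paths are hypothetical.

```python
import re

# Constructed sample configs for the audit below; not copied from any VaultMesh node.
WEAK_SSHD = """\
# Debian-default style sshd_config: password logins are still possible
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
"""

HARDENED_SSHD = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
"""

# Client side: one key per node, pinned with IdentitiesOnly. Key paths are hypothetical.
# The second block deliberately omits IdentitiesOnly so the audit has something to flag.
CLIENT_CFG = """\
Host gate-vm
    HostName gate-vm.story-ule.ts.net
    IdentityFile ~/.ssh/id_ed25519_gate-vm
    IdentitiesOnly yes

Host shield-vm
    HostName shield-vm.story-ule.ts.net
    IdentityFile ~/.ssh/id_ed25519_shield-vm
"""

_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s*[= ]\s*(.+?)\s*$")


def parse_blocks(text):
    """Split an OpenSSH config into (scope, {key: value}) blocks.
    scope is '*' for global directives, otherwise the Host/Match argument.
    Keys are lower-cased (OpenSSH matches them case-insensitively); the first
    occurrence of a key wins, as it does in OpenSSH. Only whole-line comments exist."""
    blocks = [("*", {})]
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def audit_sshd(text):
    """Findings for a server config; an empty list means key-only login is enforced."""
    glob = parse_blocks(text)[0][1]
    findings = []
    # sshd defaults PasswordAuthentication and KbdInteractiveAuthentication to yes,
    # so a missing line is as bad as an explicit yes.
    if glob.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    kbd = glob.get("kbdinteractiveauthentication",
                   glob.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM password prompts remain)")
    if glob.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication disabled")
    algs = glob.get("pubkeyacceptedalgorithms")
    if algs is None:
        findings.append("PubkeyAcceptedAlgorithms unset: RSA/ECDSA keys still accepted")
    elif any("ed25519" not in a for a in algs.split(",")):
        findings.append("PubkeyAcceptedAlgorithms allows non-ed25519 key types")
    return findings


def audit_client(text):
    """Findings for per-host client blocks: each needs its own IdentityFile and IdentitiesOnly yes."""
    findings = []
    for scope, d in parse_blocks(text)[1:]:
        if "identityfile" not in d:
            findings.append(f"{scope}: no dedicated IdentityFile")
        if d.get("identitiesonly", "no").lower() != "yes":
            findings.append(f"{scope}: IdentitiesOnly not set, ssh will offer every agent key to this node")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak sshd", WEAK_SSHD), ("hardened sshd", HARDENED_SSHD)):
        print(name, "->", audit_sshd(cfg) or "ok")
    print("client ->", audit_client(CLIENT_CFG) or "ok")
```

IdentitiesOnly matters beyond tidiness: without it, ssh offers every key loaded in the agent to each node, so one node's sshd log learns the public halves of keys meant for other nodes, which undoes the per-node isolation the catalog relies on.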

Nodes / Topology:

  • Forge Node: nexus-0 (BlackArch), the primary development forge.
  • Mine Nodes: gamma, beta, brick, w3 home infra, storage, hypervisor.
  • Gate Nodes: v1-nl-gate (cloud edge), gate-vm (mesh-core-01 on brick).
  • VM Nodes on brick: debian-golden (template), gate-vm (core stack), shield-vm (security).
  • Lab HV Nodes: lab-mesh-01, lab-agent-01, lab-chaos-01, phoenix-01 (experiments and PSI/Phoenix).
  • Mobile Nodes: shield (Termux), bank-mobile (iOS).

Dependencies:

  • Tailscale client on all nodes (including VMs where needed).
  • libvirt/QEMU on brick for virtualization.
  • Docker/Compose on gate-vm for mesh-core stack.
  • SSH servers on all nodes; per-node SSH keys for access.

Deployment Requirements:

  • At least one capable hypervisor (brick) and one external gate (v1-nl-gate).
  • DNS or MagicDNS entries for internal hostnames (e.g. gitlab.mesh.local).
  • MinIO and backup-freshness configured via mesh-stack-migration bundle.
  • Dual-vault services deployed according to canonical pattern.

Linked Assets:

  • /Users/sovereign/Library/CloudStorage/Dropbox/VaultMesh_Catalog_v1/VaultMesh_Infrastructure_Catalog_v1.*
  • mesh-stack-migration/ bundle for core stack deployment.
  • vaultmesh repo (Guardian, Console, Treasury, OffSec engines).