Contains: - 1m-brag - tem - VaultMesh_Catalog_v1 - VAULTMESH-ETERNAL-PATTERN 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Page Title: Canonical Infrastructure — VaultMesh v1
Summary: This page defines the canonical infrastructure for VaultMesh as of the first full catalog: which nodes exist, what runs where, and which services are considered "core mesh". It is the reference snapshot for future migrations and evolutions.
Key Findings:
- BRICK + v1-nl-gate + nexus-0 form the spine of the system.
- gate-vm (mesh-core-01) is the canonical host for the mesh-stack-migration bundle.
- shield-vm is the canonical Shield/TEM node with OffSec tooling and machine-secrets vault.
- Dual-vault pattern is standard: Vaultwarden (human), HashiCorp Vault (machine).
- Grafana is the canonical dashboard layer; Wiki.js is explicitly not part of the new architecture (external portals like burocrat serve documentation).
Canonical Nodes and Roles:
| Node | Role | Description |
|---|---|---|
| nexus-0 | Forge | Primary dev/forge node (BlackArch) |
| brick | Hypervisor | Hosts core VMs (debian-golden, gate-vm, shield-vm) |
| v1-nl-gate | External Gate | Cloud-facing edge server, future ingress |
| gate-vm | mesh-core-01 (Core Stack) | GitLab, MinIO, Postgres, Prometheus, Grafana, Vaultwarden, backup-freshness, Traefik, WG-Easy |
| shield-vm | shield-01 (Shield/TEM) | OffSec agents, TEM, HashiCorp Vault, incidents & simulations |
| lab-* | Experimental Mesh | lab-mesh-01, lab-agent-01, lab-chaos-01, phoenix-01 |
Canonical Core Services (gate-vm / mesh-core-01):
- GitLab – source control, CI/CD.
- MinIO – object storage & backups.
- PostgreSQL – GitLab and future service DBs.
- Prometheus – metrics.
- Grafana – dashboards (infra, backup freshness, proof metrics).
- Vaultwarden – human password vault (browsers, logins).
- backup-freshness – monitors MinIO backup age.
- Traefik – reverse proxy and ingress.
- WG-Easy (optional) – simplified WireGuard access.
Canonical Security / Shield Services (shield-vm):
- HashiCorp Vault – machine/app secrets.
- TEM daemon – threat transmutation engine.
- OffSec tools and MCP – Oracle, Shield, AppSec scanners.
- Agent/task scheduler – scheduled security workflows.
- Optional: local Prometheus exporters for node/security metrics.
Explicitly Non-Core (but allowed as external):
- Wiki.js – not part of canonical infra; documentation handled via Git-based docs/portals (e.g., burocrat, catalogs).
- Legacy projects marked ARCHIVE (e.g., old offsec-shield architecture, sovereign-swarm).
Migration & Portability:
mesh-stack-migration/ enables redeploying the entire core stack (GitLab, MinIO, monitoring, backup) to a fresh host:
- Copy bundle → set .env → docker compose up -d.
- Run FIRST-LAUNCH and DRY-RUN checklists.
- VMs can be moved or recreated using debian-golden as base.
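The "set .env → docker compose up -d" step is where a fresh host inherits the stack's secrets, so it is worth a preflight before anything starts. The script below is an added example written for this page, not the bundle's own FIRST-LAUNCH or DRY-RUN checklist: it refuses a .env that is missing, group/world-readable, incomplete, or still carrying placeholder values, and only then renders the compose config as a dry run. The variable names in REQUIRED_VARS and the placeholder strings are assumptions, not taken from the bundle.

```shell
#!/bin/sh
# Added example (not part of mesh-stack-migration/): preflight for the
# "set .env -> docker compose up -d" step on a fresh host.
# Assumptions (not from the page): the variables in REQUIRED_VARS are what the
# compose stack needs; the placeholder strings are illustrative.

# Hypothetical variable names the stack is assumed to read from .env.
REQUIRED_VARS="GITLAB_ROOT_PASSWORD MINIO_ROOT_PASSWORD POSTGRES_PASSWORD TRAEFIK_DOMAIN"

# Values that must never reach a live host.
PLACEHOLDERS="changeme CHANGEME password example"

# check_env_file FILE
# Prints one finding per line; returns 0 when FILE is usable, 1 otherwise.
check_env_file() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # .env holds the stack's secrets: refuse group/world-readable copies.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) ;;
        *) echo "perm: $f is mode $mode (expected 600)"; rc=1 ;;
    esac
    for v in $REQUIRED_VARS; do
        # Last assignment wins, matching how docker compose reads .env.
        val=$(sed -n "s/^${v}=//p" "$f" | tail -n 1)
        val=${val#\"}; val=${val%\"}
        if [ -z "$val" ]; then
            echo "unset: $v"; rc=1; continue
        fi
        for p in $PLACEHOLDERS; do
            if [ "$val" = "$p" ]; then
                echo "placeholder: $v=$p"; rc=1
            fi
        done
    done
    return $rc
}

# preflight ENV_FILE
# Static checks first, then a compose dry run (nothing is started).
preflight() {
    env_file="$1"
    check_env_file "$env_file" || { echo "preflight failed; not starting the stack"; return 1; }
    if command -v docker >/dev/null 2>&1; then
        # DRY-RUN: render the merged config; fails on bad YAML or unresolved vars.
        docker compose --env-file "$env_file" config -q || return 1
    fi
    echo "preflight ok; next: docker compose --env-file $env_file up -d"
}

# Run only when an env file is given on the command line.
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

Run it as `sh preflight.sh /path/to/bundle/.env` before `docker compose up -d`; a non-zero exit means the host is not ready. The permission check matters because the same .env is copied between hosts during a migration and tends to pick up a loose mode on the way.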
Evolution Rules:
- If a service becomes critical and stateful, it must:
- Emit receipts and have a documented backup/restore plan.
- Expose metrics consumable by Prometheus.
- Be referenced in the Canonical Infrastructure page with node placement.
- Experimental services stay on Lab HV until they prove their value.
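"Expose metrics consumable by Prometheus" and "a documented backup/restore plan" meet in the backup-freshness service listed under gate-vm. The script below is an added example written for this page, not the catalog's backup-freshness service: it derives the age of the newest backup object from an `mc ls --json` listing, renders it in Prometheus text format, and publishes it through node_exporter's textfile collector. The "lastModified" field, the metric names, the bucket alias, the 26h threshold, and the textfile directory are assumptions; the sample listing in the usage is constructed.

```shell
#!/bin/sh
# Added example; not the catalog's backup-freshness service. Computes the age
# of the newest backup object in a MinIO bucket and publishes it for
# Prometheus through node_exporter's textfile collector.
# Assumptions (not from the page): backups are listed with `mc ls --json`,
# whose lines carry a "lastModified" field; GNU date parses the timestamps;
# metric names, bucket alias, threshold and textfile directory are illustrative.

MAX_AGE_SECONDS=93600    # 26h: one daily backup plus slack (assumed policy)
TEXTFILE_DIR=${TEXTFILE_DIR:-/var/lib/node_exporter/textfile_collector}

# newest_epoch LISTING
# LISTING is mc-style JSON lines, one object per line. Prints the newest
# lastModified as epoch seconds, or nothing when the listing has no objects.
newest_epoch() {
    printf '%s\n' "$1" \
      | sed -n 's/.*"lastModified":"\([^"]*\)".*/\1/p' \
      | while read -r ts; do date -u -d "$ts" +%s 2>/dev/null; done \
      | sort -n | tail -n 1
}

# backup_age_seconds NEWEST_EPOCH NOW_EPOCH
backup_age_seconds() {
    echo $(( $2 - $1 ))
}

# freshness_status AGE_SECONDS -> fresh | stale
freshness_status() {
    if [ "$1" -le "$MAX_AGE_SECONDS" ]; then echo fresh; else echo stale; fi
}

# render_metrics NEWEST_EPOCH NOW_EPOCH BUCKET
# Prometheus text exposition. An empty listing is reported explicitly rather
# than as a zero age, so a wiped bucket still trips an alert.
render_metrics() {
    newest=$1; now=$2; bucket=$3
    printf '# HELP vaultmesh_backup_present 1 if at least one backup object exists\n'
    printf '# TYPE vaultmesh_backup_present gauge\n'
    if [ -z "$newest" ]; then
        printf 'vaultmesh_backup_present{bucket="%s"} 0\n' "$bucket"
        return 0
    fi
    printf 'vaultmesh_backup_present{bucket="%s"} 1\n' "$bucket"
    age=$(backup_age_seconds "$newest" "$now")
    if [ "$(freshness_status "$age")" = stale ]; then stale=1; else stale=0; fi
    printf '# TYPE vaultmesh_backup_last_timestamp_seconds gauge\n'
    printf 'vaultmesh_backup_last_timestamp_seconds{bucket="%s"} %s\n' "$bucket" "$newest"
    printf '# TYPE vaultmesh_backup_age_seconds gauge\n'
    printf 'vaultmesh_backup_age_seconds{bucket="%s"} %s\n' "$bucket" "$age"
    printf '# TYPE vaultmesh_backup_stale gauge\n'
    printf 'vaultmesh_backup_stale{bucket="%s"} %s\n' "$bucket" "$stale"
}

# write_textfile DIR METRICS
# Write to a temp name, then rename: the collector never scrapes a half file.
write_textfile() {
    tmp="$1/backup_freshness.prom.$$"
    printf '%s\n' "$2" > "$tmp"
    mv "$tmp" "$1/backup_freshness.prom"
}

# Live mode, only when mc is installed and a bucket path such as
# "minio/backups" (assumed alias) is given: list, compute, publish.
if [ $# -gt 0 ] && command -v mc >/dev/null 2>&1; then
    listing=$(mc ls --json "$1")
    metrics=$(render_metrics "$(newest_epoch "$listing")" "$(date -u +%s)" "${1##*/}")
    write_textfile "$TEXTFILE_DIR" "$metrics"
fi
```

Schedule it from cron or a systemd timer on the node running node_exporter; the Grafana backup-freshness panel and an alert rule can then key on `vaultmesh_backup_stale == 1` or `vaultmesh_backup_present == 0`. Publishing a timestamp as well as an age lets Prometheus compute the age itself with `time() - vaultmesh_backup_last_timestamp_seconds`, which keeps working even if the script stops running.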
Linked Assets:
- mesh-stack-migration/STACK-MANIFEST.md and STACK-VERSION.
- VAULTMESH-ETERNAL-PATTERN.md (architectural shape).
- VaultMesh_Infrastructure_Catalog_v1.* (this catalog).