test/VaultMesh_Catalog_v1/pages/page10-canonical-infrastructure.md
Vault Sovereign 1583890199 Initial commit - combined iTerm2 scripts
Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 03:58:39 +00:00

Page Title: Canonical Infrastructure — VaultMesh v1
Summary: This page defines the canonical infrastructure for VaultMesh as of the first full catalog: which nodes exist, what runs where, and which services are considered "core mesh". It is the reference snapshot for future migrations and evolutions.
Key Findings:
- BRICK + v1-nl-gate + nexus-0 form the spine of the system.
- gate-vm (mesh-core-01) is the canonical host for the mesh-stack-migration bundle.
- shield-vm is the canonical Shield/TEM node with OffSec tooling and machine-secrets vault.
- Dual-vault pattern is standard: Vaultwarden (human), HashiCorp Vault (machine).
- Grafana is the canonical dashboard layer; Wiki.js is explicitly **not** part of the new architecture (external portals like burocrat serve documentation).
Canonical Nodes and Roles:
| Node | Role | Description |
|--------------|------------------------------|---------------------------------------------|
| nexus-0 | Forge | Primary dev/forge node (BlackArch) |
| brick | Hypervisor | Hosts core VMs (debian-golden, gate-vm, shield-vm) |
| v1-nl-gate | External Gate | Cloud-facing edge server, future ingress |
| gate-vm | mesh-core-01 (Core Stack) | GitLab, MinIO, Postgres, Prometheus, Grafana, Vaultwarden, backup-freshness, Traefik, WG-Easy |
| shield-vm | shield-01 (Shield/TEM) | OffSec agents, TEM, HashiCorp Vault, incidents & simulations |
| lab-* | Experimental Mesh | lab-mesh-01, lab-agent-01, lab-chaos-01, phoenix-01 |
Canonical Core Services (gate-vm / mesh-core-01):
- GitLab: source control, CI/CD.
- MinIO: object storage & backups.
- PostgreSQL: GitLab and future service DBs.
- Prometheus: metrics.
- Grafana: dashboards (infra, backup freshness, proof metrics).
- Vaultwarden: human password vault (browsers, logins).
- backup-freshness: monitors MinIO backup age.
- Traefik: reverse proxy and ingress.
- WG-Easy (optional): simplified WireGuard access.
Canonical Security / Shield Services (shield-vm):
- HashiCorp Vault: machine/app secrets.
- TEM daemon: threat transmutation engine.
- OffSec tools and MCP: Oracle, Shield, AppSec scanners.
- Agent/task scheduler: scheduled security workflows.
- Optional: local Prometheus exporters for node/security metrics.
Explicitly Non-Core (but allowed as external):
- Wiki.js: not part of canonical infra; documentation handled via Git-based docs/portals (e.g., burocrat, catalogs).
- Legacy projects marked ARCHIVE (e.g., old offsec-shield architecture, sovereign-swarm).
Migration & Portability:
- `mesh-stack-migration/` enables redeploying the entire core stack (GitLab, MinIO, monitoring, backup) to a fresh host:
  - Copy bundle → set `.env` → `docker compose up -d`.
  - Run FIRST-LAUNCH and DRY-RUN checklists.
- VMs can be moved or recreated using debian-golden as base.
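The "set `.env`" step is where a fresh-host redeploy most often goes wrong: a template copied with placeholder or short secrets gets brought up as-is. The following pre-flight check is an added example, not part of the mesh-stack-migration bundle; the required-key list is an assumption standing in for whatever `STACK-MANIFEST.md` actually lists, and the sample `.env` content is constructed.

```python
"""Pre-flight check for a mesh-stack-migration `.env` before `docker compose up -d`.

Added example, not the bundle's own tooling. REQUIRED_KEYS is an assumed list;
replace it with the keys the real STACK-MANIFEST.md declares.
"""
import re

# Assumed: keys the core stack needs (GitLab, MinIO, Postgres, Grafana).
REQUIRED_KEYS = (
    "GITLAB_ROOT_PASSWORD",
    "MINIO_ROOT_USER",
    "MINIO_ROOT_PASSWORD",
    "POSTGRES_PASSWORD",
    "GRAFANA_ADMIN_PASSWORD",
)
SECRET_KEYS = tuple(k for k in REQUIRED_KEYS if "PASSWORD" in k)
# Values that mean a template was copied without being filled in.
PLACEHOLDERS = {"", "changeme", "change_me", "password", "secret", "xxx", "todo"}
MIN_SECRET_LEN = 16

# KEY=VALUE with optional `export ` prefix; value keeps everything after '='.
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample: one placeholder, one short secret, one key missing.
SAMPLE_ENV = """
# constructed .env for the example
export GITLAB_ROOT_PASSWORD=changeme
MINIO_ROOT_USER=mesh-admin
MINIO_ROOT_PASSWORD="h7Qx9vLm2Tq8Rw4Zk1Bn"
POSTGRES_PASSWORD=short
"""


def parse_env(text: str) -> dict:
    """Parse dotenv text into a dict; skips blanks and comments, strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # not KEY=VALUE; ignore rather than guess
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def check_env(env: dict) -> list:
    """Return findings as (key, problem) tuples; an empty list means safe to deploy."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in env:
            findings.append((key, "missing"))
            continue
        value = env[key]
        if value.strip().lower() in PLACEHOLDERS:
            findings.append((key, "placeholder value"))
        elif key in SECRET_KEYS and len(value) < MIN_SECRET_LEN:
            findings.append((key, f"shorter than {MIN_SECRET_LEN} chars"))
    return findings


def preflight(text: str) -> bool:
    """True when the .env passes every check; prints each finding otherwise."""
    findings = check_env(parse_env(text))
    for key, problem in findings:
        print(f"REFUSE: {key}: {problem}")
    return not findings


if __name__ == "__main__":
    # Run against the constructed sample; a real run would read the bundle's .env.
    print("deploy ok" if preflight(SAMPLE_ENV) else "fix .env before docker compose up -d")
```

Wire `preflight()` in front of the `docker compose up -d` step of the FIRST-LAUNCH checklist so a copied template cannot reach a running stack; the placeholder set and minimum length are policy knobs, not bundle values.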
Evolution Rules:
- If a service becomes critical and stateful, it must:
  - Emit receipts and have a documented backup/restore plan.
  - Expose metrics consumable by Prometheus.
  - Be referenced in the Canonical Infrastructure page with node placement.
- Experimental services stay on Lab HV until they prove their value.
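The "expose metrics consumable by Prometheus" rule and the backup-freshness service above meet in one small exporter: compute the age of the newest object in each backup set and publish it in Prometheus text exposition format with a stale flag. This is an added example, not the catalog's backup-freshness service; the object listing is constructed in place of what a MinIO list-objects call would return, and the 24-hour limit is an assumed SLO.

```python
"""Backup-freshness gauge in Prometheus text exposition format.

Added example, not the catalog's backup-freshness service. SAMPLE_OBJECTS is a
constructed stand-in for a MinIO/S3 object listing; MAX_AGE_SECONDS is an assumed SLO.
"""

HOUR = 3600
NOW = 1_735_344_000  # 2024-12-28T00:00:00Z, fixed so the example is deterministic
MAX_AGE_SECONDS = 24 * HOUR  # assumed SLO: every backup set must be under 24h old

# Constructed listing: (object key, last-modified as unix seconds).
SAMPLE_OBJECTS = [
    ("gitlab/gitlab-backup-20241227.tar", NOW - 6 * HOUR),
    ("gitlab/gitlab-backup-20241226.tar", NOW - 30 * HOUR),
    ("postgres/pg-dump-20241225.sql.gz", NOW - 50 * HOUR),
    ("minio-config/config-20241227.json", NOW - 2 * HOUR),
]


def newest_by_prefix(objects):
    """Map each backup set (first path segment) to the mtime of its newest object."""
    newest = {}
    for key, mtime in objects:
        prefix = key.split("/", 1)[0]
        if mtime > newest.get(prefix, -1):
            newest[prefix] = mtime
    return newest


def stale_sets(newest, now=NOW, max_age=MAX_AGE_SECONDS):
    """Backup sets whose newest object is older than max_age: the alert condition."""
    return sorted(p for p, m in newest.items() if now - m > max_age)


def render_metrics(newest, now=NOW, max_age=MAX_AGE_SECONDS):
    """Prometheus text format: one age gauge and one 0/1 stale gauge per backup set."""
    lines = [
        "# HELP backup_age_seconds Seconds since the newest object in each backup set.",
        "# TYPE backup_age_seconds gauge",
    ]
    for prefix in sorted(newest):
        lines.append(f'backup_age_seconds{{backup_set="{prefix}"}} {now - newest[prefix]}')
    lines += [
        "# HELP backup_stale 1 if the newest backup in the set exceeds the max age.",
        "# TYPE backup_stale gauge",
    ]
    for prefix in sorted(newest):
        flag = 1 if now - newest[prefix] > max_age else 0
        lines.append(f'backup_stale{{backup_set="{prefix}"}} {flag}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    newest = newest_by_prefix(SAMPLE_OBJECTS)
    print(render_metrics(newest), end="")
    print("stale:", ", ".join(stale_sets(newest)) or "none")
```

Serving `render_metrics()` on an HTTP endpoint is all Prometheus needs to scrape it; a Grafana backup-freshness panel then graphs `backup_age_seconds`, and an alert on `backup_stale == 1` (or `backup_age_seconds > 86400`) fires when a set silently stops being written, which is the failure a restore test would otherwise discover too late.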
Linked Assets:
- `mesh-stack-migration/STACK-MANIFEST.md` and `STACK-VERSION`.
- `VAULTMESH-ETERNAL-PATTERN.md` (architectural shape).
- `VaultMesh_Infrastructure_Catalog_v1.*` (this catalog).