Contains: - 1m-brag - tem - VaultMesh_Catalog_v1 - VAULTMESH-ETERNAL-PATTERN 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
60 lines
3.5 KiB
Markdown
Page Title: Canonical Infrastructure — VaultMesh v1

Summary: This page defines the canonical infrastructure for VaultMesh as of the first full catalog: which nodes exist, what runs where, and which services are considered "core mesh". It is the reference snapshot for future migrations and evolutions.

Key Findings:

- BRICK + v1-nl-gate + nexus-0 form the spine of the system.
- gate-vm (mesh-core-01) is the canonical host for the mesh-stack-migration bundle.
- shield-vm is the canonical Shield/TEM node with OffSec tooling and machine-secrets vault.
- Dual-vault pattern is standard: Vaultwarden (human), HashiCorp Vault (machine).
- Grafana is the canonical dashboard layer; Wiki.js is explicitly **not** part of the new architecture (external portals like burocrat serve documentation).
Canonical Nodes and Roles:

| Node | Role | Description |
|------|------|-------------|
| nexus-0 | Forge | Primary dev/forge node (BlackArch) |
| brick | Hypervisor | Hosts core VMs (debian-golden, gate-vm, shield-vm) |
| v1-nl-gate | External Gate | Cloud-facing edge server, future ingress |
| gate-vm | mesh-core-01 (Core Stack) | GitLab, MinIO, Postgres, Prometheus, Grafana, Vaultwarden, backup-freshness, Traefik, WG-Easy |
| shield-vm | shield-01 (Shield/TEM) | OffSec agents, TEM, HashiCorp Vault, incidents & simulations |
| lab-* | Experimental Mesh | lab-mesh-01, lab-agent-01, lab-chaos-01, phoenix-01 |
Canonical Core Services (gate-vm / mesh-core-01):

- GitLab – source control, CI/CD.
- MinIO – object storage & backups.
- PostgreSQL – GitLab and future service DBs.
- Prometheus – metrics.
- Grafana – dashboards (infra, backup freshness, proof metrics).
- Vaultwarden – human password vault (browsers, logins).
- backup-freshness – monitors MinIO backup age.
- Traefik – reverse proxy and ingress.
- WG-Easy (optional) – simplified WireGuard access.
Canonical Security / Shield Services (shield-vm):

- HashiCorp Vault – machine/app secrets.
- TEM daemon – threat transmutation engine.
- OffSec tools and MCP – Oracle, Shield, AppSec scanners.
- Agent/task scheduler – scheduled security workflows.
- Optional: local Prometheus exporters for node/security metrics.
Explicitly Non-Core (but allowed as external):

- Wiki.js – not part of canonical infra; documentation handled via Git-based docs/portals (e.g., burocrat, catalogs).
- Legacy projects marked ARCHIVE (e.g., old offsec-shield architecture, sovereign-swarm).
Migration & Portability:

- `mesh-stack-migration/` enables redeploying the entire core stack (GitLab, MinIO, monitoring, backup) to a fresh host:
  - Copy bundle → set `.env` → `docker compose up -d`.
  - Run FIRST-LAUNCH and DRY-RUN checklists.
- VMs can be moved or recreated using debian-golden as base.
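A pre-flight check for the `.env` step of that procedure, as an added example that is not part of the `mesh-stack-migration/` bundle or its FIRST-LAUNCH and DRY-RUN checklists: it parses the dotenv file and refuses to proceed while any required variable is missing, any secret still holds a placeholder, or MinIO is still on its shipped `minioadmin` credential. The variable names in `REQUIRED`, the placeholder list, the 16-character minimum and the sample `.env` are assumptions constructed for the example.

```python
"""Pre-flight check for a mesh-stack-migration style bundle before
`docker compose up -d`: every required variable must be set and no secret
may still be a placeholder or a shipped default.

Added example, not code from the VaultMesh bundle. The variable names in
REQUIRED, the placeholder list and the sample .env are assumptions.
"""
import re

# Assumed set of variables such a bundle's compose file would need.
REQUIRED = (
    "GITLAB_ROOT_PASSWORD",
    "POSTGRES_PASSWORD",
    "MINIO_ROOT_USER",
    "MINIO_ROOT_PASSWORD",
    "GRAFANA_ADMIN_PASSWORD",
    "VAULTWARDEN_ADMIN_TOKEN",
)
SECRET_SUFFIXES = ("_PASSWORD", "_TOKEN", "_SECRET", "_KEY")
PLACEHOLDERS = {"", "changeme", "change_me", "password", "admin", "secret", "todo", "xxx"}
# MinIO ships with minioadmin/minioadmin; deploying with it is a known mistake.
KNOWN_DEFAULTS = {("MINIO_ROOT_USER", "minioadmin"), ("MINIO_ROOT_PASSWORD", "minioadmin")}


def parse_env(text):
    """Parse dotenv-style KEY=VALUE lines: skips blanks and comments, accepts an
    optional `export ` prefix, strips one layer of matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", key):
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def check_env(env, required=REQUIRED, min_secret_len=16):
    """Return a list of problems; an empty list means the .env is safe to deploy."""
    problems = [f"{key}: missing" for key in required if key not in env]
    for key, value in env.items():
        if (key, value) in KNOWN_DEFAULTS:
            problems.append(f"{key}: shipped default credential")
            continue
        if not key.endswith(SECRET_SUFFIXES):
            continue  # only values that look like secrets are strength-checked
        if value.lower() in PLACEHOLDERS or ("<" in value and ">" in value):
            problems.append(f"{key}: placeholder value")
        elif len(value) < min_secret_len:
            problems.append(f"{key}: shorter than {min_secret_len} characters")
    return problems


# Constructed sample: a bundle .env that was only partly filled in.
SAMPLE_ENV = """\
# constructed sample .env
STACK_DOMAIN=mesh.example.internal
GITLAB_ROOT_PASSWORD=changeme
POSTGRES_PASSWORD="Qr7v!pZ2mL9#xW4eT1kB"
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=minioadmin
GRAFANA_ADMIN_PASSWORD=<set-me>
export VAULTWARDEN_ADMIN_TOKEN='8f1c0a4d2b7e9c3f5a6d1e2b4c7f8a9d'
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENV
    found = check_env(parse_env(text))
    for problem in found:
        print("FAIL", problem)
    print("OK: .env ready for docker compose up -d" if not found
          else f"{len(found)} problem(s); do not deploy")
    sys.exit(1 if found else 0)
```

Run it as `python preflight_env.py .env` before `docker compose up -d`; the non-zero exit stops a wrapper script or CI job. The suffix rule for spotting secrets is a heuristic, so a secret with a differently named variable has to be added to the check explicitly.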
Evolution Rules:

- If a service becomes critical and stateful, it must:
  - Emit receipts and have a documented backup/restore plan.
  - Expose metrics consumable by Prometheus.
  - Be referenced in the Canonical Infrastructure page with node placement.
- Experimental services stay on Lab HV until they prove their value.
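The backup-freshness service listed under core services and the rule above that a critical stateful service must expose Prometheus metrics meet in the kind of check below. It is an added example, not VaultMesh's backup-freshness code: given a bucket listing it finds the newest object under a backup prefix, treats a prefix with no objects as a failure rather than as fresh, and renders the result in Prometheus text exposition format. The listing is constructed inline instead of coming from a MinIO client, and the prefixes, the 24-hour threshold and the metric names are assumptions.

```python
"""Backup-freshness check in the role the catalog gives the backup-freshness
service: age of the newest backup object per prefix, exposed as Prometheus
metrics.

Added example, not the VaultMesh backup-freshness code. The object listing is
constructed inline (no MinIO client); prefixes, threshold and metric names are
assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupObject:
    key: str
    last_modified: datetime  # timezone-aware, as an S3/MinIO listing returns it


def newest_backup_age(objects, prefix, now):
    """Age in seconds of the newest object under `prefix`, or None when no
    object exists there. None is deliberately distinct from 0: a backup that
    was never written must not look fresh."""
    matching = [o for o in objects if o.key.startswith(prefix)]
    if not matching:
        return None
    newest = max(matching, key=lambda o: o.last_modified)
    return (now - newest.last_modified).total_seconds()


def freshness_metrics(objects, prefix, now, max_age):
    """Prometheus text-exposition lines for one backup prefix.

    backup_age_seconds  age of the newest object, -1 when none exists
    backup_fresh        1 when age <= max_age, otherwise 0 (also 0 when missing)
    """
    age = newest_backup_age(objects, prefix, now)
    fresh = 1 if age is not None and age <= max_age.total_seconds() else 0
    age_value = -1 if age is None else int(age)
    label = f'prefix="{prefix}"'
    return "\n".join([
        "# HELP backup_age_seconds Age of the newest backup object in seconds (-1 if none).",
        "# TYPE backup_age_seconds gauge",
        f"backup_age_seconds{{{label}}} {age_value}",
        "# HELP backup_fresh 1 if the newest backup is within the allowed age, else 0.",
        "# TYPE backup_fresh gauge",
        f"backup_fresh{{{label}}} {fresh}",
    ]) + "\n"


# Constructed sample listing, standing in for list_objects() on a backup bucket.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    BackupObject("gitlab/2025-01-09T02-00.tar.gz", NOW - timedelta(hours=34)),
    BackupObject("gitlab/2025-01-10T02-00.tar.gz", NOW - timedelta(hours=10)),
    BackupObject("postgres/2025-01-07T02-00.sql.gz", NOW - timedelta(days=3)),
]
MAX_AGE = timedelta(hours=24)  # assumed daily backup schedule

if __name__ == "__main__":
    # "minio-config/" has no objects: reported as -1 / not fresh, never as OK.
    for prefix in ("gitlab/", "postgres/", "minio-config/"):
        print(freshness_metrics(SAMPLE_OBJECTS, prefix, NOW, MAX_AGE), end="")
```

In a real exporter the listing comes from the MinIO/S3 client's object listing and the text is served on a `/metrics` endpoint for Prometheus to scrape; alerting on `backup_fresh == 0` covers both the stale and the never-written case, which an alert on age alone would miss.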
Linked Assets:

- `mesh-stack-migration/STACK-MANIFEST.md` and `STACK-VERSION`.
- `VAULTMESH-ETERNAL-PATTERN.md` (architectural shape).
- `VaultMesh_Infrastructure_Catalog_v1.*` (this catalog).