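# VaultMesh Infrastructure Templates

Placeholders written as `{name}` are substituted before a manifest is applied.
An unrendered template is not valid YAML on its own (`{component}` would parse
as a flow mapping), so render first, then lint.

## Kubernetes Deployment

### Namespace

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: vaultmesh
  labels:
    app.kubernetes.io/name: vaultmesh
    app.kubernetes.io/part-of: civilization-ledger
    # Every pod in the namespace must satisfy the "restricted" Pod Security
    # Standard; the Deployment template below is written to pass it.
    pod-security.kubernetes.io/enforce: restricted
```

### Generic Deployment Template

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultmesh-{component}
  namespace: vaultmesh
  labels:
    app.kubernetes.io/name: {component}
    app.kubernetes.io/component: {role}
    app.kubernetes.io/part-of: vaultmesh
spec:
  replicas: {replicas}
  # Guardian runs one replica with spec.strategy.type: Recreate (see
  # Component Configurations). This template does not parameterize strategy,
  # so the Guardian manifest must add that field explicitly.
  selector:
    matchLabels:
      app.kubernetes.io/name: {component}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {component}
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: vaultmesh-{component}
      # Nothing in this document shows a component calling the Kubernetes
      # API, so no service-account token is mounted; a compromised container
      # then holds no cluster credential. Set to true only for a component
      # that genuinely needs the API.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: {component}
          image: ghcr.io/vaultmesh/{component}:{version}
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          ports:
            - name: http
              containerPort: {http_port}
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          env:
            - name: RUST_LOG
              value: "info,vaultmesh=debug"
            - name: CONFIG_PATH
              value: "/config/{component}.toml"
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: vaultmesh-db-credentials
                  key: {component}-url
          # readOnlyRootFilesystem is true, so every path a component writes
          # needs a mount. Only /data/receipts and /tmp are writable here;
          # Oracle's /data/corpus and /data/cache/index (see oracle.toml) are
          # not mounted by this template.
          volumeMounts:
            - name: config
              mountPath: /config
              readOnly: true
            - name: receipts
              mountPath: /data/receipts
            - name: tmp
              mountPath: /tmp
          resources:
            requests:
              cpu: {cpu_request}
              memory: {memory_request}
            limits:
              cpu: {cpu_limit}
              memory: {memory_limit}
          livenessProbe:
            httpGet:
              path: /health/live
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health/ready
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: config
          configMap:
            name: vaultmesh-{component}-config
        - name: receipts
          persistentVolumeClaim:
            claimName: vaultmesh-receipts
        - name: tmp
          emptyDir: {}
```

### Service Template

```yaml
apiVersion: v1
kind: Service
metadata:
  name: vaultmesh-{component}
  namespace: vaultmesh
spec:
  selector:
    app.kubernetes.io/name: {component}
  # Oracle also listens on an MCP port (8083, see its overrides); that port
  # needs an extra entry here and in the Deployment's containerPorts.
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: metrics
      port: 9090
      targetPort: metrics
  type: ClusterIP
```

### ConfigMap Template

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: vaultmesh-{component}-config
  namespace: vaultmesh
data:
  {component}.toml: |
    [server]
    # Same placeholder as the Deployment's containerPort, so the bind
    # address and the probed port cannot drift apart.
    bind = "0.0.0.0:{http_port}"
    metrics_bind = "0.0.0.0:9090"

    [database]
    max_connections = 20
    min_connections = 5

    [receipts]
    base_path = "/data/receipts"

    # Component-specific configuration
```

### PersistentVolumeClaim

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vaultmesh-receipts
  namespace: vaultmesh
spec:
  # Shared by every component (all mount /data/receipts), hence RWX.
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-csi
  resources:
    requests:
      storage: 100Gi
```

### Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vaultmesh-ingress
  namespace: vaultmesh
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    # ingress-nginx's rate-limit annotations are limit-rps / limit-rpm /
    # limit-connections. Unknown annotations are ignored, so the earlier
    # rate-limit / rate-limit-window pair applied no limit at all.
    nginx.ingress.kubernetes.io/limit-rpm: "100"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        # Only portal has a rule below; requests for the other two hosts fall
        # through to the controller's default backend. Add a rule for each
        # host that is meant to be reachable and drop the rest from the cert.
        - portal.vaultmesh.io
        - guardian.vaultmesh.io
        - oracle.vaultmesh.io
      secretName: vaultmesh-tls
  rules:
    - host: portal.vaultmesh.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vaultmesh-portal
                port:
                  name: http
```

---

## Component Configurations

### Portal

```yaml
# Deployment overrides
replicas: 2
http_port: 8080
cpu_request: 100m
memory_request: 256Mi
cpu_limit: 1000m
memory_limit: 1Gi
```

```toml
# portal.toml
[server]
bind = "0.0.0.0:8080"
metrics_bind = "0.0.0.0:9090"

[database]
max_connections = 20
min_connections = 5

[receipts]
base_path = "/data/receipts"

[scrolls]
enabled = [
  "Drills",
  "Compliance",
  "Guardian",
  "Treasury",
  "Mesh",
  "OffSec",
  "Identity",
  "Observability",
  "Automation",
  "PsiField",
  "Federation",
  "Governance"
]

[auth]
jwt_issuer = "vaultmesh-portal"
session_ttl_hours = 24
```

### Guardian

```yaml
# Deployment overrides
replicas: 1  # Single for coordination
# Not a placeholder of the generic template; add spec.strategy to the
# Guardian Deployment by hand.
strategy:
  type: Recreate
http_port: 8081
cpu_request: 200m
memory_request: 512Mi
cpu_limit: 2000m
memory_limit: 2Gi
```

```toml
# guardian.toml
[server]
bind = "0.0.0.0:8081"
metrics_bind = "0.0.0.0:9090"

[proofchain]
receipts_path = "/data/receipts"
roots_path = "/data/receipts"

[anchor]
primary = "ethereum"
interval_seconds = 3600
min_receipts_threshold = 10

[anchor.ethereum]
# This file is delivered through a ConfigMap, which is not a secret store.
# ${INFURA_PROJECT_ID} must be expanded at runtime from a Secret-backed
# environment variable; never write the resolved URL into the ConfigMap.
rpc_url = "https://mainnet.infura.io/v3/${INFURA_PROJECT_ID}"
contract_address = "0x..."  # placeholder: fill in per environment
chain_id = 1

[anchor.ots]
enabled = true
calendar_urls = [
  "https://a.pool.opentimestamps.org",
  "https://b.pool.opentimestamps.org"
]

[sentinel]
enabled = true
alert_webhook = "http://alertmanager:9093/api/v2/alerts"
```

### Oracle

```yaml
# Deployment overrides
replicas: 2
http_port: 8082
# Not consumed by the generic template: the Deployment and Service need an
# extra port entry for 8083 before MCP is reachable.
mcp_port: 8083
cpu_request: 200m
memory_request: 512Mi
cpu_limit: 2000m
memory_limit: 4Gi
```

```toml
# oracle.toml
[server]
http_bind = "0.0.0.0:8082"
mcp_bind = "0.0.0.0:8083"
metrics_bind = "0.0.0.0:9090"

[corpus]
# Neither path is mounted by the generic Deployment template, and the root
# filesystem is read-only there: add a read-only corpus mount and a writable
# cache volume to the Oracle Deployment.
path = "/data/corpus"
index_path = "/data/cache/index"
supported_formats = ["docx", "pdf", "md", "txt"]

[llm]
primary_provider = "anthropic"
primary_model = "claude-sonnet-4-20250514"
fallback_provider = "openai"
fallback_model = "gpt-4o"
temperature = 0.1
max_tokens = 4096

[receipts]
endpoint = "http://vaultmesh-portal/api/receipts/oracle"
```

---

## Docker Compose (Development)

```yaml
# Compose v2 reads the Compose Specification and warns that the top-level
# `version` key is obsolete, so it is omitted.
#
# Credentials come from .env (`${VAR:?msg}` aborts with a message when
# unset) rather than being committed in this file, and every published port
# is bound to loopback so a developer laptop does not expose the stack to
# its LAN.
services:
  portal:
    build:
      context: .
      dockerfile: docker/portal/Dockerfile
    ports:
      - "127.0.0.1:8080:8080"
      - "127.0.0.1:9090:9090"
    environment:
      - RUST_LOG=info,vaultmesh=debug
      - VAULTMESH_CONFIG=/config/portal.toml
      - DATABASE_URL=postgresql://vaultmesh:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}@postgres:5432/vaultmesh
      - REDIS_URL=redis://redis:6379
    volumes:
      - ./config/portal.toml:/config/portal.toml:ro
      - receipts:/data/receipts
    # guardian and oracle wait on `service_healthy`, which Compose rejects
    # unless the dependency declares a healthcheck. /health/ready is the
    # same endpoint the Kubernetes readiness probe uses; wget is BusyBox's
    # in the alpine runtime image.
    healthcheck:
      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:8080/health/ready || exit 1"]
      interval: 5s
      timeout: 5s
      retries: 10
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_started

  guardian:
    build:
      context: .
      dockerfile: docker/guardian/Dockerfile
    ports:
      - "127.0.0.1:8081:8081"
    environment:
      - RUST_LOG=info,guardian=debug
      - GUARDIAN_CONFIG=/config/guardian.toml
      - DATABASE_URL=postgresql://vaultmesh:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}@postgres:5432/vaultmesh
    volumes:
      - ./config/guardian.toml:/config/guardian.toml:ro
      - receipts:/data/receipts
      - guardian-state:/data/guardian
    depends_on:
      portal:
        condition: service_healthy

  oracle:
    build:
      context: .
      dockerfile: docker/oracle/Dockerfile
    ports:
      - "127.0.0.1:8082:8082"
      - "127.0.0.1:8083:8083"
    environment:
      - ORACLE_CONFIG=/config/oracle.toml
      - OPENAI_API_KEY=${OPENAI_API_KEY}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
      - VAULTMESH_RECEIPT_ENDPOINT=http://portal:8080/api/receipts
    volumes:
      - ./config/oracle.toml:/config/oracle.toml:ro
      - ./corpus:/data/corpus:ro
    depends_on:
      portal:
        condition: service_healthy

  postgres:
    image: postgres:16-alpine
    environment:
      - POSTGRES_USER=vaultmesh
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}
      - POSTGRES_DB=vaultmesh
    volumes:
      - postgres-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U vaultmesh"]
      interval: 5s
      timeout: 5s
      retries: 5

  redis:
    image: redis:7-alpine
    volumes:
      - redis-data:/data
    command: redis-server --appendonly yes

  prometheus:
    image: prom/prometheus:v2.47.0
    ports:
      - "127.0.0.1:9091:9090"
    volumes:
      - ./config/prometheus.yaml:/etc/prometheus/prometheus.yml:ro
      - prometheus-data:/prometheus

  grafana:
    image: grafana/grafana:10.1.0
    ports:
      - "127.0.0.1:3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:?set GRAFANA_ADMIN_PASSWORD in .env}
    volumes:
      - ./config/grafana/provisioning:/etc/grafana/provisioning:ro
      - grafana-data:/var/lib/grafana

volumes:
  receipts:
  guardian-state:
  postgres-data:
  redis-data:
  prometheus-data:
  grafana-data:

networks:
  default:
    name: vaultmesh
```

---

## Dockerfile Templates

### Rust Service

```dockerfile
# Build stage
FROM rust:1.75-alpine AS builder
RUN apk add --no-cache musl-dev openssl-dev openssl-libs-static
WORKDIR /build
COPY Cargo.toml Cargo.lock ./
COPY src ./src
# --locked fails the build if Cargo.lock would need updating, so the image
# contains exactly the dependency versions that were reviewed.
RUN cargo build --release --locked --target x86_64-unknown-linux-musl

# Runtime stage
FROM alpine:3.19
RUN apk add --no-cache ca-certificates tzdata
RUN adduser -D -u 1000 vaultmesh
USER vaultmesh
WORKDIR /app
COPY --from=builder /build/target/x86_64-unknown-linux-musl/release/{binary} /app/
EXPOSE 8080 9090
ENTRYPOINT ["/app/{binary}"]
```

### Python Service

```dockerfile
FROM python:3.12-slim
RUN useradd -m -u 1000 vaultmesh
WORKDIR /app
COPY requirements.txt .
# Pin every entry in requirements.txt (and add hashes if the project
# generates them) so rebuilds are reproducible.
RUN pip install --no-cache-dir -r requirements.txt
COPY --chown=vaultmesh:vaultmesh . .
USER vaultmesh
EXPOSE 8080 9090
CMD ["python", "-m", "{module}"]
```

---

## Prometheus Rules

```yaml
groups:
  - name: vaultmesh.receipts
    rules:
      - alert: ReceiptWriteFailure
        expr: rate(vaultmesh_receipt_write_errors_total[5m]) > 0
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "Receipt write failures detected"

      - alert: ReceiptRateAnomaly
        expr: |
          abs(rate(vaultmesh_receipts_total[5m]) - avg_over_time(rate(vaultmesh_receipts_total[5m])[1h:5m]))
          > 2 * stddev_over_time(rate(vaultmesh_receipts_total[5m])[1h:5m])
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Unusual receipt rate"

  - name: vaultmesh.guardian
    rules:
      - alert: AnchorDelayed
        expr: time() - vaultmesh_guardian_last_anchor_timestamp > 7200
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Guardian anchor delayed"

      - alert: AnchorCriticallyDelayed
        expr: time() - vaultmesh_guardian_last_anchor_timestamp > 14400
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "No anchor in over 4 hours"

      - alert: ProofChainDivergence
        expr: vaultmesh_guardian_proofchain_divergence == 1
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "ProofChain divergence detected"

  - name: vaultmesh.governance
    rules:
      - alert: ConstitutionalViolation
        expr: increase(vaultmesh_governance_violations_total[1h]) > 0
        for: 0m
        labels:
          severity: critical
        annotations:
          summary: "Constitutional violation detected"

      - alert: EmergencyActive
        expr: vaultmesh_governance_emergency_active == 1
        for: 0m
        labels:
          severity: warning
        annotations:
          summary: "Emergency powers in effect"
```

---

## Kustomization

### Base

```yaml
# kubernetes/base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vaultmesh

resources:
  - namespace.yaml
  - rbac.yaml
  - portal/
  - guardian/
  - oracle/
  - database/
  - storage/
  - ingress/

# `labels` with includeSelectors: false replaces the deprecated commonLabels,
# which also rewrote Deployment selectors (immutable after creation). Note the
# Namespace and Terraform both label part-of as civilization-ledger; this
# value wins for the resources listed above.
labels:
  - pairs:
      app.kubernetes.io/part-of: vaultmesh
      app.kubernetes.io/managed-by: kustomize
    includeSelectors: false
```

### Production Overlay

```yaml
# kubernetes/overlays/production/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vaultmesh

resources:
  - ../../base

patches:
  - path: portal-resources.yaml
  - path: guardian-resources.yaml
  - path: oracle-resources.yaml

configMapGenerator:
  - name: vaultmesh-portal-config
    behavior: merge
    files:
      - portal.toml=configs/portal-prod.toml

replicas:
  - name: vaultmesh-portal
    count: 3
  - name: vaultmesh-oracle
    count: 3
```

---

## Terraform (Infrastructure)

```hcl
# main.tf
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.23"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.11"
    }
  }
}

resource "kubernetes_namespace" "vaultmesh" {
  metadata {
    name = "vaultmesh"
    labels = {
      "app.kubernetes.io/name"    = "vaultmesh"
      "app.kubernetes.io/part-of" = "civilization-ledger"
    }
  }
}

resource "helm_release" "vaultmesh" {
  name      = "vaultmesh"
  namespace = kubernetes_namespace.vaultmesh.metadata[0].name
  chart     = "./charts/vaultmesh"

  values = [
    file("values-${var.environment}.yaml")
  ]

  set {
    name  = "portal.replicas"
    value = var.portal_replicas
  }

  # guardian.toml embeds the Infura project ID in this URL, so it is a
  # credential: set_sensitive keeps it out of plan output.
  set_sensitive {
    name  = "guardian.anchor.ethereum.rpcUrl"
    value = var.ethereum_rpc_url
  }

  set_sensitive {
    name  = "secrets.anthropicApiKey"
    value = var.anthropic_api_key
  }
}

variable "environment" {
  type    = string
  default = "production"
}

variable "portal_replicas" {
  type    = number
  default = 3
}

variable "ethereum_rpc_url" {
  type      = string
  sensitive = true
}

variable "anthropic_api_key" {
  type      = string
  sensitive = true
}
```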