vaultsovereign/vm-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7a01aebbc0f7c5a5ec029be7357999b98c4fa7fb
vm-core/docs/skill/INFRASTRUCTURE.md
Vault Sovereign 110d644e10 Initialize repository snapshot
2025-12-27 00:10:32 +00:00

712 lines
14 KiB
Markdown
Raw Blame History

# VaultMesh Infrastructure Templates
## Kubernetes Deployment
### Namespace
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: vaultmesh
labels:
app.kubernetes.io/name: vaultmesh
app.kubernetes.io/part-of: civilization-ledger
pod-security.kubernetes.io/enforce: restricted
```
### Generic Deployment Template
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: vaultmesh-{component}
namespace: vaultmesh
labels:
app.kubernetes.io/name: {component}
app.kubernetes.io/component: {role}
app.kubernetes.io/part-of: vaultmesh
spec:
replicas: {replicas}
selector:
matchLabels:
app.kubernetes.io/name: {component}
template:
metadata:
labels:
app.kubernetes.io/name: {component}
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9090"
prometheus.io/path: "/metrics"
spec:
serviceAccountName: vaultmesh-{component}
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: {component}
image: ghcr.io/vaultmesh/{component}:{version}
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: {http_port}
protocol: TCP
- name: metrics
containerPort: 9090
protocol: TCP
env:
- name: RUST_LOG
value: "info,vaultmesh=debug"
- name: CONFIG_PATH
value: "/config/{component}.toml"
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: vaultmesh-db-credentials
key: {component}-url
volumeMounts:
- name: config
mountPath: /config
readOnly: true
- name: receipts
mountPath: /data/receipts
- name: tmp
mountPath: /tmp
resources:
requests:
cpu: {cpu_request}
memory: {memory_request}
limits:
cpu: {cpu_limit}
memory: {memory_limit}
livenessProbe:
httpGet:
path: /health/live
port: http
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
httpGet:
path: /health/ready
port: http
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: config
configMap:
name: vaultmesh-{component}-config
- name: receipts
persistentVolumeClaim:
claimName: vaultmesh-receipts
- name: tmp
emptyDir: {}
```
### Service Template
```yaml
apiVersion: v1
kind: Service
metadata:
name: vaultmesh-{component}
namespace: vaultmesh
spec:
selector:
app.kubernetes.io/name: {component}
ports:
- name: http
port: 80
targetPort: http
- name: metrics
port: 9090
targetPort: metrics
type: ClusterIP
```
### ConfigMap Template
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: vaultmesh-{component}-config
namespace: vaultmesh
data:
{component}.toml: |
[server]
bind = "0.0.0.0:{port}"
metrics_bind = "0.0.0.0:9090"
[database]
max_connections = 20
min_connections = 5
[receipts]
base_path = "/data/receipts"
# Component-specific configuration
```
### PersistentVolumeClaim
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vaultmesh-receipts
namespace: vaultmesh
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs-csi
resources:
requests:
storage: 100Gi
```
### Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultmesh-ingress
namespace: vaultmesh
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
nginx.ingress.kubernetes.io/rate-limit: "100"
nginx.ingress.kubernetes.io/rate-limit-window: "1m"
spec:
ingressClassName: nginx
tls:
- hosts:
- portal.vaultmesh.io
- guardian.vaultmesh.io
- oracle.vaultmesh.io
secretName: vaultmesh-tls
rules:
- host: portal.vaultmesh.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultmesh-portal
port:
name: http
```
---
## Component Configurations
### Portal
```yaml
# Deployment overrides
replicas: 2
http_port: 8080
cpu_request: 100m
memory_request: 256Mi
cpu_limit: 1000m
memory_limit: 1Gi
```
```toml
# portal.toml
[server]
bind = "0.0.0.0:8080"
metrics_bind = "0.0.0.0:9090"
[database]
max_connections = 20
min_connections = 5
[receipts]
base_path = "/data/receipts"
[scrolls]
enabled = [
"Drills", "Compliance", "Guardian", "Treasury", "Mesh",
"OffSec", "Identity", "Observability", "Automation",
"PsiField", "Federation", "Governance"
]
[auth]
jwt_issuer = "vaultmesh-portal"
session_ttl_hours = 24
```
### Guardian
```yaml
# Deployment overrides
replicas: 1 # Single for coordination
strategy:
type: Recreate
http_port: 8081
cpu_request: 200m
memory_request: 512Mi
cpu_limit: 2000m
memory_limit: 2Gi
```
```toml
# guardian.toml
[server]
bind = "0.0.0.0:8081"
metrics_bind = "0.0.0.0:9090"
[proofchain]
receipts_path = "/data/receipts"
roots_path = "/data/receipts"
[anchor]
primary = "ethereum"
interval_seconds = 3600
min_receipts_threshold = 10
[anchor.ethereum]
rpc_url = "https://mainnet.infura.io/v3/${INFURA_PROJECT_ID}"
contract_address = "0x..."
chain_id = 1
[anchor.ots]
enabled = true
calendar_urls = [
"https://a.pool.opentimestamps.org",
"https://b.pool.opentimestamps.org"
]
[sentinel]
enabled = true
alert_webhook = "http://alertmanager:9093/api/v2/alerts"
```
### Oracle
```yaml
# Deployment overrides
replicas: 2
http_port: 8082
mcp_port: 8083
cpu_request: 200m
memory_request: 512Mi
cpu_limit: 2000m
memory_limit: 4Gi
```
```toml
# oracle.toml
[server]
http_bind = "0.0.0.0:8082"
mcp_bind = "0.0.0.0:8083"
metrics_bind = "0.0.0.0:9090"
[corpus]
path = "/data/corpus"
index_path = "/data/cache/index"
supported_formats = ["docx", "pdf", "md", "txt"]
[llm]
primary_provider = "anthropic"
primary_model = "claude-sonnet-4-20250514"
fallback_provider = "openai"
fallback_model = "gpt-4o"
temperature = 0.1
max_tokens = 4096
[receipts]
endpoint = "http://vaultmesh-portal/api/receipts/oracle"
```
---
## Docker Compose (Development)
```yaml
version: "3.9"
services:
portal:
build:
context: .
dockerfile: docker/portal/Dockerfile
ports:
- "8080:8080"
- "9090:9090"
environment:
- RUST_LOG=info,vaultmesh=debug
- VAULTMESH_CONFIG=/config/portal.toml
- DATABASE_URL=postgresql://vaultmesh:vaultmesh@postgres:5432/vaultmesh
- REDIS_URL=redis://redis:6379
volumes:
- ./config/portal.toml:/config/portal.toml:ro
- receipts:/data/receipts
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_started
guardian:
build:
context: .
dockerfile: docker/guardian/Dockerfile
ports:
- "8081:8081"
environment:
- RUST_LOG=info,guardian=debug
- GUARDIAN_CONFIG=/config/guardian.toml
- DATABASE_URL=postgresql://vaultmesh:vaultmesh@postgres:5432/vaultmesh
volumes:
- ./config/guardian.toml:/config/guardian.toml:ro
- receipts:/data/receipts
- guardian-state:/data/guardian
depends_on:
portal:
condition: service_healthy
oracle:
build:
context: .
dockerfile: docker/oracle/Dockerfile
ports:
- "8082:8082"
- "8083:8083"
environment:
- ORACLE_CONFIG=/config/oracle.toml
- OPENAI_API_KEY=${OPENAI_API_KEY}
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
- VAULTMESH_RECEIPT_ENDPOINT=http://portal:8080/api/receipts
volumes:
- ./config/oracle.toml:/config/oracle.toml:ro
- ./corpus:/data/corpus:ro
depends_on:
portal:
condition: service_healthy
postgres:
image: postgres:16-alpine
environment:
- POSTGRES_USER=vaultmesh
- POSTGRES_PASSWORD=vaultmesh
- POSTGRES_DB=vaultmesh
volumes:
- postgres-data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U vaultmesh"]
interval: 5s
timeout: 5s
retries: 5
redis:
image: redis:7-alpine
volumes:
- redis-data:/data
command: redis-server --appendonly yes
prometheus:
image: prom/prometheus:v2.47.0
ports:
- "9091:9090"
volumes:
- ./config/prometheus.yaml:/etc/prometheus/prometheus.yml:ro
- prometheus-data:/prometheus
grafana:
image: grafana/grafana:10.1.0
ports:
- "3000:3000"
environment:
- GF_SECURITY_ADMIN_PASSWORD=admin
volumes:
- ./config/grafana/provisioning:/etc/grafana/provisioning:ro
- grafana-data:/var/lib/grafana
volumes:
receipts:
guardian-state:
postgres-data:
redis-data:
prometheus-data:
grafana-data:
networks:
default:
name: vaultmesh
```
---
## Dockerfile Templates
### Rust Service
```dockerfile
# Build stage
FROM rust:1.75-alpine AS builder
RUN apk add --no-cache musl-dev openssl-dev openssl-libs-static
WORKDIR /build
COPY Cargo.toml Cargo.lock ./
COPY src ./src
RUN cargo build --release --target x86_64-unknown-linux-musl
# Runtime stage
FROM alpine:3.19
RUN apk add --no-cache ca-certificates tzdata
RUN adduser -D -u 1000 vaultmesh
USER vaultmesh
WORKDIR /app
COPY --from=builder /build/target/x86_64-unknown-linux-musl/release/{binary} /app/
EXPOSE 8080 9090
ENTRYPOINT ["/app/{binary}"]
```
### Python Service
```dockerfile
FROM python:3.12-slim
RUN useradd -m -u 1000 vaultmesh
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY --chown=vaultmesh:vaultmesh . .
USER vaultmesh
EXPOSE 8080 9090
CMD ["python", "-m", "{module}"]
```
---
## Prometheus Rules
```yaml
groups:
- name: vaultmesh.receipts
rules:
- alert: ReceiptWriteFailure
expr: rate(vaultmesh_receipt_write_errors_total[5m]) > 0
for: 1m
labels:
severity: critical
annotations:
summary: "Receipt write failures detected"
- alert: ReceiptRateAnomaly
expr: |
abs(rate(vaultmesh_receipts_total[5m]) -
avg_over_time(rate(vaultmesh_receipts_total[5m])[1h:5m]))
> 2 * stddev_over_time(rate(vaultmesh_receipts_total[5m])[1h:5m])
for: 10m
labels:
severity: warning
annotations:
summary: "Unusual receipt rate"
- name: vaultmesh.guardian
rules:
- alert: AnchorDelayed
expr: time() - vaultmesh_guardian_last_anchor_timestamp > 7200
for: 5m
labels:
severity: warning
annotations:
summary: "Guardian anchor delayed"
- alert: AnchorCriticallyDelayed
expr: time() - vaultmesh_guardian_last_anchor_timestamp > 14400
for: 5m
labels:
severity: critical
annotations:
summary: "No anchor in over 4 hours"
- alert: ProofChainDivergence
expr: vaultmesh_guardian_proofchain_divergence == 1
for: 1m
labels:
severity: critical
annotations:
summary: "ProofChain divergence detected"
- name: vaultmesh.governance
rules:
- alert: ConstitutionalViolation
expr: increase(vaultmesh_governance_violations_total[1h]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: "Constitutional violation detected"
- alert: EmergencyActive
expr: vaultmesh_governance_emergency_active == 1
for: 0m
labels:
severity: warning
annotations:
summary: "Emergency powers in effect"
```
---
## Kustomization
### Base
```yaml
# kubernetes/base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vaultmesh
resources:
- namespace.yaml
- rbac.yaml
- portal/
- guardian/
- oracle/
- database/
- storage/
- ingress/
commonLabels:
app.kubernetes.io/part-of: vaultmesh
app.kubernetes.io/managed-by: kustomize
```
### Production Overlay
```yaml
# kubernetes/overlays/production/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vaultmesh
resources:
- ../../base
patches:
- path: portal-resources.yaml
- path: guardian-resources.yaml
- path: oracle-resources.yaml
configMapGenerator:
- name: vaultmesh-portal-config
behavior: merge
files:
- portal.toml=configs/portal-prod.toml
replicas:
- name: vaultmesh-portal
count: 3
- name: vaultmesh-oracle
count: 3
```
---
## Terraform (Infrastructure)
```hcl
# main.tf
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.23"
}
helm = {
source = "hashicorp/helm"
version = "~> 2.11"
}
}
}
resource "kubernetes_namespace" "vaultmesh" {
metadata {
name = "vaultmesh"
labels = {
"app.kubernetes.io/name" = "vaultmesh"
"app.kubernetes.io/part-of" = "civilization-ledger"
}
}
}
resource "helm_release" "vaultmesh" {
name = "vaultmesh"
namespace = kubernetes_namespace.vaultmesh.metadata[0].name
chart = "./charts/vaultmesh"
values = [
file("values-${var.environment}.yaml")
]
set {
name = "portal.replicas"
value = var.portal_replicas
}
set {
name = "guardian.anchor.ethereum.rpcUrl"
value = var.ethereum_rpc_url
}
set_sensitive {
name = "secrets.anthropicApiKey"
value = var.anthropic_api_key
}
}
variable "environment" {
type = string
default = "production"
}
variable "portal_replicas" {
type = number
default = 3
}
variable "ethereum_rpc_url" {
type = string
}
variable "anthropic_api_key" {
type = string
sensitive = true
}
```
Reference in New Issue View Git Blame Copy Permalink