burrow/docs/PLATFORM_SERVICES.md
Conrad Kramer 002bd382e9
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
Wire Forge-native release infrastructure
2026-06-07 05:51:12 -07:00

4.3 KiB

Platform Services

Burrow's next platform layer is split into service boundaries that can be enabled independently after their security and rollback checks pass.

Identity and KMS

infra/identity owns Google Cloud KMS and Workload Identity Federation resources for the Burrow Google project:

  • project id: project-88c23ce9-918a-470a-b33
  • project number: 416198671487
  • key ring: burrow-identity
  • intended keys: Authentik signing, SAML CA signing, release signing

The WIF path is for Authentik-backed Forgejo runners. Runners should exchange an OIDC token for a short-lived Google credential instead of carrying static service-account JSON.

Release storage uses provider-neutral upload wrappers. Garage is the required S3-compatible primary target. GCS is the first backup target and remains the compatibility source for current Sparkle/store follow-on jobs:

  • release artifacts: burrow-net-releases
  • signed package repositories: burrow-net-packages
  • private Nix cache backup: burrow-net-nix-cache

Forgejo jobs authenticate to the same Google project through Authentik-backed WIF, then use gcloud storage for upload/download and Google KMS for release and repository signatures. No rclone transport or Google service-account JSON key is part of the release path.

services.burrow.garage is enabled by the forge host. It provides the host activation point for Garage API, static-web, and admin listeners, and bootstraps the initial single-node layout plus the attic, burrow-releases, and burrow-packages buckets. It creates separate owner/write keys for Attic, release artifacts, and package repositories, plus a read-only backup key for the scheduled Garage-to-GCS mirror.

Garage is now the primary object-storage surface for release/package uploads and the Nix cache. It uses host-local storage for object data and metadata; it does not fan out writes to multiple object-store backends. Multi-cloud failover should be implemented as explicit Garage bucket mirrors/backups, with GCS as the first backup target.

Nix Cache

nix.burrow.net is the Burrow Nix binary cache surface. The forge host runs Attic behind Caddy and stores cache chunks in the Garage attic bucket through Garage's local S3 API. Workers can use https://nix.burrow.net/burrow once the cache public key is published as BURROW_NIX_CACHE_PUBLIC_KEY in Forgejo. The host bootstrap also creates /var/lib/burrow/nix-cache/ci-push-token; seal it as BURROW_NIX_CACHE_PUSH_TOKEN before enabling broad cache publication.

Observability

graphs.burrow.net is backed by Grafana with Authentik SSO. The forge host now imports services.burrow.observability, which starts local Prometheus, OpenTelemetry collector, and Jaeger services. NixOS provisions Grafana datasources; OpenTofu manages checked-in dashboards for the Burrow overview, Headscale, and the broader Prometheus/OpenTelemetry/Jaeger spine.

Jaeger is local-only at first and is queried through Grafana. Headscale metrics are scraped locally. Tailscale SaaS metrics are optional until the OAuth credential file exists.

OpenBao

vault.burrow.net is the planned OpenBao surface. The repository now has:

  • infra/openbao for KMS seal wrapping and OpenBao auth/policy resources
  • services.burrow.openbao as a disabled-by-default NixOS switch point
  • Scripts/openbao-tofu.sh for stack-local OpenTofu operations

OpenBao should not be enabled until the KMS seal key, bootstrap token handling, backup/restore procedure, and Authentik roles are verified.

Jitsi Meet

meet.burrow.net is the planned Jitsi Meet surface. The repository now has services.burrow.jitsi as a disabled-by-default NixOS switch point.

Jitsi is not just an HTTP service. The rollout needs DNS, TLS, XMPP/prosody state, and an explicit UDP media-port decision before activation.

Mail and Webmail

inbox.burrow.net is the intended webmail surface. Stalwart is the planned mail server, but this flake does not currently expose the expected Stalwart NixOS option. Forward Email remains the current production mail path until the Stalwart module name, ports, DKIM rotation, backup target, spam policy, and migration steps are pinned in a follow-up BEP update.

MCP Hub

The MCP hub should be extracted to compatible.systems/burrow/mcp-hub. Until that repository exists, services/mcp-hub/ records the extraction boundary and tool inventory.