Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
99 lines
4.3 KiB
Markdown
99 lines
4.3 KiB
Markdown
# Platform Services
|
|
|
|
Burrow's next platform layer is split into service boundaries that can be
|
|
enabled independently after their security and rollback checks pass.
|
|
|
|
## Identity and KMS
|
|
|
|
`infra/identity` owns Google Cloud KMS and Workload Identity Federation
|
|
resources for the Burrow Google project:
|
|
|
|
- project id: `project-88c23ce9-918a-470a-b33`
|
|
- project number: `416198671487`
|
|
- key ring: `burrow-identity`
|
|
- intended keys: Authentik signing, SAML CA signing, release signing
|
|
|
|
The WIF path is for Authentik-backed Forgejo runners. Runners should exchange an
|
|
OIDC token for a short-lived Google credential instead of carrying static
|
|
service-account JSON.
|
|
|
|
Release storage uses provider-neutral upload wrappers. Garage is the required
|
|
S3-compatible primary target. GCS is the first backup target and remains the
|
|
compatibility source for current
|
|
Sparkle/store follow-on jobs:
|
|
|
|
- release artifacts: `burrow-net-releases`
|
|
- signed package repositories: `burrow-net-packages`
|
|
- private Nix cache backup: `burrow-net-nix-cache`
|
|
|
|
Forgejo jobs authenticate to the same Google project through Authentik-backed
|
|
WIF, then use `gcloud storage` for upload/download and Google KMS for release
|
|
and repository signatures. No rclone transport or Google service-account JSON
|
|
key is part of the release path.
|
|
|
|
`services.burrow.garage` is enabled by the forge host. It provides the host
|
|
activation point for Garage API, static-web, and admin listeners, and
|
|
bootstraps the initial single-node layout plus the `attic`, `burrow-releases`,
|
|
and `burrow-packages` buckets. It creates separate owner/write keys for Attic,
|
|
release artifacts, and package repositories, plus a read-only backup key for
|
|
the scheduled Garage-to-GCS mirror.
|
|
|
|
Garage is now the primary object-storage surface for release/package uploads and
|
|
the Nix cache. It uses host-local storage for object data and metadata; it does
|
|
not fan out writes to multiple object-store backends. Multi-cloud failover
|
|
should be implemented as explicit Garage bucket mirrors/backups, with GCS as the
|
|
first backup target.
|
|
|
|
## Nix Cache
|
|
|
|
`nix.burrow.net` is the Burrow Nix binary cache surface. The forge host runs
|
|
Attic behind Caddy and stores cache chunks in the Garage `attic` bucket through
|
|
Garage's local S3 API. Workers can use `https://nix.burrow.net/burrow` once the
|
|
cache public key is published as `BURROW_NIX_CACHE_PUBLIC_KEY` in Forgejo. The
|
|
host bootstrap also creates `/var/lib/burrow/nix-cache/ci-push-token`; seal it
|
|
as `BURROW_NIX_CACHE_PUSH_TOKEN` before enabling broad cache publication.
|
|
|
|
## Observability
|
|
|
|
`graphs.burrow.net` is backed by Grafana with Authentik SSO. The forge host now
|
|
imports `services.burrow.observability`, which starts local Prometheus,
|
|
OpenTelemetry collector, and Jaeger services. NixOS provisions Grafana
|
|
datasources; OpenTofu manages checked-in dashboards for the Burrow overview,
|
|
Headscale, and the broader Prometheus/OpenTelemetry/Jaeger spine.
|
|
|
|
Jaeger is local-only at first and is queried through Grafana. Headscale metrics
|
|
are scraped locally. Tailscale SaaS metrics are optional until the OAuth
|
|
credential file exists.
|
|
|
|
## OpenBao
|
|
|
|
`vault.burrow.net` is the planned OpenBao surface. The repository now has:
|
|
|
|
- `infra/openbao` for KMS seal wrapping and OpenBao auth/policy resources
|
|
- `services.burrow.openbao` as a disabled-by-default NixOS switch point
|
|
- `Scripts/openbao-tofu.sh` for stack-local OpenTofu operations
|
|
|
|
OpenBao should not be enabled until the KMS seal key, bootstrap token handling,
|
|
backup/restore procedure, and Authentik roles are verified.
|
|
|
|
## Jitsi Meet
|
|
|
|
`meet.burrow.net` is the planned Jitsi Meet surface. The repository now has
|
|
`services.burrow.jitsi` as a disabled-by-default NixOS switch point.
|
|
|
|
Jitsi is not just an HTTP service. The rollout needs DNS, TLS, XMPP/prosody
|
|
state, and an explicit UDP media-port decision before activation.
|
|
|
|
## Mail and Webmail
|
|
|
|
`inbox.burrow.net` is the intended webmail surface. Stalwart is the planned mail
|
|
server, but this flake does not currently expose the expected Stalwart NixOS
|
|
option. Forward Email remains the current production mail path until the
|
|
Stalwart module name, ports, DKIM rotation, backup target, spam policy, and
|
|
migration steps are pinned in a follow-up BEP update.
|
|
|
|
## MCP Hub
|
|
|
|
The MCP hub should be extracted to `compatible.systems/burrow/mcp-hub`. Until
|
|
that repository exists, `services/mcp-hub/` records the extraction boundary and
|
|
tool inventory.
|