4.3 KiB
Platform Services
Burrow's next platform layer is split into service boundaries that can be enabled independently after their security and rollback checks pass.
Identity and KMS
infra/identity owns Google Cloud KMS and Workload Identity Federation
resources for the Burrow Google project:
- project id:
project-88c23ce9-918a-470a-b33 - project number:
416198671487 - key ring:
burrow-identity - intended keys: Authentik signing, SAML CA signing, release signing
The WIF path is for Authentik-backed Forgejo runners. Runners should exchange an OIDC token for a short-lived Google credential instead of carrying static service-account JSON.
Release storage uses provider-neutral upload wrappers. Garage is the required S3-compatible primary target. GCS is the first backup target and remains the compatibility source for current Sparkle/store follow-on jobs:
- release artifacts:
burrow-net-releases - signed package repositories:
burrow-net-packages - private Nix cache backup:
burrow-net-nix-cache
Forgejo jobs authenticate to the same Google project through Authentik-backed
WIF, then use gcloud storage for upload/download and Google KMS for release
and repository signatures. No rclone transport or Google service-account JSON
key is part of the release path.
services.burrow.garage is enabled by the forge host. It provides the host
activation point for Garage API, static-web, and admin listeners, and
bootstraps the initial single-node layout plus the attic, burrow-releases,
and burrow-packages buckets. It creates separate owner/write keys for Attic,
release artifacts, and package repositories, plus a read-only backup key for
the scheduled Garage-to-GCS mirror.
Garage is now the primary object-storage surface for release/package uploads and the Nix cache. It uses host-local storage for object data and metadata; it does not fan out writes to multiple object-store backends. Multi-cloud failover should be implemented as explicit Garage bucket mirrors/backups, with GCS as the first backup target.
Nix Cache
nix.burrow.net is the Burrow Nix binary cache surface. The forge host runs
Attic behind Caddy and stores cache chunks in the Garage attic bucket through
Garage's local S3 API. Workers can use https://nix.burrow.net/burrow once the
cache public key is published as BURROW_NIX_CACHE_PUBLIC_KEY in Forgejo. The
host bootstrap also creates /var/lib/burrow/nix-cache/ci-push-token; seal it
as BURROW_NIX_CACHE_PUSH_TOKEN before enabling broad cache publication.
Observability
graphs.burrow.net is backed by Grafana with Authentik SSO. The forge host now
imports services.burrow.observability, which starts local Prometheus,
OpenTelemetry collector, and Jaeger services. NixOS provisions Grafana
datasources; OpenTofu manages checked-in dashboards for the Burrow overview,
Headscale, and the broader Prometheus/OpenTelemetry/Jaeger spine.
Jaeger is local-only at first and is queried through Grafana. Headscale metrics are scraped locally. Tailscale SaaS metrics are optional until the OAuth credential file exists.
OpenBao
vault.burrow.net is the planned OpenBao surface. The repository now has:
infra/openbaofor KMS seal wrapping and OpenBao auth/policy resourcesservices.burrow.openbaoas a disabled-by-default NixOS switch pointScripts/openbao-tofu.shfor stack-local OpenTofu operations
OpenBao should not be enabled until the KMS seal key, bootstrap token handling, backup/restore procedure, and Authentik roles are verified.
Jitsi Meet
meet.burrow.net is the planned Jitsi Meet surface. The repository now has
services.burrow.jitsi as a disabled-by-default NixOS switch point.
Jitsi is not just an HTTP service. The rollout needs DNS, TLS, XMPP/prosody state, and an explicit UDP media-port decision before activation.
Mail and Webmail
inbox.burrow.net is the intended webmail surface. Stalwart is the planned mail
server, but this flake does not currently expose the expected Stalwart NixOS
option. Forward Email remains the current production mail path until the
Stalwart module name, ports, DKIM rotation, backup target, spam policy, and
migration steps are pinned in a follow-up BEP update.
MCP Hub
The MCP hub should be extracted to compatible.systems/burrow/mcp-hub. Until
that repository exists, services/mcp-hub/ records the extraction boundary and
tool inventory.