> [!IMPORTANT]
> Under active development. Not production-ready.
- OS: Talos Linux (immutable, API-driven)
- Orchestration: Kubernetes
- GitOps: Flux CD
- IaC: Terraform + OpenTofu
- CNI: Cilium (with WireGuard encryption)
- Networking: Tailscale mesh
- Secret Management: External Secrets Operator + SOPS
```text
deploy/
├── terraform/          # Infrastructure provisioning
│   ├── modules/        # Reusable Terraform modules
│   ├── environments/   # Environment-specific configs (dev, staging, production)
│   └── regions/        # Regional cluster definitions
├── flux/               # GitOps configurations
│   ├── clusters/       # Cluster-specific Flux configs
│   ├── infrastructure/ # Cluster infrastructure (CNI, operators, etc.)
│   └── apps/           # Application deployments
├── talos/              # Talos Linux configurations
├── policies/           # Kyverno and network policies
├── scripts/            # Deployment automation scripts
├── runbooks/           # Operational runbooks
├── alerts/             # Prometheus alerting rules
├── slos/               # Service Level Objectives
└── docs/               # Documentation and ADRs
```
Use the InferaDB CLI for local development:

```bash
# Create local cluster and deploy InferaDB stack
inferadb dev start

# Show cluster status
inferadb dev status

# Tear down cluster
inferadb dev stop --destroy
```

The dev environment deploys:

- FoundationDB: Single-node cluster
- Engine: Authorization policy engine
- Control: Control plane API
- Dashboard: Web console
Access services:

```bash
kubectl port-forward -n inferadb svc/inferadb-engine 8080:8080
kubectl port-forward -n inferadb svc/inferadb-control 9090:9090
kubectl port-forward -n inferadb svc/inferadb-dashboard 3000:3000
```

Bootstrap a cluster:

```bash
./scripts/bootstrap-cluster.sh <environment> <region> <provider>

# Example: staging NYC1 on AWS
./scripts/bootstrap-cluster.sh staging nyc1 aws
```

| Environment | Regions | Purpose |
|---|---|---|
| Development | Local (Docker) | Development and testing |
| Staging | NYC1 + monthly drills | Pre-production validation |
| Production | NYC1, SFO1 | Live workloads |
Terraform modules:

- `talos-cluster`: Abstract Talos K8s cluster provisioning
- `provider-aws`: AWS-specific resources (VPC, EC2, etc.)
- `provider-gcp`: GCP-specific resources
- `provider-digitalocean`: DigitalOcean-specific resources
- `fdb-backup`: FoundationDB backup infrastructure
- `dns`: Multi-provider DNS management

Flux layout:

- `infrastructure/base`: Shared controllers and operators
- `apps/base`: Application deployments (engine, control, dashboard)
- Pod Security Standards (namespace-level)
- Cilium NetworkPolicies (default deny)
- Image signing via Kyverno
- WireGuard pod-to-pod encryption
- Trivy vulnerability scanning
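The manifests below are an added illustration of three of the controls listed above (namespace-level Pod Security Standards, a Cilium default-deny baseline with explicit allows, and Kyverno image signature verification); they are not taken from this repository's `policies/` directory. The pod labels (`app.kubernetes.io/name`), the image registry path, the CoreDNS labels, and the signing identity are assumptions chosen for the example and would have to match the real deployment.

```yaml
# Added example, not the project's own manifests. Labels, registry and
# signing identity are placeholders.

# 1. Pod Security Standards enforced at namespace level: the admission
#    controller rejects pods that do not meet the "restricted" profile.
apiVersion: v1
kind: Namespace
metadata:
  name: inferadb
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# 2. Default deny: an empty ingress/egress rule selects every endpoint in
#    the namespace and allows nothing, so all traffic must be whitelisted.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny
  namespace: inferadb
spec:
  endpointSelector: {}
  ingress:
    - {}
  egress:
    - {}
---
# 2b. Explicit allow: only control-plane pods may reach the engine on 8080,
#     and the engine may resolve names via CoreDNS (assumed kube-dns labels).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: engine-ingress
  namespace: inferadb
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: inferadb-engine   # assumed label
  ingress:
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: inferadb-control   # assumed label
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
  egress:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
---
# 3. Image signing: Kyverno blocks pods in the namespace whose images are
#    not signed by the expected CI identity (keyless Sigstore verification).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-inferadb-images
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: check-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - inferadb
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/inferadb-*"   # placeholder registry path
          attestors:
            - entries:
                - keyless:
                    # placeholder identity of the release workflow
                    subject: "https://github.com/example-org/inferadb/.github/workflows/release.yaml@refs/tags/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
          mutateDigest: true   # pin the verified image to its digest
          required: true
```

Ordering matters for the network policies: apply the default-deny and the allow rules together (for example from the same Flux Kustomization) so that the namespace is never left with the deny baseline and no allow path.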
Enable git hooks:

```bash
git config core.hooksPath .githooks
```

Required tools (via `.mise.toml` or manual install):

- `terraform`: formatting
- `yamllint`: YAML linting (`pip install yamllint`)
- `shellcheck`: shell linting
All changes require PR review. CI runs on push/PR:
- Terraform: Format and validate checks
- Kubernetes: YAML lint and Kustomize build validation
- Security: Trivy, Checkov, and KICS scans
Join us on Discord for questions, discussions, and contributions.
Dual-licensed under MIT or Apache 2.0.
