Opplet Master Architecture: Infrastructure Constitution (v7.7)
Document Status: RATIFIED (Kitchen Migration & Dwelling Analogy Update)
Classification: INTERNAL // COMMAND EYES ONLY
Effective Date: 2026-03-11
Preamble: The Doctrine of Sovereign Computation
We, the People of Opplet, in order to secure our digital sovereignty, ensure the integrity of our data, and cultivate a meritocratic forge for talent, do ordain and establish this Infrastructure Constitution.
This enclave exists to enforce a separation of powers between The Sovereign (who owns the infrastructure) and The Talent (who utilizes it). We reject the fragility of monolithic chaos and the tyranny of third-party dependence.
Our Four Pillars of Operation:
- Identity is Sovereign: Control of the root credential is the only true ownership. We delegate access, never authority.
- Code is Law: Policy is not written in memos; it is enforced by firewalls, pipelines, and automation.
- Automation is the Manager: Human intervention is a failure of design. The machine must govern the routine; the human governs the exception.
- Observation is Truth: Trust is a vulnerability. We do not trust; we verify through logs, metrics, and immutable audit trails.
Therefore, let this document serve as the supreme law for all hardware, software, and network protocols within the Opplet, KenyaX, and WiseNxt domains. Any configuration found in violation of these articles is null and void.
1. The Hemispheric Strategy (Physical Topology)
The enclave is strictly partitioned into three physical nodes to isolate high-risk “Talent” workloads from the “Sovereign” control plane.
- The Citadel (Sovereign Core): High-Availability, Low-Power, Sovereign.
  - Role: The Brain. Identity (Alpha), Internal Automation, Capital Preservation, Observability.
- The Gateway (Delivery Edge): High-Performance, High-Bandwidth.
  - Role: The Forge & Front Door. Source Code, Talent Lifecycle, CI/CD Compilation, Public Traffic Proxies.
- The Range (Live Fire Sandbox): High-Density, Volatile.
  - Role: The Muscle. Physically isolated sandbox existing strictly for exploitation and target practice.
2. Infrastructure Zoning Strategy
| Zone | Designation | Identity Provider | Hardware Location | Risk Profile |
|---|---|---|---|---|
| Zone 0 | The Basement | LDAP-Alpha | The Citadel | Critical |
| Zone 1 | Bunker | Admin Only | The Citadel | Sovereign |
| Zone 2 | The Desk | LDAP-Alpha | The Citadel | High |
| Zone 3 | Kitchen (Core) | LDAP-Beta | The Gateway | Medium |
| Zone 3 | Kitchen (Runners) | CI Tokens | The Gateway | Medium |
| Zone 4 | Arena | Mixed (OIDC) | The Gateway | Low |
| Zone 5 | The Range | LDAP-Beta | The Range | Extreme |
The Alpha-Override Rule: Zone 4/5 apps use LDAP-Beta for talents but MUST map Administrative privileges to LDAP-Alpha to prevent Sovereign lockout during a “Talent Wipe.”
3. Hardware Allocation (The Metal)
The Citadel: The Command Post (Zones 0 - 2)
- Nodes: 3x Xeon E3-1275v5 (64 GB RAM).
- Storage: Local ZFS Replication (15m Interval).
- Mission: Run the “Sovereign Core” without public resource contention.
| Component | Role | Zone | RAM |
|---|---|---|---|
| Authentik | Gatekeeper. OIDC/SAML Hub. | 0 | 4 GB |
| LDAP-Alpha | Identity A. Sovereign Directory. | 0 | 2 GB |
| Watchtower | Wazuh / Loki / Grafana / Matomo. | 0 | 8 GB |
| n8n-Alpha | The Butler. Internal Ops. | 1 | 4 GB |
| Bunker | Nextcloud / Vaultwarden. Private Data. | 1 | 8 GB |
| ERPNext | The Bursar. Finance/Inventory. | 2 | 16 GB |
The Gateway: The Delivery Edge (Zones 3 - 4)
- Node: 1x AMD Ryzen 9 7950X3D (AX102-U Target), 128 GB DDR5 ECC RAM.
- Storage: 2x 1.92 TB Gen4 Datacenter NVMe SSDs (Local ZFS Mirror).
- Mission: Handle heavy I/O, CI/CD compilation, source code management, and proxy all public/talent web traffic.
| Component | Role | Zone | RAM |
|---|---|---|---|
| GitLab Core | The Factory. Source Code & Registry. | 3 | 24 GB |
| LDAP-Beta | Identity B. Talent Directory. | 3 | 4 GB |
| Build Farm | Runners. CI/CD Compilers. | 3 | 40 GB |
| Moodle | Ledger. Talent Database & Web UI. | 4 | 16 GB |
| Arena Comms | Jitsi / Discourse / HumHub. | 4 | 32 GB |
| Traefik/Proxies | Ingress, Auth Outpost, Guacamole. | 4 | 12 GB |
The Range: The Live Fire Sandbox (Zone 5)
- Node: 1x AMD Ryzen 9 3900 (Auction) or similar, 128 GB DDR4 ECC RAM.
- Storage: 2x 1+ TB U.2 Datacenter NVMe SSDs (Local ZFS Mirror).
- Mission: Host defensible VMs and vulnerable targets in a physically air-gapped environment.
| Component | Role | Zone | RAM |
|---|---|---|---|
| Range Targets | Defensible VMs & Payloads. | 5 | 120 GB |
| Telemetry | Local Wazuh Forwarders. | 5 | 8 GB |
4. Software Matrix (The Weapons Locker)
A. The Sovereign Core (The Citadel)
| App | Product Role | Zone | Tech | Identity Source |
|---|---|---|---|---|
| OpenLDAP-A | Identity Provider (Root) | 0 | Native | Self (Alpha Root) |
| WireGuard | Secure Sovereign Tunnel | 0 | Kernel | Key Pairs |
| Wazuh | SIEM / Security Monitoring | 0 | C++ | Local Admin |
| Matomo | Privacy-First Analytics | 0 | PHP | Local Admin |
| Grafana | Observability Dashboards | 0 | Go | LDAP-Alpha |
| n8n-Alpha | The Butler (Sovereign Automation) | 1 | Node | LDAP-Alpha |
| BookStack-A | The Grimoire (Private SOPs) | 1 | PHP | LDAP-Alpha |
| Bunker | Credential & Private File Storage | 1 | Mixed | Local Admin |
| ERPNext | The Bursar (Finance/Inventory) | 2 | Python | LDAP-Alpha |
B. The Factory & Edge (The Gateway & The Range)
| App | Product Role | Hardware | Zone | Identity Source |
|---|---|---|---|---|
| GitLab CE | The Forge (Opplet/KenyaX/WiseNxt) | Gateway | 3 | Mixed (Alpha/Beta) |
| OpenLDAP-B | Talent Identity (Directory B) | Gateway | 3 | Self (Beta Root) |
| GitLab Runner | CI/CD Compiler (The Muscle) | Gateway | 3 | Reg. Token |
| Moodle | WiseNxt (Talent Ledger & LMS) | Gateway | 4 | LDAP-Beta |
| Jitsi/Discourse | Arena Comms (Community & Training) | Gateway | 4 | Authentik (OIDC) |
| Traefik | The Gatekeeper (Public Ingress) | Gateway | 4 | Local Config |
| Guacamole | The Air-Lock (Remote Access Proxy) | Gateway | 4 | Authentik (OIDC) |
| BookStack-B | The Common Library (Public Docs) | Gateway | 4 | LDAP-Beta |
| Target VMs | Exploitation Targets (Training) | Range | 5 | Local Accounts |
C. Infrastructure OS & Dependencies
- Hypervisor: Proxmox VE (Debian) across all nodes.
- Edge Router: OPNsense (Hardened BSD) virtualized on The Citadel.
- Storage: OpenZFS (Strictly local to each node).
- SMTP Relay: Mailgun / SES for trusted outbound email.
- Watchdog: Uptime Kuma on an external micro-VPS, monitoring uptime from outside the enclave.
5. The CMS/Static Triad (Public Fronts)
Hosted on The Gateway (Zone 4) behind Traefik.
- Opplet.com: Hugo (Static). Commercial / Infrastructure Brand.
- KenyaX.com: Grav (Flat-File). Logistics & Impact.
- WiseNxt.com: MkDocs (Static). Recruitment & Training.
6. Network Protocol (The Sovereign Gap)
A. The Janitor Rule (Traffic Flow)
- The Citadel $\rightarrow$ Gateway/Range: ALLOWED. (Telemetry Pull, Admin Management).
- Gateway/Range $\rightarrow$ The Citadel: DENIED.
  - Exception 1: OIDC calls to Authentik (HTTPS 443).
  - Exception 2: n8n-Alpha triggers (Encrypted Internal Webhooks via X-Internal-Token).
  - Exception 3: The Backup Bridge. The Gateway pushes state to PBS (Zone 1).
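The Janitor Rule is a default-deny policy with three narrow exceptions, which makes it a good candidate for policy-as-code that can be unit-tested before it is pushed to the firewall. The block below is an added example, not Opplet's OPNsense rule set: node names, the three exceptions, port 443 and the X-Internal-Token header come from this document, while the Flow structure, the service labels and the PBS port 8007 (the Proxmox Backup Server default) are assumptions made for the example. It also encodes the Talent Proxy path of section 6C (Gateway to Range for VNC/SSH).

```python
"""Policy-as-code model of the Janitor Rule (section 6A).

Added illustration, not Opplet's OPNsense configuration. Node names, the three
exceptions, port 443 and the X-Internal-Token header come from the document;
the Flow structure, the service labels and PBS_PORT are assumptions.
"""
from dataclasses import dataclass, field

CITADEL, GATEWAY, RANGE = "citadel", "gateway", "range"
PBS_PORT = 8007  # assumed: Proxmox Backup Server default API port


@dataclass
class Flow:
    src: str                                     # originating node
    dst: str                                     # destination node
    dst_port: int
    service: str                                 # "oidc", "webhook", "pbs", "vnc", "ssh", ...
    headers: dict = field(default_factory=dict)  # HTTP headers, used by exception 2


def is_oidc_to_authentik(flow):
    """Exception 1: OIDC calls to Authentik, HTTPS 443 only."""
    return flow.service == "oidc" and flow.dst_port == 443


def is_tokened_webhook(flow):
    """Exception 2: n8n-Alpha triggers must carry a non-empty X-Internal-Token.

    A layer-3 firewall cannot see headers; this models the auth outpost or
    reverse proxy in front of n8n-Alpha that rejects untokened calls.
    """
    return flow.service == "webhook" and bool(flow.headers.get("X-Internal-Token", ""))


def is_backup_bridge(flow):
    """Exception 3: only The Gateway (never The Range) pushes state to PBS in Zone 1."""
    return flow.service == "pbs" and flow.src == GATEWAY and flow.dst_port == PBS_PORT


EXCEPTIONS = [
    ("exception 1: OIDC to Authentik (443)", is_oidc_to_authentik),
    ("exception 2: tokened n8n-Alpha webhook", is_tokened_webhook),
    ("exception 3: Backup Bridge to PBS", is_backup_bridge),
]


def evaluate(flow):
    """Return (verdict, reason) for one flow under the Janitor Rule."""
    if flow.src == CITADEL and flow.dst in (GATEWAY, RANGE):
        return "ALLOW", "Citadel -> Gateway/Range (telemetry pull, admin management)"
    if flow.src in (GATEWAY, RANGE) and flow.dst == CITADEL:
        for name, matches in EXCEPTIONS:
            if matches(flow):
                return "ALLOW", name
        return "DENY", "Janitor Rule: Gateway/Range -> Citadel is denied by default"
    if flow.src == GATEWAY and flow.dst == RANGE and flow.service in ("vnc", "ssh"):
        return "ALLOW", "Talent Proxy: Guacamole on The Gateway -> The Range"
    return "DENY", "no rule matches; default deny"


def audit(flows):
    """Evaluate a batch of flows and return only the denied ones for review."""
    return [(f, reason) for f in flows for verdict, reason in [evaluate(f)] if verdict == "DENY"]


if __name__ == "__main__":
    # Constructed sample flows, one per rule and a few that should be blocked
    sample = [
        Flow(GATEWAY, CITADEL, 443, "oidc"),
        Flow(RANGE, CITADEL, 8443, "oidc"),                  # wrong port: denied
        Flow(GATEWAY, CITADEL, 443, "webhook"),               # no token: denied
        Flow(GATEWAY, CITADEL, 443, "webhook", {"X-Internal-Token": "secret"}),
        Flow(RANGE, CITADEL, PBS_PORT, "pbs"),                # Range may not push backups
        Flow(GATEWAY, CITADEL, PBS_PORT, "pbs"),
        Flow(CITADEL, RANGE, 22, "ssh"),
    ]
    for flow in sample:
        print(evaluate(flow), flow)
    print("denied:", len(audit(sample)))
```

Running a candidate flow list through `audit` before a firewall change gives a quick regression check that no exception has silently widened (for example, a webhook path that stops requiring the token).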
B. The Storage Isolation Mandate
Distributed storage protocols (including Ceph, GlusterFS, vSAN) are EXPLICITLY BANNED from spanning across physical nodes. Storage must remain strictly local (ZFS) to each hypervisor to preserve NVMe IOPS capabilities and enforce the Sovereign Gap. State transfer shall occur exclusively via the encrypted Backup Bridge.
C. The Talent Proxy
- Direct Access: Talents log into access.wisenxt.com (Zone 4) on The Gateway.
- Isolation: Apache Guacamole on The Gateway proxies the VNC/SSH connection directly to The Range via Hetzner’s vSwitch. The talent’s local hardware never touches the execution network layer.
D. The Backup Bridge
The Gateway pushes “State” (GitLab Artifacts, Moodle DB) to The Citadel nightly via Proxmox Backup Server.
- Security: This is a “Drop-Only” permission. The Gateway cannot read or delete existing backups on The Citadel.
7. The Kill Switch Matrix
| Level | Trigger | Action | Mechanism |
|---|---|---|---|
| L1 | Moodle Inactivity | Suspend User | n8n-Alpha locks LDAP-Beta account. |
| L2 | Range Breach | Isolate Zone 5 | OPNsense cuts VLAN 5 WAN access. |
| L3 | Gateway Compromise | Physical Sever | OPNsense on The Citadel disables the uplink port to The Gateway. |
8. The Intelligence Layer (Observability & Meritocracy)
A. The Split-Brain Protocol
- Sovereign Data: (Internal ops) Stays on The Citadel ZFS. No offsite transit except via encrypted PBS.
- Liability Data: (Talent logs) Wazuh agents on The Range and Gateway forward immutable telemetry over the Janitor Rule exception directly to Watchtower (Zone 0) for non-repudiation.
B. The Meritocracy Loop
- Event: Talent passes quiz in Moodle (The Gateway).
- Signal: Moodle sends webhook to n8n-Alpha (The Citadel).
- Action: n8n-Alpha connects to LDAP-Beta (The Gateway) and promotes user to “Associate.”
- Result: User instantly gains access to GitLab Writers Group.
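The Meritocracy Loop, the Alpha-Override Rule of section 2 and the L1 kill switch of section 7 all act on the same pair of directories, so one model covers them. The block below is an added example, not n8n-Alpha's workflow or Opplet's LDAP schema: the two directories are in-memory dicts constructed here to stand in for LDAP-Alpha and LDAP-Beta, and the shared secret, the JSON event shape, the 90-day idle limit and the group names ("sovereign-admins", "associate", "gitlab-writers") are assumptions. It shows why admin rights resolved only through Alpha survive a Talent Wipe, validates the X-Internal-Token on the Moodle webhook before touching the directory, and writes the promotion to Beta only.

```python
"""Model of the Alpha-Override Rule (section 2), the L1 kill switch (section 7)
and the Meritocracy Loop (section 8B).

Added example, not n8n-Alpha's workflow or Opplet's LDAP schema. LDAP_ALPHA and
LDAP_BETA are constructed in-memory stand-ins; the token, event shape, idle
limit and group names are assumptions.
"""
import hmac
import json
from datetime import datetime, timedelta, timezone

INTERNAL_TOKEN = "replace-with-shared-secret"  # assumed shared secret for X-Internal-Token
REFERENCE_NOW = datetime(2026, 3, 11, tzinfo=timezone.utc)  # sample clock: the effective date

# Constructed sample directories. Alpha holds the Sovereign; Beta holds Talent.
LDAP_ALPHA = {"owner": {"groups": {"sovereign-admins"}}}
LDAP_BETA = {
    "jane": {"groups": {"talent"}, "status": "active",
             "last_login": datetime(2026, 3, 1, tzinfo=timezone.utc)},
    "bob": {"groups": {"talent"}, "status": "active",
            "last_login": datetime(2025, 11, 1, tzinfo=timezone.utc)},
}

# Beta group -> GitLab group (section 8B: Associates join the Writers group)
GITLAB_GROUPS = {"associate": "gitlab-writers"}


def resolve_role(username):
    """Alpha-Override: admin rights come only from LDAP-Alpha; Beta grants talent roles.

    Because the admin mapping never consults Beta, wiping Beta cannot lock the Sovereign out.
    """
    alpha = LDAP_ALPHA.get(username)
    if alpha and "sovereign-admins" in alpha["groups"]:
        return "admin"
    beta = LDAP_BETA.get(username)
    if beta and beta["status"] == "active":
        return "associate" if "associate" in beta["groups"] else "talent"
    return None


def talent_wipe():
    """Clear LDAP-Beta entirely; admins resolved via Alpha must survive this."""
    LDAP_BETA.clear()


def verify_internal_token(headers):
    """Janitor Rule exception 2: constant-time comparison of X-Internal-Token."""
    presented = headers.get("X-Internal-Token", "")
    return hmac.compare_digest(presented.encode(), INTERNAL_TOKEN.encode())


def handle_moodle_webhook(headers, raw_body):
    """n8n-Alpha side of the Meritocracy Loop: validate first, then promote in LDAP-Beta."""
    if not verify_internal_token(headers):
        return {"status": "rejected", "reason": "bad X-Internal-Token"}
    try:
        event = json.loads(raw_body)
    except json.JSONDecodeError:
        return {"status": "rejected", "reason": "malformed body"}
    if event.get("event") != "quiz_passed":
        return {"status": "ignored", "reason": "unhandled event %r" % event.get("event")}
    user = event.get("user")
    entry = LDAP_BETA.get(user)
    if entry is None or entry["status"] != "active":
        return {"status": "rejected", "reason": "no active Beta account for %r" % user}
    entry["groups"].add("associate")  # promotion is written to Beta, never to Alpha
    granted = sorted(GITLAB_GROUPS[g] for g in entry["groups"] if g in GITLAB_GROUPS)
    return {"status": "promoted", "user": user, "gitlab_groups": granted}


def suspend_inactive(now, max_idle=timedelta(days=90)):
    """Kill switch L1: lock Beta accounts idle longer than max_idle; return who was locked."""
    locked = []
    for user, entry in LDAP_BETA.items():
        if entry["status"] == "active" and now - entry["last_login"] > max_idle:
            entry["status"] = "locked"
            locked.append(user)
    return sorted(locked)


if __name__ == "__main__":
    body = json.dumps({"event": "quiz_passed", "user": "jane"})
    print(handle_moodle_webhook({"X-Internal-Token": INTERNAL_TOKEN}, body))
    print("locked by L1:", suspend_inactive(REFERENCE_NOW))
    talent_wipe()
    print("after Talent Wipe:", resolve_role("owner"), resolve_role("jane"))
```

The order inside `handle_moodle_webhook` matters: the token check runs before the body is parsed, so an untokened caller never reaches the directory, and a locked account cannot be promoted back into GitLab by replaying an old quiz event.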
C. The External Pulse
- Uptime Kuma (VPS): Pings the Gateway and Citadel public IPs every 60 seconds.
- Dead Man’s Switch: If The Citadel goes dark, Uptime Kuma sends a high-priority Pushover notification to the Owner via 5G/LTE.
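The decision behind the Dead Man's Switch is a staleness check over the heartbeat record with an escalation when the control plane itself is the node that went dark. The block below is an added example, not Uptime Kuma's code (Uptime Kuma performs the 60-second pings and the Pushover call itself); it shows the logic a standalone watchdog on the micro-VPS would apply. The hostnames, timestamps and the three-missed-pings tolerance are constructed, and the Pushover priority numbers (1 high, 0 normal) are assumed from that service's documented scale.

```python
"""Dead Man's Switch logic of the External Pulse (section 8C).

Added example, not Uptime Kuma's code. The 60 s interval and the Citadel
escalation come from the document; MISSED_BEFORE_DARK, the hostnames and the
timestamps are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

PING_INTERVAL = timedelta(seconds=60)   # from the document: ping every 60 seconds
MISSED_BEFORE_DARK = 3                  # assumed tolerance before a node is declared dark
PUSHOVER_HIGH, PUSHOVER_NORMAL = 1, 0   # assumed: Pushover's documented priority levels

# Constructed heartbeat record: last successful ping per public endpoint
LAST_SEEN = {
    "citadel": datetime(2026, 3, 11, 8, 0, 0, tzinfo=timezone.utc),
    "gateway": datetime(2026, 3, 11, 8, 4, 30, tzinfo=timezone.utc),
}


def dark_nodes(last_seen, now):
    """Nodes whose last heartbeat is older than the tolerated number of missed pings."""
    threshold = PING_INTERVAL * MISSED_BEFORE_DARK
    return sorted(name for name, seen in last_seen.items() if now - seen > threshold)


def pulse_decision(last_seen, now):
    """Return (pushover_priority, message), or None when every node is healthy.

    The Citadel going dark means the control plane and LDAP-Alpha are unreachable,
    so it always escalates to high priority regardless of the other nodes.
    """
    dark = dark_nodes(last_seen, now)
    if not dark:
        return None
    if "citadel" in dark:
        since = last_seen["citadel"].isoformat()
        return PUSHOVER_HIGH, "Dead Man's Switch: The Citadel dark since %s (dark: %s)" % (since, ", ".join(dark))
    return PUSHOVER_NORMAL, "External Pulse: nodes dark: %s" % ", ".join(dark)


if __name__ == "__main__":
    for clock in (datetime(2026, 3, 11, 8, 2, 0, tzinfo=timezone.utc),
                  datetime(2026, 3, 11, 8, 5, 0, tzinfo=timezone.utc)):
        print(clock.isoformat(), "->", pulse_decision(LAST_SEEN, clock))
```

A tolerance of a few missed intervals avoids paging the Owner on a single dropped ICMP reply; the Citadel branch is kept separate so that a Gateway-only outage is reported at a lower priority than loss of the Sovereign core.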
9. Documentation Structure
With GitLab migrating to the Gateway, the physical location of documentation is split to enforce the Sovereign Gap.
- GitLab (The Gateway): Technical Source of Truth (Infrastructure as Code, CI/CD pipelines, Opplet/KenyaX source code).
- BookStack-Alpha (The Citadel): The Sovereign’s Grimoire (Owner’s private SOPs, architecture blueprints, disaster recovery keys).
- BookStack-Beta (The Gateway): The Common Library (Public knowledge base, community guides, and Talent onboarding instructions).