Wiki Index
Read this file first when navigating the wiki.
Core
- homepage - Public-facing entry point and orientation page for the rendered wiki.
- overview - Top-level purpose, scope, and current shape of the wiki.
- log - Append-only history of ingests, durable queries, lint passes, and structural changes.
Sources
- sources/blog-zero-credentials-on-disk - TazPod migration toward AWS SSO and S3-backed encrypted vault recovery.
- sources/blog-tailscale-secure-backbone - Tailscale as declarative network backbone managed in `ephemeral-castle`.
- sources/blog-lushycorp-vault-security-architecture - Design-first rationale for the Hetzner Vault runtime security model.
- sources/blog-terraforming-the-cloud-vault-hetzner - Execution chronicle for the Hetzner Vault local lifecycle and remote durability runtime.
- sources/blog-recursive-memory-compact-context - Explanation of the recursive `memory` layer and why it was added after contexts.
- sources/research-proxmox-and-talos-iac - Proxmox, Talos, and Terraform provisioning research.
- sources/research-tailscale-and-networking - Tailscale, Talos networking, VIP, and MetalLB research.
- sources/research-talos-storage-and-persistence - Longhorn, Talos storage, and Kubernetes persistence research.
- sources/research-kubernetes-core-models - Kubernetes controllers and storage primitive research.
- sources/research-kubernetes-secrets-and-sops - Talos security, Vault, Infisical, and SOPS research.
- sources/research-terminal-tooling - Operator terminal productivity stack research.
Entities
- entities/agents-ctx - Governance repository for contexts, active memory, and cross-project agent rules.
- entities/tazpod - Operator environment layer hub.
- entities/ephemeral-castle - Provider-specific infrastructure layer hub.
- entities/tazlab-k8s - Provider-agnostic Flux GitOps desired-state layer hub.
- entities/mnemosyne-mcp-server - Semantic memory service hub.
- entities/blog-src - Hugo blog source.
- entities/wiki-tazlab-net - Wiki repository hub.
- entities/hermes - Hermes Agent LXC deployment hub.
- entities/hashicorp-vault - Vault secret-management platform, Hetzner runtime, cluster integration status.
Concepts
- concepts/tazlab-knowledge-layers - Roles of `memory`, `mnemosyne`, and `wiki.tazlab.net`.
- concepts/zero-trust-architecture — Security model across all TazLab layers.
- concepts/nomadic-operator — Portable operator identity across environments.
Topics
Knowledge Systems (mnemosyne-mcp-server)
- topics/mnemosyne-architecture — Architecture, component map, data flow, design decisions.
- topics/mnemosyne-mcp-tools — 5 MCP tools: ingest, retrieve, get, list, delete.
- topics/mnemosyne-embedding-model — Gemini embedding integration and TD-002 dimension mismatch.
- topics/mnemosyne-async-ingestion — Background worker pool, dedup, silent failure risks.
- topics/mnemosyne-database-schema — PostgreSQL `memories` table, pgvector, dimension auto-detection.
Context Governance (AGENTS.ctx)
- topics/agents-ctx-context-system — Context registry, load order, priorities, rule inheritance.
- topics/agents-ctx-memory-system — Chronicle, system-state, debts, reports, archive cycle.
- topics/agents-ctx-crisp-methodology — C-R-I-S-P phases, project hierarchy, split rules.
- topics/agents-ctx-pi-council — Roles, rounds, orchestration.
- topics/agents-ctx-wiki-archivist — Fractal wiki, survey workflow, depth model.
TazLab Ecosystem
- topics/tazlab-system-map - High-level system map.
- topics/tazlab-repository-map - Boundaries and relationships across repositories.
- topics/tazlab-operating-model - How repositories fit together in daily work.
- topics/tazlab-cluster-delivery-flow - Bootstrap to GitOps handoff.
- topics/tazlab-secret-and-identity-flow - Secret-management strategy.
- topics/tazlab-crisp-program-map - Map of the main CRISP workstreams.
- topics/tazlab-infrastructure-tech-stack - Technology reference stack.
GitOps & Cluster (tazlab-k8s)
- topics/tazlab-k8s-flux-dag - Flux dependency graph (DAG) and synchronization logic.
- topics/tazlab-k8s-repository-mapping - Directory structure, file types, and variable substitution.
- topics/tazlab-k8s-operators-inventory - List and roles of all cluster controllers.
- topics/tazlab-k8s-bootstrap-logic - Cluster cold-start handling and wait-for-db pattern.
- topics/tazlab-k8s-conventions - Coding standards, naming, and manifest purity.
- topics/tazlab-k8s-structure - Kustomize layering pattern (apps/base vs apps/cluster).
- topics/tazlab-k8s-image-automation - Flux image update policy and setter markers.
- topics/tazlab-k8s-secrets-mapping - ExternalSecret mapping to external providers.
- topics/tazlab-k8s-ingress-and-auth - Traefik stack and ForwardAuth with Dex/OAuth2Proxy.
- topics/tazlab-k8s-monitoring - Grafana and Prometheus observability.
- topics/tazlab-k8s-layers - Functional split of cluster resources.
Tailscale Networking
- topics/tailscale-iac-management — Terraform provider, ACL as code, OAuth client model.
- topics/tailscale-operator-connectivity — Userspace daemon (deprecated) and hostnet+TUN mode, auth key minting, socket auto-detection.
- topics/tailscale-service-exposure — Ingress and LoadBalancer via Tailscale Operator, replacing MetalLB and public Traefik.
- topics/tailscale-cluster-integration — Talos System Extension, raw IP vs DNS gap.
- topics/tailscale-vault-contract — Vault MagicDNS convergence, custom alias debt.
Infrastructure (ephemeral-castle)
- topics/ephemeral-castle-architecture - Philosophy and Terragrunt structure.
- topics/ephemeral-castle-terragrunt-layers - The 6 sequential/parallel layers.
- topics/ephemeral-castle-rebirth-protocol - Create/Destroy lifecycle.
- topics/ephemeral-castle-vault-runtime-architecture - Hetzner Vault unseal and storage details.
- topics/ephemeral-castle-vault-bootstrap-and-restore - State classification and restore flow.
- topics/ephemeral-castle-tailnet-security - Tags, ACLs, and OAuth bootstrap.
- topics/ephemeral-castle-tailscale-bridge - Talos node integration into mesh.
Blog & Publishing (blog-src)
- topics/blog-publication-pipeline — Multi-step chain: Git → GitHub Action → Docker → Flux → cluster.
- topics/blog-content-structure — Article organization, front matter, bilingual model.
- topics/blog-comments-system — Cusdis Cloud integration, bilingual threads.
- topics/blog-theme-management — Blowfish versioning, pinning, overrides.
Operator Tooling (tazpod)
- topics/tazpod-image-hierarchy - Docker layering and build policy.
- topics/tazpod-vault-security - RAM enclave, AES encryption, and AWS bridging.
- topics/tazpod-nomadic-workflow - Smart recovery path, local bootstrap, and host-to-host restoration via S3 and Vault.
- topics/tazpod-provisioning-and-dotfiles - Bashrc logic, persistence symlinks, and auto-init.
- topics/tazpod-sync-daemon - Background save/push mechanics.
AI Agent Services (hermes)
- topics/hermes-lxc-deployment — Bare-metal Hermes Agent in hardened Proxmox LXC, managed volume + backup/restore cycle.
Details
- details/mnemosyne-mcp-debts-detail — Known issues, code gaps, and technical debt for the semantic memory service (TD-002 and related findings).
- details/mnemosyne-ingest-memory-detail — Step-by-step ingestion pipeline: MCP handler, async worker, dedup, embed, DB insert.
- details/mnemosyne-retrieve-memories-detail — Semantic search flow: query embedding, cosine similarity, temporal filter gap.
- details/mnemosyne-deployment-detail — Docker build, GitHub Actions, env vars, Flux automation, cluster manifests.
- details/mnemosyne-python-tools-detail — chronicler.py and gather_sessions.py session archiving tools.
- details/tazlab-k8s-flux-kustomizations-detail — All 12 Flux Kustomizations with exact spec, dependencies, and health checks.
- details/tazlab-k8s-image-automation-detail — 4 image automation pipelines with tag patterns and commit strategy.
- details/tazlab-k8s-cert-manager-detail — Certificate lifecycle, ClusterIssuers, DNS01 integration.
- details/tazlab-k8s-traefik-detail — Edge routing, LoadBalancer, middlewares, ingress.
- details/tazlab-k8s-external-secrets-detail — ESO ClusterSecretStore and all ExternalSecret manifests.
- details/tazlab-k8s-tazlab-db-detail — PostgreSQL cluster, databases, users, S3 backup.
- details/tazlab-k8s-dex-oauth2-detail — Dex OIDC, OAuth2 Proxy, ForwardAuth flow.
- details/tazlab-k8s-hugo-blog-detail — Blog deployment, ingress redirects, image automation.
- details/tazlab-k8s-hugo-wiki-detail — Wiki deployment, TLS, image automation.
- details/tazlab-k8s-monitoring-detail — Prometheus, Grafana, dashboards as code.
- details/tazpod-smart-entry-detail — No-args guided flow through container, vault, and shell.
- details/tazpod-vault-lifecycle-detail — Unlock, lock, save, push, pull step-by-step.
- details/tazpod-sync-daemon-detail — Background 5-min save/push cycle with SIGTERM handling.
- details/tazpod-container-lifecycle-detail — Docker create, start, stop, remove with exact flags.
- details/tazpod-dotfiles-detail — bashrc, tmux, starship, OpenCode auto-seeding.
- details/tazpod-config-detail — `.tazpod/config.yaml` fields and struct definitions.
- details/tazpod-crypto-detail — AES-256-GCM encryption, PBKDF2, output format.
- details/tazpod-s3-detail — S3 client for vault persistence, lineage concept.
- details/tazpod-ci-detail — Conditional CI pipeline per Docker layer.
- details/tazpod-code-structure-detail — Package tree, file-by-file function inventory, call chains, cross-file dependencies.
- details/tailscale-terraform-root-detail — `tailscale/` module resources and variables.
- details/tailscale-acl-policy-detail — Tag ownership, ACL rules, SSH access.
- details/tailscale-oauth-client-detail — OAuth client flow, key minting, lifecycle.
- details/tailscale-talos-bridge-detail — System Extension, AuthKey injection, connectivity.
- details/tailscale-magicdns-detail — Naming contracts, custom alias pitfalls.
- details/ephemeral-castle-create-destroy-detail — 6-stage Hetzner Vault pipeline and destroy process.
- details/ephemeral-castle-ansible-vault-detail — Classification, PKI, bootstrap, restore orchestration.
- details/ephemeral-castle-terraform-modules-detail — 6 reusable Terraform modules for cluster provisioning.
- details/ephemeral-castle-terragrunt-layers-detail — Dependency chain, env.hcl variables, secret injection.
- details/ephemeral-castle-vault-ansible-scripts-detail — 4 shell scripts: bootstrap, unseal, backup, restore.
- details/ephemeral-castle-vault-systemd-detail — 5 systemd units, Quadlet issue (TD-016).
- details/ephemeral-castle-golden-image-detail — Builder pipeline, v1-v4 history.
- details/ephemeral-castle-proxmox-cluster-detail — Create/destroy/nuclear-wipe scripts.
- details/agents-ctx-archive-flow-detail — Archive script and regeneration phases.
- details/agents-ctx-crisp-workflow-detail — Project lifecycle, split integrity, registry updates.
- details/agents-ctx-memory-files-detail — Roles of chronicle, system-state, debts, past-summary.
- details/blog-post-workflow-detail — Writing flow, translation rules, image processing.
- details/blog-hugo-config-detail — Site, language, theme configuration reference.
- details/blog-ci-detail — GitHub Actions build pipeline, tags, delivery chain.
References
- references/tazlab-k8s/flux-kustomization-example — Annotated Kustomization YAML with field explanations.
- references/tazlab-k8s/image-policy-example — ImageRepository + ImagePolicy + ImageUpdateAutomation example.
- references/tazlab-k8s/external-secret-example — ExternalSecret variants: simple, TLS template, S3 template.
- references/tazlab-k8s/kustomize-layering — Base vs cluster overlay pattern explanation.
- references/tazpod/config-yaml-example — Annotated `.tazpod/config.yaml`.
- references/tazpod/dockerfile-base — TazPod base image with dev tools and shell tools.
- references/tazpod/dockerfile-aws — AWS CLI v2 layer.
- references/tazpod/dockerfile-k8s — Kubernetes tools layer with exact versions.
- references/tazpod/dockerfile-ai — AI coding agents layer.
- references/tazpod/bashrc-full — Annotated `.bashrc` with persistence symlinks.
- references/tazpod/taskfile-yml — Build tasks reference.
- references/tailscale/acl-json — Current Tailscale ACL policy.
- references/tailscale/terraform-main-tf — Terraform root module for tailscale.
- references/tailscale/start-sh — Operator-side daemon start script.
- references/ephemeral-castle/vault-hcl-template — Annotated Vault HCL configuration template.
- references/ephemeral-castle/create-sh-stages — Stage-by-stage breakdown with failure modes.
- references/ephemeral-castle/ansible-inventory — Generated inventory format.
- references/ephemeral-castle/env-hcl — Cluster variables reference.
- references/ephemeral-castle/vault-certs-fetch — PKI fetch-back from VM to controller.
Analyses
- analyses/ephemeral-castle-topology-drift - Notes the current 1 CP + 1 worker code truth versus older 2-worker prose.
Operations
- operations/tazlab-flux-dag-troubleshooting - Flux runbook.
- operations/ephemeral-castle-commands - Infrastructure cheat sheet.
- operations/tazpod-cli-reference - TazPod command guide.
Contexts
- contexts/INDEX — Library of pre-built operational contexts for common tasks and projects.