Initial commit: Velocity-OS migration

infrastructure/k3s/ingress/caddyfile-base.conf

@@ -0,0 +1,64 @@
+{
+	email admin@desineuron.in
+	log {
+		output file /var/log/caddy/admin.log
+		format json
+	}
+}
+
+office.desineuron.in, git.desineuron.in, cloud.desineuron.in, projects.desineuron.in, talk.desineuron.in, vpn.desineuron.in {
+	tls /etc/caddy/tls/fullchain.pem /etc/caddy/tls/privkey.pem
+
+	log {
+		output file /var/log/caddy/access.log
+		format json
+	}
+
+	reverse_proxy https://127.0.0.1:8443 {
+		header_up Host {host}
+		header_up X-Forwarded-Host {host}
+		header_up X-Forwarded-Proto {scheme}
+		header_up X-Forwarded-For {remote_host}
+		transport http {
+			tls_insecure_skip_verify
+		}
+	}
+}
+
+velocity.desineuron.in {
+	log {
+		output file /var/log/caddy/access.log
+		format json
+	}
+
+	import /etc/caddy/managed/llm_upstream.caddy_inc
+
+	reverse_proxy https://127.0.0.1:8443 {
+		header_up Host {host}
+		header_up X-Forwarded-Host {host}
+		header_up X-Forwarded-Proto {scheme}
+		header_up X-Forwarded-For {remote_host}
+		transport http {
+			tls_insecure_skip_verify
+		}
+	}
+}
+
+ops.desineuron.in {
+	log {
+		output file /var/log/caddy/access.log
+		format json
+	}
+
+	reverse_proxy https://127.0.0.1:8443 {
+		header_up Host {host}
+		header_up X-Forwarded-Host {host}
+		header_up X-Forwarded-Proto {scheme}
+		header_up X-Forwarded-For {remote_host}
+		transport http {
+			tls_insecure_skip_verify
+		}
+	}
+}
+
+import /etc/caddy/managed/*.caddy

infrastructure/k3s/ingress/ingress.yaml

@@ -0,0 +1,158 @@
+# ============================================================
+# Velocity-OS — K3s Traefik Ingress
+# Domain: velocity.local | TLS: self-signed via cert-manager
+# ============================================================
+
+# ── cert-manager ClusterIssuer (self-signed for velocity.local) ──
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: velocity-selfsigned-issuer
+spec:
+  selfSigned: {}
+
+---
+# Self-signed CA Certificate
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: velocity-local-ca
+  namespace: velocity-infra
+spec:
+  isCA: true
+  commonName: velocity-local-ca
+  secretName: velocity-local-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: velocity-selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+
+---
+# CA-backed ClusterIssuer for velocity.local
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: velocity-ca-issuer
+spec:
+  ca:
+    secretName: velocity-local-ca-secret
+
+---
+# TLS Certificate for velocity.local
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: velocity-local-tls
+  namespace: velocity-os
+spec:
+  secretName: velocity-local-tls-secret
+  duration: 8760h   # 1 year
+  renewBefore: 720h # renew 30 days before expiry
+  subject:
+    organizations: [Desineuron]
+  commonName: velocity.local
+  dnsNames:
+    - velocity.local
+    - "*.velocity.local"
+  issuerRef:
+    name: velocity-ca-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+
+---
+# ── Main Ingress ─────────────────────────────────────────────
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: velocity-os-ingress
+  namespace: velocity-os
+  annotations:
+    # Traefik (K3s built-in)
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # WebSocket support (Sentinel, Oracle canvas, Catalyst)
+    traefik.ingress.kubernetes.io/router.middlewares: velocity-os-ws-headers@kubernetescrd
+spec:
+  tls:
+    - hosts:
+        - velocity.local
+      secretName: velocity-local-tls-secret
+  rules:
+    - host: velocity.local
+      http:
+        paths:
+          # API (FastAPI backend)
+          - path: /api
+            pathType: Prefix
+            backend:
+              service:
+                name: core-api
+                port:
+                  number: 8443
+          # WebSockets (must route before generic /api catch)
+          - path: /ws
+            pathType: Prefix
+            backend:
+              service:
+                name: core-api
+                port:
+                  number: 8443
+          # Dream Weaver gateway
+          - path: /dream-weaver
+            pathType: Prefix
+            backend:
+              service:
+                name: media-engine
+                port:
+                  number: 8290
+          # Vault public links (no auth)
+          - path: /vault
+            pathType: Prefix
+            backend:
+              service:
+                name: core-api
+                port:
+                  number: 8443
+          # WebOS (React SPA — catch-all last)
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: webos
+                port:
+                  number: 80
+
+---
+# ── Traefik Middleware: WebSocket upgrade headers ─────────────
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: ws-headers
+  namespace: velocity-os
+spec:
+  headers:
+    customRequestHeaders:
+      Connection: "Upgrade"
+      Upgrade: "websocket"
+
+---
+# ── Traefik Middleware: Security headers ─────────────────────
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: security-headers
+  namespace: velocity-os
+spec:
+  headers:
+    stsSeconds: 31536000
+    stsIncludeSubdomains: true
+    forceSTSHeader: true
+    contentTypeNosniff: true
+    browserXssFilter: true
+    referrerPolicy: strict-origin-when-cross-origin
+    frameDeny: true