Structured state management — Directus, Infisical, export pipeline (state-stack)
  • Python 98.6%
  • Dockerfile 1.4%
g1admin c8e16fdc9a
Some checks failed
Compose Lint / lint (push) Successful in 7s
Secret Scan / scan (push) Failing after 4s
INF-41: add Docker healthchecks to all services
Add HEALTHCHECK directives to all compose services that were missing
them. Enables Coolify and Docker to track container health natively.
2026-03-23 15:26:26 +00:00
| Name | Last commit | Date |
|---|---|---|
| .forgejo/workflows | ci: add Coolify sync workflow for state-stack | 2026-03-20 22:15:43 +00:00 |
| .gitea/issue_template | chore: add bug report issue template | 2026-03-04 13:46:05 +00:00 |
| compose | feat: sync live compose from production (2026-02-27) | 2026-02-26 22:09:31 +00:00 |
| config | feat: add infisical-bridge config (L4 Wave B) | 2026-03-11 06:30:38 +00:00 |
| docs | Initialize docs directory | 2026-02-23 17:55:35 +00:00 |
| postal | INF-41: add Docker healthchecks to all services | 2026-03-23 15:26:26 +00:00 |
| .env.example | feat: sync live compose from production (2026-02-27) | 2026-02-26 22:09:31 +00:00 |
| .gitignore | Add .gitignore | 2026-02-25 15:39:21 +00:00 |
| CLAUDE.md | Update CLAUDE.md: State Lead agent naming | 2026-02-26 22:12:25 +00:00 |
| LICENSE | Add MIT LICENSE | 2026-02-25 15:39:43 +00:00 |
| README.md | docs: update README for Scheme B rename (g1-state → svc-state) | 2026-03-22 06:31:45 +00:00 |

svc-state 🔐

Platform state and secrets — the canonical source of truth for every Generate One service.


Overview

svc-state is the foundational data and secrets layer of the Generate One platform. Infisical centralises credential management across all g1-* stacks — storing CF tokens, DB passwords, API keys, and more — at secrets.generate.one. Two custom Python sidecars complete the automation loop: export-pipeline syncs Directus CMS collections to Forgejo on change, and infisical-bridge pushes secret rotations directly to Coolify environment variables via webhook. Every other service in the platform depends on this stack.

Note: Directus CMS was previously co-located in svc-state. As of 2026-03-22 (BRN-24), Directus has been moved to the g1-brain project for co-location with the AI knowledge stack.

🏗️ Architecture

graph TB
    AllStacks([All g1-* Services]) -->|reads secrets| INF[Infisical\nsecrets.generate.one :8080]
    Browser([Browser]) -->|HTTPS| TF[Traefik]
    TF --> INF

    INF -->|infisical DB| PG[(PostgreSQL\nShared Infra)]
    INF -->|DB 6 sessions| VK[Valkey\nShared Infra]

    EP[export-pipeline\nPython sidecar] -->|reads| DIR[Directus CMS\ng1-brain project]
    EP -->|commits| Forgejo[Forgejo\ngit.generate.one]

    IB[infisical-bridge\nPython sidecar] -->|webhook| Coolify[Coolify API]
    IB -->|reads secret changes| INF

    Agent([AI Agents]) -->|via MetaMCP cms-tools| DIR

📦 Services

| Service | Image | Internal Port | Domain | Description |
|---|---|---|---|---|
| infisical | infisical/infisical:latest | 8080 | secrets.generate.one | Centralised secrets manager (KMS + UI) |
| export-pipeline | Local build | 8001 (health) | | Syncs Directus collections → Forgejo on change |
| infisical-bridge | Local build | 8000 (health) | | Webhook receiver: secret rotation → Coolify sync |

🔧 Configuration

| Variable | Description |
|---|---|
| DB_CONNECTION_URI | Infisical PostgreSQL URI (infisical database) |
| REDIS_URL | Valkey connection string (DB 6 for Infisical sessions) |
| SITE_URL | Infisical public URL (https://secrets.generate.one) |
| ENCRYPTION_KEY | Infisical encryption key |
| AUTH_SECRET | Infisical auth secret |
| DIRECTUS_TOKEN | Reader token for export-pipeline |
| FORGEJO_API_TOKEN | Token for export-pipeline git commits |
| COOLIFY_API_TOKEN | Token for infisical-bridge Coolify sync |
| INFISICAL_CLIENT_ID | Service account for infisical-bridge |
| INFISICAL_CLIENT_SECRET | Service account secret for infisical-bridge |
| INFISICAL_PROJECT_ID | Target project for infisical-bridge |

Secrets are stored in .env (disk-only, not committed). See Infisical at secrets.generate.one for canonical values.
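
A preflight check for the variables in the table above, as an added example (not code from this repository): it reports missing or empty entries, a non-HTTPS SITE_URL, a REDIS_URL that does not select DB 6, and a .env file accessible beyond its owner, naming variables without echoing their values. The `redis://host:port/<db>` URL form, the hostnames and all sample values are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit

# Variable names from the README's configuration table.
REQUIRED = (
    "DB_CONNECTION_URI", "REDIS_URL", "SITE_URL", "ENCRYPTION_KEY",
    "AUTH_SECRET", "DIRECTUS_TOKEN", "FORGEJO_API_TOKEN", "COOLIFY_API_TOKEN",
    "INFISICAL_CLIENT_ID", "INFISICAL_CLIENT_SECRET", "INFISICAL_PROJECT_ID",
)

# Constructed sample; deliberate faults: http SITE_URL, Valkey DB 0.
SAMPLE = "\n".join(f"{name}=dummy" for name in REQUIRED[3:]) + (
    "\nDB_CONNECTION_URI=postgres://u:p@db.example:5432/infisical"
    "\nREDIS_URL=redis://valkey.example:6379/0"
    "\nSITE_URL=http://secrets.generate.one\n")

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments, strip quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env_file(path):
    """Return findings (names only, never values); empty list means pass."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"file mode {mode:04o}: accessible beyond owner")
    with open(path, encoding="utf-8") as fh:
        env = parse_env(fh.read())
    findings += [f"{n}: missing or empty" for n in REQUIRED if not env.get(n)]
    if env.get("SITE_URL") and urlsplit(env["SITE_URL"]).scheme != "https":
        findings.append("SITE_URL: not https")
    if env.get("REDIS_URL") and urlsplit(env["REDIS_URL"]).path != "/6":
        findings.append("REDIS_URL: does not select DB 6")
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False) as fh:
        fh.write(SAMPLE)
    os.chmod(fh.name, 0o644)  # deliberately too permissive for the demo
    print(check_env_file(fh.name))
    os.unlink(fh.name)
```
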

🔗 Dependencies

Depends On

  • svc-infra — PostgreSQL (infisical database) + Valkey (DB 6)
  • svc-auth — Authentik OIDC SSO for web UI login

Depended On By

  • All g1-* services — read credentials from Infisical
  • g1-brain — export-pipeline commits Directus skill docs to Forgejo
  • Coolify — infisical-bridge syncs secret rotations to service env vars

📁 Repository Structure

svc-state/
├── compose/
│   └── state-stack.yml       # Coolify compose (Forgejo source of truth)
├── export-pipeline/          # Python sidecar: Directus → Forgejo sync
├── infisical-bridge/         # Python sidecar: Infisical → Coolify webhook
├── config/                   # Service configuration files
├── .env.example              # Environment variable template
└── CLAUDE.md                 # AI agent context for this repo

| Repo | Relationship |
|---|---|
| g1-core | Core-infra PostgreSQL + Valkey |
| g1-auth | Authentik OIDC SSO |
| g1-mcp | MetaMCP routes g1-brain cms-tools namespace |
| g1-brain | Directus CMS (moved here 2026-03-22) |

⚠️ Operational Warning

This is foundational infrastructure. Infisical outages affect secret availability across the entire platform. Always verify health before and after any changes:

curl https://secrets.generate.one/api/status

🛡️ Part of Generate One

Generate One — AI infrastructure that answers to you.

Self-hosted, sovereign AI platform. generate.one

Coolify service UUID: ksw0kww0s4wo4o0w8cggkwo0 | Project: svc-state