search

Infrastructure

This document describes the infrastructure design for mutx.dev, including VPC architecture, bare-metal provisioning, network topology, and security zones.

hashtag
VPC Design

hashtag
Overview

mutx.dev uses a multi-tenant VPC architecture where each customer receives a dedicated Virtual Private Cloud. This ensures complete isolation and eliminates "noisy neighbor" problems.

┌─────────────────────────────────────────────────────────────────────────────────┐
│                         mutx.dev Control Plane                                   │
│                         (Railway + Vercel)                                       │
│                                                                                  │
│  ┌───────────────────────────────────────────────────────────────────────────┐  │
│  │                        mutx API (FastAPI)                                 │  │
│  │   - Agent management                                                      │  │
│  │   - Deployment orchestration                                              │  │
│  │   - Tenant provisioning                                                  │  │
│  └───────────────────────────────────────────────────────────────────────────┘  │
│                                      │                                           │
│                                      │ API Calls                                 │
│                                      ▼                                           │
│                         ┌──────────────────────────┐                              │
│                         │  Terraform Cloud/Local  │                              │
│                         │  Provisioning Engine    │                              │
│                         └────────────┬────────────┘                              │
└──────────────────────────────────────┼───────────────────────────────────────────┘

                    ┌──────────────────┼──────────────────┐
                    │                  │                  │
                    ▼                  ▼                  ▼
         ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
         │   Tenant VPC A   │ │   Tenant VPC B   │ │   Tenant VPC C   │
         │   (Customer 1)   │ │   (Customer 2)   │ │   (Customer 3)   │
         │   10.0.1.0/24    │ │   10.0.2.0/24    │ │   10.0.3.0/24   │
         └──────────────────┘ └──────────────────┘ └──────────────────┘

hashtag
VPC Specification

Each tenant VPC is provisioned on DigitalOcean with the following configuration:

Parameter
Value

Region

Customer-selected (NYC, SFO, AMS, etc.)

VPC CIDR

/24 (256 addresses)

Subnets

1x /24 (agent tier)

Internet Gateway

Egress only (no inbound)

DHCP

Managed (10.0.x.0/24 range)

hashtag
Bare-Metal Provisioning

hashtag
Provisioning Pipeline

The provisioning pipeline follows a two-stage approach:

hashtag
Terraform Configuration

The Terraform provisioning (infrastructure/ansible/playbooks/provision.yml) creates:

  1. Droplet (Compute)

    • Size: Customer-selected (starting 4GB RAM)

    • Image: Ubuntu 22.04 LTS

    • VPC: Tenant VPC

  2. Networking

    • Private networking enabled

    • Floating IP (optional, for management)

  3. Storage

    • Volume for data (optional)

    • Snapshots enabled

hashtag
Ansible Configuration

After Terraform provisions the compute, Ansible configures:

Role
Purpose

docker

Install Docker, configure daemon

postgresql

PostgreSQL 15 with pgvector

redis

Redis with password auth

tailscale

Zero-trust VPN mesh

ufw

Firewall rules

fail2ban

Intrusion prevention

agent

Deploy agent containers

hashtag
Inventory Structure

hashtag
Network Topology

hashtag
Network Diagram

hashtag
IP Address Allocation

Range
Purpose
Hosts

10.0.1.0/27

Reserved

-

10.0.1.32/27

Agent pool

30 agents

10.0.1.64/27

EvalView

1 guardrail VM

10.0.1.128/27

Data services

PostgreSQL, Redis, Vector DB

10.0.1.192/26

Reserved

Future use

10.0.2.0/24

Management

Monitoring, Tailscale node

hashtag
Security Zones

hashtag
Zone Architecture

hashtag
Firewall Rules (UFW)

From infrastructure/ansible/playbooks/provision.yml:

hashtag
Network Segmentation

Component
Zone
Access
Notes

EvalView Guard

DMZ

Agents → Guard → Out

Input/output validation

Agent Containers

App

Guard → Agent

Tool execution

PostgreSQL

Data

Agent → DB

Via Unix socket

Redis

Data

Agent → Redis

Password protected

Tailscale

Mgmt

All

WireGuard mesh

hashtag
Service Communication

hashtag
Internal Communication

All inter-service communication within a tenant VPC uses:

  1. Private Networking: 10.0.x.x addresses

  2. Service Mesh: Tailscale for encryption

  3. Authentication: Service-specific tokens

hashtag
External Communication

Direction
Method
Security

Agent → LLM Provider

HTTPS

API key in Vault

Agent → Vector DB

Unix socket

Local only

Tenant → Agent

Tailscale

WireGuard + Auth

Control → Tenant

Tailscale

mTLS via Tailscale

hashtag
Next Steps

PreviousAgent RuntimeNextArchitecture Overview

Last updated