- Python 53.8%
- Shell 29.4%
- PowerShell 7.7%
- HCL 4.8%
- Jinja 2.5%
- Other 1.8%
| .agents/skills/repo-infrastructure | ||
| .claude | ||
| .forgejo/workflows | ||
| .githooks | ||
| .ward | ||
| ansible | ||
| caddy | ||
| clusters/kai-server | ||
| deploy | ||
| docs | ||
| fail2ban | ||
| scripts | ||
| skills | ||
| sshd | ||
| sudoers | ||
| systemd | ||
| terraform | ||
| .gitattributes | ||
| .gitignore | ||
| .pre-commit-config.yaml | ||
| .pylintrc | ||
| .python-version | ||
| AGENTS.md | ||
| bootstrap.sh | ||
| CLAUDE.md | ||
| Makefile | ||
| pyproject.toml | ||
| README.md | ||
| uv.lock | ||
infrastructure
Everything Kai needs to stand up and operate kai-server. Systemd units, shell scripts, k3s cluster manifests, and a small set of ward verbs for cluster-side bootstrap.
Layout
.
├── ansible/ # workstation/host convergence (macOS Homebrew today) - see ansible/README.md
├── caddy/ # (legacy, pre-traefik caddy config)
├── deploy/ # cluster-wide manifests applied via ward verbs
│ ├── cert_manager.yml # cert-manager ClusterIssuers (DNS-01 via Route 53)
│ ├── externalsecret.yml # external-secrets sync rules
│ └── secretstore.yml # SecretStore -> AWS SSM Parameter Store
├── docs/ # durable ops documentation
├── scripts/ # systemd unit ExecStart/ExecPre scripts + Python helpers for ward verbs
├── systemd/ # systemd unit files
└── Makefile # entry points for ward verbs
Eco server setup notes live in the eco-server-setup skill.
Operating the cluster
Cluster-bootstrap verbs are declared in .ward/ward.yaml and driven by Makefile targets that call scripts/k8s/ helpers. Common verbs (run via ward exec <verb>):
ward exec cert-manager # re-apply cert-manager + ClusterIssuers
ward exec aws-secrets aws_access_key_id=<ID> aws_secret_access_key=<SECRET> # bootstrap external-secrets + aws-credentials
ward exec observability # install / upgrade VictoriaMetrics metrics stack
ward exec ward-eval # launch the executable Ward director evaluation harness
ward exec test # run the ward director evaluation tests
Cluster passthroughs (SSM, kubectl, forgejo, tailscale) run through ward-kdl ops. K3s service ops go over Tailscale SSH: restart k3s with ssh kai-server -- sudo systemctl restart k3s.service. Game-server systemd ops still live in coily core (kai-server keeps coily until gaming is ported): tail / restart game servers with coily gaming <eco|core-keeper|icarus|factorio> ....
See docs/ for:
architecture.md— top-down view of what runs on kai-servercertificates.md— DNS-01 via Route 53 cert flow (no more HTTP-01 / hairpin-NAT hacks)
Commands
Dev commands are declared in .ward/ward.yaml. Run them as ward exec <verb>.
See also
- AGENTS.md - agent-facing operating rules.
- docs/FEATURES.md - inventory of what ships today.
- .ward/ward.yaml - allowlisted commands. Agents route through ward, not bare
make/uv/python/npm/cargo/dotnet.
Cross-reference convention from coilysiren/agentic-os-kai#313.