Skip to content

WeOwnNetwork/ai

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

505 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

♾️ WeOwn AI - Enterprise Kubernetes Infrastructure

πŸš€ WeOwn AI Infrastructure - Production-grade Kubernetes platform delivering secure, scalable AI and automation services with enterprise security, zero-trust networking, and SOC2/ISO42001 compliance.

πŸ“¦ Application Stack

πŸ€– AI & Automation Platform

AnythingLLM - Private AI Chat & Document Processing

  • Purpose: Secure, self-hosted AI assistant with document ingestion and RAG capabilities
  • Use Cases: Private document Q&A, team AI assistant, knowledge base processing
  • Security: Zero-trust networking, JWT authentication, isolated data processing
  • Integration: Local LLMs, OpenAI, Anthropic, with enterprise compliance controls

n8n - Visual Workflow Automation Platform

  • Purpose: No-code/low-code automation and enterprise system integration
  • Use Cases: API orchestration, data pipelines, notification workflows, CRM automation
  • Features: 24-hour auth sessions, queue mode scaling, SQLite/PostgreSQL support
  • Enterprise: Multi-tenant namespace isolation, comprehensive backup system

πŸ” Security & Infrastructure

Vaultwarden - Enterprise Password Management

  • Purpose: Self-hosted Bitwarden-compatible password manager with Argon2id security
  • Use Cases: Team password sharing, secure credential storage, enterprise compliance
  • Security: Argon2id PHC hashing, zero-trust networking, automated backups
  • Compliance: SOC2/ISO42001 ready with comprehensive audit trails

Monitoring - Kubernetes Observability Stack

  • Purpose: Cluster monitoring, resource optimization, and visual management
  • Components: Portainer CE, Kubernetes Metrics Server, custom dashboards
  • Features: Real-time resource monitoring, auto-scaling integration, enterprise security
  • Operations: Performance baselines, scaling strategies, incident response runbooks

🌐 Content & Collaboration

WordPress-Docker - Copier Template for WordPress on DigitalOcean Droplets

  • Purpose: Templated WordPress deployments on DigitalOcean droplets with Docker + OpenTofu
  • Use Cases: Standalone WordPress sites, rapid site provisioning, cohort deployments
  • Stack: Docker Compose, Caddy (TLS), MariaDB, OpenTofu (IaC)
  • Features: Copier templating, Wordfence WAF auto-config, skinny backups, Infisical secrets
  • Sites: burnedout.xyz, ptoken.agency

WordPress - Enterprise Content Management (Kubernetes)

  • Purpose: Secure, scalable WordPress with enterprise hardening and auto-scaling
  • Use Cases: Corporate websites, documentation portals, member content systems
  • Features: Auto-configuration, NetworkPolicy security, HPA scaling, MySQL/Redis
  • Security: Pod Security Standards: Restricted, automated credential management

πŸ“ Repository Structure

WeOwn/ai/
β”œβ”€β”€ README.md                           # This file - platform overview and architecture
β”œβ”€β”€ .gitignore                          # Repository-wide Git ignore rules
β”‚
β”œβ”€β”€ anythingllm/                        # AI Document Processing & Chat Platform
β”‚   β”œβ”€β”€ deploy.sh                       # Enterprise deployment script
β”‚   β”œβ”€β”€ helm/                           # Kubernetes Helm chart
β”‚   β”‚   β”œβ”€β”€ Chart.yaml                  # Chart metadata and security annotations
β”‚   β”‚   β”œβ”€β”€ values.yaml                 # Production-ready configuration
β”‚   β”‚   └── templates/                  # Kubernetes manifests (12 files)
β”‚   β”œβ”€β”€ README.md                       # AnythingLLM deployment guide
β”‚   β”œβ”€β”€ CHANGELOG.md                    # Version history and security fixes
β”‚   └── docker-compose.yml              # Local development setup
β”‚
β”œβ”€β”€ n8n/                                # Visual Workflow Automation Platform
β”‚   β”œβ”€β”€ deploy.sh                       # Enterprise deployment script (20K+ lines)
β”‚   β”œβ”€β”€ helm/                           # Kubernetes Helm chart
β”‚   β”‚   β”œβ”€β”€ Chart.yaml                  # Chart metadata with security annotations
β”‚   β”‚   β”œβ”€β”€ values.yaml                 # Production configuration with auth options
β”‚   β”‚   └── templates/                  # Kubernetes manifests (13 files)
β”‚   β”œβ”€β”€ README.md                       # n8n deployment and management guide
β”‚   β”œβ”€β”€ CHANGELOG.md                    # Version history including v2.3.0 compatibility
β”‚   β”œβ”€β”€ n8n-final-security-audit.sh     # Comprehensive security audit script
β”‚   └── WORKFLOW_MIGRATION_README.md    # Docker to Kubernetes migration guide
β”‚
β”œβ”€β”€ vaultwarden/                        # Password Manager (Bitwarden-compatible)
β”‚   β”œβ”€β”€ deploy.sh                       # Enterprise deployment with Argon2id security
β”‚   β”œβ”€β”€ helm/                           # Kubernetes Helm chart
β”‚   β”‚   β”œβ”€β”€ Chart.yaml                  # Chart metadata with security focus
β”‚   β”‚   β”œβ”€β”€ values.yaml                 # Security-hardened configuration
β”‚   β”‚   └── templates/                  # Kubernetes manifests (11 files)
β”‚   β”œβ”€β”€ README.md                       # Vaultwarden deployment guide
β”‚   β”œβ”€β”€ CHANGELOG.md                    # Version history and security enhancements
β”‚   └── install.sh                      # One-command installer for rapid deployment
β”‚
β”œβ”€β”€ wordpress/                          # Enterprise Content Management System
β”‚   β”œβ”€β”€ deploy.sh                       # Cross-platform deployment script
β”‚   β”œβ”€β”€ helm/                           # Kubernetes Helm chart
β”‚   β”‚   β”œβ”€β”€ Chart.yaml                  # Chart metadata with enterprise features
β”‚   β”‚   β”œβ”€β”€ values.yaml                 # Production WordPress configuration
β”‚   β”‚   └── templates/                  # Kubernetes manifests (9 files)
β”‚   β”œβ”€β”€ README.md                       # WordPress deployment and scaling guide
β”‚   β”œβ”€β”€ CHANGELOG.md                    # Version history and security updates
β”‚   └── TROUBLESHOOTING.md              # Common issues and resolution procedures
β”‚
β”œβ”€β”€ wordpress-docker/                   # WordPress on DigitalOcean Droplets (Copier Template)
β”‚   β”œβ”€β”€ copier.yaml                     # Copier template configuration
β”‚   β”œβ”€β”€ README.md                       # Template usage and documentation
β”‚   β”œβ”€β”€ docs/
β”‚   β”‚   └── INFISICAL_INTEGRATION.md    # Secrets management integration guide
β”‚   β”œβ”€β”€ template/                       # Jinja2 templates for site generation
β”‚   β”‚   β”œβ”€β”€ docker/                     # Docker Compose, Caddyfile, Wordfence WAF
β”‚   β”‚   β”œβ”€β”€ terraform/                  # OpenTofu infrastructure code
β”‚   β”‚   └── scripts/                    # Deploy, backup, restore scripts
β”‚   └── sites/                          # Pre-generated site configurations
β”‚       β”œβ”€β”€ burnedout-xyz/              # burnedout.xyz (apex domain style)
β”‚       └── ptoken-agency/              # ptoken.agency (www domain style)
β”‚
└── k8s/                                # Kubernetes Infrastructure Tools
    └── monitoring/                     # Cluster Monitoring & Management
        β”œβ”€β”€ deploy.sh                   # Monitoring stack deployment
        β”œβ”€β”€ enterprise-monitoring-complete.yaml  # Templated monitoring manifests
        β”œβ”€β”€ README.md                   # Monitoring setup and operations guide
        └── MONITORING_BASELINE_REPORT.md        # Resource usage and optimization

🌐 WeOwn Cloud Architecture

WeOwn Cloud represents a single-tenant, multi-cluster infrastructure that transforms individual Kubernetes clusters into unified cloud environments. Each cluster runs the complete WeOwn application stack with enterprise-grade security, enabling teams to deploy AI, automation, and productivity tools with zero-trust networking.

Core Concept: Single-Tenant Cloud

Rather than traditional multi-tenant SaaS, WeOwn Cloud provides each organization with their own dedicated cluster environment:

  • Dedicated Resources: No resource sharing between organizations
  • Data Sovereignty: Complete control over data location and processing
  • Security Isolation: Zero-trust networking with complete tenant isolation
  • Custom Configurations: Tailored to specific organizational needs
  • Direct Kubernetes Access: Full infrastructure control and transparency

πŸ“š Enterprise Integration

Multi-Cluster Cohort Model:

WeOwn Cloud enables cohort-based deployment where each team or organization receives:

  1. Dedicated Cluster: Full Kubernetes environment with enterprise security
  2. Standard Application Stack: AI, automation, password management, CMS
  3. Custom Domain Configuration: Professional subdomain structure
  4. Independent Data Sovereignty: Complete control over data and processing
  5. Unified Management Tools: Consistent deployment and monitoring across clusters

Scaling Strategies:

Horizontal Pod Autoscaling (HPA):

  • WordPress: Scale replicas based on CPU/memory usage
  • n8n: Scale workflow execution pods for high throughput

Vertical Pod Autoscaling (VPA):

  • AnythingLLM: Automatic memory adjustment for AI workloads
  • All Applications: Learn usage patterns, optimize resource requests

Cluster Scaling:

  • Horizontal: Add nodes for more total capacity
  • Vertical: Upgrade node sizes for memory-intensive workloads

🎯 Why WeOwn Cloud?

vs. Traditional Multi-Tenant SaaS:

  • βœ… Data Sovereignty: Your data never leaves your cluster
  • βœ… Security Isolation: Zero shared infrastructure vulnerabilities
  • βœ… Custom Configuration: Tailor applications to specific needs
  • βœ… Compliance Ready: SOC2, ISO42001, GDPR-compliant by design
  • βœ… Cost Transparency: Direct infrastructure costs, no vendor markup

vs. Self-Managed Infrastructure:

  • βœ… Enterprise Security: Zero-trust networking out of the box
  • βœ… Operational Excellence: Automated backups, monitoring, scaling
  • βœ… Proven Architecture: Battle-tested across 6 production clusters
  • βœ… Comprehensive Documentation: Every aspect documented and reproducible
  • βœ… Expert Support: WeOwn AI team maintains and evolves the platform

πŸ›‘οΈ Compliance & Governance

WeOwn AI infrastructure follows a layered, phased compliance program progressing through NIST CSF 2.0 + CIS Controls v8 β†’ CSA CCM v4 β†’ ISO/IEC 27001:2022 β†’ SOC 2 Type II β†’ ISO/IEC 42001:2023. Current baseline: Phase 1 (NIST CSF 2.0 + CIS v8 IG1), version v3.3.4.1 per #WeOwnVer.

Core Documents

State Files (For AI Agents & Continuity)

These files maintain persistent state across work sessions. New AI agents should read these first to understand current context:

Note: Additional state files (GOVERNANCE.md, WORK_LOG.md, TIME_LOG.md, WEEKLY_LOG.md) are maintained at the workspace root (outside this repo) and are gitignored here. See workspace README for initialization protocol.

Architecture Decision Records (ADRs)

Code Review Model

Every PR to main requires:

  • βœ… GitHub Copilot AI code review (automatic on PRs from weown-bot)
  • βœ… 1 human approval (enforced by branch protection + CODEOWNERS)
  • βœ… Review from Code Owners per .github/CODEOWNERS
  • βœ… All conversations resolved before merge
  • βœ… branch-name-check.yml status check passes
  • βœ… All commits cryptographically signed ("Verified" badge on every commit)

First-Time Contributor Setup

New contributors: read CONTRIBUTING.md before your first commit. It covers:

  • SSH-based commit signing setup (required β€” ~3 minutes, one-time per machine)
  • Branch naming convention (enforced by CI)
  • Commit message conventions
  • PR workflow, review expectations, and troubleshooting

Signed commits are mandatory β€” enforced by branch protection on main. Unsigned commits are rejected at merge time. See CONTRIBUTING.md Β§3 for the 4-command setup.

Branch Strategy β€” GitHub Flow

Short-lived branches off main, merged back via reviewed PRs. Naming convention:

<type>/<dev>-<short-description>
e.g., feature/roman-add-pat-health-check
      fix/nik-resolve-tls-warning
      docs/mohammed-update-compliance-roadmap
      hotfix/shahid-patch-auth-bypass

Enforced by .github/workflows/branch-name-check.yml. See .github/workflows/README.md Β§3 for full convention and Β§8.2 for enforcement layers.

Replicating weown-bot for Other Repos / Workflows

The weown-bot service account is ecosystem-wide. Adding it to another repo takes ~10 minutes. Full step-by-step instructions β€” including coverage for different workflow types (auto-PR, release, cross-repo dispatch, issue automation) and per-workflow least-privilege PAT scopes β€” live in .github/workflows/README.md Β§5.

Quick summary:

  1. Generate a fine-grained PAT scoped only to the new repo with minimum permissions per Β§5.2–§5.5
  2. Store in Infisical project weown-bot GitHub PATs as WEOWN_BOT_PAT__<ORG>_<REPO>
  3. Extend the Infisical GitHub App to the new repo; create a new Secret Sync mapping to GitHub secret name WEOWN_BOT_PAT
  4. Copy the relevant workflow(s) and configure branch protection + naming enforcement per Β§8

πŸ“ž Support & Community

WeOwn AI Team: WeOwn.xyz Documentation: This repository contains complete deployment guides Security: All deployments include enterprise-grade security by default Scaling: Resource optimization across all supported cluster sizes

πŸ› οΈ WeOwn CLI (DigitalOcean K8s Deployer)

The cli/weown module provides an interactive interface for deploying and managing WeOwn stacks on DigitalOcean Kubernetes:

  • Cluster management: Scale, create, and delete node pools; delete the entire cluster via doctl with confirmation prompts.
  • Infrastructure deployment: Install shared components such as ingress-nginx, cert-manager, ExternalDNS, and the monitoring stack.
  • Application stacks: Deploy WordPress, Matomo, n8n, AnythingLLM and other apps into their dedicated namespaces using the curated Helm values.
  • Status & visibility: List Helm deployments and inspect cluster resources from a single entry point.

CLI Setup

  1. Ensure kubectl, helm, and doctl are installed and authenticated against your DigitalOcean account.

  2. Create cli/.env with at least:

    • DO_TOKEN, DO_REGION, PROJECT_NAME, CLUSTER_NAME
    • BASE_DOMAIN, WP_DOMAIN, MATOMO_DOMAIN, LETSENCRYPT_EMAIL
    • WP_ADMIN_PASSWORD, MATOMO_DB_ROOT_PASSWORD, MATOMO_DB_PASSWORD
  3. From the repository root, run:

    ./cli/weown

Use the interactive menu to manage node pools, deploy infrastructure and applications, and verify cluster health for your WeOwn cloud instance.

About

πŸ€– AI projects within ♾️ WeOwn.xyz 🌐

Resources

License

Contributing

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors