osinfra.io

🔐

Secure by default — not your problem to configure

Your infrastructure is CIS-compliant before you write a line of application code. Hardened GCP projects, KMS-encrypted state, and audit logging are built in — your team inherits a secure foundation without having to build or maintain it.

📦

Built on open standards

Infrastructure automation and runtime tooling are built on CNCF and Linux Foundation open-source projects — Kubernetes, Istio, cert-manager, OPA Gatekeeper, OpenTofu, OpenBao. No proprietary abstractions, no lock-in, no black boxes.

🤖

AI agents, not tickets

The platform is built around GitHub Copilot agents — the Nomos Agent handles team onboarding end-to-end. No YAML to write, no support ticket to file. Just describe what you need.

🤝

Inner source, not a bottleneck

Arche, Ekklesia, and Techne run as inner-source repositories — any engineer can open a pull request, and platform engineers from staffed teams review. Stream-aligned teams unblock themselves by contributing fixes and new capabilities directly to the platform.

Your team, on the platform in minutes

The Nomos Agent asks the right questions and takes care of the platform details. Your team is up and running in minutes.

See the full onboarding guide →

/agent → Nomos Agent

👋 Hi! I'm the Nomos Agent — your self-serve interface to the osinfra.io platform. Just tell me what your team needs.

Give me just a moment while I look you up…

✓ Identity validated · joe@osinfra.io

It looks like you're not part of any team yet — welcome! Would you like to join an existing team or onboard a new team from scratch?

Onboard a new team — st-fides

Based on your team key I'd suggest Fides as the display name — it appears in Google Cloud Platform, GitHub, and Datadog. Does that work?

✓ Stream-aligned team detected (st- prefix)

What email address should be the Datadog team admin?

joe@osinfra.io — and use my GitHub username as the team maintainer.

Here's what I'll create:

📁 GCP folder hierarchy — Fides (Sandbox / Non-Production / Production)
👥 Google Identity groups — admin, reader, writer
🐙 GitHub parent team + 4 child teams (sandbox-approvers, non-production-approvers, production-approvers, repository-administrators)
🐶 Datadog team — Fides

Ready to open the pull request on pt-logos?

Everything your team needs, out of the box.

From source code management to production support — already in place.

🏭

Continuous delivery enablement

GitHub team structure with branch protection, Workload Identity and OIDC federation for keyless GCP auth, Artifact Registry, encrypted state buckets, reusable GitHub Actions called workflows, and Datadog CI Visibility and Test Optimization.

🏗️

Cloud foundation

CIS-compliant GCP projects with audit logging, billing budgets, and KMS-encrypted state across sandbox, non-production, and production — with Shared VPC networking, per-team DNS subdomain zones, Cloud NAT, managed data services (Cloud SQL, Private Services Access), and namespace provisioning with Workload Identity bindings.

🔒

Security

OpenBao for dynamic credentials, KV2 paths, and a Kubernetes secrets operator — plus Cloud Armor WAF, Istio mTLS with automated certificate rotation, OPA Gatekeeper admission control, CIS-hardened GKE clusters, GitHub secret scanning and Dependabot, and Datadog Application Security Management, SIEM, Cloud Security Posture Management, and Code Security.

🐶

Observability and incident response

Logs, metrics, Application Performance Monitoring, and Universal Service Monitoring in Datadog from day one — service catalog, API catalog, cloud cost management, and incident response included.

Open source