osinfra.io

🔐

Secure by default — not your problem to configure

Your infrastructure is CIS-compliant before you write a line of application code. Hardened GCP projects, KMS-encrypted state, and audit logging are built in — your team inherits a secure foundation without having to build or maintain it.

📦

Built on open standards

Infrastructure automation and runtime tooling are built on CNCF and Linux Foundation open-source projects — Kubernetes, Istio, cert-manager, OPA Gatekeeper, OpenTofu, OpenBao. No proprietary abstractions, no lock-in, no black boxes.

🤖

AI agents, not tickets

The platform is built around GitHub Copilot agents — the Nomos Agent handles team onboarding end-to-end. No YAML to write, no support ticket to file. Just describe what you need.

🤝

Innersource, not a bottleneck

Arche, Ekklesia, and Techne run as innersource repositories — any engineer can open a pull request, and platform engineers from staffed teams review. Stream-aligned teams unblock themselves by contributing fixes and new capabilities directly to the platform.

Your team, on the platform in minutes

The Nomos Agent asks the right questions and takes care of the platform details. Use the interactive prompt builder to describe what your team needs — the agent opens a pull request with every change.

Build your agent prompt →

Onboard a new team — Fides. Team key: st-fides. Maintainers: joesmith. Admin email: joe@osinfra.io.

👋 Hi! I'm the Nomos Agent — onboarding a new team for you now.

Give me just a moment while I look you up…

✓ get_me → joesmith · joe@osinfra.io · osinfra-io member

✓ lookup_user → no existing team memberships found

Welcome! I have everything I need from your prompt. Here's what I'll create for st-fides:

📁 GCP folder — Fides with Sandbox / Non-Production / Production sub-folders
👥 Google Identity groups — admin, reader, writer per environment
🐙 GitHub parent team st-fides + 4 standard child teams
🐶 Datadog team — Fides, admin: joe@osinfra.io

Any optional features to enable — Google Cloud project, OpenTofu state management, or additional GitHub repositories?

Enable google project and workflows. Add repo st-fides-api.

✓ open_team_pr → PR #142 opened on pt-logos

Done — PR #142 is open on pt-logos. Once it merges, your GCP folder, identity groups, GitHub teams, and Datadog team will be created automatically.

Corpus and Pneuma deploy on their own schedules — your Google Cloud project and CI/CD service accounts will provision after the Corpus PR merges.

Everything your team needs, out of the box.

From source code management to production support — already in place.

🏭

Continuous delivery enablement

GitHub team structure with branch protection, Workload Identity and OIDC federation for keyless GCP auth, Artifact Registry, encrypted state buckets, reusable GitHub Actions called workflows, and Datadog CI Visibility and Test Optimization.

🏗️

Cloud foundation

CIS-compliant GCP projects with audit logging, billing budgets, and KMS-encrypted state across sandbox, non-production, and production — with Shared VPC networking, per-team DNS subdomain zones, Cloud NAT, managed data services (Cloud SQL, Private Services Access), and namespace provisioning with Workload Identity bindings.

🔒

Security

OpenBao for dynamic credentials, KV2 paths, and a Kubernetes secrets operator — plus Cloud Armor WAF, Istio mTLS with automated certificate rotation, OPA Gatekeeper admission control, CIS-hardened GKE clusters, GitHub secret scanning and Dependabot, and Datadog Application Security Management, SIEM, Cloud Security Posture Management, and Code Security.

🐶

Observability and incident response

Logs, metrics, Application Performance Monitoring, and Universal Service Monitoring in Datadog from day one — service catalog, API catalog, cloud cost management, and incident response included.

Open source