Open source · Rust-powered · MIT licensed

The governed control plane for multi‑site infrastructure

Ryuki gives system engineers an auditable way to request, operate, evidence, and retire infrastructure services — through a growing adapter framework: 17 providers spanning virtualization, backup, monitoring, and ITSM, from VMware and Nutanix AHV to Zabbix and ServiceNow.

58 Domain engines
116 Catalog contracts
230 Static validation checks
100% Rust, end to end

Everything your platform team operates

Operational workflows for system engineering teams running multi-site datacenter infrastructure — governed by default, evidenced at every step.

VM Lifecycle

Provision, resize, migrate, and retire VMs across six hypervisors — with capacity governance and placement policies per cluster.

VMware, Hyper-V, Proxmox, Nutanix AHV, Xen, KVM

Monitoring & Alerting

Host onboarding, alert routing, maintenance windows, and configuration drift detection across thousands of hosts — on the monitoring stack you already run.

Zabbix, Prometheus, Datadog, Grafana, SolarWinds

Backup & Recovery

Backup coverage tracking, restore testing, DR orchestration, and repository health across sites — whichever backup platform protects them.

Veeam, Commvault, Rubrik, Cohesity, NetBackup

CMDB & Inventory

ServiceNow CMDB integration with Excel import/export, CI reconciliation, and relationship graph visualization.

ServiceNow, Excel, Graph

OS Patching & Compliance

Windows and Linux deployment, scheduled patching with approval gates, and OS baseline compliance reporting across the fleet.

Windows, Linux, SQL Server

Image Factory

Monthly golden image pipeline: template construction, automated testing, promotion through environments, and publishing.

Packer, Windows, Linux

Evidence & Audit

Redacted evidence packs per work item, approval chain lineage, shift handover reports, and audit-ready export without exposing credentials.

Audit, Compliance, RBAC

Datacenter Fabric

Hardware lifecycle management, firmware baselines, switchport/VLAN readiness checks, and physical asset tracking across sites.

Network, Firmware, Lifecycle

Nine governed stages. Zero blind spots.

Every infrastructure request flows through the same governed pipeline. Each stage produces redacted evidence suitable for audit, CAB, incident review, and shift handover. Stages marked (planned) are next on the roadmap.

  1. Draft
  2. Intake
  3. Validate
  4. Plan
  5. Approve
  6. Lock
  7. Execute
  8. Verify
  9. Complete
  10. Protect (planned)
  11. Publish (planned)
  12. Maintain (planned)
  13. Retire (planned)

A failed request is terminal and keeps its full evidence trail. Break-glass emergency changes follow the same pipeline — no bypass on evidence.
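
The pipeline rules above (ordered stages, terminal failure, evidence at every step, break-glass on the same path) sketched as a Rust state machine. This is an added example, not code from the Ryuki project; the `Stage`, `Request`, `Evidence` and `redact` names and the `key=value` redaction rule are assumptions, and only the nine shipped stages are modelled.

```rust
// Added illustration: every type and function here is hypothetical, not Ryuki's API.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Stage { Draft, Intake, Validate, Plan, Approve, Lock, Execute, Verify, Complete, Failed }
impl Stage {
    /// The single legal forward step; terminal stages (Complete, Failed) have none.
    pub fn next(self) -> Option<Stage> {
        use Stage::*;
        match self {
            Draft => Some(Intake), Intake => Some(Validate), Validate => Some(Plan),
            Plan => Some(Approve), Approve => Some(Lock), Lock => Some(Execute),
            Execute => Some(Verify), Verify => Some(Complete),
            Complete | Failed => None,
        }
    }
}

#[derive(Debug)]
pub struct Evidence { pub from: Stage, pub to: Stage, pub break_glass: bool, pub note: String }
pub struct Request { pub stage: Stage, pub break_glass: bool, pub trail: Vec<Evidence> }

impl Request {
    pub fn new(break_glass: bool) -> Self { Request { stage: Stage::Draft, break_glass, trail: Vec::new() } }
    /// Move to `to` (the next stage, or Failed) and append redacted evidence.
    /// Break-glass requests take this same path, so they cannot skip a stage.
    pub fn advance(&mut self, to: Stage, note: &str) -> Result<(), String> {
        let legal = self.stage.next().ok_or(format!("{:?} is terminal", self.stage))?;
        if to != legal && to != Stage::Failed {
            return Err(format!("illegal transition {:?} -> {:?}", self.stage, to));
        }
        self.trail.push(Evidence { from: self.stage, to, break_glass: self.break_glass, note: redact(note) });
        self.stage = to;
        Ok(())
    }
}

/// Constructed rule: mask the value of `key=value` tokens whose key looks like a credential.
pub fn redact(note: &str) -> String {
    let mask = |tok: &str| match tok.split_once('=') {
        Some((k, _)) if ["password", "token", "secret"].contains(&k.to_lowercase().as_str()) =>
            format!("{}=[REDACTED]", k),
        _ => tok.to_string(),
    };
    note.split_whitespace().map(mask).collect::<Vec<_>>().join(" ")
}

fn main() {
    let mut r = Request::new(true); // constructed sample: an emergency change
    r.advance(Stage::Intake, "opened by oncall token=abc123").unwrap();
    println!("{:?}", r.trail);
}
```

A rejected transition returns an error without touching the trail, so the evidence records only transitions that actually happened.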

Full-stack Rust control plane

SSR portal behind a same-origin boundary, a governed API, and a domain engine — with secrets isolated in Vault. The browser never talks to a provider directly.

  1. Browser: ingress over TLS only
  2. Portal UI: Leptos / Axum SSR, same-origin boundary
  3. Platform API: Axum, Entra ID SSO, request lifecycle
  4. Engine: domain models, evidence, adapters
  5. PostgreSQL and Vault

Adapters reach only approved provider endpoints. Credentials never leave Vault.

| Component | Stack | Description |
| --- | --- | --- |
| portal-ui | Rust / Leptos / Axum | Full-stack SSR portal with role-filtered navigation. Same-origin isolation — never calls provider APIs directly. |
| ryuki-api | Rust / Axum / sqlx | Control plane API with Entra ID SSO, role-based access, and the governed request lifecycle. |
| ryuki-engine | Rust | Domain models, evidence generation, health probes, and provider adapters. |
| ryuki-core | Rust | Shared types, utilities, secret scanning, and cross-cutting configuration. |
| ryuki-validator | Rust | Self-contained static validation engine (352 slices) for pre-commit and CI guardrails. |
| PostgreSQL | CloudNativePG / Docker | Control plane database with schema migrations via sqlx. |
| Vault | HashiCorp Vault | Secrets management — provider credentials never committed or logged. |

Running in minutes

Start PostgreSQL, configure the environment, build the workspace, and validate.

```shell
# Start PostgreSQL via Docker Compose
docker compose -f deploy/compose/compose.yaml up -d platform-db

# Copy and configure environment
cp .env.example .env

# Build the full workspace
cargo build --workspace

# Run the test suite
cargo test --workspace

# Execute all validators
cargo run --manifest-path scripts/validator-rs/Cargo.toml -- run-all
```

Ready to tame your infrastructure?

Self-hosted, open source, audit-first. Deploy the control plane and bring governance to every request.