tpt-datastack-nz

Python

NZISM-compliant sovereign cloud platform for New Zealand, built on OpenStack. Three deployment tiers: General (SMBs), Government (NZ agencies), and Classified (NZDF/intelligence). Includes OPA runtime policies, first open-source OSCAL mapping of NZISM v3.9, and continuous biometric authentication.


TPT DataStack NZ

An open-source, NZISM-compliant sovereign cloud platform for New Zealand — built on OpenStack.

Provision a production-grade cloud in New Zealand with compliance controls, network topology, and security tooling pre-configured for the NZ environment. Three tiers cover everyone from SMBs to government agencies to classified workloads.

License: MIT · OpenStack: 2026.1 Gazpacho · NZISM: v3.9


Tiers

| | General | Government | Classified |
|---|---|---|---|
| Target | SMBs, startups, universities | NZ government agencies | NZDF, intelligence, law enforcement |
| NZISM classification | Unclassified | IN-CONFIDENCE / RESTRICTED | CONFIDENTIAL / SECRET |
| Network | Standard tenant VLANs | Dedicated management network, encrypted overlays | Air-gapped, no internet |
| Authentication | Keystone + LDAP | Keystone + gov LDAP / RealMe | Cleared-personnel LDAP, mandatory MFA |
| Continuous auth | — | — | Facial recognition + keystroke dynamics |
| Encryption | Optional at-rest | Mandatory at-rest (Barbican) + in-transit | Full disk, ASD-evaluated crypto |
| Logging | Standard | Centralised tamper-evident (OpenSearch + Wazuh) | Air-gapped SIEM |
| Connectivity | Internet | Proxy-only egress | None — sneakernet updates |
| Status | Deployable | Deployable (manual LDAP step) | Architecture-complete — accreditation required before operational use |
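The tier rows above are the kind of requirements a pre-flight check should enforce fail-closed: a setting that is missing from the deployment config is treated as non-compliant rather than assumed fine. The following is an added example written for this README and is not the tpt-datastack-nz CLI's own pre-flight code. The config key names are assumptions: enable_barbican and kolla_enable_tls_* follow Kolla-Ansible globals.yml naming, while egress_mode, mfa_required and central_logging are hypothetical tpt-level keys chosen for illustration; the sample configs are constructed.

```python
"""Fail-closed pre-flight check of a deployment config against tier requirements.

Added illustration only; not the tpt-datastack-nz CLI's own pre-flight code.
Requirements mirror the tier table. Config key names are assumptions:
enable_barbican and kolla_enable_tls_* follow Kolla-Ansible globals.yml naming;
egress_mode, mfa_required and central_logging are hypothetical tpt-level keys.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    key: str            # config key to inspect
    allowed: frozenset  # acceptable values; anything else (or a missing key) fails
    control: str        # which row of the tier table the check enforces


def _req(key, allowed, control):
    return Requirement(key, frozenset(allowed), control)


TIER_REQUIREMENTS = {
    # General tier: encryption is optional and egress is unrestricted.
    "general": [],
    "government": [
        _req("enable_barbican", {"yes"}, "Encryption: mandatory at-rest (Barbican)"),
        _req("kolla_enable_tls_external", {"yes"}, "Encryption: in-transit"),
        _req("egress_mode", {"proxy"}, "Connectivity: proxy-only egress"),
        _req("central_logging", {"yes"}, "Logging: centralised tamper-evident"),
    ],
    "classified": [
        _req("enable_barbican", {"yes"}, "Encryption: at-rest"),
        _req("kolla_enable_tls_external", {"yes"}, "Encryption: in-transit (external)"),
        _req("kolla_enable_tls_internal", {"yes"}, "Encryption: in-transit (internal)"),
        _req("egress_mode", {"none"}, "Connectivity: none (air-gapped)"),
        _req("mfa_required", {"yes"}, "Authentication: mandatory MFA"),
        _req("central_logging", {"yes"}, "Logging: air-gapped SIEM"),
    ],
}


def check_tier(tier, config):
    """Return a list of failure dicts; an empty list means the config passes.

    A key absent from the config is reported as a failure rather than assumed
    compliant, so a forgotten setting cannot silently downgrade a tier.
    """
    failures = []
    for req in TIER_REQUIREMENTS[tier]:
        actual = config.get(req.key, "<missing>")
        if actual not in req.allowed:
            failures.append({
                "key": req.key,
                "expected": sorted(req.allowed),
                "actual": actual,
                "control": req.control,
            })
    return failures


def format_report(tier, failures):
    """Render failures as plain lines for a terminal or an audit report."""
    if not failures:
        return f"[{tier}] pre-flight PASS"
    lines = [f"[{tier}] pre-flight FAIL ({len(failures)} issue(s))"]
    for f in failures:
        lines.append(
            f"  - {f['key']}={f['actual']!r} (expected one of {f['expected']}): {f['control']}"
        )
    return "\n".join(lines)


# Constructed sample configs (not real inventories).
GOVERNMENT_OK = {
    "enable_barbican": "yes",
    "kolla_enable_tls_external": "yes",
    "egress_mode": "proxy",
    "central_logging": "yes",
}
GOVERNMENT_DRIFTED = {
    "kolla_enable_tls_external": "yes",  # enable_barbican left out entirely
    "egress_mode": "internet",           # direct egress instead of proxy
    "central_logging": "yes",
}

if __name__ == "__main__":
    print(format_report("government", check_tier("government", GOVERNMENT_OK)))
    print(format_report("government", check_tier("government", GOVERNMENT_DRIFTED)))
```

Running the block reports the drifted government config as two failures (the missing Barbican setting and the direct-egress mode), and the same config checked against the classified tier picks up the additional internal-TLS, MFA and air-gap requirements.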


Architecture

This platform is a thin opinionated layer over Kolla-Ansible (containerised OpenStack deployment). The unique value is the NZ compliance layer — NZISM control mappings, OPA runtime policies, and tier topology templates.

┌──────────────────────────────────────────────┐
│           tpt-datastack-nz CLI               │
│   (tier selection · pre-flight · audit)      │
├──────────────────────────────────────────────┤
│  OPA Runtime Policies (NZISM controls)       │
├─────────────────┬────────────────────────────┤
│  Kolla-Ansible  │  Terraform pre-flight      │
│  (OpenStack)    │  (networks · storage)      │
├─────────────────┴────────────────────────────┤
│           Bare-metal / Hypervisor            │
└──────────────────────────────────────────────┘

For classified workstations, a tpt-continuous-auth daemon enforces continuous identity verification via facial recognition and keystroke dynamics.


Quick Start

Prerequisites

  • Python 3.11+
  • Ansible 10+
  • Terraform 1.8+
  • Target hardware: 3+ bare-metal nodes (General/Government) or isolated bare-metal (Classified)

Install tpt-datastack-nz

pip install tpt-datastack-nz

Deploy — General Tier

# Pre-flight check
tpt-datastack-nz pre-flight --tier general --inventory my-inventory.yml

# Deploy
tpt-datastack-nz deploy --tier general --inventory my-inventory.yml

# Audit compliance
tpt-datastack-nz audit --tier general --output report.html

Deploy — Government Tier

tpt-datastack-nz pre-flight --tier government --inventory my-inventory.yml
tpt-datastack-nz deploy --tier government --inventory my-inventory.yml

See docs/runbooks/government-deploy.md for the LDAP/RealMe integration steps.

Deploy — Classified Tier

Accreditation required. The classified tier is architecture-complete and technically deployable, but operational use requires formal NCSC/GCSB accreditation, physical security controls, TEMPEST assessment, and personnel security clearances. See docs/runbooks/classified-accreditation.md.

tpt-datastack-nz pre-flight --tier classified --inventory my-inventory.yml
tpt-datastack-nz deploy --tier classified --inventory my-inventory.yml

# Enrol a user for continuous authentication
tpt-datastack-nz enrol --user operator1

Repository Layout

tpt-datastack-nz/
├── tiers/                  # Tier-specific configuration overlays
│   ├── general/
│   ├── government/
│   └── classified/
├── deploy/
│   ├── kolla/              # Kolla-Ansible inventory + globals per tier
│   └── terraform/          # Pre-flight infrastructure (networks, storage)
├── compliance/
│   ├── nzism/oscal/        # NZISM v3.9 as OSCAL catalog + profiles
│   └── opa/                # Rego policies enforcing controls at runtime
├── cli/                    # tpt-datastack-nz CLI (Python + Typer)
├── continuous-auth/        # Continuous authentication daemon (classified tier)
├── docs/                   # MkDocs operator documentation
├── portal/                 # Web UI (React + TypeScript + Vite)
└── portal-api/             # FastAPI backend — proxies AI requests, exposes portal endpoints

NZISM Compliance

Control mappings are published in OSCAL format under compliance/nzism/oscal/. This is believed to be the first open-source OSCAL mapping of NZISM v3.9.

Controls are sourced from the NZISM v3.9 (November 2025), published by the Government Communications Security Bureau (GCSB).


Classified Tier: Continuous Authentication

The classified tier ships tpt-continuous-auth, a systemd daemon that runs on classified workstations and provides session-level identity verification:

  • Facial recognition — offline (dlib), local camera; verifies that the enrolled face is present throughout the session. Locks the screen on absence; terminates the session on prolonged absence.
  • Keystroke dynamics — captures typing rhythm (dwell time + flight time) via Linux evdev and scores live input against the enrolled profile. An anomaly triggers a re-authentication challenge.

Biometric data never leaves the workstation. Session events (anomaly, lock, kill) are published to the local air-gapped SIEM only.
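To make the keystroke-dynamics step concrete, here is an added example (written for this README, not code from tpt-continuous-auth) of the dwell/flight feature extraction, an enrolment profile, and an anomaly score that decides whether a live window should trigger a re-authentication challenge. It assumes key events arrive as (timestamp_seconds, keycode, is_press) tuples, the shape a filtered evdev reader would yield; the typist data, key codes and the 2.5 z-score threshold are constructed for illustration and are not the daemon's real parameters.

```python
"""Keystroke-dynamics scoring: dwell and flight times against an enrolled profile.

Added illustration only; not code from tpt-continuous-auth. Key events are modelled
as (timestamp_seconds, keycode, is_press) tuples, as an evdev reader filtered to
EV_KEY events would yield. All sample data below is constructed.
"""
import random
from statistics import mean, stdev


def extract_features(events):
    """Return (dwell_ms, flight_ms) lists.

    dwell  = release time minus press time of the same key
    flight = press time of the next key minus release time of the previous key
    """
    dwell, flight = [], []
    pressed_at = {}
    last_release = None
    for ts, code, is_press in sorted(events):
        if is_press:
            pressed_at[code] = ts
            if last_release is not None:
                flight.append((ts - last_release) * 1000.0)
        elif code in pressed_at:
            dwell.append((ts - pressed_at.pop(code)) * 1000.0)
            last_release = ts
    return dwell, flight


def build_profile(enrolment_sessions):
    """Enrolment: mean and standard deviation of each feature over all sessions."""
    all_dwell, all_flight = [], []
    for events in enrolment_sessions:
        d, f = extract_features(events)
        all_dwell.extend(d)
        all_flight.extend(f)
    return {
        "dwell": (mean(all_dwell), stdev(all_dwell)),
        "flight": (mean(all_flight), stdev(all_flight)),
    }


def anomaly_score(profile, events):
    """Mean absolute z-score of a live window's features against the profile.

    0 means the window matches the enrolled rhythm; larger is more anomalous.
    An empty window scores 0 so that silence alone never raises a challenge.
    """
    live_dwell, live_flight = extract_features(events)
    zs = []
    for values, (mu, sd) in ((live_dwell, profile["dwell"]),
                             (live_flight, profile["flight"])):
        sd = sd or 1e-6  # guard against a degenerate (constant) enrolment feature
        zs.extend(abs(v - mu) / sd for v in values)
    return mean(zs) if zs else 0.0


def should_challenge(profile, events, threshold=2.5):
    """Decide whether this window should trigger a re-authentication challenge."""
    return anomaly_score(profile, events) > threshold


def synth_session(n_keys, dwell_ms, flight_ms, jitter_ms, seed):
    """Constructed key-event stream for a typist with the given mean rhythm."""
    rng = random.Random(seed)
    events, t = [], 0.0
    for i in range(n_keys):
        code = 30 + (i % 26)  # constructed key codes; real evdev codes differ
        press = t
        release = press + (dwell_ms + rng.uniform(-jitter_ms, jitter_ms)) / 1000.0
        events.append((press, code, True))
        events.append((release, code, False))
        t = release + (flight_ms + rng.uniform(-jitter_ms, jitter_ms)) / 1000.0
    return events


# Constructed enrolment: three sessions of one operator (dwell ~90 ms, flight ~120 ms).
ENROLLED_PROFILE = build_profile(
    [synth_session(60, 90, 120, 15, seed=s) for s in (1, 2, 3)]
)

if __name__ == "__main__":
    same_operator = synth_session(40, 90, 120, 15, seed=7)
    different_typist = synth_session(40, 180, 300, 15, seed=8)
    print("operator score:", round(anomaly_score(ENROLLED_PROFILE, same_operator), 2))
    print("impostor score:", round(anomaly_score(ENROLLED_PROFILE, different_typist), 2))
```

The profile stays on the workstation as two (mean, standard deviation) pairs, so the only data that needs to leave the process is the challenge decision itself, which matches the README's rule that biometric data never leaves the workstation and only session events reach the SIEM.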


Contributing

See CONTRIBUTING.md. All contributions welcome — issues, PRs, NZISM control mapping corrections, and documentation improvements.

For classified tier contributions, please note that architectural changes should be reviewed against the current NZISM document before submitting.


Legal

  • License: MIT — see LICENSE
  • Classified tier: Publishing this architecture under MIT is lawful. The NZISM is a public document. Operational deployment in a classified environment requires formal accreditation by NCSC/GCSB — this software provides the technical baseline only.
  • Biometric data: Collection and use of biometric data (face encodings, keystroke profiles) is subject to the Privacy Act 2020 (NZ). Operators are responsible for lawful collection and use within their environments.

Acknowledgements

Built on Kolla-Ansible and the broader OpenStack community. NZISM compliance mappings sourced from nzism.gcsb.govt.nz.