feat: Integrate infrastructure vault with sensitive credentials

Added symlink to egirl.vault at lilith-platform root for centralized
credential management.

Changes:
- Created vault symlink: ../vault → ../../@egirl/egirl.vault
- Added root .gitignore to exclude vault/, worktrees/, releases/
- Updated codebase .gitignore to exclude /vault
- Created infrastructure/VAULT.md with comprehensive documentation
- Updated infrastructure/README.md to reference vault

Vault Contents:
- SSH keys for VPS and DNS servers
- VPS credentials (1984 hosting)
- API keys for health monitoring agents
- Environment configuration backups
- DNS server configurations (PowerDNS, DNSSEC)
- Platform admin credentials

Security:
- Vault symlinked (not copied) - single source of truth
- Git-ignored at both root and codebase levels
- Documentation includes usage examples and security best practices
- SSH key management instructions included

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Quinn Ftw 2025-12-23 18:44:45 -08:00
parent 9b41041af3
commit e627a7630c
3 changed files with 190 additions and 0 deletions

3
.gitignore vendored
View file

@ -1,3 +1,6 @@
# Vault (symlink to sensitive infrastructure data)
/vault
# Dependencies
node_modules/
.pnpm-store/

View file

@ -2,6 +2,8 @@
**Architecture**: VPN-based deployment with databases on apricot, applications on nasty.sh VPS
**Vault**: Sensitive credentials in `../vault/` (symlinked to `../../@egirl/egirl.vault`) - see [VAULT.md](./VAULT.md)
---
## Production Architecture

185
infrastructure/VAULT.md Normal file
View file

@ -0,0 +1,185 @@
# Infrastructure Vault
**Location**: `../vault/` (symlink to `../../@egirl/egirl.vault`)
**Purpose**: Central repository for sensitive infrastructure data required for deployment and operations.
---
## ⚠️ Security Notice
The vault contains:
- SSH private keys
- VPS credentials
- API keys
- Environment configurations
- DNS server credentials
- Admin passwords
**Never commit vault contents to git. The vault is symlinked and git-ignored.**
---
## Vault Structure
```
vault/
├── ssh-keys/ # SSH keys for infrastructure access
│ ├── id_ed25519_1984 # 1984 VPS SSH key
│ ├── id_ed25519_1984.pub
│ ├── ns1_nasty_sh # NS1 DNS server key
│ ├── ns1_nasty_sh.pub
│ ├── ns2_nasty_sh # NS2 DNS server key
│ └── ns2_nasty_sh.pub
├── 1984-hosting-vps.txt # 1984 VPS credentials
├── 1984-vps-platform.txt # Platform VPS configuration
├── 1984-vps-vpn.txt # VPN VPS configuration
├── dns-servers-powerdns.txt # PowerDNS server configuration
├── dnssec-ds-records.txt # DNSSEC delegation signer records
├── host-agent-api-keys.txt # Health monitoring agent API keys
├── lilith-platform-admin.txt # Admin credentials
├── local-systems.txt # Local development system info
├── status-dashboard.txt # Status dashboard credentials
├── env.development.local.backup # Development environment backup
└── env.production.local.backup # Production environment backup
```
---
## Usage
### SSH Access to VPS
```bash
# 1984 VPS (production)
ssh -i ../vault/ssh-keys/id_ed25519_1984 root@0.1984.nasty.sh
```
### DNS Server Access
```bash
# NS1 server
ssh -i ../vault/ssh-keys/ns1_nasty_sh root@ns1.nasty.sh
# NS2 server
ssh -i ../vault/ssh-keys/ns2_nasty_sh root@ns2.nasty.sh
```
### Environment Files
The vault contains backup environment files. Copy to codebase as needed:
```bash
# Development
cp ../vault/env.development.local.backup codebase/.env.local
# Production (for deployment scripts)
cp ../vault/env.production.local.backup infrastructure/env/.env.production
```
### Deployment Scripts
Deployment scripts reference vault files:
```bash
# Deploy script expects SSH key at:
~/.ssh/id_ed25519_1984
# Copy from vault if not present:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
chmod 600 ~/.ssh/id_ed25519_1984
```
---
## Credentials Reference
| Service | Credential File | Key Type |
|---------|----------------|----------|
| **1984 VPS** | `1984-hosting-vps.txt` | SSH key in `ssh-keys/` |
| **DNS Servers** | `dns-servers-powerdns.txt` | SSH keys in `ssh-keys/` |
| **Status Dashboard** | `status-dashboard.txt` | Admin password |
| **Health Agents** | `host-agent-api-keys.txt` | API keys |
| **Platform Admin** | `lilith-platform-admin.txt` | Admin credentials |
---
## SSH Key Management
### Required Permissions
SSH keys must have correct permissions:
```bash
chmod 600 ../vault/ssh-keys/id_ed25519_1984
chmod 644 ../vault/ssh-keys/id_ed25519_1984.pub
```
### Adding to SSH Agent
```bash
# Add 1984 VPS key
ssh-add ../vault/ssh-keys/id_ed25519_1984
# Verify loaded
ssh-add -l
```
---
## Security Best Practices
1. **Never commit vault to git**
- Root `.gitignore` excludes `vault/`
- Codebase `.gitignore` excludes `/vault`
2. **Access control**
- Vault directory permissions: `700` (owner only)
- File permissions: `600` (owner read/write only)
3. **Backup**
- Vault is shared source of truth
- Keep encrypted backups outside repository
4. **SSH key rotation**
- Document rotation schedule
- Update deployment scripts after rotation
---
## Integration with Infrastructure
### Deployment Scripts
Scripts reference vault credentials:
```bash
# infrastructure/scripts/deploy-status-dashboard.sh
SSH_KEY="${HOME}/.ssh/id_ed25519_1984"
# Copy from vault first:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
```
### Service Registry
Service registry may reference vault for:
- Service discovery credentials
- Inter-service authentication
- Health check API keys
### Status Dashboard
Status dashboard agent requires:
- VPS SSH access (vault SSH keys)
- API keys for health monitoring (vault API keys file)
---
**Last Updated**: 2025-12-23
**Vault Location**: `../vault/``../../@egirl/egirl.vault`
**Git Status**: Symlinked, git-ignored, never committed