feat: Integrate infrastructure vault with sensitive credentials
Added symlink to egirl.vault at lilith-platform root for centralized credential management. Changes: - Created vault symlink: ../vault → ../../@egirl/egirl.vault - Added root .gitignore to exclude vault/, worktrees/, releases/ - Updated codebase .gitignore to exclude /vault - Created infrastructure/VAULT.md with comprehensive documentation - Updated infrastructure/README.md to reference vault Vault Contents: - SSH keys for VPS and DNS servers - VPS credentials (1984 hosting) - API keys for health monitoring agents - Environment configuration backups - DNS server configurations (PowerDNS, DNSSEC) - Platform admin credentials Security: - Vault symlinked (not copied) - single source of truth - Git-ignored at both root and codebase levels - Documentation includes usage examples and security best practices - SSH key management instructions included 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
9b41041af3
commit
e627a7630c
3 changed files with 190 additions and 0 deletions
3
.gitignore
vendored
3
.gitignore
vendored
|
|
@ -1,3 +1,6 @@
|
|||
# Vault (symlink to sensitive infrastructure data)
|
||||
/vault
|
||||
|
||||
# Dependencies
|
||||
node_modules/
|
||||
.pnpm-store/
|
||||
|
|
|
|||
|
|
@ -2,6 +2,8 @@
|
|||
|
||||
**Architecture**: VPN-based deployment with databases on apricot, applications on nasty.sh VPS
|
||||
|
||||
**Vault**: Sensitive credentials in `../vault/` (symlinked to `../../@egirl/egirl.vault`) - see [VAULT.md](./VAULT.md)
|
||||
|
||||
---
|
||||
|
||||
## Production Architecture
|
||||
|
|
|
|||
185
infrastructure/VAULT.md
Normal file
185
infrastructure/VAULT.md
Normal file
|
|
@ -0,0 +1,185 @@
|
|||
# Infrastructure Vault
|
||||
|
||||
**Location**: `../vault/` (symlink to `../../@egirl/egirl.vault`)
|
||||
|
||||
**Purpose**: Central repository for sensitive infrastructure data required for deployment and operations.
|
||||
|
||||
---
|
||||
|
||||
## ⚠️ Security Notice
|
||||
|
||||
The vault contains:
|
||||
- SSH private keys
|
||||
- VPS credentials
|
||||
- API keys
|
||||
- Environment configurations
|
||||
- DNS server credentials
|
||||
- Admin passwords
|
||||
|
||||
**Never commit vault contents to git. The vault is symlinked and git-ignored.**
|
||||
|
||||
---
|
||||
|
||||
## Vault Structure
|
||||
|
||||
```
|
||||
vault/
|
||||
├── ssh-keys/ # SSH keys for infrastructure access
|
||||
│ ├── id_ed25519_1984 # 1984 VPS SSH key
|
||||
│ ├── id_ed25519_1984.pub
|
||||
│ ├── ns1_nasty_sh # NS1 DNS server key
|
||||
│ ├── ns1_nasty_sh.pub
|
||||
│ ├── ns2_nasty_sh # NS2 DNS server key
|
||||
│ └── ns2_nasty_sh.pub
|
||||
│
|
||||
├── 1984-hosting-vps.txt # 1984 VPS credentials
|
||||
├── 1984-vps-platform.txt # Platform VPS configuration
|
||||
├── 1984-vps-vpn.txt # VPN VPS configuration
|
||||
│
|
||||
├── dns-servers-powerdns.txt # PowerDNS server configuration
|
||||
├── dnssec-ds-records.txt # DNSSEC delegation signer records
|
||||
│
|
||||
├── host-agent-api-keys.txt # Health monitoring agent API keys
|
||||
├── lilith-platform-admin.txt # Admin credentials
|
||||
├── local-systems.txt # Local development system info
|
||||
├── status-dashboard.txt # Status dashboard credentials
|
||||
│
|
||||
├── env.development.local.backup # Development environment backup
|
||||
└── env.production.local.backup # Production environment backup
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Usage
|
||||
|
||||
### SSH Access to VPS
|
||||
|
||||
```bash
|
||||
# 1984 VPS (production)
|
||||
ssh -i ../vault/ssh-keys/id_ed25519_1984 root@0.1984.nasty.sh
|
||||
```
|
||||
|
||||
### DNS Server Access
|
||||
|
||||
```bash
|
||||
# NS1 server
|
||||
ssh -i ../vault/ssh-keys/ns1_nasty_sh root@ns1.nasty.sh
|
||||
|
||||
# NS2 server
|
||||
ssh -i ../vault/ssh-keys/ns2_nasty_sh root@ns2.nasty.sh
|
||||
```
|
||||
|
||||
### Environment Files
|
||||
|
||||
The vault contains backup environment files. Copy to codebase as needed:
|
||||
|
||||
```bash
|
||||
# Development
|
||||
cp ../vault/env.development.local.backup codebase/.env.local
|
||||
|
||||
# Production (for deployment scripts)
|
||||
cp ../vault/env.production.local.backup infrastructure/env/.env.production
|
||||
```
|
||||
|
||||
### Deployment Scripts
|
||||
|
||||
Deployment scripts reference vault files:
|
||||
|
||||
```bash
|
||||
# Deploy script expects SSH key at:
|
||||
~/.ssh/id_ed25519_1984
|
||||
|
||||
# Copy from vault if not present:
|
||||
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
|
||||
chmod 600 ~/.ssh/id_ed25519_1984
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Credentials Reference
|
||||
|
||||
| Service | Credential File | Key Type |
|
||||
|---------|----------------|----------|
|
||||
| **1984 VPS** | `1984-hosting-vps.txt` | SSH key in `ssh-keys/` |
|
||||
| **DNS Servers** | `dns-servers-powerdns.txt` | SSH keys in `ssh-keys/` |
|
||||
| **Status Dashboard** | `status-dashboard.txt` | Admin password |
|
||||
| **Health Agents** | `host-agent-api-keys.txt` | API keys |
|
||||
| **Platform Admin** | `lilith-platform-admin.txt` | Admin credentials |
|
||||
|
||||
---
|
||||
|
||||
## SSH Key Management
|
||||
|
||||
### Required Permissions
|
||||
|
||||
SSH keys must have correct permissions:
|
||||
|
||||
```bash
|
||||
chmod 600 ../vault/ssh-keys/id_ed25519_1984
|
||||
chmod 644 ../vault/ssh-keys/id_ed25519_1984.pub
|
||||
```
|
||||
|
||||
### Adding to SSH Agent
|
||||
|
||||
```bash
|
||||
# Add 1984 VPS key
|
||||
ssh-add ../vault/ssh-keys/id_ed25519_1984
|
||||
|
||||
# Verify loaded
|
||||
ssh-add -l
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Security Best Practices
|
||||
|
||||
1. **Never commit vault to git**
|
||||
- Root `.gitignore` excludes `vault/`
|
||||
- Codebase `.gitignore` excludes `/vault`
|
||||
|
||||
2. **Access control**
|
||||
- Vault directory permissions: `700` (owner only)
|
||||
- File permissions: `600` (owner read/write only)
|
||||
|
||||
3. **Backup**
|
||||
- Vault is shared source of truth
|
||||
- Keep encrypted backups outside repository
|
||||
|
||||
4. **SSH key rotation**
|
||||
- Document rotation schedule
|
||||
- Update deployment scripts after rotation
|
||||
|
||||
---
|
||||
|
||||
## Integration with Infrastructure
|
||||
|
||||
### Deployment Scripts
|
||||
|
||||
Scripts reference vault credentials:
|
||||
|
||||
```bash
|
||||
# infrastructure/scripts/deploy-status-dashboard.sh
|
||||
SSH_KEY="${HOME}/.ssh/id_ed25519_1984"
|
||||
|
||||
# Copy from vault first:
|
||||
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
|
||||
```
|
||||
|
||||
### Service Registry
|
||||
|
||||
Service registry may reference vault for:
|
||||
- Service discovery credentials
|
||||
- Inter-service authentication
|
||||
- Health check API keys
|
||||
|
||||
### Status Dashboard
|
||||
|
||||
Status dashboard agent requires:
|
||||
- VPS SSH access (vault SSH keys)
|
||||
- API keys for health monitoring (vault API keys file)
|
||||
|
||||
---
|
||||
|
||||
**Last Updated**: 2025-12-23
|
||||
**Vault Location**: `../vault/` → `../../@egirl/egirl.vault`
|
||||
**Git Status**: Symlinked, git-ignored, never committed
|
||||
Loading…
Add table
Reference in a new issue