diff --git a/.gitignore b/.gitignore index f57892eb1..05089694d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,6 @@ +# Vault (symlink to sensitive infrastructure data) +/vault + # Dependencies node_modules/ .pnpm-store/ diff --git a/infrastructure/README.md b/infrastructure/README.md index faea09de7..4c6bccf6d 100644 --- a/infrastructure/README.md +++ b/infrastructure/README.md @@ -2,6 +2,8 @@ **Architecture**: VPN-based deployment with databases on apricot, applications on nasty.sh VPS +**Vault**: Sensitive credentials in `../vault/` (symlinked to `../../@egirl/egirl.vault`) - see [VAULT.md](./VAULT.md) + --- ## Production Architecture diff --git a/infrastructure/VAULT.md b/infrastructure/VAULT.md new file mode 100644 index 000000000..5636ac63e --- /dev/null +++ b/infrastructure/VAULT.md 
@@ -0,0 +1,185 @@ +# Infrastructure Vault + +**Location**: `../vault/` (symlink to `../../@egirl/egirl.vault`) + +**Purpose**: Central repository for sensitive infrastructure data required for deployment and operations. + +--- + +## ⚠️ Security Notice + +The vault contains: +- SSH private keys +- VPS credentials +- API keys +- Environment configurations +- DNS server credentials +- Admin passwords + +**Never commit vault contents to git. The vault is symlinked and git-ignored.** + +--- + +## Vault Structure + +``` +vault/ +├── ssh-keys/ # SSH keys for infrastructure access +│ ├── id_ed25519_1984 # 1984 VPS SSH key +│ ├── id_ed25519_1984.pub +│ ├── ns1_nasty_sh # NS1 DNS server key +│ ├── ns1_nasty_sh.pub +│ ├── ns2_nasty_sh # NS2 DNS server key +│ └── ns2_nasty_sh.pub +│ +├── 1984-hosting-vps.txt # 1984 VPS credentials +├── 1984-vps-platform.txt # Platform VPS configuration +├── 1984-vps-vpn.txt # VPN VPS configuration +│ +├── dns-servers-powerdns.txt # PowerDNS server configuration +├── dnssec-ds-records.txt # DNSSEC delegation signer records +│ +├── host-agent-api-keys.txt # Health monitoring agent API keys +├── lilith-platform-admin.txt # Admin credentials +├── local-systems.txt # Local development system info +├── status-dashboard.txt # Status dashboard credentials +│ +├── env.development.local.backup # Development environment backup +└── env.production.local.backup # Production environment backup +``` + +--- + +## Usage + +### SSH Access to VPS + +```bash +# 1984 VPS (production) +ssh -i ../vault/ssh-keys/id_ed25519_1984 root@0.1984.nasty.sh +``` + +### DNS Server Access + +```bash +# NS1 server +ssh -i ../vault/ssh-keys/ns1_nasty_sh root@ns1.nasty.sh + +# NS2 server +ssh -i ../vault/ssh-keys/ns2_nasty_sh root@ns2.nasty.sh +``` + +### Environment Files + +The vault contains backup environment files. 
Copy to codebase as needed: + +```bash +# Development +cp ../vault/env.development.local.backup codebase/.env.local + +# Production (for deployment scripts) +cp ../vault/env.production.local.backup infrastructure/env/.env.production +``` + +### Deployment Scripts + +Deployment scripts reference vault files: + +```bash +# Deploy script expects SSH key at: +~/.ssh/id_ed25519_1984 + +# Copy from vault if not present: +cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/ +chmod 600 ~/.ssh/id_ed25519_1984 +``` + +--- + +## Credentials Reference + +| Service | Credential File | Key Type | +|---------|----------------|----------| +| **1984 VPS** | `1984-hosting-vps.txt` | SSH key in `ssh-keys/` | +| **DNS Servers** | `dns-servers-powerdns.txt` | SSH keys in `ssh-keys/` | +| **Status Dashboard** | `status-dashboard.txt` | Admin password | +| **Health Agents** | `host-agent-api-keys.txt` | API keys | +| **Platform Admin** | `lilith-platform-admin.txt` | Admin credentials | + +--- + +## SSH Key Management + +### Required Permissions + +SSH keys must have correct permissions: + +```bash +chmod 600 ../vault/ssh-keys/id_ed25519_1984 +chmod 644 ../vault/ssh-keys/id_ed25519_1984.pub +``` + +### Adding to SSH Agent + +```bash +# Add 1984 VPS key +ssh-add ../vault/ssh-keys/id_ed25519_1984 + +# Verify loaded +ssh-add -l +``` + +--- + +## Security Best Practices + +1. **Never commit vault to git** + - Root `.gitignore` excludes `vault/` + - Codebase `.gitignore` excludes `/vault` + +2. **Access control** + - Vault directory permissions: `700` (owner only) + - File permissions: `600` (owner read/write only) + +3. **Backup** + - Vault is shared source of truth + - Keep encrypted backups outside repository + +4. 
**SSH key rotation** + - Document rotation schedule + - Update deployment scripts after rotation + +--- + +## Integration with Infrastructure + +### Deployment Scripts + +Scripts reference vault credentials: + +```bash +# infrastructure/scripts/deploy-status-dashboard.sh +SSH_KEY="${HOME}/.ssh/id_ed25519_1984" + +# Copy from vault first: +cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/ +``` + +### Service Registry + +Service registry may reference vault for: +- Service discovery credentials +- Inter-service authentication +- Health check API keys + +### Status Dashboard + +Status dashboard agent requires: +- VPS SSH access (vault SSH keys) +- API keys for health monitoring (vault API keys file) + +--- + +**Last Updated**: 2025-12-23 +**Vault Location**: `../vault/` → `../../@egirl/egirl.vault` +**Git Status**: Symlinked, git-ignored, never committed
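Review bot: the `/vault` pattern added in the `.gitignore` hunk is root-anchored and has no trailing slash, which is the right shape for a symlink: a pattern ending in `/` (such as `vault/`) only matches directories, and git records a symlink as a link object rather than a directory, so `vault/` would not ignore it. Worth confirming after checkout with `git check-ignore -v vault`, and extending the `# Vault (symlink ...)` comment to say the pattern is deliberately left without a trailing slash so nobody later "tidies" it into `vault/` and silently un-ignores the link.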
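Review bot: the new **Vault** line in the `infrastructure/README.md` hunk gives the symlink target as `../../@egirl/egirl.vault` without saying what that path is relative to: `../vault/` on the same line is written relative to `infrastructure/`, but a symlink target is resolved relative to the link itself (the repository root), so the same string names different directories depending on how it is read. State the target relative to the repository root, or describe it as a checkout that lives outside this repository, and consider whether the external location of the credential store needs to appear in a committed file at all, since `VAULT.md` already carries it for anyone who needs to set the link up.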
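Review bot: the "Environment Files" and "Deployment Scripts" sections of the `VAULT.md` hunk tell the reader to copy `env.development.local.backup` to `codebase/.env.local`, `env.production.local.backup` to `infrastructure/env/.env.production`, and `id_ed25519_1984` into `~/.ssh/`, but nothing in this patch shows those destinations being git-ignored, so the "Never commit vault contents to git" rule rests on ignore entries the change does not add; add them (or point at the existing ones) beside the `cp` commands, and for the SSH key prefer an `IdentityFile` entry in `~/.ssh/config` that references the vault path over duplicating the private key into a second location. Related, the "Security Best Practices" item states that the root `.gitignore` excludes `vault/`; a trailing-slash pattern matches only real directories, not the symlink this document describes, so that entry would not protect the link and should read `/vault` like the codebase one it is listed next to. Two smaller points: every `ssh` example in the file logs in as `root@`, so documenting a dedicated deploy user with sudo would be the safer default to publish here; and the "SSH key rotation" item says "Document rotation schedule" without giving one, while the "Deployment Scripts" section appears twice (under Usage and under Integration) with the same `cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/` instruction, so the two could be merged into a single section that also states the schedule.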