platform-codebase/infrastructure/VAULT.md
Quinn Ftw e627a7630c feat: Integrate infrastructure vault with sensitive credentials
Added symlink to egirl.vault at lilith-platform root for centralized
credential management.

Changes:
- Created vault symlink: ../vault → ../../@egirl/egirl.vault
- Added root .gitignore to exclude vault/, worktrees/, releases/
- Updated codebase .gitignore to exclude /vault
- Created infrastructure/VAULT.md with comprehensive documentation
- Updated infrastructure/README.md to reference vault

Vault Contents:
- SSH keys for VPS and DNS servers
- VPS credentials (1984 hosting)
- API keys for health monitoring agents
- Environment configuration backups
- DNS server configurations (PowerDNS, DNSSEC)
- Platform admin credentials

Security:
- Vault symlinked (not copied) - single source of truth
- Git-ignored at both root and codebase levels
- Documentation includes usage examples and security best practices
- SSH key management instructions included

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 18:44:45 -08:00


Infrastructure Vault

Location: ../vault/ (symlink to ../../@egirl/egirl.vault)

Purpose: Central repository for sensitive infrastructure data required for deployment and operations.


⚠️ Security Notice

The vault contains:

  • SSH private keys
  • VPS credentials
  • API keys
  • Environment configurations
  • DNS server credentials
  • Admin passwords

Never commit vault contents to git. The vault is symlinked and git-ignored.


Vault Structure

vault/
├── ssh-keys/                    # SSH keys for infrastructure access
│   ├── id_ed25519_1984         # 1984 VPS SSH key
│   ├── id_ed25519_1984.pub
│   ├── ns1_nasty_sh            # NS1 DNS server key
│   ├── ns1_nasty_sh.pub
│   ├── ns2_nasty_sh            # NS2 DNS server key
│   └── ns2_nasty_sh.pub
│
├── 1984-hosting-vps.txt         # 1984 VPS credentials
├── 1984-vps-platform.txt        # Platform VPS configuration
├── 1984-vps-vpn.txt             # VPN VPS configuration
│
├── dns-servers-powerdns.txt     # PowerDNS server configuration
├── dnssec-ds-records.txt        # DNSSEC delegation signer records
│
├── host-agent-api-keys.txt      # Health monitoring agent API keys
├── lilith-platform-admin.txt    # Admin credentials
├── local-systems.txt            # Local development system info
├── status-dashboard.txt         # Status dashboard credentials
│
├── env.development.local.backup # Development environment backup
└── env.production.local.backup  # Production environment backup

Usage

SSH Access to VPS

# 1984 VPS (production)
ssh -i ../vault/ssh-keys/id_ed25519_1984 root@0.1984.nasty.sh

DNS Server Access

# NS1 server
ssh -i ../vault/ssh-keys/ns1_nasty_sh root@ns1.nasty.sh

# NS2 server
ssh -i ../vault/ssh-keys/ns2_nasty_sh root@ns2.nasty.sh

Environment Files

The vault holds backup copies of the environment files. Copy them into the codebase as needed; both destinations below hold live secrets and must themselves be git-ignored, so check that before copying:

# Development
cp ../vault/env.development.local.backup codebase/.env.local

# Production (for deployment scripts)
cp ../vault/env.production.local.backup infrastructure/env/.env.production

Deployment Scripts

Deployment scripts reference vault files:

# Deploy script expects SSH key at:
~/.ssh/id_ed25519_1984

# Copy from vault if not present. This creates a second copy of the private
# key outside the vault, so it must be removed or replaced whenever the vault
# key is rotated; a symlink from ~/.ssh into the vault avoids the extra copy
# (OpenSSH checks the permissions of the link target, so 600 still applies):
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
chmod 600 ~/.ssh/id_ed25519_1984
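The Usage steps above pass -i by hand and copy the key into ~/.ssh. An alternative that keeps the only copy of each private key in the vault is a project-local ssh_config that names the vault keys in place and pins each host to its own key with IdentitiesOnly, so an agent loaded with other keys does not offer them to the wrong server. The generator below is an added example and not part of the project's scripts or documentation; the Host aliases 1984-vps, ns1 and ns2, the output path and the requirement for an absolute vault path are assumptions, while the hostnames and key file names are the ones documented above.

```shell
#!/bin/sh
# Added example: generate a project-local ssh_config that references the vault
# keys in place instead of copying them to ~/.ssh.
# Usage: write_vault_ssh_config /abs/path/to/vault infrastructure/ssh_config
#        ssh -F infrastructure/ssh_config 1984-vps
# Host aliases and output location are assumptions; hostnames and key file
# names are the ones documented in VAULT.md.

write_vault_ssh_config() {
  vault=$1   # absolute path to the vault (the symlink or the real directory)
  out=$2     # where to write the config

  # Refuse a relative vault path: a relative IdentityFile is resolved against
  # the directory ssh is run from, which differs between a shell and a deploy
  # script, and a silently missing key falls back to whatever the agent holds.
  case $vault in
    /*) ;;
    *)  printf 'vault path must be absolute: %s\n' "$vault" >&2; return 2 ;;
  esac

  cat > "$out" <<EOF
# Generated by write_vault_ssh_config; keys live in $vault/ssh-keys/
Host 1984-vps
    HostName 0.1984.nasty.sh
    User root
    IdentityFile $vault/ssh-keys/id_ed25519_1984
    IdentitiesOnly yes

Host ns1
    HostName ns1.nasty.sh
    User root
    IdentityFile $vault/ssh-keys/ns1_nasty_sh
    IdentitiesOnly yes

Host ns2
    HostName ns2.nasty.sh
    User root
    IdentityFile $vault/ssh-keys/ns2_nasty_sh
    IdentitiesOnly yes
EOF
  # The config names secret paths; keep it owner-only like the vault itself.
  chmod 600 "$out"
}
```

With the file in place, ssh -F infrastructure/ssh_config 1984-vps (or the same -F in a deployment script) uses the vault key directly, and rotating a key in the vault needs no copies to be chased down.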

Credentials Reference

| Service          | Credential File           | Key Type              |
| ---------------- | ------------------------- | --------------------- |
| 1984 VPS         | 1984-hosting-vps.txt      | SSH key in ssh-keys/  |
| DNS Servers      | dns-servers-powerdns.txt  | SSH keys in ssh-keys/ |
| Status Dashboard | status-dashboard.txt      | Admin password        |
| Health Agents    | host-agent-api-keys.txt   | API keys              |
| Platform Admin   | lilith-platform-admin.txt | Admin credentials     |

SSH Key Management

Required Permissions

Private keys must be readable only by their owner; OpenSSH refuses a key whose mode allows group or world access ("Permissions 0644 for '...' are too open"), while the public half can stay world-readable:

chmod 600 ../vault/ssh-keys/id_ed25519_1984
chmod 644 ../vault/ssh-keys/id_ed25519_1984.pub

Adding to SSH Agent

# Add 1984 VPS key
ssh-add ../vault/ssh-keys/id_ed25519_1984

# Verify loaded
ssh-add -l
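A check that the modes in this section (and in item 2 of the best practices below) actually hold is worth scripting: a chmod on one key fixes nothing for the rest of the vault, and a file copied into the vault inherits the umask rather than 600. The audit and fix functions below are an added example, not the project's code; they default to ../vault as documented, follow the symlink so the real directory is checked, treat every .txt and .backup file and every non-.pub key as secret, and assume a stat that supports either the GNU -c or the BSD -f format.

```shell
#!/bin/sh
# Added example: audit and repair vault permissions against the modes VAULT.md
# prescribes: directories 700, private keys and credential files 600, public
# keys 644. Not part of the project; the vault path defaults to ../vault as
# documented, everything else is an assumption.

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Expected mode for a vault entry: .pub keys are public, everything else is secret.
want_mode() {
  case $1 in
    *.pub) echo 644 ;;
    *)     echo 600 ;;
  esac
}

# Print one line per deviation and return 1 if any were found.
# Follows the vault symlink so the real directory is checked, not the link.
vault_perms_audit() {
  vault=${1:-../vault}
  rc=0
  real=$(cd "$vault" 2>/dev/null && pwd -P) || {
    printf 'no such vault: %s\n' "$vault" >&2; return 2; }

  for d in "$real" "$real/ssh-keys"; do
    [ -d "$d" ] || continue
    m=$(file_mode "$d")
    [ "$m" = 700 ] || { printf 'DIR  %s is %s, want 700\n' "$d" "$m"; rc=1; }
  done

  for f in "$real"/ssh-keys/* "$real"/*.txt "$real"/*.backup; do
    [ -f "$f" ] || continue
    m=$(file_mode "$f"); w=$(want_mode "$f")
    [ "$m" = "$w" ] || { printf 'FILE %s is %s, want %s\n' "$f" "$m" "$w"; rc=1; }
  done
  return $rc
}

# Apply the prescribed modes to the same set of entries the audit checks.
vault_perms_fix() {
  vault=${1:-../vault}
  real=$(cd "$vault" 2>/dev/null && pwd -P) || return 2
  for d in "$real" "$real/ssh-keys"; do
    [ -d "$d" ] && chmod 700 "$d"
  done
  for f in "$real"/ssh-keys/* "$real"/*.txt "$real"/*.backup; do
    [ -f "$f" ] && chmod "$(want_mode "$f")" "$f"
  done
  return 0
}
```

Run vault_perms_audit before a deployment and vault_perms_fix after adding anything to the vault; the audit deliberately reports rather than repairs, so a world-readable key that appeared unexpectedly is noticed instead of quietly tidied away.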

Security Best Practices

  1. Never commit vault to git

    • Root .gitignore excludes vault/
    • Codebase .gitignore excludes /vault
    • A pattern with a trailing slash (vault/) matches only real directories, and git records a symlink as a file, so at the root the symlink itself is covered only by the slash-less form (vault); committing it would leak just the target path, not the contents, but confirm the rule matches with git check-ignore after any .gitignore change
  2. Access control

    • Vault directory permissions: 700 (owner only)
    • File permissions: 600 (owner read/write only); public keys (.pub) may stay 644
  3. Backup

    • Vault is the shared source of truth
    • Keep encrypted backups outside the repository
  4. SSH key rotation

    • Document rotation schedule
    • Update deployment scripts after rotation, and replace every copy made under ~/.ssh by the steps above
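Two checks that back item 1 of this list: one asks git which rule covers a path (a trailing-slash pattern such as vault/ matches only real directories, and git records a symlink as a file, so the root symlink is worth checking explicitly), and one refuses staged files that carry vault file names or private key headers. Both are an added example and not part of the project; the marker list is built from the vault layout documented above, and the pre-commit wiring is an assumption.

```shell
#!/bin/sh
# Added example: two guardrails for "never commit vault contents".
#  assert_ignored        - confirm each path is covered by .gitignore and print
#                          the matching rule. A tracked path is reported as not
#                          ignored, which is exactly the case to catch.
#  scan_for_key_material - refuse a list of files that carry vault file names or
#                          private key headers; pre_commit_check feeds it the
#                          staged file list.
# Not part of the project; the marker list comes from the layout in VAULT.md,
# the hook wiring is an assumption.

# Basenames from the documented vault layout (a name gate, not a secret scanner).
VAULT_BASENAMES=" id_ed25519_1984 ns1_nasty_sh ns2_nasty_sh \
1984-hosting-vps.txt 1984-vps-platform.txt 1984-vps-vpn.txt \
dns-servers-powerdns.txt dnssec-ds-records.txt host-agent-api-keys.txt \
lilith-platform-admin.txt local-systems.txt status-dashboard.txt \
env.development.local.backup env.production.local.backup "

# Exit 0 if every path is ignored; otherwise list the uncovered ones and exit 1.
assert_ignored() {
  rc=0
  for p in "$@"; do
    if rule=$(git check-ignore -v "$p"); then
      printf 'ignored:     %s  (%s)\n' "$p" "$(printf '%s\n' "$rule" | cut -f1)"
    else
      printf 'NOT IGNORED: %s\n' "$p"; rc=1
    fi
  done
  return $rc
}

# Flag files by name (vault layout) or content (PEM / OpenSSH private key header).
scan_for_key_material() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    base=${f##*/}
    case " $VAULT_BASENAMES " in
      *" $base "*) printf 'vault file: %s\n' "$f"; rc=1 ;;
    esac
    if grep -qE -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
      printf 'private key material: %s\n' "$f"; rc=1
    fi
  done
  return $rc
}

# Pre-commit hook body: scan added/modified staged files. Install by sourcing
# this file from .git/hooks/pre-commit and calling pre_commit_check.
pre_commit_check() {
  staged=$(git diff --cached --name-only --diff-filter=AM)
  [ -n "$staged" ] || return 0
  old_ifs=$IFS; IFS='
'; set -f
  # shellcheck disable=SC2086  (split on newlines only; globbing is off)
  set -- $staged
  set +f; IFS=$old_ifs
  scan_for_key_material "$@"
}
```

assert_ignored vault codebase/.env.local infrastructure/env/.env.production is the check to run after the env-file copies in the Usage section and after any .gitignore edit; the name gate in scan_for_key_material is intentionally narrow, so extend VAULT_BASENAMES when files are added to the vault.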

Integration with Infrastructure

Deployment Scripts

Scripts reference vault credentials:

# infrastructure/scripts/deploy-status-dashboard.sh
SSH_KEY="${HOME}/.ssh/id_ed25519_1984"

# Copy from vault first:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/

Service Registry

Service registry may reference vault for:

  • Service discovery credentials
  • Inter-service authentication
  • Health check API keys

Status Dashboard

Status dashboard agent requires:

  • VPS SSH access (vault SSH keys)
  • API keys for health monitoring (vault API keys file)

Last Updated: 2025-12-23
Vault Location: ../vault/ → ../../@egirl/egirl.vault
Git Status: Symlinked, git-ignored, never committed