# Infrastructure Vault

**Location**: `../vault/`

**Purpose**: Central repository for the sensitive infrastructure data required for deployment and operations.

---

## ⚠️ Security Notice

The vault contains:

- SSH private keys
- VPS credentials
- API keys
- Environment configurations
- DNS server credentials
- Admin passwords

**Never commit vault contents to git. The vault is symlinked and git-ignored.**

---

## Vault Structure

```
vault/
├── ssh-keys/                      # SSH keys for infrastructure access
│   ├── id_ed25519_1984            # 1984 VPS SSH key
│   ├── id_ed25519_1984.pub
│   ├── ns1_nasty_sh               # NS1 DNS server key
│   ├── ns1_nasty_sh.pub
│   ├── ns2_nasty_sh               # NS2 DNS server key
│   └── ns2_nasty_sh.pub
│
├── 1984-hosting-vps.txt           # 1984 VPS credentials
├── 1984-vps-platform.txt          # Platform VPS configuration
├── 1984-vps-vpn.txt               # VPN VPS configuration
│
├── dns-servers-powerdns.txt       # PowerDNS server configuration
├── dnssec-ds-records.txt          # DNSSEC delegation signer (DS) records
│
├── host-agent-api-keys.txt        # Health monitoring agent API keys
├── lilith-platform-admin.txt      # Admin credentials
├── local-systems.txt              # Local development system info
├── status-dashboard.txt           # Status dashboard credentials
│
├── env.development.local.backup   # Development environment backup
└── env.production.local.backup    # Production environment backup
```

---

## Usage

### SSH Access to VPS

```bash
# 1984 VPS (production)
ssh -i ../vault/ssh-keys/id_ed25519_1984 root@0.1984.nasty.sh
```

### DNS Server Access

```bash
# NS1 server
ssh -i ../vault/ssh-keys/ns1_nasty_sh root@ns1.nasty.sh

# NS2 server
ssh -i ../vault/ssh-keys/ns2_nasty_sh root@ns2.nasty.sh
```

### Environment Files

The vault holds backup copies of the environment files. Copy them into the codebase as needed:

```bash
# Development
cp ../vault/env.development.local.backup codebase/.env.local

# Production (for deployment scripts)
cp ../vault/env.production.local.backup deployments/env/.env.production
```

### Deployment Scripts

The deployment scripts reference vault files:

```bash
# Deploy script expects the SSH key at:
#   ~/.ssh/id_ed25519_1984
# Copy it from the vault if not present:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
chmod 600 ~/.ssh/id_ed25519_1984
```

---

## Credentials Reference

| Service | Credential File | Credential Type |
|---------|----------------|-----------------|
| **1984 VPS** | `1984-hosting-vps.txt` | SSH key in `ssh-keys/` |
| **DNS Servers** | `dns-servers-powerdns.txt` | SSH keys in `ssh-keys/` |
| **Status Dashboard** | `status-dashboard.txt` | Admin password |
| **Health Agents** | `host-agent-api-keys.txt` | API keys |
| **Platform Admin** | `lilith-platform-admin.txt` | Admin credentials |

---

## SSH Key Management

### Required Permissions

SSH keys must have the correct permissions; `ssh` refuses to use a private key that is readable by other users:

```bash
chmod 600 ../vault/ssh-keys/id_ed25519_1984
chmod 644 ../vault/ssh-keys/id_ed25519_1984.pub
```

### Adding to SSH Agent

```bash
# Add the 1984 VPS key
ssh-add ../vault/ssh-keys/id_ed25519_1984

# Verify it is loaded
ssh-add -l
```

---

## Security Best Practices

1. **Never commit the vault to git**
   - Root `.gitignore` excludes `vault/`
   - Codebase `.gitignore` excludes `/vault`
2. **Access control**
   - Vault directory permissions: `700` (owner only)
   - File permissions: `600` (owner read/write only)
3. **Backup**
   - The vault is the shared source of truth
   - Keep encrypted backups outside the repository
4. **SSH key rotation**
   - Document the rotation schedule
   - Update deployment scripts after each rotation

---

## Integration with Infrastructure

### Deployment Scripts

Scripts reference vault credentials:

```bash
# tooling/scripts/deploy/deploy-status-dashboard.sh
SSH_KEY="${HOME}/.ssh/id_ed25519_1984"

# Copy from the vault first:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
```

### Service Registry

The service registry may reference the vault for:

- Service discovery credentials
- Inter-service authentication
- Health check API keys

### Status Dashboard

The status dashboard agent requires:

- VPS SSH access (vault SSH keys)
- API keys for health monitoring (vault API keys file)

---

**Last Updated**: 2025-12-23

**Vault Location**: `../vault/`

**Git Status**: Symlinked, git-ignored, never committed
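### Vault Audit (added example)

As an added example, not part of the project's own tooling, the POSIX shell audit below checks the rules from the Security Best Practices and SSH Key Management sections: the vault directory is `700`, credential files, env backups and private keys are `600`, public keys are `644`, and, when the vault's parent directory is inside a git work tree, the vault path is actually git-ignored. The `audit_vault` function name, its path argument and the GNU/BSD `stat` fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a vault directory against this README's rules.
# Prints one line per violation and returns non-zero if any is found.
# Assumes GNU stat (-c) with a BSD stat (-f) fallback; names are our own.

# Print a file's permission bits in octal (GNU stat first, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_vault() {
    vault="$1"
    violations=0
    [ -d "$vault" ] || { echo "missing vault directory: $vault"; return 2; }

    # The vault directory itself must be owner-only (700).
    m=$(mode_of "$vault")
    [ "$m" = "700" ] || { echo "expected 700, got $m: $vault"; violations=$((violations + 1)); }

    # Credential files, env backups and private keys must be 600; public keys 644.
    for f in "$vault"/*.txt "$vault"/env.*.backup "$vault"/ssh-keys/*; do
        [ -f "$f" ] || continue          # skip unmatched glob patterns
        case "$f" in
            *.pub) want=644 ;;
            *)     want=600 ;;
        esac
        m=$(mode_of "$f")
        [ "$m" = "$want" ] || { echo "expected $want, got $m: $f"; violations=$((violations + 1)); }
    done

    # If the vault's parent is inside a git work tree, the vault path must be ignored.
    parent=$(dirname "$vault")
    if command -v git >/dev/null 2>&1 && git -C "$parent" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git -C "$parent" check-ignore -q "$(basename "$vault")" \
            || { echo "vault is NOT git-ignored: $vault"; violations=$((violations + 1)); }
    fi

    [ "$violations" -eq 0 ]
}

# Stand-alone usage: sh audit-vault.sh ../vault
if [ "$#" -gt 0 ]; then audit_vault "$1"; fi
```

Note that a trailing-slash ignore pattern such as `vault/` matches only real directories, not a symlink, so the git check above verifies that whichever pattern is in effect actually covers the symlinked vault.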