- Delete SETUP_FROM_SCRATCH.md (fully stale, content covered by DEPLOYMENT_GUIDE.md + QUICK_DEPLOY_COMMANDS.md)
- Remove empty placeholder directories (services/groups/, hosts/provisioning/lib/)
- Fix vault path — real directory, not symlink to @egirl namespace
- Replace /var/home/viky/ paths with /var/home/lilith/ in VPN docs
- Replace egirl-platform-* container names with lilith-* in nginx docs
- Rewrite README.md directory tree and doc index to match actual structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Infrastructure Vault
Location: ../vault/
Purpose: Central repository for sensitive infrastructure data required for deployment and operations.
## ⚠️ Security Notice
The vault contains:
- SSH private keys
- VPS credentials
- API keys
- Environment configurations
- DNS server credentials
- Admin passwords
Never commit vault contents to git. The vault is symlinked and git-ignored.
## Vault Structure

```text
vault/
├── ssh-keys/                     # SSH keys for infrastructure access
│   ├── id_ed25519_1984           # 1984 VPS SSH key
│   ├── id_ed25519_1984.pub
│   ├── ns1_nasty_sh              # NS1 DNS server key
│   ├── ns1_nasty_sh.pub
│   ├── ns2_nasty_sh              # NS2 DNS server key
│   └── ns2_nasty_sh.pub
│
├── 1984-hosting-vps.txt          # 1984 VPS credentials
├── 1984-vps-platform.txt         # Platform VPS configuration
├── 1984-vps-vpn.txt              # VPN VPS configuration
│
├── dns-servers-powerdns.txt      # PowerDNS server configuration
├── dnssec-ds-records.txt         # DNSSEC delegation signer records
│
├── host-agent-api-keys.txt       # Health monitoring agent API keys
├── lilith-platform-admin.txt     # Admin credentials
├── local-systems.txt             # Local development system info
├── status-dashboard.txt          # Status dashboard credentials
│
├── env.development.local.backup  # Development environment backup
└── env.production.local.backup   # Production environment backup
```
## Usage

### SSH Access to VPS

```bash
# 1984 VPS (production)
ssh -i ../vault/ssh-keys/id_ed25519_1984 root@0.1984.nasty.sh
```

### DNS Server Access

```bash
# NS1 server
ssh -i ../vault/ssh-keys/ns1_nasty_sh root@ns1.nasty.sh
# NS2 server
ssh -i ../vault/ssh-keys/ns2_nasty_sh root@ns2.nasty.sh
```

### Environment Files

The vault contains backup environment files. Copy to codebase as needed:

```bash
# Development
cp ../vault/env.development.local.backup codebase/.env.local
# Production (for deployment scripts)
cp ../vault/env.production.local.backup deployments/env/.env.production
```
### Deployment Scripts

Deployment scripts reference vault files:

```bash
# Deploy script expects SSH key at:
#   ~/.ssh/id_ed25519_1984
# Copy from vault if not present:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
chmod 600 ~/.ssh/id_ed25519_1984
```

The `chmod` is not optional: `cp` applies your umask to a fresh copy and leaves the existing mode untouched when the destination already exists, so without it the private key can end up readable by other local users.
## Credentials Reference

| Service | Credential File | Key Type |
|---|---|---|
| 1984 VPS | 1984-hosting-vps.txt | SSH key in ssh-keys/ |
| DNS Servers | dns-servers-powerdns.txt | SSH keys in ssh-keys/ |
| Status Dashboard | status-dashboard.txt | Admin password |
| Health Agents | host-agent-api-keys.txt | API keys |
| Platform Admin | lilith-platform-admin.txt | Admin credentials |
## SSH Key Management

### Required Permissions

SSH keys must have correct permissions; `ssh` refuses to use a private key that is readable by group or others:

```bash
chmod 600 ../vault/ssh-keys/id_ed25519_1984
chmod 644 ../vault/ssh-keys/id_ed25519_1984.pub
```

### Adding to SSH Agent

```bash
# Add 1984 VPS key
ssh-add ../vault/ssh-keys/id_ed25519_1984
# Verify loaded
ssh-add -l
```
## Security Best Practices

1. Never commit vault to git
   - Root `.gitignore` excludes `vault/`
   - Codebase `.gitignore` excludes `/vault`
2. Access control
   - Vault directory permissions: `700` (owner only)
   - File permissions: `600` (owner read/write only)
3. Backup
   - Vault is shared source of truth
   - Keep encrypted backups outside repository
4. SSH key rotation
   - Document rotation schedule
   - Update deployment scripts after rotation
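The permission rules above and the copy-from-vault steps under Usage can be enforced rather than remembered. The script below is an added example, not part of the project's tooling: `vault_audit` walks a vault directory and reports every directory that is not `700` and every secret file that is not `600` (public keys may be `644`), and, when the vault sits inside a git work tree, checks that git ignores it and tracks nothing under it; `vault_install` copies a key or env backup out of the vault so that the copy is never world-readable, even when it overwrites an existing file. The function names and the paths in the usage comments are assumptions; the test data it is exercised with is constructed.

```shell
#!/bin/sh
# Added example (not the project's own tooling): enforce the vault rules from
# this README. Assumed names: has_mode, vault_audit, vault_install.
#
# Usage (assumed paths):
#   vault_audit ../vault
#   vault_install ../vault/ssh-keys/id_ed25519_1984            # into ~/.ssh
#   vault_install ../vault/env.production.local.backup deployments/env

# True if <path> has exactly the permission bits <octal-mode>. POSIX
# `find -perm` is used because the flags of `stat` differ between GNU and BSD.
has_mode() {  # has_mode <path> <octal-mode>
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# vault_audit <vault-dir>: exit 0 when clean, 1 with one finding per line on stderr.
vault_audit() {
    vault=$1
    abs=$(cd "$vault" && pwd) || return 1
    findings=$(
        # Every directory, including ssh-keys/, must be owner-only.
        find "$abs" -type d | while IFS= read -r d; do
            has_mode "$d" 700 || echo "$d: directory must be 700"
        done
        # Secrets are 600; a public key may be 644 (or 600).
        find "$abs" -type f | while IFS= read -r f; do
            case "$f" in
                *.pub) has_mode "$f" 644 || has_mode "$f" 600 ||
                           echo "$f: public key should be 644 (or 600)" ;;
                *)     has_mode "$f" 600 || echo "$f: secret file must be 600" ;;
            esac
        done
        # Git checks only apply when the vault lives inside a work tree;
        # a vault outside any repository (e.g. a scratch directory) is skipped.
        if command -v git >/dev/null 2>&1 &&
           git -C "$abs" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
            git -C "$abs" check-ignore -q -- "$abs" || echo "$abs: not covered by .gitignore"
            tracked=$(git -C "$abs" ls-files -- "$abs")
            [ -z "$tracked" ] || echo "$abs: git already tracks: $tracked"
        fi
    )
    [ -z "$findings" ] || { printf '%s\n' "$findings" >&2; return 1; }
}

# vault_install <vault-file> [dest-dir]: copy a secret into dest-dir (default
# ~/.ssh) as mode 600. The copy is created under umask 077 and then moved into
# place, so it is never readable by others, and an existing destination file
# (whose old mode a plain `cp` would keep) is replaced rather than reused.
vault_install() {
    src=$1; dest=${2:-$HOME/.ssh}; name=$(basename "$src")
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    tmp="$dest/.$name.tmp.$$"
    ( umask 077 && cp -- "$src" "$tmp" ) && mv -f -- "$tmp" "$dest/$name" || return 1
    has_mode "$dest/$name" 600
}
```

Run `vault_audit` before every deployment and in a pre-commit hook; it exits non-zero on the first problem class it finds, which is what makes it usable as a gate rather than a report.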
## Integration with Infrastructure

### Deployment Scripts

Scripts reference vault credentials:

```bash
# tooling/scripts/deploy/deploy-status-dashboard.sh
SSH_KEY="${HOME}/.ssh/id_ed25519_1984"
# Copy from vault first:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
```

### Service Registry

Service registry may reference vault for:
- Service discovery credentials
- Inter-service authentication
- Health check API keys

### Status Dashboard

Status dashboard agent requires:
- VPS SSH access (vault SSH keys)
- API keys for health monitoring (vault API keys file)
Last Updated: 2025-12-23
Vault Location: ../vault/
Git Status: Symlinked, git-ignored, never committed