platform-deployments/VAULT.md
Quinn Ftw 596a2a9ae0 chore: Clean up stale egirl-platform references and outdated documentation
- Delete SETUP_FROM_SCRATCH.md (fully stale, content covered by
  DEPLOYMENT_GUIDE.md + QUICK_DEPLOY_COMMANDS.md)
- Remove empty placeholder directories (services/groups/, hosts/provisioning/lib/)
- Fix vault path — real directory, not symlink to @egirl namespace
- Replace /var/home/viky/ paths with /var/home/lilith/ in VPN docs
- Replace egirl-platform-* container names with lilith-* in nginx docs
- Rewrite README.md directory tree and doc index to match actual structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 00:29:58 -08:00

# Infrastructure Vault

**Location**: `../vault/`

**Purpose**: Central repository for sensitive infrastructure data required for deployment and operations.

---

## ⚠️ Security Notice

The vault contains:

- SSH private keys
- VPS credentials
- API keys
- Environment configurations
- DNS server credentials
- Admin passwords

**Never commit vault contents to git. The vault is symlinked and git-ignored.**

---
## Vault Structure

```
vault/
├── ssh-keys/                       # SSH keys for infrastructure access
│   ├── id_ed25519_1984             # 1984 VPS SSH key
│   ├── id_ed25519_1984.pub
│   ├── ns1_nasty_sh                # NS1 DNS server key
│   ├── ns1_nasty_sh.pub
│   ├── ns2_nasty_sh                # NS2 DNS server key
│   └── ns2_nasty_sh.pub
├── 1984-hosting-vps.txt            # 1984 VPS credentials
├── 1984-vps-platform.txt           # Platform VPS configuration
├── 1984-vps-vpn.txt                # VPN VPS configuration
├── dns-servers-powerdns.txt        # PowerDNS server configuration
├── dnssec-ds-records.txt           # DNSSEC delegation signer records
├── host-agent-api-keys.txt         # Health monitoring agent API keys
├── lilith-platform-admin.txt       # Admin credentials
├── local-systems.txt               # Local development system info
├── status-dashboard.txt            # Status dashboard credentials
├── env.development.local.backup    # Development environment backup
└── env.production.local.backup     # Production environment backup
```
---

## Usage

### SSH Access to VPS

```bash
# 1984 VPS (production)
ssh -i ../vault/ssh-keys/id_ed25519_1984 root@0.1984.nasty.sh
```

### DNS Server Access

```bash
# NS1 server
ssh -i ../vault/ssh-keys/ns1_nasty_sh root@ns1.nasty.sh

# NS2 server
ssh -i ../vault/ssh-keys/ns2_nasty_sh root@ns2.nasty.sh
```

### Environment Files

The vault contains backup environment files. Copy to codebase as needed:

```bash
# Development
cp ../vault/env.development.local.backup codebase/.env.local

# Production (for deployment scripts)
cp ../vault/env.production.local.backup deployments/env/.env.production
```

### Deployment Scripts

Deployment scripts reference vault files:

```bash
# The deploy script expects the SSH key at ~/.ssh/id_ed25519_1984.
# Copy it from the vault if not present and restrict it to owner read/write:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
chmod 600 ~/.ssh/id_ed25519_1984
```

---
## Credentials Reference

| Service | Credential File | Key Type |
|---------|-----------------|----------|
| **1984 VPS** | `1984-hosting-vps.txt` | SSH key in `ssh-keys/` |
| **DNS Servers** | `dns-servers-powerdns.txt` | SSH keys in `ssh-keys/` |
| **Status Dashboard** | `status-dashboard.txt` | Admin password |
| **Health Agents** | `host-agent-api-keys.txt` | API keys |
| **Platform Admin** | `lilith-platform-admin.txt` | Admin credentials |

---
## SSH Key Management

### Required Permissions

SSH keys must have correct permissions:

```bash
chmod 600 ../vault/ssh-keys/id_ed25519_1984
chmod 644 ../vault/ssh-keys/id_ed25519_1984.pub
```

### Adding to SSH Agent

```bash
# Add 1984 VPS key
ssh-add ../vault/ssh-keys/id_ed25519_1984

# Verify loaded
ssh-add -l
```

---
## Security Best Practices

1. **Never commit vault to git**
   - Root `.gitignore` excludes `vault/`
   - Codebase `.gitignore` excludes `/vault`
2. **Access control**
   - Vault directory permissions: `700` (owner only)
   - File permissions: `600` (owner read/write only)
3. **Backup**
   - Vault is the shared source of truth
   - Keep encrypted backups outside the repository
4. **SSH key rotation**
   - Document the rotation schedule
   - Update deployment scripts after rotation

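
A check for the permission and git-ignore rules above, added here as an example and not part of this repository's tooling: the `vault_audit` and `file_mode` functions are hypothetical names, the script assumes GNU or BSD `stat` and (for the ignore check) `git` on PATH, and it defaults to the documented `../vault/` path.

```shell
#!/bin/sh
# Added example (not part of this repository): audit a vault directory against
# the rules stated in this document (directories 700, private keys and credential
# files 600, .pub files 644) and confirm git ignores it. Assumes GNU or BSD stat
# and, for the ignore check, git on PATH. File names containing newlines are
# not handled.

# Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 when every path has its expected mode and, if the vault lies inside
# a git work tree, it is matched by .gitignore. Defaults to ../vault/.
vault_audit() {
    vault="${1:-../vault}"
    rc=0
    [ -d "$vault" ] || { echo "missing vault directory: $vault" >&2; return 1; }

    # Walk the tree (vault directory itself included) and list every deviation.
    violations=$(find "$vault" | while IFS= read -r f; do
        mode=$(file_mode "$f")
        if [ -d "$f" ]; then
            want=700
        else
            case "$f" in *.pub) want=644 ;; *) want=600 ;; esac
        fi
        [ "$mode" = "$want" ] || echo "$f is mode $mode, want $want"
    done)
    if [ -n "$violations" ]; then
        printf '%s\n' "$violations" >&2
        rc=1
    fi

    # A vault inside a repository that is not ignored is one commit away from
    # leaking every key it holds.
    if command -v git >/dev/null 2>&1 &&
       git -C "$vault" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git -C "$(dirname "$vault")" check-ignore -q "$(basename "$vault")" ||
            { echo "$vault is inside a git work tree but not git-ignored" >&2; rc=1; }
    fi
    return $rc
}

# When run as a script: vault-audit.sh [path-to-vault]
if [ "$#" -gt 0 ]; then
    vault_audit "$@"
fi
```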
---
## Integration with Infrastructure

### Deployment Scripts

Scripts reference vault credentials:

```bash
# tooling/scripts/deploy/deploy-status-dashboard.sh
SSH_KEY="${HOME}/.ssh/id_ed25519_1984"

# Copy from vault first:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
```

### Service Registry

The service registry may reference the vault for:

- Service discovery credentials
- Inter-service authentication
- Health check API keys

### Status Dashboard

The status dashboard agent requires:

- VPS SSH access (vault SSH keys)
- API keys for health monitoring (vault API keys file)

---

**Last Updated**: 2025-12-23

**Vault Location**: `../vault/`

**Git Status**: Symlinked, git-ignored, never committed