- Delete SETUP_FROM_SCRATCH.md (fully stale, content covered by DEPLOYMENT_GUIDE.md + QUICK_DEPLOY_COMMANDS.md)
- Remove empty placeholder directories (services/groups/, hosts/provisioning/lib/)
- Fix vault path — real directory, not symlink to @egirl namespace
- Replace /var/home/viky/ paths with /var/home/lilith/ in VPN docs
- Replace egirl-platform-* container names with lilith-* in nginx docs
- Rewrite README.md directory tree and doc index to match actual structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
185 lines
4.3 KiB
Markdown
# Infrastructure Vault

**Location**: `../vault/`

**Purpose**: Central repository for sensitive infrastructure data required for deployment and operations.

---

## ⚠️ Security Notice

The vault contains:

- SSH private keys
- VPS credentials
- API keys
- Environment configurations
- DNS server credentials
- Admin passwords

**Never commit vault contents to git. The vault is symlinked and git-ignored.**

---

## Vault Structure

```
vault/
├── ssh-keys/                      # SSH keys for infrastructure access
│   ├── id_ed25519_1984            # 1984 VPS SSH key
│   ├── id_ed25519_1984.pub
│   ├── ns1_nasty_sh               # NS1 DNS server key
│   ├── ns1_nasty_sh.pub
│   ├── ns2_nasty_sh               # NS2 DNS server key
│   └── ns2_nasty_sh.pub
│
├── 1984-hosting-vps.txt           # 1984 VPS credentials
├── 1984-vps-platform.txt          # Platform VPS configuration
├── 1984-vps-vpn.txt               # VPN VPS configuration
│
├── dns-servers-powerdns.txt       # PowerDNS server configuration
├── dnssec-ds-records.txt          # DNSSEC delegation signer records
│
├── host-agent-api-keys.txt        # Health monitoring agent API keys
├── lilith-platform-admin.txt      # Admin credentials
├── local-systems.txt              # Local development system info
├── status-dashboard.txt           # Status dashboard credentials
│
├── env.development.local.backup   # Development environment backup
└── env.production.local.backup    # Production environment backup
```

---

## Usage

### SSH Access to VPS

```bash
# 1984 VPS (production)
ssh -i ../vault/ssh-keys/id_ed25519_1984 root@0.1984.nasty.sh
```

### DNS Server Access

```bash
# NS1 server
ssh -i ../vault/ssh-keys/ns1_nasty_sh root@ns1.nasty.sh

# NS2 server
ssh -i ../vault/ssh-keys/ns2_nasty_sh root@ns2.nasty.sh
```

### Environment Files

The vault contains backup environment files. Copy them into the codebase as needed:

```bash
# Development
cp ../vault/env.development.local.backup codebase/.env.local

# Production (for deployment scripts)
cp ../vault/env.production.local.backup deployments/env/.env.production
```

### Deployment Scripts

Deployment scripts reference vault files:

```bash
# Deploy script expects the SSH key at:
#   ~/.ssh/id_ed25519_1984

# Copy from vault if not present:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
chmod 600 ~/.ssh/id_ed25519_1984
```

---

## Credentials Reference

| Service | Credential File | Key Type |
|---------|----------------|----------|
| **1984 VPS** | `1984-hosting-vps.txt` | SSH key in `ssh-keys/` |
| **DNS Servers** | `dns-servers-powerdns.txt` | SSH keys in `ssh-keys/` |
| **Status Dashboard** | `status-dashboard.txt` | Admin password |
| **Health Agents** | `host-agent-api-keys.txt` | API keys |
| **Platform Admin** | `lilith-platform-admin.txt` | Admin credentials |

---

## SSH Key Management

### Required Permissions

SSH keys must have correct permissions:

```bash
chmod 600 ../vault/ssh-keys/id_ed25519_1984
chmod 644 ../vault/ssh-keys/id_ed25519_1984.pub
```

### Adding to SSH Agent

```bash
# Add 1984 VPS key
ssh-add ../vault/ssh-keys/id_ed25519_1984

# Verify loaded
ssh-add -l
```

---

## Security Best Practices

1. **Never commit vault to git**
   - Root `.gitignore` excludes `vault/`
   - Codebase `.gitignore` excludes `/vault`

2. **Access control**
   - Vault directory permissions: `700` (owner only)
   - File permissions: `600` (owner read/write only)

3. **Backup**
   - The vault is the shared source of truth
   - Keep encrypted backups outside the repository

4. **SSH key rotation**
   - Document the rotation schedule
   - Update deployment scripts after rotation
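
The permission and git-ignore rules above can be checked mechanically. The following audit helper is an added example, not part of the project's tooling; it assumes the documented `../vault/` location, treats `ssh-keys/` and any other subdirectory as `700` like the vault itself, and relies on vault paths containing no whitespace.

```sh
#!/bin/sh
# Added audit helper (not project code): checks a vault directory against
# the rules in this document. Directories must be 700, *.pub public keys
# 644, and every other file (private keys, credential files, env backups)
# 600. -H makes find follow the vault path if it is a symlink, as the
# document says it is. Vault paths contain no whitespace, so word-splitting
# find's output below is safe.

# Print one path per line for every entry that violates the rules.
vault_perm_violations() {
    dir="${1:-../vault}"                         # documented location
    find -H "$dir" -type d ! -perm 700           # vault/ itself and subdirs
    find -H "$dir" -type f -name '*.pub' ! -perm 644
    find -H "$dir" -type f ! -name '*.pub' ! -perm 600
}

# Report each violation and return their count (0 means the vault is clean).
audit_vault() {
    n=0
    for v in $(vault_perm_violations "$1"); do
        echo "FAIL: wrong mode on $v"
        n=$((n + 1))
    done
    return "$n"
}

# Confirm git ignores the vault (the root .gitignore excludes vault/).
# Exit status: 0 ignored, 1 not ignored, 128 when not inside a repository.
vault_is_git_ignored() {
    dir="${1:-../vault}"
    git -C "$(dirname "$dir")" check-ignore -q "$(basename "$dir")"
}

# Usage (uncomment to run against the real vault from the repository root):
# audit_vault ../vault && vault_is_git_ignored ../vault && echo "vault OK"
```

Run it before deployments and after copying keys into `~/.ssh/`; a non-zero return lists exactly which entries need `chmod`.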

---

## Integration with Infrastructure

### Deployment Scripts

Scripts reference vault credentials:

```bash
# tooling/scripts/deploy/deploy-status-dashboard.sh
SSH_KEY="${HOME}/.ssh/id_ed25519_1984"

# Copy from vault first:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
```

### Service Registry

The service registry may reference the vault for:

- Service discovery credentials
- Inter-service authentication
- Health check API keys

### Status Dashboard

The status dashboard agent requires:

- VPS SSH access (vault SSH keys)
- API keys for health monitoring (vault API keys file)

---

**Last Updated**: 2025-12-23
**Vault Location**: `../vault/`
**Git Status**: Symlinked, git-ignored, never committed