state: per-stack Transit keys for namespace-owner access control

- Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>)
- state-sync passes per-stack Transit URI + age keys on encrypt
- Vault policies scope namespace-owners to their stacks only:
  - sops-admin: wildcard access to all transit keys
  - sops-user-<name>: access only to owned stack keys
- Anca (plotting-book) can only decrypt plotting-book state
- Admin can decrypt everything (via admin Transit policy or age fallback)
- External group sops-plotting-book maps Authentik group to Vault policy
- Updated CLAUDE.md with state sync documentation
This commit is contained in:
Viktor Barzin 2026-03-17 23:08:18 +00:00
parent 6239e07dd5
commit 77143dfd6b
96 changed files with 56972 additions and 56944 deletions
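As an added illustration (not the repository's own policy files), the two policy shapes the commit message describes, written as Vault policy HCL. The stack name plotting-book and the key naming scheme come from the commit message; the exact path set and capabilities are assumptions based on SOPS calling the Transit encrypt and decrypt endpoints.

```hcl
# sops-admin.hcl (assumed body): wildcard over every per-stack key.
# SOPS posts to transit/encrypt/<key> and transit/decrypt/<key>, so
# "update" is the capability it needs. "read" on transit/keys/* lets an
# operator inspect key metadata without being able to export material.
path "transit/encrypt/sops-state-*" {
  capabilities = ["update"]
}
path "transit/decrypt/sops-state-*" {
  capabilities = ["update"]
}
path "transit/keys/sops-state-*" {
  capabilities = ["read"]
}

# sops-user-plotting-book.hcl (assumed body): one stack, exact key name.
# Deliberately no glob: "sops-state-plotting*" would also match any future
# stack whose name shares the prefix. No create/delete/rotate on
# transit/keys, so the owner can use the key but not replace it.
path "transit/encrypt/sops-state-plotting-book" {
  capabilities = ["update"]
}
path "transit/decrypt/sops-state-plotting-book" {
  capabilities = ["update"]
}
path "transit/keys/sops-state-plotting-book" {
  capabilities = ["read"]
}
```

Load each file with `vault policy write <name> <file>` and attach the user policy to the external group the Authentik group maps to. These policies only govern the Transit path; the age recipients listed as a fallback in the commit message decrypt independently of Vault, so the age private keys need the same custody as the admin policy.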


@ -1,6 +1,6 @@
creation_rules:
- path_regex: '\.tfstate(\.enc)?$'
hc_vault_transit_uri: "https://vault.viktorbarzin.me/v1/transit/keys/sops-state"
# Per-stack Transit key passed via --hc-vault-transit in state-sync
age: >-
age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce,
age1rekkad48r2wzhwqgfetw5yugu3ln3qlht4xg3txmx55tee8cveess60r90
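Review bot: the hunk shows an `hc_vault_transit_uri` pointing at the shared `sops-state` key directly above the new comment saying the per-stack key is passed via `--hc-vault-transit` in state-sync, and the rendered hunk carries no +/- markers, so it is not visible whether that line survives the change. If it does, any sops invocation that bypasses state-sync or omits the flag silently falls back to the shared key, which undoes the per-stack scoping the commit describes; either drop the line or say in the comment which setting takes precedence. The comment should also note that the two `age` recipients stay on the rule, so a holder of either age private key can decrypt every stack's state regardless of the Vault policies.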