state: per-stack Transit keys for namespace-owner access control

- Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>)
- state-sync passes per-stack Transit URI + age keys on encrypt
- Vault policies scope namespace-owners to their stacks only:
  - sops-admin: wildcard access to all transit keys
  - sops-user-<name>: access only to owned stack keys
- Anca (plotting-book) can only decrypt plotting-book state
- Admin can decrypt everything (via admin Transit policy or age fallback)
- External group sops-plotting-book maps Authentik group to Vault policy
- Updated CLAUDE.md with state sync documentation
Viktor Barzin 2026-03-17 23:08:18 +00:00
parent 6239e07dd5
commit 77143dfd6b
96 changed files with 56972 additions and 56944 deletions

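The scoping described in the commit message, written out as Vault policy HCL. This is an added illustration, not the repository's own policy files: the policy and key names follow the message (sops-admin, sops-user-<name>, transit/keys/sops-state-<stack>), the encrypt/decrypt path layout and the "update" capability are what Vault's Transit engine requires, and the explicit deny block is an assumption about how one would harden the per-user policy.

```hcl
# Policy "sops-admin": wildcard over every per-stack SOPS state key.
# Vault only allows the "*" glob at the end of a path, so the common
# prefix sops-state- is what makes the wildcard safe to use here.
path "transit/encrypt/sops-state-*" {
  capabilities = ["update"]   # Transit encrypt is an update (POST) call
}
path "transit/decrypt/sops-state-*" {
  capabilities = ["update"]   # Transit decrypt is also an update call
}
path "transit/keys/sops-state-*" {
  capabilities = ["read", "list"]   # inspect key metadata, never export
}

# Policy "sops-user-plotting-book": the namespace owner of the plotting-book
# stack can encrypt and decrypt only that stack's state and nothing else.
# The Authentik group sops-plotting-book is mapped to this policy.
path "transit/encrypt/sops-state-plotting-book" {
  capabilities = ["update"]
}
path "transit/decrypt/sops-state-plotting-book" {
  capabilities = ["update"]
}
# Assumed hardening: deny key management on the owned key so that a later,
# broader policy attached to the same entity cannot widen it (in Vault,
# "deny" wins when policies are merged).
path "transit/keys/sops-state-plotting-book/*" {
  capabilities = ["deny"]
}
```

Each block would be saved to its own file and loaded with `vault policy write sops-admin admin.hcl` and `vault policy write sops-user-plotting-book plotting-book.hcl`; a quick check is to log in as the plotting-book identity and confirm that a decrypt against any other stack's `transit/decrypt/sops-state-<stack>` path returns permission denied.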