From c1ffed17a9101ec705798842975879f327f89436 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 4 Jul 2026 12:55:43 +0000 Subject: [PATCH] backup-mx design: credentials to Vaultwarden, not Vault KV Viktor asked for the Rollernet account credentials to live in Vaultwarden (the personal password manager) rather than HashiCorp Vault. Item 'Rollernet (backup MX)' created; doc updated to match. Co-Authored-By: Claude Fable 5 --- docs/plans/2026-07-04-backup-mx-rollernet-design.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/plans/2026-07-04-backup-mx-rollernet-design.md b/docs/plans/2026-07-04-backup-mx-rollernet-design.md index 2cb737e9..585374ed 100644 --- a/docs/plans/2026-07-04-backup-mx-rollernet-design.md +++ b/docs/plans/2026-07-04-backup-mx-rollernet-design.md @@ -76,11 +76,13 @@ sender MTA ──► MX lookup ┤ - Account email: **`rollernet@viktorbarzin.me`** (Viktor, 2026-07-04; resolves via catch-all → `spam@`). Known circularity: during an outage their notifications to this address are themselves queued (at their side) until - recovery. Accepted — credentials and config live in Vault and the runbook + recovery. Accepted — credentials live in Vaultwarden and the runbook documents ACC access; nothing operational depends on receiving their mail mid-outage. -- Credentials → Vault `secret/viktor` (`rollernet_password`, plus API key if - minted). +- Credentials → **Vaultwarden** item `Rollernet (backup MX)` (Viktor, + 2026-07-04 — personal web login, so the password manager, not Vault KV; + retrieve via `homelab vault get "Rollernet (backup MX)"`). Any API key + minted later joins the same item as a custom field. - Domain `viktorbarzin.me` in **Secondary MX** mode; valid-user table default action = **allow any** (catch-all). - `abuse@` / `postmaster@` must be deliverable (their RFC requirement) — the
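Review bot: In the new Credentials bullet, the retrieval hint `homelab vault get "Rollernet (backup MX)"` follows directly after "the password manager, not Vault KV", and the `vault` subcommand name reads as if it targets HashiCorp Vault. State in the bullet that this command reads from Vaultwarden, so nobody goes looking under `secret/viktor` for the item. The rewritten circularity sentence also changes "credentials and config live in Vault" to "credentials live in Vaultwarden", which drops any statement of where the config is recorded; if it is still documented somewhere, name the place. The removed bullet named `rollernet_password` under `secret/viktor`; if that Vault KV entry was ever created, add a line saying it has been deleted so the credential does not end up stored in two places.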