Commit graph

41 commits

Author SHA1 Message Date
Viktor Barzin
c13e9a75ca state(coturn): update encrypted state 2026-03-21 11:22:38 +00:00
Viktor Barzin
53e05e63b5 state(cnpg): update encrypted state 2026-03-21 11:22:33 +00:00
Viktor Barzin
a5136749b7 state(claude-memory): update encrypted state 2026-03-21 11:21:49 +00:00
Viktor Barzin
73ca114ffa state(city-guesser): update encrypted state 2026-03-21 11:20:36 +00:00
Viktor Barzin
b5fbd19088 state(changedetection): update encrypted state 2026-03-21 11:20:30 +00:00
Viktor Barzin
9b4bf85933 state(calibre): update encrypted state 2026-03-21 11:19:09 +00:00
Viktor Barzin
0888cb100a state(blog): update encrypted state 2026-03-21 11:19:04 +00:00
Viktor Barzin
8551e75305 state(authentik): update encrypted state 2026-03-21 11:18:56 +00:00
Viktor Barzin
92aba3a9f7 state(audiobookshelf): update encrypted state 2026-03-21 11:18:53 +00:00
Viktor Barzin
d4edd53367 state(affine): update encrypted state 2026-03-21 11:18:02 +00:00
Viktor Barzin
0d69403aaa state(actualbudget): update encrypted state 2026-03-21 11:16:01 +00:00
Viktor Barzin
c848c9a39b state(dawarich): update encrypted state 2026-03-21 11:09:39 +00:00
Viktor Barzin
c28c2cf654 state(n8n): update encrypted state 2026-03-21 11:08:46 +00:00
Viktor Barzin
3029c708b8 state(actualbudget): update encrypted state 2026-03-21 11:06:32 +00:00
Viktor Barzin
fcd602a257 state(freshrss): update encrypted state 2026-03-21 11:06:24 +00:00
Viktor Barzin
8dccf4f5ef state(openclaw): update encrypted state 2026-03-19 23:44:11 +00:00
Viktor Barzin
fd207f4db5 state(openclaw): update encrypted state 2026-03-19 23:29:48 +00:00
Viktor Barzin
89bb74c4ee state(immich): update encrypted state 2026-03-19 22:47:32 +00:00
Viktor Barzin
c7dc63f923 state(immich): update encrypted state 2026-03-19 20:39:18 +00:00
Viktor Barzin
62d42657e6 state(redis): update encrypted state 2026-03-19 20:32:27 +00:00
Viktor Barzin
5be9f70a0d state(infra-maintenance): update encrypted state 2026-03-19 20:32:19 +00:00
Viktor Barzin
13759e58da state(redis): update encrypted state 2026-03-19 20:31:13 +00:00
Viktor Barzin
2511c1d78d state(infra-maintenance): update encrypted state 2026-03-19 20:30:50 +00:00
Viktor Barzin
414232cf5e state(redis): update encrypted state 2026-03-19 20:27:38 +00:00
Viktor Barzin
4680dd5fbc state(infra-maintenance): update encrypted state 2026-03-19 20:27:15 +00:00
Viktor Barzin
03f55d969f state(vault): update encrypted state 2026-03-18 21:30:59 +00:00
Viktor Barzin
82b9dd9e8a state(webhook_handler): update encrypted state 2026-03-17 23:52:32 +00:00
Viktor Barzin
5b29cfc73a state(vault): update encrypted state 2026-03-17 23:46:56 +00:00
Viktor Barzin
4d40c51a97 state(vault): update encrypted state 2026-03-17 23:14:24 +00:00
Viktor Barzin
7a8452e4c7 state(vault): update encrypted state 2026-03-17 23:14:16 +00:00
Viktor Barzin
0215d81622 state(vault): update encrypted state 2026-03-17 23:13:57 +00:00
Viktor Barzin
750cfcce7c state(vault): update encrypted state 2026-03-17 23:13:55 +00:00
Viktor Barzin
e54ad33315 state(vault): update encrypted state 2026-03-17 23:13:19 +00:00
Viktor Barzin
02d0291797 state(vault): update encrypted state 2026-03-17 23:12:58 +00:00
Viktor Barzin
468df3c5c4 state(vault): update encrypted state 2026-03-17 23:12:35 +00:00
Viktor Barzin
cf570c3d3b state(vault): update encrypted state 2026-03-17 23:12:03 +00:00
Viktor Barzin
4277b41c28 state(vault): update encrypted state 2026-03-17 23:11:55 +00:00
Viktor Barzin
77143dfd6b state: per-stack Transit keys for namespace-owner access control
- Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>)
- state-sync passes per-stack Transit URI + age keys on encrypt
- Vault policies scope namespace-owners to their stacks only:
  - sops-admin: wildcard access to all transit keys
  - sops-user-<name>: access only to owned stack keys
- Anca (plotting-book) can only decrypt plotting-book state
- Admin can decrypt everything (via admin Transit policy or age fallback)
- External group sops-plotting-book maps Authentik group to Vault policy
- Updated CLAUDE.md with state sync documentation
2026-03-17 23:08:18 +00:00
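The commits "per-stack Transit keys for namespace-owner access control", "add Vault Transit as primary SOPS backend, age as fallback" and "add SOPS-encrypted terraform state to git" together describe one access-control model: one Transit key per stack, a Vault policy per namespace owner, and age recipients as the bootstrap/DR path. As an added example (not code from this repository, not the project's state-sync script), the Python below generates the per-stack `.sops.yaml` creation rules and the `sops-admin` / `sops-user-<name>` Vault policies from a stack-to-owner map, and then checks which stacks a given policy can decrypt. Names taken from the commit messages: `transit/keys/sops-state-<stack>`, `sops-admin`, `sops-user-<name>`, and Anca owning `plotting-book`. Everything else is assumed: the Vault address, the `state/<stack>/*.tfstate.enc` layout, the placeholder age recipients, the other stack names in the sample, and the simplified model of Vault policy path matching (trailing `*` glob and single-segment `+`, allow-only rules).

```python
"""Per-stack SOPS/Vault Transit access-control model (added illustration, not the repo's code)."""
from __future__ import annotations
import re

VAULT_ADDR = "https://vault.example.internal:8200"   # assumed Vault address
TRANSIT_MOUNT = "transit"                            # mount seen in transit/keys/... on the page
STATE_REGEX = r"state/{stack}/.*\.tfstate\.enc$"     # assumed location of encrypted state files

# Constructed sample: stack -> owning Authentik user (None = admin-only stack).
STACK_OWNERS = {"vault": None, "authentik": None, "plotting-book": "anca", "immich": None}

# Constructed placeholder age recipients (laptop + devvm); not real keys.
AGE_RECIPIENTS = ["age1" + "l" * 58, "age1" + "d" * 58]


def transit_key(stack: str) -> str:
    """Per-stack Transit key name: transit/keys/sops-state-<stack>."""
    if not re.fullmatch(r"[a-z0-9-]+", stack):       # keep names safe to embed in regex and HCL
        raise ValueError(f"bad stack name: {stack!r}")
    return f"sops-state-{stack}"


def transit_uri(stack: str) -> str:
    """The form SOPS expects in hc_vault_transit_uri: <addr>/v1/<mount>/keys/<key>."""
    return f"{VAULT_ADDR}/v1/{TRANSIT_MOUNT}/keys/{transit_key(stack)}"


def creation_rules(stack_owners: dict) -> list[dict]:
    """One .sops.yaml creation rule per stack. Transit URI and age recipients share the
    single implicit key group, so either alone unwraps the data key: Transit when a
    Vault token is present, the age key on disk otherwise."""
    return [{"path_regex": STATE_REGEX.format(stack=stack),
             "hc_vault_transit_uri": transit_uri(stack),
             "age": ",".join(AGE_RECIPIENTS)} for stack in stack_owners]


def render_sops_yaml(rules: list[dict]) -> str:
    lines = ["creation_rules:"]
    for r in rules:
        lines += [f"  - path_regex: '{r['path_regex']}'",
                  f"    hc_vault_transit_uri: {r['hc_vault_transit_uri']}",
                  f"    age: {r['age']}"]
    return "\n".join(lines) + "\n"


def rule_for(rules: list[dict], path: str) -> dict | None:
    """SOPS uses the first creation rule whose path_regex matches the file path."""
    return next((r for r in rules if re.search(r["path_regex"], path)), None)


def vault_policies(stack_owners: dict) -> dict[str, dict[str, list[str]]]:
    """Policy name -> {path pattern -> capabilities}. Transit encrypt/decrypt are POSTed,
    so the capability needed is "update". sops-admin gets a wildcard over every
    sops-state-* key; each owner gets only the keys of the stacks they own."""
    policies = {"sops-admin": {f"{TRANSIT_MOUNT}/encrypt/sops-state-*": ["update"],
                               f"{TRANSIT_MOUNT}/decrypt/sops-state-*": ["update"]}}
    for stack, owner in stack_owners.items():
        if owner is None:
            continue
        pol = policies.setdefault(f"sops-user-{owner}", {})
        pol[f"{TRANSIT_MOUNT}/encrypt/{transit_key(stack)}"] = ["update"]
        pol[f"{TRANSIT_MOUNT}/decrypt/{transit_key(stack)}"] = ["update"]
    return policies


def render_hcl(policy: dict[str, list[str]]) -> str:
    blocks = [f'path "{p}" {{\n  capabilities = [{", ".join(f"{c!r}" for c in caps)}]\n}}'
              for p, caps in policy.items()]
    return "\n\n".join(blocks).replace("'", '"') + "\n"


def _path_matches(pattern: str, path: str) -> bool:
    """Simplified Vault path matching: literal segments, '+' = exactly one segment,
    a trailing '*' = prefix glob. Deny rules and priority tie-breaks are not modelled."""
    segs = pattern.split("/")
    parts = []
    for i, seg in enumerate(segs):
        if seg == "+":
            parts.append("[^/]+")
        elif i == len(segs) - 1 and seg.endswith("*"):
            parts.append(re.escape(seg[:-1]) + ".*")
        else:
            parts.append(re.escape(seg))
    return re.fullmatch("/".join(parts), path) is not None


def can_decrypt(policy: dict[str, list[str]], stack: str) -> bool:
    """Could a token holding only this policy POST transit/decrypt/sops-state-<stack>?"""
    target = f"{TRANSIT_MOUNT}/decrypt/{transit_key(stack)}"
    return any(_path_matches(p, target) and "update" in caps for p, caps in policy.items())


if __name__ == "__main__":
    rules = creation_rules(STACK_OWNERS)
    print(render_sops_yaml(rules))
    pols = vault_policies(STACK_OWNERS)
    for name, pol in pols.items():
        print(f"# policy {name}\n{render_hcl(pol)}")
    for who in pols:
        for stack in STACK_OWNERS:
            print(f"{who:16} decrypt {stack:14} -> {can_decrypt(pols[who], stack)}")
```

One caveat that follows from the commit messages themselves: because the age recipients sit in the same key group as the Transit key, any holder of an age private key (laptop or devvm) can decrypt every stack regardless of Vault policy. The per-stack Transit scoping therefore only constrains users who are given a Vault login and no age key, which is the arrangement the "Anca (plotting-book)" line describes; the `can_decrypt` check above models the Vault side of that boundary only.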
Viktor Barzin
4e7ca1ad61 state: add Vault Transit as primary SOPS backend, age as fallback
- .sops.yaml: add hc_vault_transit_uri for transit/keys/sops-state
- state-sync: try Vault Transit first, fall back to age key on disk
- Re-encrypted all 101 state files with both Vault Transit + age
- Normal workflow: vault login → decrypt via Transit (no key files)
- Bootstrap/DR: age key at ~/.config/sops/age/keys.txt
2026-03-17 22:56:33 +00:00
Viktor Barzin
9f80eb7ba0 state: add devvm as SOPS recipient
Add devvm age public key to .sops.yaml and re-encrypt all 101 state
files with both laptop and devvm keys.
2026-03-17 22:41:19 +00:00
Viktor Barzin
b6faa24349 state: add SOPS-encrypted terraform state to git
- SOPS + age encrypts all 101 .tfstate files (JSON-aware: keys visible, values encrypted)
- scripts/state-sync: encrypt/decrypt/commit wrapper
- scripts/tg: auto-decrypt before ops, auto-encrypt+commit after apply/destroy
- terragrunt.hcl: -backup=- prevents backup file accumulation
- .gitignore: track .tfstate.enc, ignore plaintext .tfstate
- Cleaned 964MB of stale backups (state/backups/, .backup files)
2026-03-17 22:37:56 +00:00