infra

viktor/infra

Fork 0

Commit graph

Author	SHA1	Message	Date
Viktor Barzin	77143dfd6b	state: per-stack Transit keys for namespace-owner access control - Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>) - state-sync passes per-stack Transit URI + age keys on encrypt - Vault policies scope namespace-owners to their stacks only: - sops-admin: wildcard access to all transit keys - sops-user-<name>: access only to owned stack keys - Anca (plotting-book) can only decrypt plotting-book state - Admin can decrypt everything (via admin Transit policy or age fallback) - External group sops-plotting-book maps Authentik group to Vault policy - Updated CLAUDE.md with state sync documentation	2026-03-17 23:08:18 +00:00
Viktor Barzin	4e7ca1ad61	state: add Vault Transit as primary SOPS backend, age as fallback - .sops.yaml: add hc_vault_transit_uri for transit/keys/sops-state - state-sync: try Vault Transit first, fall back to age key on disk - Re-encrypted all 101 state files with both Vault Transit + age - Normal workflow: vault login → decrypt via Transit (no key files) - Bootstrap/DR: age key at ~/.config/sops/age/keys.txt	2026-03-17 22:56:33 +00:00
Viktor Barzin	b6faa24349	state: add SOPS-encrypted terraform state to git - SOPS + age encrypts all 101 .tfstate files (JSON-aware: keys visible, values encrypted) - scripts/state-sync: encrypt/decrypt/commit wrapper - scripts/tg: auto-decrypt before ops, auto-encrypt+commit after apply/destroy - terragrunt.hcl: -backup=- prevents backup file accumulation - .gitignore: track .tfstate.enc, ignore plaintext .tfstate - Cleaned 964MB of stale backups (state/backups/, .backup files)	2026-03-17 22:37:56 +00:00

Author

SHA1

Message

Date

Viktor Barzin

77143dfd6b

state: per-stack Transit keys for namespace-owner access control

- Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>)
- state-sync passes per-stack Transit URI + age keys on encrypt
- Vault policies scope namespace-owners to their stacks only:
  - sops-admin: wildcard access to all transit keys
  - sops-user-<name>: access only to owned stack keys
- Anca (plotting-book) can only decrypt plotting-book state
- Admin can decrypt everything (via admin Transit policy or age fallback)
- External group sops-plotting-book maps Authentik group to Vault policy
- Updated CLAUDE.md with state sync documentation

2026-03-17 23:08:18 +00:00

Viktor Barzin

4e7ca1ad61

state: add Vault Transit as primary SOPS backend, age as fallback

- .sops.yaml: add hc_vault_transit_uri for transit/keys/sops-state
- state-sync: try Vault Transit first, fall back to age key on disk
- Re-encrypted all 101 state files with both Vault Transit + age
- Normal workflow: vault login → decrypt via Transit (no key files)
- Bootstrap/DR: age key at ~/.config/sops/age/keys.txt

2026-03-17 22:56:33 +00:00

Viktor Barzin

b6faa24349

state: add SOPS-encrypted terraform state to git

- SOPS + age encrypts all 101 .tfstate files (JSON-aware: keys visible, values encrypted)
- scripts/state-sync: encrypt/decrypt/commit wrapper
- scripts/tg: auto-decrypt before ops, auto-encrypt+commit after apply/destroy
- terragrunt.hcl: -backup=- prevents backup file accumulation
- .gitignore: track .tfstate.enc, ignore plaintext .tfstate
- Cleaned 964MB of stale backups (state/backups/, .backup files)

2026-03-17 22:37:56 +00:00

3 commits